This article is a guest post by Gordon MacKay, Executive Vice President and CTO of the security risk assessment company Digital Defense, Inc. Don't miss Gordon MacKay and Veracode CTO Chris Wysopal presenting at RSA next week!

Like many of my industry peers, my first job was in the telecom industry developing software. Back in the day, we used telnet to remotely log in to the workstation of our choice and then went about our day writing code and sipping coffee. Software security was not part of our vocabulary or our corporate culture.

I felt the winds of change over a decade ago when I attended DefCon for the first time. As a player intrigued by cyber security, I was hungry to learn more. One of the talks that year introduced CSRF, which up until that point I had thought was similar to Cross-Site Scripting. After the presentation, I learned that my assumptions were not entirely correct, and I was on a mission to make right the mistake I had made in the past on all of my web apps requiring authentication (none of which were public facing, thank goodness). Through the process of exploration, I wrote an "exploit" to leverage a CSRF flaw in one of my projects. The "exploit" was a success and gave me a testimonial to share with my colleagues, who also thought they knew what CSRF was but, like me before, didn't fully understand the details and the impact.

My journey took me into the world of flawed websites with issues such as SQL injection and XSS. The test platforms became our school as well as our playground. Together with skilled pen test analysts working for Digital Defense, Inc. (DDI), we agreed to perform a network vulnerability assessment on the host to see what "juicy" intelligence we could gather. I had not spent time hardening the box because I used it as an experiment only and an opportunity to learn more about application security.
The resulting scan revealed OS vulnerabilities, configuration issues such as default passwords on the web server, and much more. One voice of reason at the time said, "You don't need to take advantage of vulnerabilities in your fancy web app. Why not just own the box with a default password or an off-the-shelf exploit for one of the Windows vulns?" The other voice challenged the norm and blazed a new trail of thought. That trail has taught us that in order to fully cover risk-related vulnerabilities for a specific information asset, it is not enough to assess the immediate application that manages the information. We need to go beyond the everyday and examine more.

That mentality and drive to go the extra distance, protecting the future of security through innovative methods today, is the fundamental concept behind the DDI-Veracode partnership and the ground-breaking integration. With this integration, we are bringing together two very important risk technologies: network-based vulnerability assessments, which I view as looking at risk from the outside in to the containers that hold the applications, and application assessments, both static and dynamic, which I view as examining risk from the inside looking out. From this perspective, application assessments examine risk at the atomic level, down to the individual lines of code, whereas network vulnerability assessments look at risk at a more macroscopic level. Each of these technologies has its own strengths, and although there are overlaps, each one covers risk that the other does not. Both are imperative. Combining the two and allowing an organization to view and manage the overall combined risk brings forth a ground-breaking offering.

To get a quick sense of the risk coverage of the combined offering, our team configured a computer image with the following:
- Installation of a vulnerable Windows XP OS.
- Installation of an OWASP application called WebGoat onto a Windows XP machine. WebGoat is a vulnerable web application designed to teach web application security. In this experiment, it might represent a web application such as a retail online shopping site. Note that WebGoat requires Apache Tomcat as its web server.
- Enabled the Tomcat administrator’s web interface login.
- Added a mechanism to the machine to allow remote maintenance. The chosen mechanism was telnet so as to enjoy this experiment even more as it triggered a feeling of reminiscence back to my telecom days.
We then performed the following assessments:
- Static and dynamic authenticated Veracode scans
- DDI unauthenticated network vulnerability scan with the full password-guessing option selected.
The Results: The findings were nothing less than cool! The Veracode static and dynamic scans both found many SQL injection, Cross-Site Scripting and OS command injection flaws. These are top attack vectors used by hackers. The static scans found even more interesting issues, such as problems with the crypto used within the application, credential management issues and more! The DDI scans found OS vulnerabilities such as MS12-020 and MS08-067, an easily guessable telnet account (username/password), and the Tomcat administrator login credentials. The DDI scan even found a Win32/Rorpian worm. What do you know! The machine had been compromised! Wow!

There is power in this integration for those looking for a full-service platform to identify and address security risk and work to effectively create a culture of security. I'm excited to be speaking at RSA on this integration along with Chris Wysopal. We'll be covering this in more detail and we'll even cover some of the above-mentioned experiments. I'll be at the DDI booth (#2637) and dropping by the Veracode booth (#1342) each day. Come see our presentation and/or stop by and chat. I look forward to meeting you.
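To make the "overlap plus unique coverage" point from the experiment concrete, here is an added Python example that merges application-layer and network-layer findings for one asset into a single view. It is not Veracode's or DDI's code: the asset name, the finding records (modelled on the kinds of results named above), the severity scale and the category labels are all constructed for illustration, and the only rule it adds beyond the post is that a malware indicator outranks every other finding of equal severity, since it means the box is already compromised.

```python
"""Combine application-scan and network-scan findings into one per-asset view.

Added illustration for this post; not Veracode or DDI code. The asset name,
finding records, severity scale and category names are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed ordinal severity scale.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    asset: str      # host or application the finding belongs to (constructed name)
    layer: str      # "application" (static/dynamic app scan) or "network"
    source: str     # which scan produced it: static, dynamic, unauthenticated, password-guessing
    category: str   # normalized weakness class (constructed labels)
    severity: str   # one of the SEVERITY keys
    detail: str     # free text from the scanner


# Constructed sample findings, mirroring the kinds of results the post describes.
SAMPLE = [
    Finding("lab-xp-webgoat", "application", "static", "sql-injection", "high",
            "query built from request parameter"),
    Finding("lab-xp-webgoat", "application", "dynamic", "sql-injection", "high",
            "injected quote changes response"),
    Finding("lab-xp-webgoat", "application", "dynamic", "xss", "medium",
            "reflected parameter in response body"),
    Finding("lab-xp-webgoat", "application", "static", "os-command-injection", "high",
            "process spawned with request data"),
    Finding("lab-xp-webgoat", "application", "static", "weak-crypto", "medium",
            "weak hash used for stored credentials"),
    Finding("lab-xp-webgoat", "network", "unauthenticated", "missing-os-patch", "critical",
            "MS08-067 detected"),
    Finding("lab-xp-webgoat", "network", "unauthenticated", "missing-os-patch", "critical",
            "MS12-020 detected"),
    Finding("lab-xp-webgoat", "network", "password-guessing", "default-credentials", "critical",
            "telnet account guessed"),
    Finding("lab-xp-webgoat", "network", "password-guessing", "default-credentials", "high",
            "Tomcat manager login guessed"),
    Finding("lab-xp-webgoat", "network", "unauthenticated", "malware-indicator", "critical",
            "Win32/Rorpian worm activity"),
]


def combine(findings):
    """Return, per asset, what each layer found that the other did not, what both
    found, which app categories static and dynamic scans agree on, and a headline.
    """
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(f)

    view = {}
    for asset, items in sorted(by_asset.items()):
        app = {f.category for f in items if f.layer == "application"}
        net = {f.category for f in items if f.layer == "network"}
        static = {f.category for f in items if f.source == "static"}
        dynamic = {f.category for f in items if f.source == "dynamic"}
        compromised = any(f.category == "malware-indicator" for f in items)
        # Highest severity wins; among equals, a malware indicator is the headline,
        # because it shows the asset is already owned rather than merely exposed.
        worst = max(items, key=lambda f: (SEVERITY[f.severity],
                                          f.category == "malware-indicator"))
        view[asset] = {
            "application_only": sorted(app - net),   # risk only the app scans see
            "network_only": sorted(net - app),       # risk only the network scan sees
            "both_layers": sorted(app & net),        # the overlap
            "confirmed_static_and_dynamic": sorted(static & dynamic),
            "compromised": compromised,
            "headline": (worst.layer, worst.category),
            "max_severity": worst.severity,
            "count": len(items),
        }
    return view


if __name__ == "__main__":
    for asset, summary in combine(SAMPLE).items():
        print(asset)
        for key, value in summary.items():
            print(f"  {key}: {value}")
```

On the constructed sample, the application-only and network-only sets are each non-empty and the overlap is empty, which is the point of the post: neither assessment alone covers the asset's risk. The `confirmed_static_and_dynamic` field is the analyst's shortcut for where to start remediation, since a class found in the code and reproduced against the running application is both located and demonstrated.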