SlideShare une entreprise Scribd logo

Vulnex app secusa2013

Télécharger en tant que PPTX, PDF
D
drewz lin
Technologie
1  sur  40
AppSecUSA New York City 2013
ME? Simón Roses Femerling • Founder & CEO, VULNEX www.vulnex.com • Blog: • Twitter: @simonroses • Former Microsoft, PwC, @Stake • DARPA Cyber Fast Track award on software security project • Black Hat, RSA, OWASP, SOURCE, AppSec, DeepSec, TECHNET www.simonroses.com
BIG THANKS! • DARPA Cyber Fast Track (CFT) • Mudge • The fine folks at BIT SYSTEMS
TALK OBJECTIVES • Secure development • Verification technologies • Assess software security posture
AGENDA 1. 2. 3. 4. Secure Development: Verification BinSecSweeper Case Studies & Demos Conclusions
1. SECURE DEVELOPMENT: VERIFICATION • MS SDL – “This phase involves a comprehensive effort to ensure that the code meets the security and privacy tenets established in the previous phases.” • Software Assurance Maturity Model (SAMM) – “Verification is focused on the processes and activities related to how an organization checks and tests artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.”
1. OPENSAMM
1. MICROSOFT SDL
1. IT’S ABOUT SAVING MONEY!
1. OTHER VERIFICATION TOOLS • Microsoft BinScope http://www.microsoft.com/enus/download/details.aspx?id=11910 • RECX Binary Assurance for Windows http://www.recx.co.uk/products/exeaudit.p hp • ErrataSec Looking Glass http://blog.erratasec.com/search/label/Look ingGlass#.UodWXJ2DN9A
1. BINSCOPE
1. CURRENT VERIFICATION TOOLS • Platform specific – Windows: BinScope, Looking Glass & Binary Assurance – Linux: checksec.sh and custom scripts • Limited set of checks – Check for defenses but what about: • • • • Compiler used External libs used Malware You name it… • Not easy to extend
1. BINARY INTELLIGENCE File Information • Size • Hash • Timestamp Security Mitigations • DEP • ASLR • Stack Cookies Compiler • Name • Version Vulnerabilities • Unsafe API • Weak Crypto
2. WHY BINSECSWEEPER? • BinSecSweeper is VULNEX binary security verification tool to ensure applications have been built in compliance with Application Assurance best practices • The goal for BinSecSweeper is a tool: – Developers can use to verify their output binaries are safe after compilation and before releasing their products – IT security pros to scan their infrastructure to identify binaries with weak security defenses or vulnerabilities. • BinSecSweeper is a cross platform tool (works on Windows and Linux) and can scan different file formats: PE and ELF.
2. FEATURES • 100% open source • Easy to use • Cross-platform works on Windows & Linux • Scans Windows (PE) and Unix (ELF) files for security checks • Configurable • Extensible by plugins • Reporting
2. BINSECSWEEPER IN ACTION (I)
2. BINSECSWEEPER IN ACTION (II)
2. CURRENT WINDOWS CHECKS CHECK Address (ASLR) DESCRIPTION space layout randomization Checks if binary has opted the ASLR. Link with /DYNAMICBASE Stack Cookies (GS) Verifies if binary was compiled with Stack Cookies protection. Compile with /GS HotPatch Checks if binary is prepared for hot patching. Compile with /hotpatch Compatible with Data Prevention (NXCOMPAT) Execution Validates if binary has opted hardware Data Execution Prevention (DEP). Link with /NXCOMPAT Structured Exception Handling (SEH) Checks if binary was linked SafeSEH. Link with /SAFESEH with Abobe Malware Classifier Analyzes binary for malware behavior using machine learning algorithms Visual Studio Compiler Fingerprinting Identifies if binary was compiled with Visual Studio and version (2008, 2010 & 2012)
2. CURRENT LINUX CHECKS CHECK DESCRIPTION Fortify Source Checks if binary was compiled with buffer overflow protection (bounds checking). Compile with – D_FORTIFY_SOURCE=X Never eXecute (NX) Verifies if binary was compiled with NX to reduce the area an attacker can use to perform arbitrary code execution. Position Independent Code (PIE) Checks if binary was compiled with PIE to protects against "return-to-text" and generally frustrates memory corruption attacks. Compile with –fPIE -pie RELocation Read-Only (RELRO) Validates if binary was compiled with RELRO (partial/full) to harden data sections. Compile with –z,relro,-z,now Stack Canary Checks if binary was compiled with stack protector to protect against stack overflows. Compile with –fstackprotector
2. PLUGIN EXAMPLE: TEST PLUGIN
2. PLUGIN EXAMPLE: WINDOWS ASLR
2. PLUGIN EXAMPLE: LINUX FORTIFY_SOURCE
2. REPORTING
2. BINSECSWEEPER: WHAT’S NEXT • More plugins: – – – – – – Windows, Linux, etc. Mobile Malware Backdoors Compilers Packers • Metrics panel • Diff across product / versions
2. BINSECSWEEPER: WHERE? • Download BinSecSweeper software from www.vulnex.com
3. TIME FOR SOME ACTION • Case Study I: Verify your own software • Case Study II: Software Security Posture, ACME inc • Case Study III: Browser Security Comparison
3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE • Is your in-house software following a secure development framework? • Is your software being checked for: 1. Compiled with a modern compiler? 2. Security defenses enabled for Windows or Linux? 3. No malware included in product? 4. Using external libraries (DLL, etc.) and what is their security?
3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE • BinSecSweeper can verify that product (used by development teams): – What Visual Studio version has been used? (Windows Only) (MS SDL) – What defenses have been enabled?: Windows Linux Stack Cookies Stack Canary ASLR NX DEP Fortify Source SAFESEH PIE HotPacthing RELRO – Will audit all files in the project? • Program security posture: will it Pass / Fail?
3. CASE STUDY II: SOFTWARE SECURITY POSTURE, AMCE INC • Do IT know the security posture of all software? You can assess your vendors… • Now you know where EMET is needed!
3. CASE STUDY II: SOFTWARE SECURITY POSTURE, AMCE INC VLC SKYPE iTunes Dropbox
3. CASE STUDY III: BROWSER SECURITY COMPARISON • Let’s assess browser security posture – – – – – Chrome Firefox Internet Explorer Opera Safari • Only checked on Windows, but will be interesting to do same exercise in other OS
3. CASE STUDY III: BROWSER SECURITY COMPARISON BROWSER AUDIT FILES FILE Compiler GS Chrome 75 chrome.exe VS 2010 / 360 Firefox 28 firefox.exe VS 2010 / 11 Internet Explorer 18 iexplore.exe ¿? /5 Opera 14 opera.exe VS 2010 / 16099 Safari 48 safari.exe VS 2008 /2 ASLR DEP SAFESEH HotPatch
4. VERIFYING SOFTWARE SECURITY POSTURE MATTERS! • Binaries contain a lot of information! • The security posture of the software developed by you is important: – Security improves Quality – Branding (show you care about security) • How is the security posture of software vendors you use?
4. BINSECSWEEPER: CALL TO ARMS – How can the software be improved? – What checks do you need? – What metrics do you need? – Contact: research@vulnex.com
4. REFERENCES • Linux Security Features (Ubuntu) https://wiki.ubuntu.com/Security/Featu res • Visual Studio Compiling Options http://msdn.microsoft.com/enus/library/9s7c9wdw.aspx
4. Q&A • Thanks! • @simonroses / @vulnexsl • www.vulnex.com

Recommandé

DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using Cypress
Maurice De Beijer [MVP]
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous Integration
Stephen de Vries
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
Security Testing for Containerized Applications
Security Testing for Containerized ApplicationsSecurity Testing for Containerized Applications
Security Testing for Containerized Applications
Soluto
 

Recommandé

DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using Cypress
Maurice De Beijer [MVP]
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous Integration
Stephen de Vries
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Outpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev opsOutpost24 webinar mastering container security in modern day dev ops
Outpost24 webinar mastering container security in modern day dev ops
Outpost24
 
Security Testing for Containerized Applications
Security Testing for Containerized ApplicationsSecurity Testing for Containerized Applications
Security Testing for Containerized Applications
Soluto
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecCon
Stephen de Vries
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCA
Suman Sourav
 
How not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapHow not to fall into the DevSecOps trap
How not to fall into the DevSecOps trap
Matteo Emili
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
Bug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 Research
HackerOne
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.Monate
Mahaut Gouhier
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
AWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and securityAWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and security
AWS Chicago
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
Implementing Secure DevOps on Public Cloud Platforms
Implementing Secure DevOps on Public Cloud PlatformsImplementing Secure DevOps on Public Cloud Platforms
Implementing Secure DevOps on Public Cloud Platforms
Gaurav "GP" Pal
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Spv Reddy
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 
分布式爬虫
分布式爬虫分布式爬虫
分布式爬虫
drewz lin
 
Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03
drewz lin
 

Contenu connexe

Tendances

Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
Implementing Secure DevOps on Public Cloud Platforms
Implementing Secure DevOps on Public Cloud PlatformsImplementing Secure DevOps on Public Cloud Platforms
Implementing Secure DevOps on Public Cloud Platforms
Gaurav "GP" Pal
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 

Tendances (20)

Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecCon
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCA
 
How not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapHow not to fall into the DevSecOps trap
How not to fall into the DevSecOps trap
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Bug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 ResearchBug Bounties and The Path to Secure Software by 451 Research
Bug Bounties and The Path to Secure Software by 451 Research
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Applying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.MonateApplying formal methods to existing software by B.Monate
Applying formal methods to existing software by B.Monate
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
 
AWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and securityAWS Chicago talk from John Downey - Containers and security
AWS Chicago talk from John Downey - Containers and security
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
Implementing Secure DevOps on Public Cloud Platforms
Implementing Secure DevOps on Public Cloud PlatformsImplementing Secure DevOps on Public Cloud Platforms
Implementing Secure DevOps on Public Cloud Platforms
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers[OWASP Poland Day] Application security - daily questions & answers
[OWASP Poland Day] Application security - daily questions & answers
 

En vedette

分布式爬虫
分布式爬虫分布式爬虫
分布式爬虫
drewz lin
 
Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03
drewz lin
 
大型网站架构
大型网站架构大型网站架构
大型网站架构
drewz lin
 
那些非理性的测试行为——心理学诠释常见的测试怪象
那些非理性的测试行为——心理学诠释常见的测试怪象那些非理性的测试行为——心理学诠释常见的测试怪象
那些非理性的测试行为——心理学诠释常见的测试怪象
drewz lin
 
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案 Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
drewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
drewz lin
 

En vedette (6)

分布式爬虫
分布式爬虫分布式爬虫
分布式爬虫
 
Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03Do it in-production-seth_eliot_2013_03
Do it in-production-seth_eliot_2013_03
 
大型网站架构
大型网站架构大型网站架构
大型网站架构
 
那些非理性的测试行为——心理学诠释常见的测试怪象
那些非理性的测试行为——心理学诠释常见的测试怪象那些非理性的测试行为——心理学诠释常见的测试怪象
那些非理性的测试行为——心理学诠释常见的测试怪象
 
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案 Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
Top100summit东软 孙广宇-uni sdp基于html5构建的跨平台的统一智能设备解决方案
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 

Similaire à Vulnex app secusa2013

Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018
Henry Stamerjohann
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
Helen Bravo
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
PranavPatil822557
 

Similaire à Vulnex app secusa2013 (20)

Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
100 Security Operation Center Tools EMERSON EDUARDO RODRIGUES
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
soctool.pdf
soctool.pdfsoctool.pdf
soctool.pdf
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
How to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network SecurityHow to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network Security
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018
 
Top 5 DevSecOps Tools- You Need to Know About
Top 5 DevSecOps Tools- You Need to Know AboutTop 5 DevSecOps Tools- You Need to Know About
Top 5 DevSecOps Tools- You Need to Know About
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9Aleksei Dremin - Application Security Pipeline - phdays9
Aleksei Dremin - Application Security Pipeline - phdays9
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 

Plus de drewz lin

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
drewz lin
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
drewz lin
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
drewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
drewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
drewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
drewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
drewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
drewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
drewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
drewz lin
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
drewz lin
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
drewz lin
 

Plus de drewz lin (20)

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 
无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu无线App的性能分析和监控实践 rickyqiu
无线App的性能分析和监控实践 rickyqiu
 
网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)网易移动自动化测试实践(孔庆云)
网易移动自动化测试实践(孔庆云)
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Vulnex app secusa2013

  • 2. ME? Simón Roses Femerling • Founder & CEO, VULNEX www.vulnex.com • Blog: • Twitter: @simonroses • Former Microsoft, PwC, @Stake • DARPA Cyber Fast Track award on software security project • Black Hat, RSA, OWASP, SOURCE, AppSec, DeepSec, TECHNET www.simonroses.com
  • 3. BIG THANKS! • DARPA Cyber Fast Track (CFT) • Mudge • The fine folks at BIT SYSTEMS
  • 4. TALK OBJECTIVES • Secure development • Verification technologies • Assess software security posture
  • 6.
  • 7. 1. SECURE DEVELOPMENT: VERIFICATION • MS SDL – “This phase involves a comprehensive effort to ensure that the code meets the security and privacy tenets established in the previous phases.” • Software Assurance Maturity Model (SAMM) – “Verification is focused on the processes and activities related to how an organization checks and tests artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.”
  • 10. 1. IT’S ABOUT SAVING MONEY!
  • 11. 1. OTHER VERIFICATION TOOLS • Microsoft BinScope http://www.microsoft.com/enus/download/details.aspx?id=11910 • RECX Binary Assurance for Windows http://www.recx.co.uk/products/exeaudit.p hp • ErrataSec Looking Glass http://blog.erratasec.com/search/label/Look ingGlass#.UodWXJ2DN9A
  • 13. 1. CURRENT VERIFICATION TOOLS • Platform specific – Windows: BinScope, Looking Glass & Binary Assurance – Linux: checksec.sh and custom scripts • Limited set of checks – Check for defenses but what about: • • • • Compiler used External libs used Malware You name it… • Not easy to extend
  • 14. 1. BINARY INTELLIGENCE File Information • Size • Hash • Timestamp Security Mitigations • DEP • ASLR • Stack Cookies Compiler • Name • Version Vulnerabilities • Unsafe API • Weak Crypto
  • 15.
  • 16. 2. WHY BINSECSWEEPER? • BinSecSweeper is VULNEX binary security verification tool to ensure applications have been built in compliance with Application Assurance best practices • The goal for BinSecSweeper is a tool: – Developers can use to verify their output binaries are safe after compilation and before releasing their products – IT security pros to scan their infrastructure to identify binaries with weak security defenses or vulnerabilities. • BinSecSweeper is a cross platform tool (works on Windows and Linux) and can scan different file formats: PE and ELF.
  • 17. 2. FEATURES • 100% open source • Easy to use • Cross-platform works on Windows & Linux • Scans Windows (PE) and Unix (ELF) files for security checks • Configurable • Extensible by plugins • Reporting
  • 18. 2. BINSECSWEEPER IN ACTION (I)
  • 19. 2. BINSECSWEEPER IN ACTION (II)
  • 20. 2. CURRENT WINDOWS CHECKS CHECK Address (ASLR) DESCRIPTION space layout randomization Checks if binary has opted the ASLR. Link with /DYNAMICBASE Stack Cookies (GS) Verifies if binary was compiled with Stack Cookies protection. Compile with /GS HotPatch Checks if binary is prepared for hot patching. Compile with /hotpatch Compatible with Data Prevention (NXCOMPAT) Execution Validates if binary has opted hardware Data Execution Prevention (DEP). Link with /NXCOMPAT Structured Exception Handling (SEH) Checks if binary was linked SafeSEH. Link with /SAFESEH with Abobe Malware Classifier Analyzes binary for malware behavior using machine learning algorithms Visual Studio Compiler Fingerprinting Identifies if binary was compiled with Visual Studio and version (2008, 2010 & 2012)
  • 21. 2. CURRENT LINUX CHECKS CHECK DESCRIPTION Fortify Source Checks if binary was compiled with buffer overflow protection (bounds checking). Compile with – D_FORTIFY_SOURCE=X Never eXecute (NX) Verifies if binary was compiled with NX to reduce the area an attacker can use to perform arbitrary code execution. Position Independent Code (PIE) Checks if binary was compiled with PIE to protects against "return-to-text" and generally frustrates memory corruption attacks. Compile with –fPIE -pie RELocation Read-Only (RELRO) Validates if binary was compiled with RELRO (partial/full) to harden data sections. Compile with –z,relro,-z,now Stack Canary Checks if binary was compiled with stack protector to protect against stack overflows. Compile with –fstackprotector
  • 22. 2. PLUGIN EXAMPLE: TEST PLUGIN
  • 23. 2. PLUGIN EXAMPLE: WINDOWS ASLR
  • 24. 2. PLUGIN EXAMPLE: LINUX FORTIFY_SOURCE
  • 26. 2. BINSECSWEEPER: WHAT’S NEXT • More plugins: – – – – – – Windows, Linux, etc. Mobile Malware Backdoors Compilers Packers • Metrics panel • Diff across product / versions
  • 27. 2. BINSECSWEEPER: WHERE? • Download BinSecSweeper software from www.vulnex.com
  • 28.
  • 29. 3. TIME FOR SOME ACTION • Case Study I: Verify your own software • Case Study II: Software Security Posture, ACME inc • Case Study III: Browser Security Comparison
  • 30. 3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE • Is your in-house software following a secure development framework? • Is your software being checked for: 1. Compiled with a modern compiler? 2. Security defenses enabled for Windows or Linux? 3. No malware included in product? 4. Using external libraries (DLL, etc.) and what is their security?
  • 31. 3. CASE STUDY I: VERIFY YOUR OWN SOFTWARE • BinSecSweeper can verify that product (used by development teams): – What Visual Studio version has been used? (Windows Only) (MS SDL) – What defenses have been enabled?: Windows Linux Stack Cookies Stack Canary ASLR NX DEP Fortify Source SAFESEH PIE HotPacthing RELRO – Will audit all files in the project? • Program security posture: will it Pass / Fail?
  • 32. 3. CASE STUDY II: SOFTWARE SECURITY POSTURE, AMCE INC • Do IT know the security posture of all software? You can assess your vendors… • Now you know where EMET is needed!
  • 33. 3. CASE STUDY II: SOFTWARE SECURITY POSTURE, AMCE INC VLC SKYPE iTunes Dropbox
  • 34. 3. CASE STUDY III: BROWSER SECURITY COMPARISON • Let’s assess browser security posture – – – – – Chrome Firefox Internet Explorer Opera Safari • Only checked on Windows, but will be interesting to do same exercise in other OS
  • 35. 3. CASE STUDY III: BROWSER SECURITY COMPARISON BROWSER AUDIT FILES FILE Compiler GS Chrome 75 chrome.exe VS 2010 / 360 Firefox 28 firefox.exe VS 2010 / 11 Internet Explorer 18 iexplore.exe ¿? /5 Opera 14 opera.exe VS 2010 / 16099 Safari 48 safari.exe VS 2008 /2 ASLR DEP SAFESEH HotPatch
  • 36.
  • 37. 4. VERIFYING SOFTWARE SECURITY POSTURE MATTERS! • Binaries contain a lot of information! • The security posture of the software developed by you is important: – Security improves Quality – Branding (show you care about security) • How is the security posture of software vendors you use?
  • 38. 4. BINSECSWEEPER: CALL TO ARMS – How can the software be improved? – What checks do you need? – What metrics do you need? – Contact: research@vulnex.com
  • 39. 4. REFERENCES • Linux Security Features (Ubuntu) https://wiki.ubuntu.com/Security/Featu res • Visual Studio Compiling Options http://msdn.microsoft.com/enus/library/9s7c9wdw.aspx
  • 40. 4. Q&A • Thanks! • @simonroses / @vulnexsl • www.vulnex.com