You run an Ounce source code security scan on a brand new large Web application and come up with over 100K findings. Assuming 30 seconds to triage each finding, you estimate it will take you about 34 days working non-stop (without sleep) to clear through all the findings. Hmmm, way too much Red Bull. Now what?
Digging in a little bit more, you see that most of the findings point to the same root findings in common include files. Each finding in an include file is repeated once for every JSP that includes that file, so a handful of root findings translates into thousands of reported findings.
What can you do? Fixing those few root findings will reduce your finding count. However, in some cases, these findings are false positives. Ideally, the Ounce scanner should have detected the similarities and just flagged the include file once. Ounce Labs said they are working on a fix.
One trick is to go to the Configuration perspective for that Web application. Click on the Overview tab and select the "Filter findings contained in external sources" option to exclude the findings from the included files. The original intent of this filter is to "filter out any findings discovered in files that are not source files of the scanned project. This option reduces noise for projects where findings are reported in compiler-generated or temporary files, such as ASP.NET." Keep in mind that this only hides the findings in the include files; it does not fix them, so the include files still have to be scanned on their own.
In my case, the subsequent scan (without any other changes) dropped the findings down from over 100K to just 15K.
Next, you will still want to scan all those include files. To do that (as a brute force approach), you could issue the following command to find all unique include files:
egrep -R -i "<%@ *include +file *= *\"" * | \
sed 's/.*file *= *"\([^"]*\)".*/\1/' | sort | uniq
The egrep command recursively scans every file for lines containing "<%@", optional whitespace, "include", whitespace, "file", optional whitespace and "=". The sed command keeps only the text between the double quotes that follow "file=" (the [^"]* keeps the match from running past the closing quote when the line has more quotes after it). sort and uniq then give you the list of distinct include files. Note that includes written with single quotes, and pages pulled in with <jsp:include page="..."/>, are not matched by this pattern; add them if your application uses them.
This will create a list of include files that you have omitted from your scan. You should now create a smaller project under the current application to only scan these include files.
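The same enumeration as an added example in Python (not code from the original post or from Ounce Labs). Beyond the one-liner above it accepts single-quoted values, "<%@include" with no space, and <jsp:include page="..."/>, resolves page-relative and context-relative paths to one root-relative name so the same include file is not listed twice, and ranks the includes by how many JSPs reference them, which is the order in which the root findings are worth triaging. The sample web application built by make_sample_tree() is constructed for this example.

```python
"""Added example: enumerate the distinct files pulled in by JSP include directives
under a web application root, resolve them to root-relative paths, and rank them
by fan-out (how many pages reference each). The sample tree is constructed here."""
import posixpath
import re
import tempfile
from pathlib import Path

# JSP directive and attribute names are case-sensitive, so no re.I here.
INCLUDE_RE = re.compile(
    r"""<%@\s*include\s+file\s*=\s*(?P<q1>["'])(?P<file>[^"']*)(?P=q1)"""
    r"""|<jsp:include\s+page\s*=\s*(?P<q2>["'])(?P<page>[^"']*)(?P=q2)"""
)
JSP_SUFFIXES = {".jsp", ".jspf", ".inc"}


def resolve_include(including_page, target):
    """Resolve an include target to a root-relative POSIX path.
    A target starting with '/' is context-relative (relative to the web app root);
    anything else is relative to the directory of the page that includes it."""
    if target.startswith("/"):
        return posixpath.normpath(target.lstrip("/"))
    return posixpath.normpath(posixpath.join(posixpath.dirname(including_page), target))


def find_includes(root):
    """Map each resolved include target to the set of pages that pull it in.
    .jspf/.inc files are scanned too, so nested includes are picked up."""
    root = Path(root)
    refs = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in JSP_SUFFIXES:
            continue
        page = path.relative_to(root).as_posix()
        for m in INCLUDE_RE.finditer(path.read_text(errors="replace")):
            target = resolve_include(page, m.group("file") or m.group("page"))
            refs.setdefault(target, set()).add(page)
    return refs


def distinct_includes(root):
    """Sorted list of distinct include files: the input for the smaller follow-up project."""
    return sorted(find_includes(root))


def fan_out(root):
    """(reference count, include) pairs, most-referenced first. One finding in the
    top entry is the one that gets multiplied across the most JSPs."""
    return sorted(((len(pages), inc) for inc, pages in find_includes(root).items()),
                  key=lambda t: (-t[0], t[1]))


def make_sample_tree(root):
    """Constructed sample web app (not from the original post)."""
    root = Path(root)
    (root / "admin").mkdir(parents=True, exist_ok=True)
    (root / "inc").mkdir(exist_ok=True)
    (root / "index.jsp").write_text(
        '<%@ page language="java" %>\n'
        '<%@ include file="/inc/header.jspf" %>\n'
        "<h1>Home</h1>\n"
        "<%@include file='inc/footer.jspf'%>\n")
    (root / "admin" / "users.jsp").write_text(
        '<%@ include file="/inc/header.jspf" %>\n'
        '<jsp:include page="../inc/nav.jsp" />\n'
        '<%@ include file="/inc/footer.jspf" %>\n')
    (root / "admin" / "roles.jsp").write_text(
        '<%@ include file="../inc/header.jspf" %>\n'
        '<%@ include file="/inc/footer.jspf" %>\n')
    (root / "inc" / "header.jspf").write_text("<html><body>\n")
    (root / "inc" / "footer.jspf").write_text("</body></html>\n")
    (root / "inc" / "nav.jsp").write_text('<div class="nav"></div>\n')


def demo():
    """Build the sample tree in a temporary directory; return its include list and fan-out."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return distinct_includes(tmp), fan_out(tmp)


if __name__ == "__main__":
    includes, ranked = demo()
    print("distinct include files:", includes)
    for count, inc in ranked:
        print(f"{count:5d}  {inc}")
```

Run it against a real tree by calling distinct_includes("/path/to/webapp") and fan_out("/path/to/webapp"); the first list is what goes into the smaller project, the second tells you which include to fix first.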
Hope this helps.
An0n S3c
Sunday, September 28, 2008
Secure Coding Standards ...
I was (actually still am) looking for a comprehensive set of secure coding standards that I can implement for my development teams. Ideally, I would like to find a set of standards that:
can be updated automatically/easily - that way, we are working to current recommendations
lets me add our own specific recommendations without making the content upgrade difficult - for example, we have our own encoding routines
can be implemented internally - e.g., it comes as a web portal
is prescriptive and can be easily applied
I would appreciate pointers to either publicly or commercially available sets. Here is the list so far:
OWASP Development Guide and OWASP Backend Security Project - thanks to Bedirhan Urgun for the pointer
CERT Secure Coding Standards - thanks to Robert C. Seacord for the pointer
Joint Strike Fighter (JSF) Air Vehicle C++ Coding Standards and MISRA C Coding Standards - thanks to Robert C. Seacord for the pointer
OpenOffice C++ Coding Standards
Andrew van der Stock's Coding Standards - thanks to Jim Manico for the pointer
Microsoft's MSDN Secure Coding Standards - thanks to Jim Manico for the pointer
Some other relevant sites include:
DHS Build Security In
SANS Software Security Institute
CERT Top 10 Secure Coding Practices
SANS GIAC Secure Software Programmer
Hope you find this helpful. I plan to keep this list current.
An0n S3c
Saturday, September 27, 2008
Macbook Pro with 128GB SSD - Speed counts!!
Hmmm, me thinks me dream laptop standard has just gone up another notch. This review describes how to install a Memoright 128GB SATA Solid State Disk (SSD) into an MBP (assuming you can stomach the $3K price tag - uh for the SSD not the MBP) and compares the performance of an MBP with the SSD with a standard MBP with a Hitachi Travelstar 5K250 (5400RPM) HDD.
Ah ignore the part that says your performance may vary. I think it is so cool just to have an MBP with a SSD. Now if only the new upcoming MBPs (expected MBP updates in Oct 14) come with 8 or more GB RAM - that would be cool.
Santa - I have been good, honest!
An0n S3c
Input Validation or Output Encoding to prevent XSS
Found an excellent blog on Input Validation vs. Output Encoding by Scott Matsumoto, Cigital.
The gist of the blog is that although it would appear cleaner to use input validation to cleanse data as it enters the system, there are problems with that approach. Blacklist validation only catches known bad data. Whitelist validation only works for data types with a well-defined format. Finally, data can come from many disparate sources, not all of which pass through your validation layer. As a result, Scott recommends output encoding, or a combination of input validation (where appropriate) and output encoding as defense in depth.
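An added example, written here in Python to stay self-contained (it is not code from Scott's blog or from the original post), that works through the three points above: a whitelist is exact for a typed field such as a postal code but for free text is either too strict to accept a legitimate comment or loose enough to accept the attack; a blacklist removes only the construct it knows about; and one encoder per output context (HTML body, URL parameter, JavaScript string) renders both the legitimate comment and the attacks harmlessly. All sample inputs are constructed.

```python
"""Added example: input validation vs. context-specific output encoding for XSS.
Every sample string below is constructed for this example."""
import html
import json
import re
import urllib.parse

# Constructed inputs: a legitimate comment about code, and two attack strings.
LEGIT_COMMENT = 'See if (x <= y) alert("ok").'
ATTACK_HTML = "<img src=x onerror=alert(document.cookie)>"
ATTACK_JS = "</script><script>alert(1)</script>"

# --- Input validation --------------------------------------------------------

# Whitelist for a typed field: exact, and the right tool for this data type.
POSTAL_RE = re.compile(r"^[A-Z0-9]{2,4} ?[A-Z0-9]{3,4}$")

def postal_ok(value):
    return bool(POSTAL_RE.match(value))

# Whitelist for free text: either too strict to accept legitimate input ...
STRICT_COMMENT_RE = re.compile(r"^[\w\s.]*$")
# ... or, once it admits the characters a real comment needs, it admits the attack too.
LOOSE_COMMENT_RE = re.compile(r'^[\w\s<=>()".]*$')

def strict_whitelist_ok(value):
    return bool(STRICT_COMMENT_RE.match(value))

def loose_whitelist_ok(value):
    return bool(LOOSE_COMMENT_RE.match(value))

# Blacklist: removes the one construct it knows about and nothing else.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.I)

def blacklist_clean(value):
    return SCRIPT_TAG_RE.sub("", value)

# --- Output encoding, one encoder per output context -------------------------

def encode_html(value):
    """HTML body or quoted attribute: & < > " ' become character references."""
    return html.escape(value, quote=True)

def encode_js_string(value):
    """JavaScript string literal inside a <script> block. json.dumps yields a
    valid, quoted JS string; the extra replacements keep the HTML parser from
    ever seeing a </script> (or any other markup) inside the literal."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))

def encode_url_param(value):
    """Query-string parameter value: everything but unreserved characters is %-encoded."""
    return urllib.parse.quote(value, safe="")

def render_comment_page(comment):
    """The same untrusted string lands in three contexts, each with its own encoder."""
    return (
        f'<div class="comment">{encode_html(comment)}</div>\n'
        f'<a href="/search?q={encode_url_param(comment)}">find similar</a>\n'
        f"<script>var lastComment = {encode_js_string(comment)};</script>\n"
    )

if __name__ == "__main__":
    for s in (LEGIT_COMMENT, ATTACK_HTML, ATTACK_JS):
        print("loose whitelist accepts:", loose_whitelist_ok(s),
              "| blacklist leaves:", blacklist_clean(s))
        print(render_comment_page(s))
```

The point the encoders make is that safety is a property of the output context, not of the data: the legitimate comment survives every context unchanged in meaning, the attacks become inert text, and no decision about "good" or "bad" input had to be made. Input validation still belongs on the typed fields where a whitelist is exact.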
Labels: cross-site-scripting, input validation, output encoding, xss
Thursday, September 25, 2008
"Memory Limit Failure" during Ounce Scan
I was scanning a large-ish Web application (about 2M LOC) with Ounce 6 OSA when the scanner ran into memory limits. The OSA console showed the following messages
Processing restricted for call graph with root "acme.util.cal_jsp._jspService", process memory limit exceeded during initial pass
Processing restricted for call graph with root "acme.util.cal_jsp.getComboOptions", process memory limit exceeded during initial pass
Processing restricted for call graph with root "acme.util.cal_005fmb_jsp.xxxYYYZZZZaaaa", process memory limit exceeded during initial pass
Processing restricted for call graph with root "acme.util.common_005mmmm_jsp.", process memory limit exceeded during initial pass
Processing restricted: out of memory. 31 percent of roots skipped
Skipping file: list_set.jsp due to error: Memory Limit Failure
After some tweaking and help from Ounce Support, I finally got that scan working. The trick is to
1. launch $OUNCE_HOME/bin/ouncesettings.sh to modify the amount of memory to give the scanner and to get the scanner to swap content from memory to disk
2. in Ounce Settings, make the following changes
Parameter                                   | Setting for "Memory Limit Failure"
IPVA Settings > Prototypical Traces         | 1
IPVA Settings > Pruning Size Heuristics     | 40
Java Settings > JavaC initial, max settings | 2600 (or up to the limit of your JVM)
Java Settings > JSP Chunking                | off (unchecked)
Memory Settings > Swapping Levels           | 100
Memory Settings > Max Num of Mem Chips ...  | 200
Scan Settings > Show Info Findings          | off (unchecked)
3. By the way, don't forget to hit the Save Tab before moving to the next tab.
Hope these settings work for you.
An0n S3c
Monday, September 15, 2008
How to bump up the size of Ounce Security Analyst's (OSA) JVM heap
OSA is an Eclipse-based RCP application from Ounce Labs that you can use to scan applications for security vulnerabilities (e.g., XSS, SQL Injection, etc). You may want to bump up the amount of space allocated to OSA (and its worker process) if you are working with a large assessment.
To bump up the JVM heap,
1. edit $INSTALL_DIR/config/osa.cp
2. add or modify the -Xmx parameter to something large (but within your system constraints). For example, on Windows (32-bit), try setting the max JVM heap size to around 1.5GB:
-Xmx1536m
You may have to lower that value if your JVM is unable to allocate that much memory (see message below).
Error occurred during initialization of VM
Could not reserve enough space for object heap
Could not create the Java virtual machine.
Keep dropping the -Xmx until you can start your JVM. You should be able to get slightly above 1.2GB without too much trouble.
3. On my RHEL Linux 5, I can bump up the max JVM to 3GB (-Xmx3g)
4. I have not tried setting the following on OSA on a Macbook Pro but I was able to bump the native HotSpot JVM that comes with Leopard OS X to 5GB by adding the following parameters
-d64 <= enable the 64-bit JVM
-Xmx5g
I will gladly test #4 for you if you have a new MBP handy - preferably 2.5GHz, 15" MBP, with 4GB memory or if you can wait, maybe one of the new MBPs to be announced Oct 14, 2008. I am hoping one of the new MBPs will be upgradable to 8GB memory. :)
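The "keep dropping -Xmx until the JVM starts" step can be automated with a binary search over the heap size. The script below is an added example, not something from the original post or from Ounce Labs: probe_jvm() launches the real "java -Xmx<N>m -version" and treats a non-zero exit (which is what the "Could not reserve enough space for object heap" failure produces) as "does not start"; max_heap_mb() takes any start-test predicate so it can be exercised without a JVM, and fake_can_start() is a constructed stand-in. It assumes that if a given heap size starts, every smaller size starts too, which holds for the address-space limit the post describes.

```python
"""Added example: find the largest -Xmx a JVM will accept by binary search.
fake_can_start() is a constructed stand-in for a 32-bit JVM; probe_jvm() is the
real thing and needs a java binary on the PATH."""
import subprocess


def probe_jvm(heap_mb, java="java"):
    """True if a JVM starts with -Xmx<heap_mb>m. A heap the VM cannot reserve makes
    java exit non-zero before it prints its version."""
    try:
        result = subprocess.run(
            [java, f"-Xmx{heap_mb}m", "-version"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=60)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def max_heap_mb(can_start, low_mb=256, high_mb=4096, step_mb=64):
    """Largest heap (a multiple of step_mb between low_mb and high_mb) for which
    can_start(heap_mb) is True. Assumes monotonicity: if a size works, every
    smaller size works. Returns 0 if even low_mb fails."""
    if not can_start(low_mb):
        return 0
    lo, hi = low_mb // step_mb, high_mb // step_mb   # search in units of step_mb
    if can_start(hi * step_mb):
        return hi * step_mb
    # Invariant from here on: lo*step_mb starts, hi*step_mb does not.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if can_start(mid * step_mb):
            lo = mid
        else:
            hi = mid
    return lo * step_mb


def fake_can_start(limit_mb):
    """Constructed stand-in for a JVM that can reserve at most limit_mb of heap."""
    return lambda heap_mb: heap_mb <= limit_mb


if __name__ == "__main__":
    # Constructed run: a 32-bit JVM that tops out somewhere around 1.3GB.
    print("simulated max -Xmx:", max_heap_mb(fake_can_start(1300), 256, 2048, 64), "MB")
    # Real run against the installed JVM (falls through to 0 if java is missing).
    print("installed JVM max -Xmx:", max_heap_mb(probe_jvm, 256, 4096, 64), "MB")
```

With a 64MB step the search needs about five JVM launches for a 2GB range instead of a launch per guess, and the result is the value to put in osa.cp (rounded down to be safe).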
An0n S3c
W3lc0me to my security blog
Welcome to my application security blog. I hope to share some of my trials and tribulations applying application security to my company's applications. Email me if you are in the same field and would like to share experiences or to join my network.