Re: [SC-L] blog post and open source vulnerabilities to blog about
http://codesearch0day.appspot.com/

On Mar 16, 2010, at 11:41 AM, Matt Parsons wrote:

> Hello,
>
> I am working on a software security blog and I am trying to find open source vulnerabilities to present and share. Does anyone else have any open source vulnerabilities that they could share and talk about? I think this could be the best way to learn in the open source community about security. I have a few but I would like to blog about a different piece of code almost every day.
>
> God Bless.
> Matt
>
> http://parsonsisconsulting.blogspot.com/
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> Do Good and Fear No Man
> Fort Worth, Texas
> A.K.A The Keyboard Cowboy
> mailto:mparsons1...@gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
> http://parsonsisconsulting.blogspot.com/
> http://www.vimeo.com/8939668

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
Re: [SC-L] blog post and open source vulnerabilities to blog about
This doesn't feel like responsible disclosure and is not the way to announce weaknesses in software. It is best to deal with scenarios that have already been addressed.

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Matt Parsons
Sent: Tuesday, March 16, 2010 11:41 AM
To: owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [SC-L] blog post and open source vulnerabilities to blog about

> [snipped]
Re: [SC-L] blog post and open source vulnerabilities to blog about
Matt,

You can find quite a list of OSS vulnerabilities over at CVE (cve.mitre.org) or NVD (nvd.nist.gov), but here are a couple that I tend to use for illustrative purposes when teaching.

- Apache Chunked Encoding vuln (CVE-2002-0392), an integer overflow. Of particular interest because when it was first discovered it was not believed to be exploitable to gain remote root, but due to a nuance in a memcpy() / memmove() implementation, it was (I think I'm remembering this right). An example of how non-exploitability depends on more than just the program itself, but also on the underlying systems (libraries, compiler, hardware, etc).

- OpenSSH crc32 compensation attack detector vulnerability (CVE-2001-0144). Of interest because this was a remote-root vulnerability in a piece of code that was used solely to try to thwart an SSH protocol 1 cryptographic attack. A good example of more code introducing more bugs, even when the more code had an important security purpose.

- Never made it into any distributed code, as it was in version control only, but there was a Linux kernel vulnerability that was a backdoor attempt (http://kerneltrap.org/node/1584). Of interest because it was apparently an intentional typo bug to create a backdoor. A good example of something that could have easily slid by, but the way that version control was set up, as well as the many eyes working on the kernel, resulted in it coming to light quickly.

- A sendmail bug publicized back in 2006 (CVE-2006-0058) was of interest because the vulnerability was not a typical buffer overflow, but was due to (if I remember correctly -- the discussion of this vuln was pretty opaque at the time, so I could be wrong on this) the intermixing of static and automatic C function variables in a fairly complex attack scenario (where a residual static pointer was pointing to a previous incarnation of an automatic buffer), resulting in an attacker being able to overwrite a section of the stack if the attack was timed just right (it didn't need the nanosecond precision that was widely publicized at first). A good example of complex code being more difficult to secure.

- Greg Beeley
  LightSys

Matt Parsons wrote, On 03/16/2010 10:41 AM:

> [snipped]
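The kernel item in Greg's list is the easiest one to show in code. The block below is an added example for this archive page, not the kernel's source and not something from the thread: it reconstructs the pattern the kerneltrap write-up describes (a single `=` where `==` was intended, so the "check" never rejects anything and instead rewrites the caller's uid whenever a particular flag combination is passed). The flag values, the `struct task` and the helper names are stand-ins chosen for the example. Build with `gcc -Wall -Wextra`: because the assignment is wrapped in its own parentheses, GCC's -Wparentheses hint stays silent, which is a large part of why this kind of typo survives a casual review and why a version-control audit trail and an extra pair of eyes mattered.

```c
#include <errno.h>   /* EINVAL */
#include <stdio.h>

/*
 * Added illustration of an "assignment where a comparison was meant" backdoor.
 * The flag values and the task struct are stand-ins for this example; they are
 * not the kernel's __WCLONE / __WALL definitions or struct task_struct.
 */
#define WCLONE_FLAG 0x80000000u
#define WALL_FLAG   0x40000000u

struct task {
    unsigned int uid;   /* 0 means root */
};

/*
 * Back-doored form: '=' instead of '=='.  (cur->uid = 0) evaluates to 0, so the
 * branch never fires and no error is ever returned, but whenever the caller
 * passes exactly WCLONE_FLAG|WALL_FLAG its uid has silently become 0.
 * The extra parentheses around the assignment keep GCC's -Wparentheses quiet.
 */
static int check_options_backdoored(unsigned int options, struct task *cur)
{
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (cur->uid = 0))
        return -EINVAL;
    return 0;
}

/* Intended form: a pure comparison, no side effect on the caller's credentials. */
static int check_options_fixed(unsigned int options, struct task *cur)
{
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (cur->uid == 0))
        return -EINVAL;
    return 0;
}

/* Harness: run one check from a given starting uid and report what happened. */
unsigned int uid_after_backdoored(unsigned int options, unsigned int start_uid)
{
    struct task t = { start_uid };
    (void)check_options_backdoored(options, &t);
    return t.uid;
}

int retval_backdoored(unsigned int options, unsigned int start_uid)
{
    struct task t = { start_uid };
    return check_options_backdoored(options, &t);
}

unsigned int uid_after_fixed(unsigned int options, unsigned int start_uid)
{
    struct task t = { start_uid };
    (void)check_options_fixed(options, &t);
    return t.uid;
}

int retval_fixed(unsigned int options, unsigned int start_uid)
{
    struct task t = { start_uid };
    return check_options_fixed(options, &t);
}

int main(void)
{
    unsigned int trigger = WCLONE_FLAG | WALL_FLAG;

    printf("backdoored, uid 1000, trigger flags -> uid %u, retval %d\n",
           uid_after_backdoored(trigger, 1000u), retval_backdoored(trigger, 1000u));
    printf("backdoored, uid 1000, other flags   -> uid %u\n",
           uid_after_backdoored(WALL_FLAG, 1000u));
    printf("fixed,      uid 1000, trigger flags -> uid %u, retval %d\n",
           uid_after_fixed(trigger, 1000u), retval_fixed(trigger, 1000u));
    printf("fixed,      uid 0,    trigger flags -> retval %d (EINVAL)\n",
           retval_fixed(trigger, 0u));
    return 0;
}
```

The unprivileged caller who passes the trigger flags comes out of the back-doored check as uid 0 with a clean return code; every other flag combination behaves normally, which is what makes the trigger hard to notice at runtime. The fixed form never touches the caller's credentials. A compiler warning is not a reliable net here, so the practical checks are a review convention that flags any assignment inside a condition, a static-analysis rule for the same, and an audit trail that shows who introduced the line.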
Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about
I am not suggesting exposing zero days. I only want known vulnerabilities in applications like WebGoat etc. that are known to everyone. I don't even plan on naming where each vulnerability comes from but rather instead change the code to protect the innocent. I would never encourage promoting sharing zero days. I hope this clears it up.

Thanks,
Matt

Matt Parsons, MSM, CISSP

From: Arshan Dabirsiaghi [mailto:arshan.dabirsia...@aspectsecurity.com]
Sent: Tuesday, March 16, 2010 2:49 PM
To: McGovern, James F. (P+C Technology); Matt Parsons; owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: RE: [WEB SECURITY] RE: [SC-L] blog post and open source vulnerabilities to blog about

> I'm not sure Matt was suggesting burning sharing 0days, but if he was, I think he should not be discouraged. I think disclosure preference should be something like a protected class within OWASP.
>
> Arshan
>
> From: McGovern, James F. (P+C Technology) [mailto:james.mcgov...@thehartford.com]
> Sent: Tuesday, March 16, 2010 2:36 PM
> To: Matt Parsons; owaspdal...@utdallas.edu
> Cc: websecur...@webappsec.org; SC-L@securecoding.org
> Subject: [WEB SECURITY] RE: [SC-L] blog post and open source vulnerabilities to blog about
>
> > This doesn't feel like responsible disclosure and is not the way to announce weaknesses in software. It is best to deal with scenarios that have already been addressed.
> >
> > [snipped]
[SC-L] market for training CISSPs how to code
I have been a programmer and a security analyst for a few years now. When I first started, developers told me I didn't know how to code well enough and CISSPs told me I didn't have enough security experience. Has anyone had any success training CISSPs and non-programmers how to write code securely, and training developers how to become CISSPs and learn how to penetration test? If not, does everyone think that there would be a market for such training?

Matt Parsons, MSM, CISSP
Re: [SC-L] blog post and open source vulnerabilities to blog about
At the OWASP Open Review project we run Fortify scans for open source project maintainers. There is some summary information on the main page, but the actual detailed scan info is only available to the project maintainers. (Echoing James McGovern's concerns, we didn't want it to end up being the OWASP Open Source 0Day-Publication Project.) More info can be found here: http://owasp.fortify.com/

I do like the idea of looking at CVEs for open source projects. That is good real-world data that can demonstrate patterns.

Thanks,
Dan

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Greg Beeley
Sent: Tuesday, March 16, 2010 2:37 PM
To: SC-L@securecoding.org
Subject: Re: [SC-L] blog post and open source vulnerabilities to blog about

> [snipped]
Re: [SC-L] market for training CISSPs how to code (Matt Parsons)
Hi,

Regarding training non-developers to write secure code, what are the circumstances in which a non-developer would create code that would *require* security? I am assuming that system administrators know the basics of their trade and scripting language of choice, so security there is taken care of, BUT I fail to see other scenarios where code that is more than a one-off is developed by non-programmers. Additional insight would be much appreciated :)

Message: 1
Date: Tue, 16 Mar 2010 21:37:03 -0500
From: Matt Parsons mparsons1...@gmail.com
To: owaspdal...@utdallas.edu

> [snipped]