OWASP BeNeLux days 2012 ? training day - Building a Software Security Program On Open Source Tools

by admin Email

This was a two-day training condensed into one day for the OWASP BeNeLux days 2012, the instructor was Dan Cornell. Dan is a fast paced talker but still easy to understand. Because there was so much material to go through we did not play around with the tools as much as I would have liked. In this recap I will just highlight some of the things that were most interesting for me.


The first quarter of the talk handled the methodology used to formulate, implement and measure the quality of the security effort for an organization. The title of the training mentions the SLDC (Software Development Lifecycle) and this is taken in its broadest sense, this is not just about writing software, getting it on the market and maintaining it. The methodology used is OpenSAMM.


First order of business for a company that needs/wants to implement more/better security in its products is to do a threat assessment. Next up is the design of a secure architecture. To do this you need to do threat modeling. You cannot defend against any and all threats at the same time and some applications are not as critical as others to protect. This will allow a company to allocate resources correctly since they are always a scarce commodity.


Dan?s company has developed a tool called ThreadFix. It looks like a very good tool with loads of functionality such as data collection and aggregation from multiple scan engines, over time reporting on security issues found, integration with bug tracking systems, comparing of different scans, automatic generation of WAF rules for issues found and polling of WAF rules from the WAF, reading of WAF logs to link issues found to actual attempts to exploit those on the WAF. ThreadFix also exposes a RESTful API and a command line interface so you can script it to server your needs. In fact this tool looks to have so much nice functionality that I will write an article on how to use it later.


The well known webgoat is used to train developers and make them aware of security problems, this tools is not only useful for penetration testers.


The web app scanner evaluation project  tests the  accuracy of scanners and can help to differentiate open source and commercial scanners. It is also a good starting point for an organization that needs to select a toolset for performing security tests.  Some of these tools can be integrated in the continuous build cycle whereas others will be used by the QA department to further check for security related issues.


When security related issues are found they must be rated in order to provide management with an indication of the severity. As an external pentester I use DREAD  to rate vulnerabilities since it is simple to calculate and explain to developers as well as management. I let them worry about internal priorities of the different applications since you need to be in the company to judge that correctly. The most important thing when reporting vulnerabilities is to include steps for remediation.


According to Dan, based on his extensive experience, security all testing takes up (on average) about 30% of the development time.  This gives a good indication on the amount of time needed if you need to make a very quick estimate.  

Code reviews should be done using both tools and manual inspection. In an agile environment the practice of code reviews is already in use, it is just a matter of training the developers to look at code also from a security perspective and not just a code quality perspective (although one might argue that security is an aspect of high quality code). The automated tools to do code reviews are called static analysis tools. They have the benefit of being run early in the development but they tend to be rather expensive and they are notoriously bad at finding logic problems. All of them need to be configured and some effort to set them up needs to be considered. It is clear that manual code reviews are a perfect complement to these tools.

Some examples of static analysis tools are:

  • findBugs : for JAVA code and is also available as eclipse plugin
  • cat.net : from Microsoft, does dataflow analysis, future plans not clear
  • brakeman : for Ruby on Rails, installs as a ruby gem, maintained by Twitter developers
  • agnitio : for manual code reviews, it includes a set of checklists and some grep like search capabilities


For companies using a lot of Microsoft products, Microsoft released the MBSA or Microsoft baseline security analyzer. This tool scans computers/scanners and returns recommendations to improve security for products like Internet Explorer, IIS MS SQL Server etc.


Finally Dan talked about mod_security. This WAF is now also available to protect IIS and Nginx.

Trackback address for this post

Trackback URL (right click and copy shortcut/link location)

Feedback awaiting moderation

This post has 268 feedbacks awaiting moderation...