December 2, 2002
    Tech Talk

    An eEye Guide to Internal Software Auditing

    In a previous Versa newsletter, we featured an article about some of the techniques eEye’s research team uses to discover vulnerabilities in existing software products. By illustrating how a general user can identify the weak points in software, we were able to show software makers where to first look when starting to reinforce and secure their products. In this article we’d like to offer a glimpse into how eEye performs security auditing during the development of our software, including some key things to keep in mind while testing and a few tips for developing a test plan.

    As software auditors, you should begin by examining the state of your environment before you introduce the software product in question. Take this baseline on a freshly built system, so that the only differences you record later are the ones the product itself introduces. Record the state of the file system, registry, process table, and any other operating system resources the product will use. Next, install the software and perform whatever actions are needed to get the package functional and running. After installation is complete, record the state of the file system, registry, process table and the other resources again. Compare this record with the baseline so that you can build a list of every modification that introducing the application made to the system.

    Once complete, organize this list of modifications so that you can begin mapping out points of input. A point of input is simply a channel that you can use to communicate with a component of the introduced application: a running service, a listening port, a library, an interface, or any other resource that carries information to the core application being audited. After mapping out all the points of input you can begin to build a test plan.
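
    The baseline, install and compare cycle described above, as an added example that is not part of the original article and not eEye's own tooling. It snapshots a directory tree (relative path, size, SHA-256), diffs two snapshots, parses constructed Windows-style "netstat -an" output to spot newly opened ports, and turns the result into a first draft of the points-of-input list. The simulated install step, the file names, the port numbers and the list of extensions treated as likely points of input are all assumptions made up for the demonstration; a real audit would also snapshot the registry and the process table, which this example leaves out.

```python
import hashlib
import os
import re
import tempfile

# Assumed heuristic: file types that usually mark a component reachable from
# outside the process (executables, DLLs such as IIS ISAPI extensions and
# filters, kernel drivers, COM servers, CGI programs). Not a complete list.
INPUT_POINT_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cgi"}

# One line of Windows "netstat -an" output, e.g.
# "  TCP    0.0.0.0:80    0.0.0.0:0    LISTENING" (UDP lines carry no state).
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\w+))?\s*$")


def snapshot_tree(root):
    """Record relative path -> (size, sha256) for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def parse_listeners(netstat_output):
    """Return the set of (proto, port) a 'netstat -an' dump shows as open."""
    found = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, _addr, port, state = m.groups()
        # UDP sockets have no connection state; TCP only counts when LISTENING.
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, int(port)))
    return found


def diff_snapshots(before, after):
    """Compare two snapshot_tree() results into added / removed / modified paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def candidate_input_points(diff, listeners_before, listeners_after):
    """Turn a diff plus the two port maps into a first draft of the points-of-input list."""
    changed = diff["added"] + diff["modified"]
    files = [p for p in changed if os.path.splitext(p)[1].lower() in INPUT_POINT_EXTENSIONS]
    return {"files": sorted(files), "ports": sorted(listeners_after - listeners_before)}


def demo():
    """Simulate the baseline / install / compare cycle on a temporary tree (constructed data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inetpub", "scripts"))
        with open(os.path.join(root, "inetpub", "web.cfg"), "w") as fh:
            fh.write("handlers=\n")
        before = snapshot_tree(root)
        netstat_before = "  TCP    0.0.0.0:80    0.0.0.0:0    LISTENING\n"

        # Pretend to install the product: one ISAPI DLL, one service binary,
        # one changed config file and one file that is not a point of input.
        with open(os.path.join(root, "inetpub", "scripts", "handler.dll"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)
        with open(os.path.join(root, "svc.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x01" * 62)
        with open(os.path.join(root, "inetpub", "web.cfg"), "w") as fh:
            fh.write("handlers=scripts/handler.dll\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("installed\n")
        after = snapshot_tree(root)
        netstat_after = netstat_before + (
            "  TCP    0.0.0.0:8100    0.0.0.0:0    LISTENING\n"
            "  TCP    127.0.0.1:8100  127.0.0.1:4123  ESTABLISHED\n"
            "  UDP    0.0.0.0:4000    *:*\n"
        )

    diff = diff_snapshots(before, after)
    points = candidate_input_points(
        diff, parse_listeners(netstat_before), parse_listeners(netstat_after)
    )
    return diff, points


if __name__ == "__main__":
    print(demo())
```

    Every path in the "added" and "modified" lists is worth a look, but the draft list of files and ports is where the test plan starts; the ESTABLISHED line is deliberately ignored because a connected socket is not a point of input.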

    There are six key points to keep in mind when auditing your software:

    • Older, untested components of a package are usually highly vulnerable if they contain unfamiliar or rarely used features.
    • New components that incorporate many new features and are rushed to waiting customers are usually highly vulnerable.
    • The larger the project (i.e., the more components it has), the more unmanageable the QA process becomes; therefore large applications are usually highly vulnerable.
    • Applications containing features that are very difficult to develop and implement are likely vulnerable.
    • If a component of the software is difficult for the developer to create, it is most likely very difficult for the QA engineer to test properly.
    • If the person who created the software does not prioritize security, or does not understand the basics of writing secure code, the software they create is most likely highly vulnerable.

    During your testing you should use a set of monitoring tools to scrutinize resource consumption, application faults and other changes in your environment. Having access to this information will allow you to notice and correlate subtler flaws in your target software. The more aware you are, the more you will notice; sometimes the biggest security holes in the world can be seen for only a split second.

    Since the time available for security auditing is usually limited, consider developing automated tools to handle such tasks. Automated and reusable test scripts will help you discover flaws that you might otherwise overlook, and will allow you to test many more pieces in the same amount of time. For those components that cannot be confidently tested with automated scripts, stick to a test plan of manual audits.
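
    One shape such a reusable test script can take, as an added example rather than code from the article or from eEye: a length-boundary probe run against a listening port, classifying each outcome as ok, error, fault (connection dropped without a reply) or timeout. Because it has to run stand-alone, it starts a constructed stub service in-process; the stub copies the request path into a fixed buffer whose size is an assumed 4096 bytes (the same figure as in the ColdFusion advisory below, but chosen here only for the demonstration), and a Python ValueError stands in for the native crash a real overflow would cause. The host, port, probe lengths and request format are likewise assumptions.

```python
import ctypes
import socket
import socketserver
import threading

BUFFER_SIZE = 4096  # assumed size of the stub's fixed path buffer


class StubHandler(socketserver.StreamRequestHandler):
    """Constructed, deliberately fragile target: copies the request path into a fixed buffer."""

    def handle(self):
        request_line = self.rfile.readline(65536)
        while self.rfile.readline(65536).strip():  # drain headers up to the blank line
            pass
        parts = request_line.split(b" ")
        if len(parts) < 3:
            self.wfile.write(b"HTTP/1.0 400 Bad Request\r\n\r\n")
            return
        buf = ctypes.create_string_buffer(BUFFER_SIZE)
        buf.raw = parts[1]  # ValueError once the path exceeds BUFFER_SIZE: stands in for a crash
        self.wfile.write(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")


class StubServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def handle_error(self, request, client_address):
        pass  # swallow the stub's traceback; the harness sees the dropped connection instead


def boundary_lengths(limit):
    """Path lengths worth trying around an assumed limit: just under, at, just over, well over."""
    return [limit - 1, limit, limit + 1, limit + 16, limit * 2]


def probe(host, port, length, timeout=2.0):
    """Send one request whose path is `length` bytes long and classify what comes back."""
    path = b"/" + b"A" * (length - 1)
    request = b"GET " + path + b" HTTP/1.0\r\nHost: target\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            reply = sock.recv(64)
        except socket.timeout:
            return "timeout"  # hung handler: worth a look under a debugger
        except ConnectionResetError:
            reply = b""
    if not reply:
        return "fault"  # peer closed without a status line: the handler died
    return "ok" if reply.startswith(b"HTTP/1.0 200") else "error"


def run_plan(host, port, limit):
    """Run the whole boundary plan and return {length: outcome} for later correlation."""
    return {n: probe(host, port, n) for n in boundary_lengths(limit)}


def demo():
    """Start the stub on a free loopback port, run the plan against it, shut it down."""
    server = StubServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_plan("127.0.0.1", server.server_address[1], BUFFER_SIZE)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for length, outcome in demo().items():
        print(f"path length {length:5d}: {outcome}")
```

    Each case uses a fresh connection so that one dropped handler cannot mask the next result, and the plan is a plain dictionary so the same script can be pointed at every port on the points-of-input list. Against a real target you would also watch the process table and event log between cases, as the monitoring advice above recommends; a "fault" here only tells you the handler went away, not why.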

    Vulnerabilities in software applications are among the most exploited, most unpredictable, and most widespread of all network security problems. Application security auditing is rarely a rewarding process, but is an absolutely necessary one in order to keep the users of your software secure and happy.

    Riley Hassell
    Security Research Associate
    eEye Digital Security

    News & Articles
    The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

    Network World - COMDEX Panel: Accept the Net is Vulnerable to Attack
    "Companies and home Internet users need to accept that the global computer network is inherently vulnerable to attacks, worms, trojans and anything else miscreants want to unleash on it, and then accept that securing the system is everyone's responsibility, a panel of security experts said Monday at the Comdex trade show." Full Article

    Washington Post - U.S. Government Flunks Computer Security Tests
    "The U.S. government has earned failing marks for computer security for the second year in a row, according to a report released today by a congressional oversight committee." Full Article

    BBC News - Hack Attacks on Rise in Asia
    "Hackers based in Indonesia and Malaysia have been launching digital attacks on neighboring countries, say computer security experts. October, the month in which a bomb exploded on the Indonesian island of Bali, has seen heightened cyber attacks in South East Asia and Oceania, according to a report from security firm mi2g." Full Article

    PC World - Microsoft Refutes Reports of Windows Flaws
    "Microsoft is responding to a report published last week by London-based security intelligence firm Mi2g that claims the Apple Macintosh operating system and certain varieties of Unix are less vulnerable to attack than the popular Windows and Linux operating systems." Full Article

    Reader Q&A

    Q: We're having performance issues with our web applications - what should we do?

    A: Assuming you've taken all the right steps in terms of checking for vulnerabilities with applications such as eEye's Retina Network Security Scanner, making sure systems and applications are all properly patched, and making sure there aren't any obvious hardware-related issues adversely affecting the applications, there are a variety of tools that can help you home in on potential application issues.

    Without more details on the application, configuration, and infrastructure, you may want to start by running a network traffic analysis product like eEye's Iris to perform some quick forensics on the traffic the application is receiving. Iris will enable you to visually monitor and reassemble all traffic at a network level and watch statistical information on the bandwidth and packet size distribution. This enables you to determine if the requests via HTTP or the network traffic are a contributing factor to poor performance.

    Another excellent product designed to improve the performance and reliability of web applications is IntegriTea from a company called TeaLeaf. Similar to Iris in its visual monitoring ability, IntegriTea tackles the problem from the end user's perspective by capturing and monitoring what the real user does and sees, recreating the problem in the context in which it occurred, and ultimately correlating the problem back to the user and the point where it originated.

    Give these products a try; they'll undoubtedly save you endless hours trying to recreate and dissect the problems on your own.

    Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

    Announcements

    Macromedia ColdFusion/JRun Remote SYSTEM Buffer Overflow
    Release Date: November 12, 2002
    Severity: High (Remote SYSTEM Level Code Execution)

    Description: Macromedia JRun and ColdFusion IIS ISAPI handlers contain various heap overflows when handling URI filenames. By supplying a filename over 4096 bytes in size, heap memory can be overwritten. Various structures in the process heap can be overwritten to gain control of the remote IIS process with SYSTEM-level access. This makes it rather simple for attackers to remotely compromise Microsoft IIS web servers running vulnerable versions of Macromedia ColdFusion or JRun. Full Article

    New Release: Enterprise Vulnerability Assessment Solution
    eEye has introduced the first truly end-to-end enterprise-ready vulnerability assessment and remediation management solution, through a seamless integration of its best-in-class Retina® Network Security Scanner technology with the sophisticated REM™ Remote Enterprise Management system. Designed specifically for customers with large and distributed networks, eEye's solution provides a complete vulnerability assessment and remediation process that enables organizations to control and manage the state of network security in a proactive and efficient fashion. This solution gathers security vulnerability events from Retina scanners positioned throughout the enterprise and reports them into a centralized management system. From a central console, these events can be automatically analyzed and delegated to IT staff for prompt remediation. Full Article

    Retina Wins the Network World 'Best of the Tests' Award
    Retina bests the security software category because of its speed and accuracy in pinpointing security holes in an enterprise network, its intuitive management interface, and its ability to fix some vulnerabilities as soon as they are pinpointed. Full Article

    New Version - Retina 4.9.32
    This version includes two new valuable audits: "No Remote Registry Access Available" and "System Not Responding on Forced Scan".

    These audits are used to notify the user when they do not have administrative privileges on a remote system that is being scanned. Several Retina checks rely on administrator level rights, but in the case when the user does not have these privileges, Retina will identify that the machine may not be getting a full audit. Full Article

    Etcetera

    Top 10 Vulnerabilities of the Month for November 2002
    More

    http://www.wired.com/news/conflict/0,2100,55967,00.html

    HOW TO SUBSCRIBE
    To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

    FEEDBACK
    The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

    DISCLAIMER
    The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

    NOTICE
    Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.