Codenomicon Newsletter



Codenomicon Newsletter 2009-12

Topics:

01

 

Fuzzing Market Continues Rapid Growth During Recession

Happy Holidays from the Codenomicon Team! We hope you have a Happy New Year and we look forward to working with you in 2010.

With the year 2009 coming close to its end, it is time to look back: how did the year go and what were we able to achieve? As we all know, the year has not been easy for any segment. However, product security is something that companies cannot really compromise. Together with the right R&D choices and operational effectiveness, this has made the year 2009 profitable for Codenomicon. Indeed, 2009 was the ninth consecutive growth year for Codenomicon. We are grateful to our customers for staying with us even during difficult times, and excited about all the new customers we have received.

In 2009, the major new releases were Defensics for XML, the "Security as a Service" bundle of solutions for advanced security audits, and the DEFENSICS Traffic Capture Fuzzer (featured later in this newsletter). All three have been major efforts, and the original requirements for these have stemmed from our current customer base. The ability to productize all three within 2009 has proven the power of our core technology and customer service, and the quality of our staff. The number of accomplished deals and ongoing evaluations has proven that there is a need for these tools and services, in addition to pointing out the attractiveness of these new use scenarios for fuzzing.

We are starting to see more and more organizations deploying security into their software development life-cycle, Microsoft being one of the leading examples. This is exactly the place where security needs to be taken care of to avoid extra development costs and brand damage. More and more security auditing companies have embraced fuzzing into their standard tool-chest. The approach of integrating fuzzing both into software development and security assessments in every step of the product life-cycle is comforting as it promises us all a better, more secure world in the future of communications.

With these, Codenomicon wishes all our customers and newsletter readers a Merry Christmas and a Happy New Year. Hyvää Joulua ja Onnellista Uutta Vuotta as we say in Finnish.

Tuija Postari-Kivistö
VP Operations Codenomicon

02

 

Zero Day Vulnerabilities

Zero-Day vulnerabilities are unknown vulnerabilities. In contrast to known flaws with ready patches and updates, vendors are unaware of the existence of these vulnerabilities, and therefore they are not prepared to fix them. All unpatched software flaws are security threats. Basically, any bug is a weakness in the system that can be exploited to attack a system or an application. Attackers send inputs to a system, and if they can get an abnormal response from the system, they continue to edit their inputs until they get the system to behave the way they want. However, Zero-Day bugs do not need to be exploited for criminal purposes to cause problems. Sometimes the bugs can be triggered by events like heavier than normal use, maintenance, or even a thunderstorm. A Zero-Day vulnerability is a ticking time bomb; it does not really matter what eventually sets it off. The important thing is to get rid of them.

Traditional software security solutions focus on scanning for previously known bugs. Even though some solutions apply heuristics and signature analysis to discover unknown bugs, the results they achieve are limited, because threat signatures can only be used to identify threats that are close to known threats. In effect, vulnerability scanners cannot really be used to protect systems against Zero-Day attacks, which exploit unknown vulnerabilities. The best way to guarantee security is to ensure that your code is well written. There is no use in trying to protect an impaired system with firewalls and anti-virus software. These merely add to the complexity of the system, and complexity is always a threat, because it increases the attack surface of the system.

DEFENSICS fuzzing tools enable testers to accurately simulate potential attacks, and to patch the found vulnerabilities before somebody else finds and exploits them. Fuzzers do what attackers do, but before them. By integrating fuzz testing into your software development process, you can discover flaws at the earliest possible moment. The earlier the bugs are discovered, the cheaper and easier it is to fix them. You can actually gain time and save money through preemptive security and robustness testing. Instead of racing against the clock to get your system to work again and spending valuable resources on calming down angry customers, you can discover flaws and create patches for them proactively, before any problems occur.

Remember, if it is a bug, fix it, don't try to protect it!

03

 

Codenomicon Defensics Featured Tool:

Traffic Capture Fuzzer

2009 has been an exciting year here at Codenomicon. This year we have been working with several distinct technology areas and released security testing solutions for them. Earlier this year we featured fuzzing solutions for Metro Ethernet, LTE core networks and XML, all of them groundbreaking solutions for their respective fields. The last but not least major product announcement for this year is Traffic Capture Fuzzing. Unlike the Metro Ethernet, LTE and XML solutions, which are targeted at very specific domains, the Defensics Traffic Capture Fuzzer is as generic and all-around as a fuzzing tool gets.

The Traffic Capture Fuzzer takes a real-life capture of network traffic and fuzzes it to find security problems in protocol interfaces. The traffic captures can be created with network analyzers, loaded from Internet repositories, or taken from commercial vulnerability feeds. One of the most common tools for any technical person working with protocols, whether in development, testing or security, is Wireshark. To use the Defensics Traffic Capture Fuzzer, all that is required is to capture the protocol sequence of interest with Wireshark or any other compatible tool and feed the capture to Defensics. Out comes a fuzz test set for the selected protocol layer(s) contained in the capture. And, true to the Defensics testing philosophy that for end-to-end security both clients and servers need to be tested, users can select which end of the system to test. If server testing is selected, the Traffic Capture Fuzzer acts as a client, and vice versa.

The Traffic Capture Fuzzer adds significant value in areas where Defensics model-based fuzzers are not available. These may include rarer standard protocols; however, since Defensics already provides model-based tests for over 150 protocols or interfaces, the primary use cases of the Traffic Capture Fuzzer are proprietary protocols. Often with proprietary protocols, specifications are unavailable, resources for in-house fuzzer development do not exist, or confidentiality considerations prevent contracting the development work. In such situations, the Traffic Capture Fuzzer is the ideal solution. Together with the Traffic Capture Fuzzer and the existing support for Layer 2 through Layer 7 fuzzing, Defensics is the most comprehensive protocol security testing solution available today.

More information:
http://www.codenomicon.com/defensics/traffic-capture-fuzzer/

04

 

Good practice guidance on Metro Ethernet (Layer 2) Security

Since 2008, the UK's Centre for the Protection of National Infrastructure (CPNI) and Codenomicon have jointly scrutinized and tested the security of Metro Ethernet technology and deployments. As a result, vendors were able to harden their devices, and good practice guidelines were released to assist anyone who owns, deploys or manages Ethernet devices; these are as relevant to small business as to large enterprise networks and carriers. Codenomicon provides world-leading security services whenever the complexity of the assessment environment goes beyond the traditional enterprise IT environment. So even if you are not directly interested in Metro Ethernet, you might find the report published by CPNI interesting. You can download the report here:

Good practice guidance - Considerations when deploying Layer 2 Ethernet switches (pdf)

During the project, the Defensics protocol coverage was improved to address all critical areas of modern Layer 2 Ethernet robustness challenges. All these tools are now generally available from Codenomicon.

In summary, CPNI recommends including security in the purchase process, especially in the phases involving product or service specification. The CPNI recommendation includes a large set of questions that you can pose to your vendors across industries, as they apply to basically all domains of communications. The second set of advice focuses on the installation and configuration of devices after purchase. One critical aspect is definitely awareness of topologies, attack surface, and system openness. The key aspect of security is understanding the technology you are using, and being able to configure it so that the risks are minimized.

05

 

Fuzzing Metrics: Introducing Attack Modifiers

There are several methods for calculating a numerical score for the severity of software vulnerabilities and attacks. In proactive security assessment, CWE (Common Weakness Enumeration) combined with the CVSS (Common Vulnerability Scoring System) metrics facilitates the prioritization of found vulnerabilities through impact analysis. On the reactive side, the CVE (Common Vulnerabilities and Exposures) list catalogues known vulnerabilities in a database, assigning each a unique identifier. CAPEC (Common Attack Pattern Enumeration and Classification) is used to identify attacks, i.e. each CVE entry can have many types of attacks exploiting the individual vulnerability.

Codenomicon has developed a complementary scoring technique, called the attack modifier.

Attack modifiers are based on metrics that are useful for identifying the technical difficulty of performing a successful attack exploiting a specific vulnerability. The harder it is to perform an attack, the less serious the vulnerability is. Attack modifiers are easily calculated from the protocol models used in fuzzing tools, based on the location of the anomaly in the model itself and on the features or categories of the anomaly.

Our users can use attack modifiers to estimate how difficult it is for an attacker to exploit a found vulnerability and how serious a found flaw is.

Attack modifiers are calculated from several sub-components, where each component gives a value for one aspect that influences the technical difficulty of a possible attack and/or affects the seriousness of a potential flaw. All components are easily understood and come with simple descriptions, so that the person responsible for risk assessment can readily interpret the resulting attack modifier values.

Attack modifiers are calculated for each test case. A sample attack modifier is presented below (Codenomicon TLS server test suite):

  • Cryptographic calculations required -30
  • First sent message without preliminary setup, easy to fuzz +30
  • Layered protocol architecture -10
  • Enclosing length value must be calculated -5

Attack modifier = -15

Attack modifier values are around zero for "normal errors". A flaw with an attack modifier value below zero may be considered hard to exploit, while a flaw with an attack modifier value above zero may be considered easy to exploit.
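To make the scoring concrete, here is a small Python implementation of the attack modifier calculation and interpretation described above. It is an added example, not Codenomicon's or Defensics' own code: the four component descriptions and weights are taken from the TLS server sample in this newsletter, while the feature keys, the constructed anomaly records and the prioritization helper are assumptions made for illustration.

```python
# Attack modifier scoring as outlined in the newsletter: each sub-component
# describes one aspect of an anomaly that makes exploitation harder (negative
# weight) or easier (positive weight); the attack modifier is their sum.
# Added example, not Codenomicon's own code. The component descriptions and
# weights are the newsletter's TLS server sample; the feature keys, the
# sample anomaly records and prioritize() are assumptions.

COMPONENTS = {
    # feature key          (description, weight)
    "crypto_required": ("Cryptographic calculations required", -30),
    "first_message": ("First sent message without preliminary setup, easy to fuzz", +30),
    "layered_protocol": ("Layered protocol architecture", -10),
    "enclosing_length": ("Enclosing length value must be calculated", -5),
}


def attack_modifier(features):
    """Return (total, breakdown) for the feature keys that apply to one anomaly.

    Unknown keys raise, so a typo in a model annotation cannot silently drop
    a component and make a flaw look easier or harder than it is.
    """
    unknown = set(features) - COMPONENTS.keys()
    if unknown:
        raise ValueError(f"unknown attack modifier component(s): {sorted(unknown)}")
    breakdown = [COMPONENTS[key] for key in COMPONENTS if key in features]
    total = sum(weight for _, weight in breakdown)
    return total, breakdown


def classify(modifier):
    """Interpret a modifier as the newsletter does: below zero is hard to
    exploit, above zero easy to exploit, zero itself a 'normal error'."""
    if modifier < 0:
        return "hard to exploit"
    if modifier > 0:
        return "easy to exploit"
    return "normal error"


def prioritize(test_cases):
    """Order failed test cases so the easiest-to-exploit ones are reviewed first.

    test_cases: iterable of (name, set of feature keys).
    Returns [(name, modifier, label), ...] sorted by descending modifier.
    Assumed helper for risk triage; not part of the newsletter.
    """
    scored = []
    for name, features in test_cases:
        total, _ = attack_modifier(features)
        scored.append((name, total, classify(total)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample: the first record reproduces the newsletter's TLS server
# example (-30 +30 -10 -5 = -15); the other two are invented for comparison.
SAMPLE_CASES = [
    ("tls-server: anomaly inside an encrypted handshake record",
     {"crypto_required", "first_message", "layered_protocol", "enclosing_length"}),
    ("plaintext-proto: overlong field in the first client message",
     {"first_message"}),
    ("plaintext-proto: bad length in a nested TLV of the first message",
     {"first_message", "enclosing_length"}),
]

if __name__ == "__main__":
    for name, modifier, label in prioritize(SAMPLE_CASES):
        print(f"{modifier:+4d}  {label:16s}  {name}")
```

Running the script lists the three constructed cases with the +30 plaintext anomaly first and the TLS sample (-15, hard to exploit) last, which is the order a risk assessor would want to work through them.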

For more details and examples, please see the Defensics documentation on the recently deployed D3 test suites.

06

 

Follow Codenomicon In Social Media

Be sure to visit Codenomicon Labs Backstage! https://backstage.codenomicon.com

Codenomicon Labs Backstage is an online user community for Codenomicon testing technology users and the people who are part of our ecosystem, including Codenomicon's OEM, services and channel partners. Through Backstage we offer a flexible environment to interact with Codenomicon and with other Codenomicon users, easy access to additional documentation, and private groups to collaborate with the help of the latest Web 2.0++ technology.

Facebook
http://www.facebook.com/pages/Codenomicon/113411941112

Twitter
http://twitter.com/codenomiconLTD

07

 

See Codenomicon At Events

Codenomicon is currently scheduling its conference calendar for 2010; please check the latest status at:

http://www.codenomicon.com/news/events.shtml

The events we recently attended that were not mentioned in the last newsletter:

MAE 2009

  • November 10, 2009 - Reading, UK
  • Exhibiting (with Emenda)
  • MAE is focused on the defense industry, which is one of the key success markets for Codenomicon.

Eurostar 2009

  • November 30 - December 3, 2009 - Stockholm, Sweden
  • Speaker: Ari Takanen
  • Eurostar is one of the key testing events in Europe.

Cisco Toolapalooza India 2009

  • December 15 - 17, 2009, Bangalore, India
  • Exhibiting
  • Speaker: Juha Korju
  • All the coolest and most innovative QA tools in the world come together here.

08

 

Latest News

For latest news from Codenomicon, see:
http://www.codenomicon.com/news/