"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code.

We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.

If you're serious about implementing protocols correctly, you need the Codenomicon tools."

-- Jeremy Allison,
   Co-creator of Samba



Unknown Vulnerability Management

Introduction

In most cyber attacks, access to the system or device is enabled by a vulnerability in code. Thus, a top security priority should be finding and fixing vulnerabilities in both in-house and third-party developed code. Vulnerability management is often understood as scanning for known vulnerabilities, but finding the unknown vulnerabilities is equally important.

"Unknown zero-day vulnerabilities are the greatest threat to Enterprise networks. The Unknown Vulnerability Management process introduced by Codenomicon enables you to find and mitigate these weaknesses proactively" - Ari Takanen, CTO of Codenomicon.

There are two types of vulnerabilities: known and unknown. Known vulnerabilities have already been found and reported. The best way to keep up with known vulnerabilities is to subscribe to regular security updates from comprehensive vulnerability databases. These databases aggregate reported vulnerabilities, leaving you to determine which of them apply to your systems. Unknown vulnerabilities are vulnerabilities that have not yet been found. New technologies and proprietary code extensions in particular are often riddled with unknown vulnerabilities, but mature technologies are not immune either.

One of the most effective ways to discover unknown vulnerabilities is fuzzing, a form of attack simulation in which the target is fed abnormal inputs (malformed, truncated, oversized or otherwise out-of-specification messages) and monitored for crashes, hangs and other unexpected failures. Each such failure points at a vulnerability that no known-vulnerability scanner could have reported.

Fuzzing is also the core technology behind Codenomicon's Unknown Vulnerability Management tools, which help organizations discover unknown vulnerabilities proactively and so gain time to fix them before they are publicly exposed. Proactive testing is the most effective form of vulnerability management, because the earlier vulnerabilities are discovered, the easier and cheaper they are to fix.

Unknown Vulnerability Management is not restricted to testing during development. Managing security updates, verifying patches, system integration and network monitoring are all essential parts of Unknown Vulnerability Management. Fixing vulnerabilities not only serves a security purpose, it also improves the Quality of Service.

With the help of Codenomicon's Unknown Vulnerability Management tools, your company can become an industry leader by providing the most secure and reliable products and services.

Download the full whitepaper from here:
http://www.codenomicon.com/resources/whitepapers/codenomicon-wp-unknown-vulnerability-management-20101019.pdf

Codenomicon UVM Process

The Codenomicon Unknown Vulnerability Management Lifecycle is a security and quality assurance process. The aim of the process is to ensure the security and robustness of both in-house and third-party software products by finding and fixing unknown vulnerabilities. Through Unknown Vulnerability Management, organizations can gain more control over the security of their systems and devices and reduce the impact of unknown vulnerabilities.

The Unknown Vulnerability Management process consists of four phases: Analyze, Test, Report and Mitigate. The following explains how Codenomicon's automated fuzzing and network analysis tools can be used to manage unknown vulnerabilities.


Figure 1: Unknown Vulnerability Management Process

Phase 1: Analyze

Use the Codenomicon Network Analyzer to map real network traffic and to determine what needs to be tested within your network.

Organizations typically have complex networks with more exposed interfaces than they are aware of. These interfaces can be revealed by recording and analyzing real traffic in the network. The Codenomicon Network Analyzer records traffic at multiple points in your network and automatically creates visualizations illustrating different aspects of the captured data. You can drill down from high-level visualizations to the corresponding packet data, also in real time, to reveal hidden interfaces and even possible exploit traffic. The protocols and interfaces found this way are the input to the Test phase: they define what needs fuzzing.

For more information, see: www.codenomicon.com/analyzer

Phase 2: Test

Run multiple Defensics test suites simultaneously and discover both known and previously unknown vulnerabilities with unparalleled efficiency.

The Defensics product family includes over 200 model-based fuzzers and the all-purpose XML, traffic capture and file format fuzzers, which can be used to test any XML application, communication protocol and file format. The model-based fuzzers use the protocol specification to aim anomalies at the fields and states most susceptible to vulnerabilities (length fields, counts, string encodings, optional elements), which reduces the number of test cases needed without compromising coverage. Because the test suites implement the protocol's message sequences rather than replaying isolated packets, they can carry on a genuine exchange with the device under test, which lets the fuzzers reach protocol states that a blind fuzzer never gets to and trigger even harder-to-reach vulnerabilities.

For more information, see: www.codenomicon.com/defensics

Phase 3: Report

Codenomicon test suites generate different reports for different audiences.

Management reports provide a high-level overview of the test execution. The log files and spreadsheets help in identifying troublesome tests and minimizing false negatives. The extensive test case documentation can be augmented with PCAP traffic recordings for easy technical analysis of individual tests. Finally, all important information can automatically be collected into a Remediation Package, which can be sent to third parties for automated reproduction.

Phase 4: Mitigate

Use the automatic features Defensics provides to quickly and easily reproduce vulnerabilities, perform regression testing and verify patches.

The Codenomicon Defensics test suites automatically generate reports which contain CWE values for the found vulnerabilities and direct links to the test cases that triggered them. The CWE values classify the type of weakness (for example an out-of-bounds read versus a resource exhaustion), which helps testers judge impact and decide which vulnerabilities should be fixed first. Defensics also makes it easier to identify the test cases that triggered a vulnerability, to reproduce it and to verify the patch. The test case documentation can be used to create tailored IDS rules to detect or block possible zero-day attacks.

Collaborate

Manage tests carried out in multiple locations, process test results and coordinate the repair process in the Collab environment.

In companies and organizations, the testing resources are often spread across geographical locations. The Codenomicon collaboration platform enables users to remotely access the same system, so that they can execute the same tests, share results and other documentation, and reproduce the same vulnerabilities.

Services

Codenomicon also provides a number of security services ranging from creating custom tools to trial tests and coordinating the process of fixing the found vulnerabilities.

For more information, see: www.codenomicon.com/services

Benefits of UVM

Firewalls and anti-virus software cannot substitute for fixing a vulnerable system or application. They add to the complexity of the system, and complexity is always a threat, because it increases the attack surface. For example, if attackers manage to compromise another user in your VPN network, they gain direct entry into your network behind the perimeter firewall. Unknown Vulnerability Management focuses on solving the root cause of security issues by fixing vulnerabilities. By doing things right from the start you can also gain additional benefits.


Figure 2: Threats within an Enterprise Network

Save Resources

The most critical requirement for security testing is test coverage: it determines how many of the vulnerabilities still hiding in the software are found proactively. The earlier vulnerabilities are found, the easier and cheaper they are to fix and the more thorough the fixes are. Moreover, if vulnerabilities are fixed before the software is released, those vulnerabilities are never available for attackers to exploit.

No more Patch Rat Race

By finding and mitigating security issues proactively, you can avoid getting stuck in the endless rat race of deploying yet another patch before attackers can create an exploit. By managing unknown vulnerabilities, you can anticipate upcoming patch releases, and patch deployment no longer has to be a constant crisis management process. You can notify your customers of upcoming patch releases in advance and deploy all patches in one big push as a well-planned security initiative. After all, downtime is always costly.

Extending Vulnerability Feeds

With the Defensics Traffic Capture Fuzzer you can generate tests from different types of vulnerability feeds and test systems more thoroughly and earlier. Vulnerability feed providers deliver security advisories and vulnerability information to their customers. Sometimes the actual exploits are provided as PCAP traffic recordings. In many cases the vulnerability feed contains only general information about how to reproduce the vulnerability; in those cases you can reproduce the issue yourself and use the Codenomicon Network Analyzer to capture and save the traffic as a PCAP for later regression testing.

Build Defenses against Zero Day Attacks

The attack surface revealed in the Analyze phase can be narrowed with firewalls. When blocking an interface is impossible, the millions of test cases generated by Codenomicon Defensics come with extensive documentation to assist you in writing tailored IDS rules. Defensics automates the testing of those defenses with an extensive set of variations of the real-life attack scenarios it has generated, or that you have received from third-party databases. Reproducing the attack scenarios with Defensics is a very useful method of testing how well IDS/IPS systems and firewalls detect and block both the original attack and variations of it; a rule written from the bytes of one published exploit typically catches that exploit and little else.
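The point about testing IDS rules against variations, as an added example that is not part of the original whitepaper and is not Codenomicon or Defensics code: a toy length-prefixed protocol (magic, type, big-endian length, payload) is constructed here for illustration, along with a forged "original attack" message and two candidate detection rules. The first rule mimics a byte-level signature written from the published exploit (in the spirit of a Snort content match at a fixed offset); the second checks the protocol semantics. The `variations()` function plays the role of the fuzzer producing neighbouring cases, and `missed_by()` reports which of them each rule lets through. All names and the wire format are assumptions.

```python
"""Checking a detection rule against variations of a published attack, not just the original.
Added example for this page, not Codenomicon code; the toy protocol and rules are constructed."""
import struct

# Constructed toy wire format: magic(2) | type(1) | payload_len(2, big-endian) | payload
MAGIC = b"\xCA\xFE"
MAX_PAYLOAD = 64


def build_message(msg_type, payload, declared_len=None):
    """Encode a message; declared_len lets us forge the length field."""
    if declared_len is None:
        declared_len = len(payload)
    return MAGIC + bytes([msg_type & 0xFF]) + struct.pack(">H", declared_len & 0xFFFF) + payload


# The "original attack" as a vendor advisory or PCAP might deliver it: a 5-byte payload
# with the length field forged to 0xFFFF.
ORIGINAL_ATTACK = build_message(1, b"hello", declared_len=0xFFFF)


def rule_byte_signature(pkt):
    """Signature written from the exploit bytes, Snort-style: content |ff ff| at offset 3, depth 2."""
    return pkt[3:5] == b"\xFF\xFF"


def rule_length_anomaly(pkt):
    """Protocol-aware rule: flag any message whose length field cannot be right."""
    if len(pkt) < 5 or pkt[:2] != MAGIC:
        return False                       # not this protocol; other rules handle it
    (declared,) = struct.unpack(">H", pkt[3:5])
    return declared > MAX_PAYLOAD or declared != len(pkt) - 5


def variations(original):
    """Variants an attacker (or a fuzzer) would try against the same weakness."""
    msg_type, payload = original[2], original[5:]
    (declared,) = struct.unpack(">H", original[3:5])
    return {
        "original": original,
        "len-1": build_message(msg_type, payload, declared_len=declared - 1),
        "len=payload+1": build_message(msg_type, payload, declared_len=len(payload) + 1),
        "len=bufsize+1": build_message(msg_type, payload, declared_len=MAX_PAYLOAD + 1),
        "other-type": build_message(msg_type ^ 0x01, payload, declared_len=declared),
        "other-payload": build_message(msg_type, b"world", declared_len=declared),
        "overlong": build_message(msg_type, b"A" * (MAX_PAYLOAD + 16)),
    }


def missed_by(rule, variants):
    """Names of the variants the rule fails to flag: the gaps an attacker would walk through."""
    return sorted(name for name, pkt in variants.items() if not rule(pkt))


if __name__ == "__main__":
    v = variations(ORIGINAL_ATTACK)
    print("byte signature misses:", missed_by(rule_byte_signature, v))
    print("length-anomaly rule misses:", missed_by(rule_length_anomaly, v))
    print("valid traffic flagged:", rule_length_anomaly(build_message(1, b"hello")))
```

Run stand-alone, the byte signature catches the original and the two variants that keep the forged 0xFFFF length, but misses every variant that changes the length value, while the length-anomaly rule flags all of them and still passes a well-formed message. That is the check worth automating for every rule derived from a single exploit sample.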

Better Patches

By investigating security issues proactively, you gain more time to create better patches and to test them. Vendors usually create patches under considerable time pressure, and sometimes the quality of the patches suffers. With Codenomicon's Defensics fuzzers you can verify the quality of patches by testing them with variations of the original attack: a fix that only rejects the exact reported input often leaves the neighbouring cases open, and even slight variations of the original attack can trigger new vulnerabilities.
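The Test, Mitigate and Better Patches passages above describe one workflow: generate anomalies from a protocol model, treat anything other than a clean parse or a graceful rejection as a finding, reproduce the finding from its test case, and re-run the variations against the patch. The following is an added example of that workflow, not part of the original whitepaper and not Defensics code. It constructs a toy length-prefixed protocol, a deliberately naive parser in which Python's IndexError and struct.error stand in for a native crash (the weakness classes are CWE-130, improper handling of length parameter inconsistency, leading to CWE-125 out-of-bounds read or CWE-787 out-of-bounds write), a hurried patch that handles only the reported case, and a proper fix. All names, the wire format and the 64-byte buffer size are assumptions.

```python
"""Model-based fuzzing of a toy length-prefixed protocol, with crash triage and patch
verification. Added example for this page, not Codenomicon/Defensics code; the protocol,
parsers and buffer size are constructed for illustration."""
import struct
from typing import List, Optional, Tuple

# Constructed toy wire format: magic(2) | type(1) | payload_len(2, big-endian) | payload
MAGIC = b"\xCA\xFE"
MAX_PAYLOAD = 64          # size of the fixed receive buffer in the "native" parser


class ParseError(Exception):
    """Graceful rejection of malformed input: the behaviour we want to see."""


def build_message(msg_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a message; declared_len lets the model deliberately lie about the length."""
    if declared_len is None:
        declared_len = len(payload)
    return MAGIC + bytes([msg_type & 0xFF]) + struct.pack(">H", declared_len & 0xFFFF) + payload


def parse_unpatched(msg: bytes) -> Tuple[int, bytes]:
    """Naive parser that trusts the declared length (CWE-130 leading to CWE-125/CWE-787).
    IndexError or struct.error here stands in for a crash of a native implementation."""
    if msg[:2] != MAGIC:
        raise ParseError("bad magic")
    msg_type = msg[2]
    (declared_len,) = struct.unpack(">H", msg[3:5])
    buf = bytearray(MAX_PAYLOAD)           # fixed-size buffer, like a C stack array
    for i in range(declared_len):
        buf[i] = msg[5 + i]                # reads past the message / writes past the buffer
    return msg_type, bytes(buf[:declared_len])


def parse_patched_narrowly(msg: bytes) -> Tuple[int, bytes]:
    """Hurried vendor fix for the reported case only (declared length > buffer)."""
    if msg[:2] != MAGIC:
        raise ParseError("bad magic")
    msg_type = msg[2]
    (declared_len,) = struct.unpack(">H", msg[3:5])
    if declared_len > MAX_PAYLOAD:
        raise ParseError("payload too large")
    buf = bytearray(MAX_PAYLOAD)
    for i in range(declared_len):
        buf[i] = msg[5 + i]                # still reads past the end of a short message
    return msg_type, bytes(buf[:declared_len])


def parse_hardened(msg: bytes) -> Tuple[int, bytes]:
    """Proper fix: validate every field against both the buffer and the bytes actually present."""
    if len(msg) < 5:
        raise ParseError("truncated header")
    if msg[:2] != MAGIC:
        raise ParseError("bad magic")
    (declared_len,) = struct.unpack(">H", msg[3:5])
    payload = msg[5:]
    if declared_len > MAX_PAYLOAD:
        raise ParseError("payload too large")
    if declared_len != len(payload):
        raise ParseError("length field disagrees with wire length")
    return msg[2], payload


def generate_test_cases() -> List[Tuple[str, bytes]]:
    """Model-based generation: anomalies aimed at specific fields instead of random bytes."""
    payload = b"hello"
    valid = build_message(1, payload)
    cases = [("valid", valid)]
    # Length field: boundary values around the wire length and the buffer size.
    for declared in (0, len(payload) - 1, len(payload) + 1, MAX_PAYLOAD, MAX_PAYLOAD + 1, 0xFFFF):
        cases.append((f"len={declared}", build_message(1, payload, declared_len=declared)))
    # Truncation: every prefix of the header.
    cases += [(f"trunc={n}", valid[:n]) for n in range(5)]
    # Honest length field but payload larger than the receive buffer.
    cases.append(("overlong", build_message(1, b"A" * (MAX_PAYLOAD + 16))))
    cases.append(("bad-magic", b"\x00\x00" + valid[2:]))
    return cases


def run_suite(parser, cases) -> List[Tuple[str, str]]:
    """Execute every case. A ParseError is a pass; any other exception is a crash finding."""
    findings = []
    for name, msg in cases:
        try:
            parser(msg)
        except ParseError:
            continue
        except Exception as exc:           # the oracle: unexpected failure == crash
            findings.append((name, type(exc).__name__))
    return findings


def reproduce(parser, cases, name: str) -> Optional[str]:
    """Re-run one named case (what a remediation package carries): crash type, or None."""
    try:
        parser(dict(cases)[name])
    except ParseError:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    suite = generate_test_cases()
    for label, parser in (("unpatched", parse_unpatched),
                          ("narrow patch", parse_patched_narrowly),
                          ("hardened", parse_hardened)):
        found = run_suite(parser, suite)
        print(f"{label:13s}: {len(found)} crash(es) {[n for n, _ in found]}")
    print("reproduce len=6 on narrow patch:", reproduce(parse_patched_narrowly, suite, "len=6"))
```

Run stand-alone, the unpatched parser crashes on every oversized or truncated case, the narrow patch stops the reported 0xFFFF case and the overlong payload but still crashes when the declared length is only slightly larger than the bytes actually on the wire (or when the header itself is truncated), and only the hardened parser passes the whole suite. The same suite then serves as the regression test for the next release.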

Better Service

Codenomicon's Unknown Vulnerability Management is not just about making systems more robust and secure to prevent exploits and liability issues, it is also about improving sales and company reputation by providing customers better quality services.