Wouldn’t it be nice if we could measure the application security skills of our developers?






  • Well … Yes

  • SANS and many other organizations have recognized the need for such a measure

  • SANS, with the help of many others including OWASP, is building a way to do it

      • See the press release: http://www.sans-ssi.org/ssi_press.pdf


The SANS (SysAdmin, Audit, Network, Security) Institute is a U.S. based company that


    • Provides Information Security Training
    • IT Security Certifications (GIAC)
    • IT Security Research, Policy, Community
    • Publishes the SANS Top 20
      • Which is what the OWASP Top 10 is modeled after
    • And now the SANS Software Security Institute (www.sans-ssi.org)
  • Check out www.sans.org for more details



A battery of language specific secure coding exams for programmers


    • C and Java/J2EE – first target languages
      • Free practice tests available
    • C++, .NET, PHP and Perl to follow
  • Each test will include

    • General application security questions
    • Language specific secure coding questions
    • Tests will be generated from a large bank of questions per language


Consider the following program:

  • The program (the header name inside the original #include was lost in extraction; stdio.h is the one snprintf and printf require):

      #include <stdio.h>

      void usage(char *ptCommand) {
          char usageInfo[1023];
          snprintf(usageInfo, 1023, "Usage: %s \n", ptCommand);
          printf(usageInfo);
      }

      int main(int argc, char *argv[]) {
          if (argc < 2)
              usage(argv[0]);
      }

  • Q1. If in the above code argv[0] may be provided by a malicious user, what security problem can the code have?

    A. Format string vulnerability
    B. Out-of-bound array write
    C. String null-termination error
    D. String truncation

  • The candidate is asked to find the best answer, not the only right answer.
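To make the weakness in the sample question concrete, here is an added example (written for this page, not part of the SANS or OWASP material) that places the slide's usage() pattern beside a fixed version and runs both on a constructed argv[0]. So that the demonstration is safe to execute, the final printf-family call writes into a caller-supplied buffer via snprintf instead of printf; the format-string handling is identical. The function names usage_vulnerable, usage_fixed and contains_format_directive are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: mirrors the slide. The message built from ptCommand is then
 * used as the FORMAT argument of a printf-family call, so any %-directive
 * that the attacker places in argv[0] is interpreted: "%x" leaks stack
 * contents, "%n" writes to memory. */
int usage_vulnerable(const char *ptCommand, char *out, size_t outsz) {
    char usageInfo[1023];
    snprintf(usageInfo, sizeof usageInfo, "Usage: %s \n", ptCommand);
    /* BUG: attacker-influenced string used as the format string. */
    return snprintf(out, outsz, usageInfo);
}

/* Fixed: the format string is a constant and the built message is passed
 * only as data, so '%' characters in ptCommand are copied literally. */
int usage_fixed(const char *ptCommand, char *out, size_t outsz) {
    char usageInfo[1023];
    snprintf(usageInfo, sizeof usageInfo, "Usage: %s \n", ptCommand);
    return snprintf(out, outsz, "%s", usageInfo);
}

/* Cheap pre-flight check a reviewer or test harness can apply to untrusted
 * input that is about to reach a format argument: returns 1 if the string
 * contains anything printf would treat as the start of a directive. */
int contains_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

int main(void) {
    /* Constructed argv[0]. "%%" is the one directive that is safe to run
     * through the vulnerable path because it consumes no argument; "%x" or
     * "%n" would be undefined behaviour, which is the whole point. */
    const char *argv0 = "50%%off";
    char vuln[128], fixed[128];

    usage_vulnerable(argv0, vuln, sizeof vuln);
    usage_fixed(argv0, fixed, sizeof fixed);

    /* The vulnerable path collapses "%%" to "%": the input was interpreted. */
    printf("vulnerable: %s", vuln);   /* Usage: 50%off  */
    printf("fixed:      %s", fixed);  /* Usage: 50%%off */
    printf("directive present: %d\n", contains_format_directive(argv0));
    return 0;
}
```

The difference in output is the tell: the vulnerable path consumed a directive from attacker-controlled text, the fixed path did not. In the real program the sink is printf, so the same input with "%x" or "%n" reads or writes process memory rather than merely dropping a character; that is why answer A is the best answer to Q1 even though the snprintf into a 1023-byte buffer also truncates long command names (answer D).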



Allow employers to rate their programmers' security skills

    • Help buyers measure the secure programming skills of suppliers
    • Allow programmers to identify their gaps
    • Allow employers to evaluate job candidates and consultants
    • Encourage universities to teach secure coding
    • Help individuals and organizations compare their skills to others
    • See: http://www.sans-ssi.org/#pgoals


More than 400 organizations polled in October, 2006, said they will use the exams.


  • 83.7%: to identify our programmers' secure programming gaps

  • 62.1%: to ensure consultants and vendors have security-skilled programmers

  • 60.1%: to evaluate programming candidates

  • 57.4%: to select people with skills for critical projects

  • 44.1%: to persuade universities to bake security into core programming courses

  • 38.9%: to compare our programmers to others in our industry

  • Also cited: to give our customers confidence that we deliver products that include code written by certified secure programmers



Randy Marchany, Ruiliang Chen, and Professor Jung Min Park of Virginia Tech.


  • Professor Matt Bishop of UC Davis, author of “Computer Security: Art and Science”

  • Ed Tracy of Booz Allen Hamilton

  • Steve Christey of MITRE, editor of the CVE project

  • Ryan Berg and Jack Danahy of Ounce Labs

  • Professor James Walden of Northern Kentucky University

  • Brian Chess and Eric Cabetas of Fortify Software

  • Bryan Sullivan and a large team at SPI Dynamics

  • Danny Allen and Karl Snider of Watchfire

  • Andrew Van der Stock and Jeff Williams of Aspect Security and OWASP 

  • Mandeep Khera of Cenzic



Identify the key vulnerabilities and the programming errors that caused them


  • Draft rules that would have avoided them

  • Group the rules into categories/tasks

  • Rank the tasks on criticality, importance, and frequency to determine question counts

  • Draft questions

  • Vet questions

  • Work with MITRE and the CWE program to keep them current



SANS plans to sponsor a new $5K OWASP Spring of Code project to develop questions

    • This is in addition to all the other projects already announced
  • Dinis Cruz is soliciting proposals for this now

    • Please consider a submission!!


For certification: proctored three times a year, partnering with colleges around the world (pilot in August in Washington)


  • For assessment in large organizations – the enterprise edition – online

  • For assessment for all others – the open edition – online

    • See: http://www.sans-ssi.org/#deployment
  • How is disclosure of the question bank avoided?

    • Thousands of questions, constantly changing


Help make the tests better


    • Blueprints
    • Questions
  • University partners

    • Test administration site
    • Teaching courses for students and local industry
  • Enterprise partners



Required


  • Optional

    • Work with universities to encourage them to include secure coding (initiative launched)
    • Use the exam for assessments
    • Get people certified
    • A few of the partners: Siemens, Tata (60,000 programmers), Juniper, Symantec, ABN AMRO, Intel


Test Blueprints and Practice Tests, Top Three Errors, Press coverage, Critics’ Page, more


    • www.sans-ssi.org
  • Email for participation

    • spa@sans.org
  • OWASP Spring of Code Submission for SPSA Question Generation Project

    • www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications


