Michael Kass
Information Technology Laboratory
National Institute of Standards and Technology
http://samate.nist.gov
michael.kass@nist.gov

OWASP AppSec DC
October 2005
The OWASP Foundation
http://www.owasp.org/

This is a work of the U.S. Government and is not subject to copyright protection in the United States.
SAMATE Goals:
- select tool class and functions
- focus group
- functional specification
- test plan
- test suite
"External" Tools
- Network Scanners
- Web Application Scanners
- Web Services Scanners
- Dynamic Analysis Tools

"Internal" Tools

Much of the information in the Software Security Tool Taxonomy is derived from the DISA Application Security Assessment Tool Survey, July 2004, to be published as a DISA STIG.
OWASP AppSec DC 2005 5
Network Scanners
Remotely scan targeted machines, performing port scans, and probing for vulnerabilities known in operating systems and third party network software.
RDS requirements:
- networked testbed
- customize-able deployment environment for vulnerability scenarios
Web Application Scanner Functions
RDS requirements:
- HTTP(S) server with applications having known security flaws and vulnerabilities
- networked testbed
- customize-able deployment environment for vulnerability scenarios
Web Services Scanner Functions
RDS requirements:
- a networked testbed of web services with known security flaws and vulnerabilities
- networked testbed
- customize-able deployment environment for vulnerability scenarios
- test case documentation against a functional specification for web services scanner SA tools
Dynamic Analysis Tool Functions
RDS requirements:
- a testbed of applications with known security flaws and vulnerabilities
- virtual environment (sandbox)
- customize-able operating environment to create vulnerability scenarios
- test case documentation against a functional specification for dynamic analysis SA tools
Software Requirements Verification Tool Functions
RDS requirements:
- a corpus of application requirement documents that introduce security vulnerabilities into application design and/or implementation
- test case documentation against a functional specification for
Design/Model Verification Tool Functions
RDS requirements:
- a corpus of design documents that introduce security vulnerabilities into application design and/or implementation
- test case documentation against a functional specification for design/model verification SA tools
Compilers
Choosing "type safe" compilers, or extending the capability of some compilers, can provide an additional level of software security (although not guaranteed).
Some security functions of "extended compilers" include:
RDS requirements:
- a testbed of applications with known security flaws and vulnerabilities
- a virtual test environment
- customize-able operating environment to create vulnerability scenarios
Static Source Code Analysis Tools
RDS requirements:
- a corpus of source code examples with known security flaws and vulnerabilities
- test case documentation against functional specification for source code analysis SA tools
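The SAMATE goals above (functional specification, test plan, test suite) and the recurring RDS requirement of "test case documentation against a functional specification" describe a scoring loop: a reference dataset whose test cases carry documented, known flaws, a tool run over that dataset, and a comparison of the tool's findings with the documentation. The script below is an added illustration of that loop, not SAMATE's own tooling or data: the manifest, flaw class names, file names and tool findings are all constructed, and the matching rule (same file, same flaw class, reported line within a tolerance of the documented line) is an assumption chosen for the example. Clean control cases with no documented flaw are included so that false positives are measured, not only detection rate.

```python
"""Scoring a source code analysis tool against a reference dataset of
documented flaws. Hypothetical example: manifest, flaw classes, file names
and tool output are constructed for illustration, not taken from SAMATE."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flaw:
    """One documented flaw in a test case: flaw class and the line it lives on."""
    flaw_type: str
    line: int


@dataclass
class TestCase:
    """A test-case record in the reference dataset manifest (constructed)."""
    name: str
    flaws: tuple  # () marks a deliberately clean control case


# Functional specification: flaw classes a tool in this class is expected
# to detect (constructed list).
SPEC_FLAW_TYPES = ("buffer-overflow", "format-string", "sql-injection")

# Constructed reference dataset manifest.
MANIFEST = [
    TestCase("strcpy_unbounded.c", (Flaw("buffer-overflow", 12),)),
    TestCase("printf_user_fmt.c", (Flaw("format-string", 8),)),
    TestCase("login_query.c", (Flaw("sql-injection", 21), Flaw("buffer-overflow", 30))),
    TestCase("strncpy_bounded.c", ()),      # clean control: bounded copy
    TestCase("printf_literal_fmt.c", ()),   # clean control: literal format string
]

# Constructed tool output: (test case file, flaw class, reported line).
TOOL_FINDINGS = [
    ("strcpy_unbounded.c", "buffer-overflow", 12),
    ("login_query.c", "sql-injection", 22),       # one line off: still a match
    ("login_query.c", "buffer-overflow", 30),
    ("strncpy_bounded.c", "buffer-overflow", 9),  # false positive on a control case
]


def ratio(num, den):
    """Safe division for precision/recall (0.0 when there is nothing to count)."""
    return num / den if den else 0.0


def score(manifest, findings, line_tolerance=1):
    """Match tool findings to documented flaws; tally TP/FP/FN per flaw class.

    A finding is a true positive when file and flaw class match a documented
    flaw and the reported line is within `line_tolerance` of the documented
    line. Each documented flaw can be claimed at most once; documented flaws
    left unclaimed are false negatives.
    """
    tally = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0})
    unclaimed = {tc.name: set(tc.flaws) for tc in manifest}
    for fname, ftype, line in findings:
        if fname not in unclaimed:
            raise ValueError(f"finding refers to unknown test case {fname!r}")
        match = next((f for f in unclaimed[fname]
                      if f.flaw_type == ftype and abs(f.line - line) <= line_tolerance),
                     None)
        if match is None:
            tally[ftype]["fp"] += 1
        else:
            unclaimed[fname].discard(match)
            tally[ftype]["tp"] += 1
    for flaws in unclaimed.values():
        for f in flaws:
            tally[f.flaw_type]["fn"] += 1
    return dict(tally)


def metrics(tally):
    """(precision, recall) per flaw class plus an 'overall' pair."""
    out, tp, fp, fn = {}, 0, 0, 0
    for ftype, c in tally.items():
        tp, fp, fn = tp + c["tp"], fp + c["fp"], fn + c["fn"]
        out[ftype] = (ratio(c["tp"], c["tp"] + c["fp"]), ratio(c["tp"], c["tp"] + c["fn"]))
    out["overall"] = (ratio(tp, tp + fp), ratio(tp, tp + fn))
    return out


def spec_gaps(tally, spec_types=SPEC_FLAW_TYPES):
    """Flaw classes required by the functional specification that the tool never detected."""
    return [t for t in spec_types if tally.get(t, {}).get("tp", 0) == 0]


if __name__ == "__main__":
    t = score(MANIFEST, TOOL_FINDINGS)
    for ftype, (p, r) in metrics(t).items():
        print(f"{ftype:16s} precision={p:.2f} recall={r:.2f} counts={t.get(ftype)}")
    print("spec classes with no detection:", spec_gaps(t))
```

The line tolerance matters more than it looks: the same tool scored with `line_tolerance=0` turns the off-by-one sql-injection finding into one false positive plus one false negative, so the test case documentation has to state how precisely a location must be reported before a test plan can compare tools fairly.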
Static Bytecode Analysis Tools
RDS requirements:
- a corpus of byte code examples with known security flaws and vulnerabilities
- test case documentation against functional specification for static bytecode analysis tools
Static Binary Code Analysis Tools
RDS requirements:
- a corpus of binary executable examples with known security flaws and vulnerabilities
- test case documentation against functional specification for static binary code analysis tools
Defining a Software Security Flaw Taxonomy
Some flaws have never been seen in real world code... yet
Sources for the reference dataset:
- OWASP WebGoat
- Foundstone HacmeBook and HacmeBank
- CVE listing of known vulnerabilities
- MIT Lincoln Lab Source Code Contribution (1000+ test cases)
- Fortify Software Source Code Contribution (80+ test cases)
Both "In the Wild" and "Manufactured" code will be part of the reference dataset.
DAY #1 - Papers
DAY #2 - "Target Practice" for source code scanner tool developers against the SAMATE SA Tool Reference Dataset