Home Contact

M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

Broken Web Applications VM Version 0.9 Released

Written by Chuck Willis

As I mentioned in my previous post, I have been working on creating a Linux Virtual Machine containing a variety of vulnerable web applications. Just in time for the OWASP AppSec DC Conference, version 0.9 of the VM has been released!

You can find details about the VM on the project summary page on Google Code. You can also get the VM via the downloads page.

The VM is still a work in progress. I would like to add additional applications, especially those that use different application frameworks, but the applications that are there should work. I really hope that some people at the conference will get excited about the project and contribute some additional content that can be included on the 1.0 release.

If you would like to contribute some effort or a vulnerable application or just have some comments / criticism, I’d love to hear from you at chuck.willis (at) mandiant (dot) com.

I will be speaking about this project at the OWASP AppSec DC Conference. I hope to see you there!

Chuck

Tags: , ,

. 12 Nov 09 | Conferences | Comments (0)

The 2009 CWE/SANS Top 25 (and security in unmanaged code)

Written by Chuck Willis

Over the past couple months, I had the good fortune of providing some input to the process of creating the “2009 CWE/SANS Top 25 Most Dangerous Programming Errors”. The goal of the project was to create a “list of the most significant programming errors that can lead to serious software vulnerabilities”.

 

I think that the team came up with a really good list of weaknesses that cut across programming languages and platforms. I am also a big fan of the way that the list was written. The discussion of each item on the list is informal, not preachy, and very easy to read and understand.

 

The Top 25 is general in nature in that it tried not to be specific to any application type, language, or platform (though it did end up including a couple web application specific issues). While this general nature makes the list useful in some situations (such as in a University course), it does limit the usefulness of the Top 25 in other circumstances. For example, if you want to educate web developers or incorporate security into procurement of a web application, the OWASP Top Ten is certainly more applicable than the CWE Top 25.

 

Unfortunately, the limitation of the list to 25 items meant that some pretty important security issues got left off, particularly weaknesses that primarily affect unmanaged code (such as C or C++). For example, format string vulnerabilities are not mentioned in the Top 25 at all (though they could be seen as a child of CWE-20: Improper Input Validation and/or CWE-116: Improper Encoding or Escaping of Output). Weaknesses related to the parsing of data files or streams (the source of so many web browser and desktop application vulnerabilities) are also absent (unless those issues are considered part of CWE-682: Incorrect Calculation).

 

Overall, I think that the Top 25 does a good job working within the parameters that it was given, but it suffers from trying to be too many things to too many people. What the process highlighted for me, however, is that there is not a concise, generally accepted, security reference available for development in unmanaged languages. So much of software security is focused on the web and managed languages, but there is still a lot of unmanaged code in use and being written today. There are excellent books available on writing secure software, and SANS provides some materials that could be used as a reference on the GIAC Secure Software Programmer (GSSP) Certification web site, but I think that the community would be well served by a short, easily digestible list similar to the OWASP Top Ten or the CWE/SANS Top 25 focused on security issues in unmanaged code.

 

Anyone interested in creating that list?

 

Chuck

Tags: , , , , ,

. 26 Jan 09 | General | Comments (0)