Security System and Enterprise Security

Section 1 SDL description

Further reading:

Security Development Lifecycle (SDL) learning overview: http://www.cnblogs.com/whoami101/p/9914862.html

SDL: https://www.microsoft.com/en-us/SDL/process/training.aspx

A first look at SDL software security design: https://xz.aliyun.com/t/226

SDL stands for Security Development Lifecycle (in Chinese, 安全开发生命周期); it is also known as the secure development process, and the two terms refer to the same thing.

SDL was first proposed by Microsoft. It is a software development process focused on security: it helps developers build more secure software and solutions while reducing the cost of meeting security compliance requirements during development. To protect end users, it introduces security and privacy activities into every phase of the software development process. Microsoft has made it a company-wide mandatory policy since 2004, and it effectively addresses the root causes of security vulnerabilities.

 


 

The image is too large to upload here; open the Shimo document to view it: https://shimo.im/docs/gOzSUgU0Zj4NWHzX/ "11-1 SDL presentation - learning materials".

This is the full SDL process, divided into seven phases:

1. Security training

This is easy to understand: security is a fundamental requirement of the development lifecycle. Through security training, developers learn basic security and privacy knowledge and the relevant security background, which helps them understand and follow the secure development process.

 

2. Requirements

The requirements phase consists of three parts: establishing security requirements, creating quality gates / bug bars, and performing security and privacy risk assessments.

Determining security and privacy requirements early makes it easier to identify key milestones and deliverables and minimizes disruption to plans and schedules. This requires assigning security experts, defining minimum security and privacy standards for the application, and deploying a security bug / issue tracking system. Setting minimum security and quality requirements at the start helps the development team understand security issues and risks, so that they can identify and fix security risks during development and enforce this standard.

Creating quality gates or bug bars mainly serves to define a severity threshold for security vulnerabilities.

The risk assessment part helps the team identify which parts of the project need threat modeling and security review before release, and determine the corresponding level of impact.

 

In plain terms: define security requirements, and do so as early as possible, to avoid schedule changes caused by adding security requirements midway and to give developers certainty; set thresholds and standards, such as how vulnerability severity is rated, and establish a feedback mechanism for security issues; finally, evaluate the project's security posture and perform threat modeling.

 

3. Design

Design is divided into establishing design requirements, analyzing and reducing the attack surface, and applying threat modeling.

Security requirements should be considered early in product design; analyze the possible attack surface and fix and reduce it, for example by restricting access and applying the principle of least privilege. Finally, applying threat modeling makes it more effective to determine vulnerabilities and threat risks and to establish countermeasures.

 

This again emphasizes that determining security requirements early is deliberate: it avoids security requirements disrupting the normal development process. In fact, there has always been a tension between security and the convenience of development or operations; adding security mechanisms and review processes naturally disrupts normal development, so the process should push security considerations as early as possible and avoid interference midway.

 

4. Implementation

Implementation also consists of three parts: using approved tools, deprecating unsafe functions, and static analysis.

Publishing the list of approved tools and their associated security checks (such as compiler warning settings) helps automate security practices at low cost; the tools should be updated regularly. Analyzing and avoiding unsafe functions reduces potential security defects, for example through banned-function header files. Static source-code analysis helps identify problems and ensures the code follows secure coding standards.

 

The focus here is to check with the designated tools and find problems with static analysis, while abandoning unsafe functions to avoid introducing problems.
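As an added illustration of the "deprecate unsafe functions / static analysis" step (example code, not part of the original notes or of Microsoft's SDL tooling): a small scanner that flags calls to a few banned C runtime functions in a constructed sample source file and names the safer replacement. The banned-function table is a constructed subset; Microsoft's actual list lives in its banned.h header.

```python
import re

# Constructed subset of C runtime functions banned under SDL, with the safer
# replacement to suggest (Microsoft's full list is in banned.h).
BANNED = {
    "strcpy": "strcpy_s / strlcpy",
    "strcat": "strcat_s / strlcat",
    "sprintf": "snprintf / sprintf_s",
    "gets": "fgets / gets_s",
    "strncpy": "strncpy_s (length-checked copy)",
}
# \b keeps my_strcpy_wrapper( and fgets( from matching; \s*\( requires a call.
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(BANNED))


def scan_source(text):
    """Return (line_no, function, replacement) for each banned call.
    Simple line-based heuristic: // comments and /* ... */ comment lines are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]
        if code.lstrip().startswith(("*", "/*")):
            continue
        for m in CALL_RE.finditer(code):
            findings.append((no, m.group(1), BANNED[m.group(1)]))
    return findings


# Constructed sample C file: two banned calls, one safe variant, one comment.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>
/* copies the user name into fixed buffers */
void greet(const char *name) {
    char buf[32], msg[64];
    strcpy(buf, name);                       // no bounds check
    sprintf(msg, "hi %s", buf);              // unbounded format
    snprintf(msg, sizeof msg, "hi %s", buf); // safe variant, not reported
    // strcat(buf, "!");  commented out, must not be reported
    my_strcpy_wrapper(buf);                  // different identifier, not reported
}
"""

if __name__ == "__main__":
    for no, fn, fix in scan_source(SAMPLE_C):
        print("line %d: banned call %s(); use %s" % (no, fn, fix))
```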

 

5. Verification

Verification consists of dynamic analysis, fuzz testing, and attack surface review.

This phase comes after the code is complete. Dynamic analysis monitors the software at runtime to detect security problems such as memory corruption and privileged user access; fuzz testing deliberately feeds malformed or random data to make the program fail, which likewise uncovers security issues; and reviewing the attack surface again ensures the program has been through the attack surface analysis and remediation that was designed.

 

Dynamic analysis, fuzz testing, and attack surface review are the three dimensions along which the project's security is verified again.

 

6. Release

Create an incident response plan, perform a final security review, and release and archive.

The incident response plan goes without saying, and identifying emergency contacts is crucial; next, the final security review audits the previously defined quality gates / bug bars and so on; finally, archive all code, specifications, and related documents.

 

7. Response

Execute the incident response plan: by carrying out the pre-established incident response plan, we do our best to protect customers from the effects of a security or privacy vulnerability.

 

These are the seven phases of SDL, each corresponding to a different stage of the development process. The core idea is to integrate security into every stage of development: requirements analysis, design, coding, testing, and maintenance each get corresponding security activities, so that security risk during development is minimized as far as possible.

 

Its six core design principles:

  • Attack Surface Reduction: minimize the attack surface
  • Basic Privacy: basic privacy protection
  • Least Privilege: minimize permissions
  • Secure Defaults: secure by default
  • Defense in Depth: defense in depth
  • Threat Modeling: threat modeling

 

2 threat intelligence and enterprise security

Further reading:

The Pyramid of Pain: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

STIX: https://stixproject.github.io/

CybOX: https://cyboxproject.github.io/

TAXII: https://taxiiproject.github.io/

1. Reference standards for building threat intelligence

STIX - Structured Threat Information eXpression

TAXII - Trusted Automated eXchange of Indicator Information

CybOX - Cyber Observable eXpression

MAEC - Malware Attribute Enumeration and Characterization

OpenIOC - Open sourced schema from Mandiant

IODEF - Incident Object Description Exchange Format

CIF - Collective Intelligence Framework

IDXWG - Incident Data eXchange Working Group

2. Key points of the STIX standard

The main applicable scenarios fall into the following four categories:

1. Threat analysis: judging, analyzing, investigating, and keeping records of threats.

2. Threat signature classification: threat signatures are classified manually or with automated tools.

3. Threat and security incident response process: preventing, detecting, handling, and summarizing security incidents; STIX serves as a good reference during incident handling, so that detailed information is available before an incident is dealt with.

4. Threat intelligence sharing: sharing is described using a standardized framework.

 

3. Key points of the TAXII standard

Service specification: defines the TAXII service types, the kinds of intelligence, and the information exchange formats.

Message specification: XML format.

Protocol specification: specifies HTTP / HTTPS as the transport for TAXII; from a security standpoint, HTTPS should be used.

Query format specification: defines the default query format and processing rules.

 

 

3 Situational awareness, monitoring, and early warning

1. Situational awareness products

1.1 Mingjian network security situational awareness and early-warning bulletin platform

1.2 360 situational awareness and security operations platform

 

2. Understanding situational awareness

(1) Situational perception is understanding the current state, including identifying and confirming the state (discovering attacks), and assessing the quality of the information sources and data that situational awareness requires.

(2) Situational comprehension includes understanding the impact of an attack, the behaviour of the attacker (adversary), and why and how the current situation arose. In short: damage assessment, behaviour analysis (analysis of the trend and intent of the attack), and causal analysis (including tracing the origin and forensic analysis).

(3) Situational projection is the predictive assessment of how the situation will develop, mainly covering situation evolution (situation tracking) and impact assessment (scenario simulation).

3. Online situational awareness platforms

1. Panoramic network security defense system

http://guanjia.qq.com/system/preloader.html

2. Network security threat information sharing platform

https://share.anva.org.cn/index

3. Tencent location big data

https://heat.qq.com/

4. 360 traffic monitoring platform

http://scan.netlab.360.com/#/dashboard

4. Application value of situational awareness

1. Responding to critical threats: quickly discovering compromised hosts; comprehensive web security assurance.

2. Improving analysis and judgement: analysis and judgement ensure that incidents are handled correctly and gradually improve the defense architecture; effective analysis relies on external threat intelligence and local traffic logs.

3. Information and intelligence sharing: implementing network security monitoring, early warning, and information reporting within an industry or field; analysis and intelligence sharing are the foundation of early warning and prediction.

4. Fulfilling industry regulatory duties: boundary traffic probes, cloud monitoring, external intelligence monitoring, and other preferred detection methods enable regulatory oversight of the industry.

 

4 Vulnerability lifecycle and vulnerability disclosure

Further reading:

How should vulnerability disclosure be done "properly"? See how the relevant US agencies view it: https://www.freebuf.com/articles/neopoints/123847.html

Expert | Huang Daoli: rules for network security vulnerability disclosure and their system design: https://blog.csdn.net/kevin_bobolkevin/article/details/79408610

Google's disclosure of a critical Windows vulnerability angered Microsoft, as it gave only 10 days to respond: http://tech.qq.com/a/20161101/040313.htm

1. Security vulnerability lifecycle

A security vulnerability is a defect or improper configuration in an information system that allows an attacker to access or damage the system without authorization, exposing the system to security risk. A program that uses a vulnerability to achieve intrusion or damage is called an exploit, or exploit code.

Offensive and defensive techniques around the vulnerability lifecycle have always been a perennial topic in the security community. A typical security vulnerability lifecycle consists of the following seven parts:

1. Vulnerability research and discovery

Carried out by highly skilled hackers and penetration testers, mainly using source code auditing (white-box testing), reverse engineering (grey-box testing), and fuzz testing (black-box testing) to find exploitable vulnerabilities in the target system.

2. Exploit development and testing

While discovering vulnerabilities, hackers develop proof-of-concept (POC) exploit code to verify that the vulnerability really exists and to confirm whether it can be exploited.

3. Vulnerabilities and exploit code circulate within closed groups

After a vulnerability is found and exploit code is written, responsible "white hats" first notify the vendor so it can fix the issue and publish only after the vendor releases a patch, whereas "black hats" and "grey hats" generally share them secretly within small closed groups to fully exploit the attack value of these vulnerabilities and exploit code.

4. Vulnerabilities and exploit code begin to spread

For various reasons, vulnerabilities and exploit code shared secretly within closed groups are eventually disclosed and published on the Internet; "black hats" quickly learn and apply them, and they spread rapidly through the security community.

5. Malware appears and begins to spread

Building on the vulnerability and exploit code, "black hats" develop malware that is easier to use and more capable of automated propagation, and spread it through the hacker community's social structures and the Internet. During this process (or before or after it), the vendor completes development and testing of a patch and releases it.

6. Exploit code / malware spreads on a large scale and harms the Internet

The vendor's patch release and security alert further inform the whole hacker community that a new vulnerability and corresponding exploit code and malware exist; more "black hats" obtain and use this malware from the Internet or their community networks, and the harm to the Internet peaks in this stage.

7. Exploit code / attack tools / malware gradually die out

Once the vendor's patch and the detection and removal mechanisms provided by security companies are widely deployed, the corresponding exploit code and malware are gradually abandoned by "black hats" and slowly die out.

The security vulnerability lifecycle is shown in the figure below:

Within the vulnerability lifecycle, the period from when a vulnerability is discovered until the vendor releases a patch for it is commonly called "0day" by the security community. During this time, hackers attacking targets that have the vulnerability can achieve a 100% success rate while evading detection, so 0day vulnerabilities and their exploit code are of very high value to the hacker community, and discovering 0days and producing exploit code has become a goal pursued by top hackers.

Reference link: https://blog.csdn.net/henni_719/article/details/77947938

 

5 Security automation protocol SCAP

Further reading:

SCAP official page: https://csrc.nist.gov/projects/security-content-automation-protocol/

 

1. SCAP Chinese community

The SCAP Chinese community is an open platform for aggregating and using security information; its mission is to promote the adoption and application of the SCAP family of standards in China. The community currently integrates three network-security standard databases from the SCAP framework: CVE, OVAL, and CPE. Users can conveniently query the CVE vulnerability database, the OVAL vulnerability-check language, and the CPE platform list on the site.

 

To date, the SCAP Chinese community has collected nearly 60,000 CVE entries (since 2002) and more than 14,000 OVAL entries, and provides the most detailed Chinese explanations of CVEs to date along with parsing of the OVAL decision-logic expressions. Based on in-depth analysis of large amounts of data, the community has completed the mapping between CVE and OVAL: if a CVE has corresponding OVAL check details, the two records are linked directly and one can jump between them by clicking the link (for example CVE-2013-0095), which greatly facilitates the work of vulnerability analysts. In addition, the community has completed a mapping to the full CNNVD database, so the corresponding China National Vulnerability Database resources can be viewed conveniently via a CVE.

 

CVE database: http://cve.scap.org.cn

CVE data can be searched and analyzed by keyword, vendor, and software name: http://cve.scap.org.cn/

OVAL database: http://oval.scap.org.cn

 

2. OVAL

OVAL was developed by MITRE and is a description language for defining the technical details of check items, vulnerabilities, and the like. OVAL likewise organizes its content in standard XML. It is flexible enough to analyze the system state, vulnerabilities, configuration, and patches of Windows, Linux, Unix, and various embedded operating systems, and can also describe test reports. OVAL describes security-related checkpoints clearly and in a machine-readable form that can be applied directly to automated security scanning. The core of OVAL is "Open": anyone can contribute to OVAL's development, sharing knowledge and experience and avoiding duplicated effort. In fact, XCCDF was designed to interoperate with multiple underlying configuration-checking technologies; the recommended, default checking technology is MITRE's OVAL. In practical SCAP use, XCCDF and OVAL usually appear as a pair: XCCDF defines the checklist, and OVAL defines the concrete implementation details of each check item.

 

OVAL is described in XML and comprises the following XML schemas: the OVAL Definition Schema, the OVAL System Characteristics Schema, and the OVAL Results Schema. The System Characteristics schema describes a snapshot of system information, which can be matched against an OVAL definition file to produce an evaluation result; the Results schema describes the evaluation result.

 

Among the three OVAL schemas, the Definition schema holds the most important position. It provides a machine-readable guide for performing a security evaluation of a system and can be used to describe system configuration information, analyze the system's security state, and report evaluation results. A typical OVAL Definition XML document consists of Definitions, Tests, Objects, States, and Variables; its structure is fairly simple, mainly listing each element in an enumerated fashion, as shown in Figure 1.

 

 

6 SCAP application and examples

Further reading:

Examples of score calculation: https://www.first.org/cvss/examples and https://www.first.org/cvss/specification-document

Heartbleed vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2014-0160

CVSS 3.0 calculator: https://www.first.org/cvss/calculator/3.0

CWE tree diagram: https://nvd.nist.gov/vuln/categories/cwe-layout

Using SCAP effectively for host security management: https://www.edu.cn/info/fei/wang_luo/an_quan_ji_shu/201303/t20130306_912136.shtml

 

 

1. OVAL study notes


Among the three OVAL schemas, the Definition schema holds the most important position. It provides a machine-readable guide for performing a security evaluation of a system and can be used to describe system configuration information, analyze the system's security state, and report evaluation results. A typical OVAL Definition XML document consists of Definitions, Tests, Objects, States, and Variables; its structure is fairly simple, mainly listing each element in an enumerated fashion.

The Definition is the most important element. It references one or more Tests and combines their results to determine the overall result; a Test uses an Object and a State to interact with the system and obtain the check result; a State may use a fixed value or reference a value from a Variable. The logical relationship between the OVAL elements is shown in the figure below. In the figure, Definition1 contains two Tests, Test1 and Test2; assuming their criterion is combined with AND, Definition1 evaluates to True only if both Tests are True. For example, if Test1 is True and Test2 is False, then according to Definition1's criterion Test1=True AND Test2=True, the result of the whole Definition is False.

 

 

OVAL Definition

 

A Definition describes how to check for a specific security issue; an OVAL document usually contains many definitions. There are four main classes of definition. Vulnerability: describes how to determine from the system state whether a specific vulnerability exists. Patch: similar to a vulnerability definition, but focused on determining whether a specific patch is installed. Inventory: describes how to determine whether a specific piece of software is installed. Compliance: describes how to determine whether the system satisfies a specific configuration requirement. Table 1 shows sample data for an OVAL definition.

 

OVAL Test

A Test is executed by defining a set of OVAL Objects and OVAL States. The data structure of an OVAL test is shown in Table 2, and Figure 2 shows more clearly how the OVAL Object and OVAL State work together to perform a test.

 

 

OVAL Object

 

An Object describes the subject of a test. Since there are many kinds of subjects (registry, group policy, files, software packages, and so on), there are many Object types, each with a different data structure. Below is a passwordpolicy_object definition; as it shows, a system-policy OVAL object only needs an id for the interpreter to recognize it:

<passwordpolicy_object id="oval:gov.nist.usgcb.windowsseven:obj:27" version="2"/>

 

Below is a registry_object definition; a registry OVAL object must specify the registry hive, the key, and the value name:

<registry_object id="oval:gov.nist.usgcb.winseven:obj:16" version="2">
<hive>HKEY_LOCAL_MACHINE</hive>
<key>SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW</key>
<name>DWAllowHeadless</name>
</registry_object>

 

OVAL State

 

A State describes the reference state values of the test subject. Like OVAL objects, States come in many types, each with a different data structure. Below is a passwordpolicy_state definition:

 

<passwordpolicy_state id="oval:gov.nist.usgcb.winseven:ste:33" version="2">
<min_passwd_len operation="greater than or equal" datatype="int" var_ref="oval:gov.nist.usgcb.winseven:var:22"/>
</passwordpolicy_state>

Regular expressions can be used in Value for better string matching. Below is a registry_state definition that checks whether the value read from the registry matches the string "Windows 7".

 

<registry_state id="oval:org.mitre.oval:ste:5027" version="4" comment="Matches with Windows 7">
<value operation="pattern match">^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 7[a-zA-Z0-9\(\)\s]*$</value>
</registry_state>

As these show, an OVAL state can use var_ref to reference an OVAL variable as its value, or write the value directly into the value node.

 

OVAL Variable

 

A Variable defines the values a State needs when a test runs. There are three types: constant_variable, local_variable, and external_variable. A constant variable defines a value that cannot change at run time; a local variable defines a value used directly within OVAL; an external variable is usually used to pass an XCCDF Value into OVAL. Below is an external variable definition:

 

<external_variable comment="Minimum Password Length is greater than or equal to the prescribed value" datatype="int" id="oval:gov.nist.usgcb.winseven:var:22" version="2"></external_variable>
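Added example (not from the original notes, the 破壳 materials, or MITRE's OVAL interpreter) tying together the AND-logic description of Definition1/Test1/Test2 and the object, state and variable fragments above: a simplified evaluator that resolves a constructed, namespace-free OVAL-style document against a constructed system-characteristics snapshot. The document reuses the registry and password-policy object/state/variable ids quoted above; real OVAL uses namespaced schemas and many more operations and datatypes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified OVAL definitions document (no namespaces); the
# object/state/variable ids and entity fields mirror the fragments quoted above.
OVAL_XML = r"""<oval_definitions>
 <definitions><definition id="oval:example:def:1"><criteria operator="AND">
  <criterion test_ref="oval:example:tst:1"/><criterion test_ref="oval:example:tst:2"/>
 </criteria></definition></definitions>
 <tests>
  <test id="oval:example:tst:1" object_ref="oval:gov.nist.usgcb.windowsseven:obj:27" state_ref="oval:gov.nist.usgcb.winseven:ste:33"/>
  <test id="oval:example:tst:2" object_ref="oval:gov.nist.usgcb.winseven:obj:16" state_ref="oval:org.mitre.oval:ste:5027"/>
 </tests>
 <states>
  <state id="oval:gov.nist.usgcb.winseven:ste:33"><min_passwd_len operation="greater than or equal" datatype="int" var_ref="oval:gov.nist.usgcb.winseven:var:22"/></state>
  <state id="oval:org.mitre.oval:ste:5027"><value operation="pattern match">^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 7[a-zA-Z0-9\(\)\s]*$</value></state>
 </states>
 <variables><variable id="oval:gov.nist.usgcb.winseven:var:22">14</variable></variables>
</oval_definitions>"""

# Constructed system-characteristics snapshot: object id -> item collected from the host.
SNAPSHOT = {
    "oval:gov.nist.usgcb.windowsseven:obj:27": {"min_passwd_len": "14"},
    "oval:gov.nist.usgcb.winseven:obj:16": {"value": "Windows 7 Enterprise"},
}
# Operations an OVAL state entity may apply to the collected value (subset).
OPS = {"equals": lambda a, e: a == e,
       "greater than or equal": lambda a, e: a >= e,
       "pattern match": lambda a, e: re.search(e, a) is not None}

def evaluate_definition(xml_text, snapshot, def_id):
    root = ET.fromstring(xml_text)
    index = {s: {e.get("id"): e for e in root.find(s)} for s in ("tests", "states", "variables")}
    def run_test(test_ref):  # object -> collected item, then every state entity must hold
        test = index["tests"][test_ref]
        item = snapshot.get(test.get("object_ref"))
        if item is None:  # object not collected on this host: the test fails
            return False
        ok = True
        for entity in index["states"][test.get("state_ref")]:
            var = entity.get("var_ref")  # value comes from a variable or from the node text
            expected = (index["variables"][var].text if var else entity.text).strip()
            cast = int if entity.get("datatype") == "int" else str
            ok &= OPS[entity.get("operation", "equals")](cast(item[entity.tag]), cast(expected))
        return ok
    def run_criteria(node):  # AND/OR over child <criterion> test_refs and nested <criteria>
        results = [run_test(c.get("test_ref")) if c.tag == "criterion" else run_criteria(c) for c in node]
        return all(results) if node.get("operator", "AND") == "AND" else any(results)
    definition = next(d for d in root.find("definitions") if d.get("id") == def_id)
    return run_criteria(definition.find("criteria"))
```

With the snapshot above both tests pass, so the AND criteria yields True; lowering min_passwd_len below the external variable's value of 14 makes Test1 False and therefore the whole definition False, exactly as described for Definition1.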

 

 

 

 

Note: most of the above is reproduced from the 破壳 study materials; everyone is welcome to sign up and learn.

 


Origin www.cnblogs.com/klsfct/p/11204588.html