Skills to build upon

There’s fun things to check out this holiday season! The SANS Holiday Hack Challenge just came out a few days ago. That’s a fun challenge that is accessible in a variety of ways to people with different skills and levels. Additionally, the previous year challenges and answers are also available which is pretty nice.

A skill I am increasingly spending more of my free time on involves manual code review and assessment. I use free tools (like those used in the SWAMP), but they seem to only find a handful of the issues in the code I’ve been checking out. I will be starting a new blog series exploring this and assessing code from different perspectives.

In the meantime, check out these resources from the Trail of Bits CTF Field Guide:

-- Essential C

-- The Art of Software Security Assessment - Chapter 6

Not from the ToB site:

-- Chris Rohlf’s Modern Memory Safety: C/C++ Vulnerability Discovery, Exploitation, Hardening

When this blog series starts, having reviewed those resources will be helpful!

Omaha OWASP Dec 2016 presentation

Last week I presented at the local Omaha OWASP chapter an overview of the SWAMP. It was a lot of fun to talk about the SWAMP, both in the cloud and the new on-prem (SWAMP-in-a-box) version. I've uploaded my presentation up at SlideShare and linked it here below.

http://www.slideshare.net/AndrewFreeborn/omaha-owasp-dec-2016

Thanks!

Fuzzy Assessment: Part 7 - Threadfix in the SWAMP

In the previous post, we viewed the results of the assessment with Code Dx. Another tool available in the SWAMP is ThreadFix. Different views of the same data may provide the other perspective needed to better remediate a vulnerability finding.

Let’s get back into the SWAMP!

1. Log into the SWAMP
2. We already have the package ready and assessed, so let’s click on “Results”
   
   
   
3. Change the viewer from “Code Dx” to “Threadfix”
   
   
   
4. Scroll down to the package results (in our case OpenSSH 4.3 blog2) and check the far left checkbox. After I did this step, the viewer changed back to “Code Dx”. Make sure your viewer is still set to “Threadfix”.
   
   
   
5. If you scroll back down, at the time of this writing, only Clang is compatible with Threadfix and the only one that can be checked
6. Scroll back to the top and click on “View Assessment Results” ensuring that Threadfix is still selected
7. A new window should open up with a viewer to the results of the scan that’ll use Threadfix
8. Click on “Latest Analysis Run” for the correct package
   
   
   
9. After the viewer loads, click on “Scans” at the top
   
   
   
10. This screen below shows some interesting results. Let’s review the first option with 16 results and click the “View Scan” link.
    
    
    
11. In the “Mapped Findings” screen, we see all of the vulnerabilities from the scan:
    
    
    
12. Let’s see more detail in the “packet.c” vulnerability finding. Click “View Finding” on this line:
    
    
    
13. Here we can see additional detail for this finding:
    
    
    
    

There is not much more to say about this tool and the way we can look at vulnerabilities. Clicking on “Dashboard” at the top will return you to the main Threadfix screen that allows you to drill into vulnerability findings in a variety of ways that can help you track down specific issues.