RE: Binary Analysis with Internal Solutions

[David Gillett <gillettdavid () fhda edu>]

  It's true that precise, complete risk analysis is impossible -- it's also rarely necessary.  in deciding whether to 
bring my umbrella this morning, I considered my aversion to getting drenched (probably higher than many people's, if 
not by much), the cost/effort (minimal), the weather report (warm and dry).  I DIDN'T consider the odds of asteroid 
impact -- on days when that probability isn't negligible, I'd have to also figure in the effectiveness of my umbrella 
as a mitigation....

  Even without attaching hard numbers, an experienced security engineer should have a good sense of the relative 
importance of various factors, and of how risks and mitigating measures interact.  A million-dollar security measure is 
hard to justify and rarely necessary, but a ten-thousand-dollar measure might be a wise investment or a waste, and it's 
useful to have a somewhat numerical argument demonstrating which.

David Gillett
CISSP CCNP


________________________________________
From: Mikhail A. Utin [mutin () commonwealthcare org]
Sent: Tuesday, July 24, 2012 12:30 PM
To: Simon Thornton; security-basics () securityfocus com; nschroedl () mtiorg com
Subject: RE: Binary Analysis with Internal Solutions

Nick,
And Simon as recommending so named "risk analysis".
If you want to be dragged in discovering of the Universe of InfoSec exploits/attacks/malware/etc., you can try Simon's 
" Part of the answer depends on the perceived attack surface (the risk of an attack) and the impact a successful 
compromise would have."
I wrote twice to this list that the number of attacks is unknown, and concerning the exposure of each in your company 
(infinite number - you can do that estimate for your job security for the rest of your life. BTW, both components are 
changing daily.

Quantitative risk analysis is good if you need to write a document for compliance matters, and nobody will be able to 
object your estimate as right estimates are unknown.
So, use your common sense, which is qualitative risk analysis.

However, I bet you are talking practical matters, so do not do any risk assessment IF - see above about job security.

Mikhail Utin,  CISSP, PhD


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Simon Thornton
Sent: Tuesday, July 24, 2012 12:35 PM
To: security-basics () securityfocus com; nschroedl () mtiorg com
Subject: RE: Binary Analysis with Internal Solutions

Hi Nick,

NS> "Should binary analysis (i.e. reversing and fuzzing) be part of an
NS> internal vulnerability and pen testing solution?"

You are asking about two different activities with widely different requirements in terms of the time and potentially 
resources needed. Fuzzing is the simpler of the two exercises and can be automated, often used as part of pentesting 
exercises. Reverse engineering is largely a manual process and can be significantly more challenging and time consuming.

Part of the answer depends on the perceived attack surface (the risk of an
attack) and the impact a successful compromise would have. If this is an internal application on a closed network not 
connected to the internet then it may be worth it. If however this application contains data covered by regulatory 
compliance and/or legal requirements (privacy laws) and it is exposed directly or indirectly to the internet then this 
is different.

Start with a simple risk assessment, considering the data (classification) processed by the application, location of 
the service, who accesses it etc.
This should give you an indication if you need to consider more in-depth analysis. To go as far as reverse engineering 
would normally be predicated by an event which cannot be explained by looking at source code, logs etc.
Examples might be

- if a security incident or breach occurred which could not be explained by other analysis.
- Another example might be a requirement (legal/regulatory) that all applications used strong ciphers or long key 
lengths and the source code was not available.

My experience; most of the time reverse engineering is not justified from a cost/risk perspective. Fuzzing interfaces 
can detect functional bugs not caught through normal testing.  Whatever the source of a vulnerability or issue the risk 
(impact/exploitability or impact/likelihood) needs to be addressed.


Simon


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of nschroedl () mtiorg com
Sent: Tuesday, July 24, 2012 17:15 PM
To: security-basics () securityfocus com
Subject: Binary Analysis with Internal Solutions

Hello everyone,

                A debate has been started in the office that I work in over this question.

"Should binary analysis (i.e. reversing and fuzzing) be part of an internal vulnerability and pen testing solution?"

                There is mission critical custom in house software solutions deployed here.  My opinion is Yes, but 
others say it is a waste of resources to go this deep into offensive security.  Please send your comments, and opinions 
so that I can either win/loose this debate.

Nick Schroedl



------------------------------------------------------------------------

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential
and privileged information for the use of the designated recipients named above. If you are
not the intended recipient, you are hereby notified that you have received this communication
in error and that any review, disclosure, dissemination, distribution or copying of it or its
contents is prohibited. If you have received this communication in error, please reply to the
sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication
and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy,
please visit our Internet web site at http://www.commonwealthcare.org.



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------