The Building Security In Maturity Model (BSIMM)

The Building Security In Maturity Model (BSIMM) was developed in collaboration with Cigital to help you understand and plan a software security initiative. BSIMM was created through a process of understanding and analyzing real-world data from nine leading software security initiatives. Though particular methodologies differ (think OWASP CLASP, Microsoft SDL, or the Cigital Touchpoints), many initiatives share common ground. This common ground is captured and described in BSIMM. As an organizing feature, we introduce and use a Software Security Framework (SSF), which provides a conceptual scaffolding for BSIMM. Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective.

http://bsimm2.com/

http://www.informit.com/articles/article.aspx?p=1332285

InformationWeek – free digital magazine

InformationWeek magazine goes green as well: the online version of the magazine is available for free. The only requirement is that you subscribe on their website.

Content of this issue:

  • Our Annual Strategic Security Survey: The cyberattack on Google this year was a wake-up call to the risk that companies face from a targeted attack. Our Strategic Security Survey analysis looks at how well companies are addressing that threat, and many others.
  • 7 Steps To Identity Management: Identity management lets IT better understand who users are and what they have access to, leading to better security and more efficient employee access. We walk through how to get there.
  • Continuous Data Protection: How and when to move from a tape-based disaster recovery plan to one using replication or continuous data protection.
  • SharePoint 2010, Office 2010: As companies strive for better collaboration platforms, here’s how the newest versions of SharePoint and Office fit in.
  • Bob Evans: 10 factors behind SAP’s turnaround.
  • Art Wittmann: One size doesn’t fit all. From servers to cloud computing, midmarket IT pros have a very different view of what they need.
  • Rob Preston: CA CEO Bill McCracken gets cracking.

http://www.informationweek.com/gogreen/

Rapid7 NeXpose Community Edition on BackTrack 4

After my first adventure with installing NeXpose Community Edition on Windows, I thought I’d give it a go on a Linux distribution (BackTrack).  I did a Google search for a NeXpose Community Edition on BackTrack installation guide and found this excellent guide with step-by-step installation instructions (also available as a PDF download).

If you haven’t installed BackTrack yet, you can download the BackTrack 4 VMware image from the official website and start from there, although I did experience some performance issues using NeXpose in VMware on my laptop and decided to install NeXpose on my physical BackTrack installation.

Here is a summary of all the steps required to install NeXpose (note that the installer is fetched over plain HTTP, so verify its integrity against a checksum obtained from Rapid7 through a trusted channel before executing it):

apt-get install libstdc++5        # runtime library the NeXpose installer depends on
cd /pentest/exploits/framework3
svn update                        # update the Metasploit framework checkout (step taken from the guide above)
wget -t 0 -c http://download2.rapid7.com/download/NeXpose-v4/NeXposeSetup-Linux32.bin   # -t 0: retry until it succeeds, -c: resume a partial download
chmod +x ./NeXposeSetup-Linux32.bin
./NeXposeSetup-Linux32.bin        # installs to /opt/rapid7/nexpose
cd /opt/rapid7/nexpose/nsc
./nsc.sh                          # start the NeXpose Security Console

After completing these steps, you should be able to access the main NeXpose interface by browsing to https://127.0.0.1:3780/home.html

Some initial thoughts after using NeXpose for a handful of internal network scans:

- NeXpose identified the same number of vulnerabilities or more than Nessus in scans I performed against some internal systems

- The reporting includes extensive information such as vulnerability references and links to patches.  What I am missing is a section in the report with a clear overview of vulnerabilities per system.

I ran into some issues after installing NeXpose, which I list here as a reference to help you troubleshoot in case you run into them too:

Not enough memory

After installing NeXpose in a BackTrack 4 VMware image I executed a test scan of 1 host on my local network.  During the scan, NeXpose automatically paused the scan and displayed an error message that not enough memory was available on the scanning system.  In VMware I increased the memory assigned to BackTrack 4 from 768 MB of RAM to 1024 MB of RAM.  Since then, I haven’t run into this error anymore.

You have exceeded the licensed number of devices that can be scanned, or you are not authorized to scan this device range.
Entering the license key only during the NeXpose installation is not sufficient.  You have to enter your license key a second time after installing NeXpose on the following page of the NeXpose web interface: https://127.0.0.1:3780/admin/nsc.html

After entering my license key for a second time on this page, I ran into the same error message again when trying to scan my local subnet 192.168.0.1 – 192.168.0.254.  Unfortunately NeXpose Community Edition is limited to scanning a maximum of 38 hosts.
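The 38-host limit is the practical constraint when pointing the Community Edition at a full /24. The following is an added example (not part of the original post and not Rapid7’s code) that expands a target specification as written above, deduplicates the hosts, and splits them into batches that each fit under the licensed limit. It assumes the limit applies to the number of distinct hosts submitted in one scan; the `LICENSED_HOSTS` constant mirrors the figure quoted in this post.

```python
import ipaddress

# Figure quoted in this post for the Community Edition; assumed to apply
# to the number of distinct hosts submitted in a single scan.
LICENSED_HOSTS = 38


def expand_targets(spec):
    """Expand one target spec into a list of IPv4 address strings.

    Accepts a single address ("192.168.0.5"), CIDR notation
    ("192.168.0.0/24", network and broadcast addresses excluded) or the
    dash range used in this post ("192.168.0.1 - 192.168.0.254", both
    ends included).
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(h) for h in net.hosts()]
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if hi < lo:
            raise ValueError("range end precedes range start: %s" % spec)
        return [str(ipaddress.ip_address(a)) for a in range(int(lo), int(hi) + 1)]
    return [str(ipaddress.ip_address(spec))]


def plan_scans(specs, limit=LICENSED_HOSTS):
    """Deduplicate all targets and cut them into batches of at most `limit` hosts.

    Each batch is a target set that can be scanned without tripping the
    "exceeded the licensed number of devices" error quoted above.
    """
    seen, hosts = set(), []
    for spec in specs:
        for host in expand_targets(spec):
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return [hosts[i:i + limit] for i in range(0, len(hosts), limit)]


def within_license(specs, limit=LICENSED_HOSTS):
    """True when the whole target set fits into a single licensed scan."""
    return len(plan_scans(specs, limit)) <= 1


if __name__ == "__main__":
    # The subnet from this post needs seven separate scans under a 38-host limit.
    for n, batch in enumerate(plan_scans(["192.168.0.1 - 192.168.0.254"]), 1):
        print("scan %d: %s .. %s (%d hosts)" % (n, batch[0], batch[-1], len(batch)))
```

Running the script prints one line per batch; feeding each batch to a separate scan keeps every scan under the licensed device count instead of having the whole job rejected.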

Could not activate product: Product activation failed (License cannot be activated. Please contact support.

I ran into this issue with the initial NeXpose serial number I had obtained.  I reported this problem to Rapid7, and they provided me with a new serial number that worked flawlessly.

SANS 20 Critical Security Controls

The SANS Institute has made available a prioritised baseline of information security measures and controls that lets organisations focus their spending on the key security controls that protect against known attacks and detect the attacks that do occur.

For each of the 20 controls a number of properties are described in detail:

  • How do attackers exploit the lack of this control?
  • How can this control be implemented, automated, and its effectiveness measured?
  • Procedures and tools for implementing and automating this control
  • Control metrics
  • Control test details
  • Mapping to NIST SP 800-53

http://www.sans.org/critical-security-controls/

SANS also offers the 20 Critical Security Controls document in PDF format.

Google Skipfish

In March 2010 Google released Skipfish, its automated web application security reconnaissance tool.

The official Skipfish website only offers Skipfish as source code. Compiling Skipfish on Linux is straightforward, but I found compiling Skipfish under Cygwin on Windows less so.  To save you some headaches, the guys at the Information Security Short Takes blog offer compiled Windows binaries for download:

http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html

Google Skipfish command line options (skipfish does not recognise --help; the “unknown option” line below simply triggers the usage text):

C:\skipfish>skipfish.exe --help
skipfish version 1.29b by <lcamtuf@google.com>
skipfish: unknown option -- -
Usage: skipfish [ options ... ] -o output_dir start_url [ start_url2 ... ]
Authentication and access options:
 -A user:pass   - use specified HTTP authentication credentials
 -F host:IP     - pretend that 'host' resolves to 'IP'
 -C name=val    - append a custom cookie to all requests
 -H name=val    - append a custom HTTP header to all requests
 -b (i|f)       - use headers consistent with MSIE / Firefox
 -N             - do not accept any new cookies
Crawl scope options:
 -d max_depth   - maximum crawl tree depth (16)
 -c max_child   - maximum children to index per node (1024)
 -r r_limit     - max total number of requests to send (100000000)
 -p crawl%      - node and link crawl probability (100%)
 -q hex         - repeat probabilistic scan with given seed
 -I string      - only follow URLs matching 'string'
 -X string      - exclude URLs matching 'string'
 -S string      - exclude pages containing 'string'
 -D domain      - crawl cross-site links to another domain
 -B domain      - trust, but do not crawl, another domain
 -O             - do not submit any forms
 -P             - do not parse HTML, etc, to find new links
Reporting options:
 -o dir         - write output to specified directory (required)
 -J             - be less noisy about MIME / charset mismatches
 -M             - log warnings about mixed content
 -E             - log all HTTP/1.0 / HTTP/1.1 caching intent mismatches
 -U             - log all external URLs and e-mails seen
 -Q             - completely suppress duplicate nodes in reports
 -u             - be quiet, disable realtime progress stats
Dictionary management options:
 -W wordlist    - load an alternative wordlist (skipfish.wl)
 -L             - do not auto-learn new keywords for the site
 -V             - do not update wordlist based on scan results
 -Y             - do not fuzz extensions in directory brute-force
 -R age         - purge words hit more than 'age' scans ago
 -T name=val    - add new form auto-fill rule
 -G max_guess   - maximum number of keyword guesses to keep (256)
Performance settings:
 -g max_conn    - max simultaneous TCP connections, global (50)
 -m host_conn   - max simultaneous connections, per target IP (10)
 -f max_fail    - max number of consecutive HTTP errors (100)
 -t req_tmout   - total request response timeout (20 s)
 -w rw_tmout    - individual network I/O timeout (10 s)
 -i idle_tmout  - timeout on idle HTTP connections (10 s)
 -s s_limit     - response size limit (200000 B)
Send comments and complaints to <lcamtuf@google.com>.

Google Skipfish sample output: (screenshot not reproduced)

Official website: http://code.google.com/p/skipfish/

Windows binaries download: http://www.shortinfosec.net/2010/03/compiling-latest-skipfish-for-windows.html
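The crawl scope options above (-I, -X, -D, -B and -O) are the ones that decide whether a scan stays inside the authorised target and stays harmless. Below is an added example, written for this page and not skipfish’s own code, that models those scope rules as a small Python class: it decides per discovered URL whether to crawl it, treat it as a trusted third party, or skip it, and emits the equivalent skipfish command line. The `DEFAULT_EXCLUDES` list, the `example.test` hosts and the method names are constructed for the example; real skipfish applies its scope rules to discovered nodes and forms as well, which is not modelled here.

```python
from urllib.parse import urlparse

# Constructed default exclusions: URLs a crawler must never hit on a live
# application, because following them logs the session out or destroys data.
DEFAULT_EXCLUDES = ("/logout", "/signout", "action=delete")


class CrawlScope:
    """Per-URL scope decision modelled on the skipfish scope options."""

    def __init__(self, start_urls, include=(), exclude=DEFAULT_EXCLUDES,
                 crawl_domains=(), trust_domains=(), submit_forms=False):
        self.start_urls = list(start_urls)
        self.start_hosts = {(urlparse(u).hostname or "").lower() for u in start_urls}
        self.hosts = set(self.start_hosts) | {d.lower() for d in crawl_domains}  # -D
        self.trusted = {d.lower() for d in trust_domains}                       # -B
        self.include = tuple(include)                                           # -I
        self.exclude = tuple(exclude)                                           # -X
        self.submit_forms = submit_forms                                        # -O when False

    def decide(self, url):
        """Return 'crawl' (request and follow), 'trust' (known third party:
        not requested, not reported as external) or 'skip' (out of scope)."""
        p = urlparse(url)
        host = (p.hostname or "").lower()
        if p.scheme not in ("http", "https") or not host:
            return "skip"                      # mailto:, javascript:, relative junk
        if host not in self.hosts:
            return "trust" if host in self.trusted else "skip"
        if any(s in url for s in self.exclude):
            return "skip"                      # -X wins over everything else
        if self.include and not any(s in url for s in self.include):
            return "skip"                      # -I given: only matching URLs qualify
        return "crawl"

    def argv(self, output_dir):
        """Equivalent skipfish command line for this scope."""
        args = ["skipfish"]
        for s in self.include:
            args += ["-I", s]
        for s in self.exclude:
            args += ["-X", s]
        for d in sorted(self.hosts - self.start_hosts):
            args += ["-D", d]
        for d in sorted(self.trusted):
            args += ["-B", d]
        if not self.submit_forms:
            args.append("-O")                  # never submit forms on a live target
        return args + ["-o", output_dir] + self.start_urls


if __name__ == "__main__":
    scope = CrawlScope(["https://app.example.test/"],
                       crawl_domains=["api.example.test"],
                       trust_domains=["cdn.example.test"])
    for u in ("https://app.example.test/admin/users", "https://app.example.test/logout",
              "https://cdn.example.test/app.js", "https://evil.example.test/"):
        print(scope.decide(u).ljust(6), u)
    print(" ".join(scope.argv("skipfish-out")))
```

Excluding state-changing URLs with -X and withholding form submission with -O are the first two things to set when scanning anything other than a throwaway instance: a crawler that follows every link it finds will happily hit logout and delete actions, and -I narrows the crawl further to the paths that are actually in scope for the engagement.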

Nipper – network infrastructure configuration parser

Network Infrastructure Parser (Nipper) is software that assists with firewall and router security configuration reviews.  It identifies security weaknesses in device configurations and highlights the configuration settings that should be focused on during the subsequent manual review.

Since the Nipper 0.11.x release series, the Nipper author has included commercial-use clauses in its license. Although Nipper was still released under the GPL, the author added restrictions that the GPL licensing model does not allow:

Section 10 of the GPLv3:
"You may not impose any further restrictions on the exercise of the rights granted
or affirmed under this License."

Nevertheless, the fact that the author does not seem to mind infringing a software license does not mean that we may ignore his terms.  Those who still want to use Nipper for commercial purposes but do not want to pay for the software will need to look at versions older than 0.11.x.  Home users can continue to use the latest Nipper versions for free.  The author has removed all old versions from the Nipper SourceForge page.  If you want to download the latest Nipper version that is not subject to the commercial limitations, version 0.10.0 can be downloaded from PacketStorm.

http://www.titania.co.uk/

Hakin9 magazine: Online and free from now on

Hakin9 magazine, previously a paper-based IT security magazine, is now available for free in digital form. The first free issue will be released on April 30th. To receive it, you need to subscribe to their newsletter.

http://hakin9.org/

Mavituna Security’s Netsparker Community Edition

Mavituna Security released a free version of their Netsparker software.  Netsparker is a web application security scanner that claims its reports are free of false positives.

Some important limitations of the Community Edition: no authentication support whatsoever (forms, NTLM, …), and a number of security checks are not performed, as detailed on the ‘Compare Netsparker Editions’ page.

A Professional license costs $3000 for an unlimited number of websites, or $1000 for up to 3 websites.

http://www.mavitunasecurity.com/communityedition/

Rapid7 NeXpose Community Edition

Recently the company Rapid7 acquired Metasploit, the open source penetration testing framework developed by HD Moore. As I personally had never heard of Rapid7 before, I took a look at what products Rapid7 is currently offering. I am currently a Nessus ProfessionalFeed subscriber, and, although I really love Nessus and think it is a great piece of software for vulnerability and compliance assessments, I am not satisfied with the quality of the reports it produces.
Rapid7 offers a Community Edition (read: free for personal and commercial use; limited to scanning 38 hosts) of their NeXpose software, so I thought I’d give it a try.

After applying for a license for the Community Edition I was happy to get a license key assigned.  I downloaded the NeXpose installer for the Windows OS (32 bit edition), and the installation of the software went smoothly.

The installation creates a desktop icon that runs nsc.bat. After running this file, the NeXpose server should start, and it should be possible to connect to it by browsing to https://127.0.0.1:3780

The server, however, doesn’t work on my system after a successful installation. (Update: issue identified: Windows XP SP2, Windows Vista, Windows 7 and Windows 2008 are currently not supported.)

The following output is shown after running nsc.bat.

C:\Program Files\rapid7\nexpose\nsc>nsc.bat
Copying server libs
Validating jre in directory _jvm
Using jre at _jvm
PATH: .DLLCACHE;..\_jvm\bin;..\_jvm\bin\server;%CommonProgramFiles%\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\;C:\Program Files\Wave Systems Corp\Gemalto\Access Client\v5\;C:\Program Files\Intel\WiFi\bin\;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\tools;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\IBM\Rational AppScan\;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files\Nmap;C:\Program Files\Nmap;C:\Program Files\Nmap
Logging to file C:\Program Files\rapid7\nexpose\update.log
Copying server libs
Validating jre in directory _jvm
Using jre at _jvm
PATH: .DLLCACHE;..\_jvm\bin;..\_jvm\bin\server;.DLLCACHE;..\_jvm\bin;..\_jvm\bin\server;%CommonProgramFiles%\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\;C:\Program Files\Wave Systems Corp\Gemalto\Access Client\v5\;C:\Program Files\Intel\WiFi\bin\;c:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\tools;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\IBM\Rational AppScan\;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files\Nmap;C:\Program Files\Nmap;C:\Program Files\Nmap
NSC         13/03/10 12:37 PM: Logging initialized (system time zone is Australia/Sydney)
NSC         13/03/10 12:37 PM: initializing JDBC drivers
NSC         13/03/10 12:37 PM: NeXpose is running interactively under super-user: Wouter
NSC         13/03/10 12:37 PM: System memory: 3534MB total (939MB free)
NSC         13/03/10 12:37 PM: System speed: 2394MHz (x2)
NSC         13/03/10 12:37 PM: Running first-time configuration
Nexpose     13/03/10 12:37 PM: Configuring PostgreSQL installation in C:\Program Files\rapid7\nexpose\nsc\nxpgsql
PostgresInst13/03/10 12:37 PM: Verifying permissions on C:\Program Files\rapid7\nexpose\nsc\nxpgsql
PostgresInst13/03/10 12:37 PM: Verifying disk space on C:\Program Files\rapid7\nexpose\nsc\nxpgsql
PostgresInst13/03/10 12:37 PM: Postgres data directory already exists. Cleaning up. C:\Program Files\rapid7\nexpose\nsc\nxpgsql\nxpdata
PostgresInst13/03/10 12:37 PM: Creating data directory in C:\Program Files\rapid7\nexpose\nsc\nxpgsql\nxpdata
PostgresInst13/03/10 12:37 PM: Recursively adding access rights of C:\Program Files\rapid7\nexpose\nsc\nxpgsql to SYSTEM
PostgresInst13/03/10 12:37 PM: Adding access rights from root to C:\Program Files\rapid7\nexpose\nsc\nxpgsql to Wouter
SetFileSecurity failed
NSC         13/03/10 12:37 PM: A critical error occured during initialization: com.rapid7.os.OSException: insertAccessAllowedACE failed: Access is denied.
        at com.rapid7.os.win32.OSProvider.insertUserIntoACL(Native Method)
        at com.rapid7.os.win32.OSProvider.insertUserIntoACL(Unknown Source)
        at com.rapid7.os.win32.OSProvider.insertUserRights(Unknown Source)
        at com.rapid7.nexpose.util.D.F(Unknown Source)
        at com.rapid7.nexpose.util.C.J(Unknown Source)
        at com.rapid7.nexpose.nsc.FirstTimeConfigurator.A(Unknown Source)
        at com.rapid7.nexpose.nsc.FirstTimeConfigurator.configure(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.¾(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.¶(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.§(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.run(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.main(Unknown Source)
NSC         13/03/10 12:37 PM: Error during server initialization: java.lang.NullPointerException
NSC         13/03/10 12:37 PM: java.lang.NullPointerException
        at com.rapid7.nexpose.nsc.NSC.§(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.run(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.main(Unknown Source)
NSC         13/03/10 12:37 PM: Shutting down immediately
NSC         13/03/10 12:37 PM: shutting down config manager
NSC         13/03/10 12:37 PM: Shutting down database
NSC         13/03/10 12:37 PM: shutting down logging
: shutting down console
NeXpose Server exited with code 0
Finished.
C:\Program Files\rapid7\nexpose\nsc>

I contacted Rapid7 regarding this issue, but to date (14 days later!) and after 2 reminders I have not received any feedback from them on how to resolve it.  If you have any idea what could cause this error, let me know!

Interim conclusion: would I recommend installing the Community Edition? Sure! I heard it is supposed to be good! Would I consider buying the commercial version or recommending it to someone? No.  My first impressions of Rapid7’s support services and the application’s Windows compatibility are not the best. Once I get the Community Edition up and running I will reconsider my conclusion.

Update: the issue was due to installing NeXpose on one of the currently unsupported OSes; I installed it on Vista.  I’ll give the Linux installer a go today!

Katana: portable multi-boot security suite

Katana is a portable multi-boot security suite designed for many of your computer security needs. The idea behind this tool is to bring together all of the best security distributions to run from one USB drive. Katana includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, Malware Removal and more.

Distros currently included in Katana:

- BackTrack 4
- the Ultimate Boot CD
- Ultimate Boot CD for Windows
- Ophcrack Live
- Puppy Linux
- Kaspersky Live
- Trinity Rescue Kit
- Clonezilla
- Darik’s Boot and Nuke

http://www.hackfromacave.com/katana.html

XBMC: multi-platform open source media center

XBMC is a free and open source software media player and entertainment hub for digital media. XBMC is available for Linux, OS X, Windows, and the original Xbox. Created in 2003 by a group of like-minded programmers, XBMC is a non-profit project run and developed by volunteers located around the world. More than 50 software developers have contributed to XBMC, and 100-plus translators have worked to expand its reach, making it available in more than 30 languages.

While XBMC functions very well as a standard media player application for your computer, it has been designed to be the perfect companion for your Home Theatre PC.  It supports an almost endless range of remote controls, and combined with its beautiful interface and powerful skinning engine, XBMC feels very natural to use from the couch and is the ideal solution for your home theater.

Currently XBMC can be used to play almost all popular audio and video formats around. It was designed for network playback, so you can stream your multimedia from anywhere in the house or directly from the internet using practically any protocol available. Use your media as-is: XBMC can play CDs and DVDs directly from the disk or image file, almost all popular archive formats from your hard drive, and even files inside ZIP and RAR archives. It will even scan all of your media and automatically create a personalized library complete with box covers, descriptions, and fanart. There are playlist and slideshow functions, a weather forecast feature and many audio visualizations. Once installed, your computer will become a fully functional multimedia jukebox.

http://xbmc.org/

Security Acts: Issue 2

Security Acts is a free magazine for professionals in IT security.

Download the latest magazine

Subscribe to be notified when new issues are released.

GreenSQL: Open Source Database Firewall

GreenSQL is an open source database firewall used to protect databases from SQL injection attacks. It works as a proxy between the application and the database and has built-in support for MySQL. Its logic is based on evaluating SQL commands with a risk-scoring matrix as well as blocking known database administrative commands (DROP, CREATE, etc.). Keep in mind that a proxy of this kind is a compensating control: it only sees the traffic that is routed through it, and it does not replace parameterised queries in the application itself.

http://www.greensql.net/
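To make the risk-scoring idea concrete, here is an added example of a query checker in the same spirit. It is not GreenSQL’s code, and the rule set, the weights and the `BLOCK_THRESHOLD` are constructed for illustration: statements that start with a known administrative command are blocked outright, everything else is scored against a small matrix of injection indicators, and a learning mode whitelists the normalised shape of queries seen during a trusted period so that the same query with different literal values passes without being scored again.

```python
import re

# Constructed rule matrix: (name, pattern, weight). Not GreenSQL's own rules.
RULES = (
    ("tautology",     re.compile(r"\bor\b\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I), 30),
    ("comment",       re.compile(r"(--|#|/\*)"), 20),
    ("stacked_query", re.compile(r";\s*\w"), 40),
    ("union_select",  re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I), 30),
    ("schema_probe",  re.compile(r"\b(?:information_schema|mysql\.user|load_file|into\s+(?:out|dump)file)\b", re.I), 30),
    ("time_based",    re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I), 25),
)
ADMIN_STATEMENTS = {"DROP", "CREATE", "ALTER", "TRUNCATE", "GRANT", "REVOKE", "SHUTDOWN"}
BLOCK_THRESHOLD = 30   # constructed: a single strong indicator is enough to block


def first_keyword(sql):
    """Leading SQL keyword, ignoring whitespace and leading /* */ comments."""
    m = re.match(r"\s*(?:/\*.*?\*/\s*)*(\w+)", sql, re.S)
    return m.group(1).upper() if m else ""


def normalize(sql):
    """Collapse string and numeric literals so queries that differ only in
    their values share one shape (the key used by the learning whitelist)."""
    s = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def score(sql):
    """Sum the weights of every matching indicator; returns (risk, [rule names])."""
    hits = [name for name, pat, _ in RULES if pat.search(sql)]
    return sum(w for name, _, w in RULES if name in hits), hits


class SqlFirewall:
    def __init__(self, learning=False):
        self.learning = learning
        self.allowed = set()   # normalised query shapes seen while learning

    def check(self, sql):
        """Return (verdict, risk, reasons); verdict is 'allow', 'block' or 'learn'."""
        if first_keyword(sql) in ADMIN_STATEMENTS:
            return "block", 100, ["admin_statement"]
        shape = normalize(sql)
        if shape in self.allowed:
            return "allow", 0, ["whitelisted"]
        risk, reasons = score(sql)
        if risk >= BLOCK_THRESHOLD:
            return "block", risk, reasons      # never learn a suspicious shape
        if self.learning:
            self.allowed.add(shape)
            return "learn", risk, reasons
        return "allow", risk, reasons


if __name__ == "__main__":
    fw = SqlFirewall()
    for q in ("SELECT * FROM users WHERE id = 5",
              "SELECT * FROM users WHERE name = 'x' OR '1'='1' -- ",
              "SELECT name FROM products WHERE id = 1; DROP TABLE products",
              "/* hi */ DROP TABLE users"):
        print(fw.check(q), q)
```

The threshold is what keeps the comment rule from blocking a legitimate `'a#b'` literal on its own while a tautology plus a trailing comment still scores high enough to block. Learning mode only ever whitelists shapes that scored below the threshold, because a whitelist learned while an attacker was already probing would otherwise permanently open the door.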

Zenoss Core: Open Source Network and Server Monitoring

Zenoss Core is an open source network and server monitoring product.  Zenoss features include:

  • Network, Server, and Application monitoring with a single product
  • Ability to monitor any SNMP enabled device
  • Real-time alerting when outages or slowdowns occur
  • Single Event Console containing Zenoss alerts, SNMP traps, and log events

http://www.zenoss.com/product/network-monitoring

PacketFence: Open Source Network Access Control (NAC)

PacketFence is a free and open source network access control (NAC) system.  The standard feature list as presented on the official website:

  • Registration
    PacketFence supports an optional registration mechanism similar to “captive portal” solutions. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it. The duration of a node registration can be a relative value (e.g. “four weeks from first network access”) or an absolute date (e.g. “Thu Jan 20 20:00:00 EST 2009”).
  • Detection of abnormal network activities
    Abnormal network activities (computer viruses, worms, spyware, etc.) can be detected using local and remote Snort sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
  • Proactive vulnerability scans
    Nessus vulnerability scans can be performed on a scheduled or ad-hoc basis. PacketFence correlates the Nessus vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.
  • Isolation of problematic devices
    PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
  • Remediation through a captive portal
    Once trapped, all HTTP, IMAP and POP sessions are terminated by the PacketFence system. Based on the node’s current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with removal instructions for the particular infection he/she has.
  • 802.1X
    802.1X is supported through a FreeRADIUS module.
  • Wireless integration
    PacketFence integrates with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way.
  • DHCP fingerprinting
    DHCP fingerprinting can be used to automatically register specific device types (e.g. VoIP phones) and to disallow network access to other device types (e.g. game consoles).

http://www.packetfence.org
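The DHCP fingerprinting feature in the last bullet works on the Parameter Request List (option 55) that a client sends in its DHCPDISCOVER and DHCPREQUEST messages: the order and set of options a client asks for is characteristic of its network stack. The following is an added example, not PacketFence’s code, that parses the options field of a DHCP message, renders option 55 in the comma-separated form fingerprint tables use, and maps it to a NAC action. The `FINGERPRINTS` table and its device classes are constructed for illustration only; PacketFence ships its own fingerprint database, and the `build_client_options` helper exists only to assemble test input.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that precedes the options field
DHCPDISCOVER, DHCPREQUEST = 1, 3   # option 53 message types sent by clients

# Constructed fingerprint table: option-55 lists mapped to (device class,
# action). Illustrative only; not PacketFence's database.
FINGERPRINTS = {
    "1,3,6,15,42,66,150": ("voip-phone", "register"),
    "1,3,6,15,28,51": ("game-console", "deny"),
}


def parse_dhcp_options(field):
    """Parse a DHCP options field (cookie followed by TLVs) into {code: bytes}.

    Handles PAD (0) and END (255) and rejects truncated options instead of
    reading past the end of the buffer.
    """
    if field[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == 255:                        # END: nothing after this is an option
            break
        if code == 0:                          # PAD: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        data = field[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = data
        i += 2 + length
    return opts


def fingerprint(opts):
    """Option 55 rendered as the comma-separated list used for fingerprint lookups."""
    return ",".join(str(b) for b in opts.get(55, b""))


def decide(field, table=FINGERPRINTS):
    """Map a client DHCP message to a NAC action: 'register', 'deny', or
    'captive-portal' for a device class the table does not know."""
    opts = parse_dhcp_options(field)
    if opts.get(53, b"") not in (bytes([DHCPDISCOVER]), bytes([DHCPREQUEST])):
        return ("ignore", None)                # server-side messages carry no client fingerprint
    kind, action = table.get(fingerprint(opts), ("unknown", "captive-portal"))
    return (action, kind)


def build_client_options(prl, msg_type=DHCPDISCOVER):
    """Assemble a minimal options field for testing: cookie, option 53, option 55, END."""
    return DHCP_MAGIC + bytes([53, 1, msg_type, 55, len(prl)]) + bytes(prl) + b"\xff"


if __name__ == "__main__":
    for prl in ([1, 3, 6, 15, 42, 66, 150], [1, 3, 6, 15, 28, 51], [1, 3, 6]):
        print(prl, "->", decide(build_client_options(prl)))
```

The parser deliberately refuses truncated TLVs rather than silently returning partial data, since a malformed option field is exactly what a hostile client on the access network would send. Also note what this classification is and is not: option 55 is entirely under the client’s control, so DHCP fingerprinting is a convenience for auto-registering known device classes, not an authentication of the device; a console that announces itself with a phone’s fingerprint will be registered as a phone unless a second signal (802.1X, switch port, MAC OUI) is checked as well.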
