A Sneak Peek at Some Cool Software Security Tools

My last blog leads me neatly onto the good stuff. Joining a new company is like a poker game: they need to tell you enough to get you interested, but not so much that if you decide not to join you could screw up their plans. I knew ACE had bits of cool stuff that were part of my grand dream of creating a real platform and suite of tools for making informed security decisions, but I didn’t know just how much, or how cool they were.

What follows is pure ACE from before I joined, but there is an uncanny resemblance to what I had hoped to build! I will leave the commentary about where this will fit into the Oxygen Security Platform™ and the future for a later date, but I do have some screenshots of a few tools to share as “sneak peeks” of what the future may look like for our tooling. It won’t take a brain surgeon to extrapolate that the focus is on solving pragmatic security business problems. The future is about connecting People, Process and Technology! It’s also worth pointing out that these screenshots are all of software-security-specific tools, and software security is a small part of the grand vision, but nevertheless they will give you a flavor of what may be around the corner ;-)

Threat Analysis & Modeling Enterprise (TAM-E)

By now threat modeling has become widely adopted as a de facto practice when building secure software. It’s no secret there are several threat modeling methodologies at Microsoft, each tuned to its target audience: the SWI folks have one, PAG has another and ACE has another. It’s the English phrase “horses for courses”: some racehorses perform better over flat races and some perform better over jumps. The ACE methodology is asset-centric and tailored to building LOB and web apps. For a while my colleagues in ACE have been figuring out the answer to a simple question: “If we all agree threat modeling should be a core part of the process of building secure line-of-business and web applications, what does the tooling look like for teams?” As a result we have developed what is now called Threat Analysis & Modeling Enterprise, or TAM-E for short. I mentally call it Oxygen release 0.9, but I am obsessed! The idea behind TAM-E is that it is a system for managing certain attributes of the application security lifecycle across your enterprise and for helping with effective security knowledge management across your enterprise. If you are in a corporate environment you are going to smile and nod your head violently.

When you first launch the tool you get this screen.

[Screenshot: TAMLaunchPad]

TAM-E is based around the high level concept of Define, Model, Measure.

[Screenshot: APMHomePage]

The idea is you first Define all of your applications across your enterprise. We call this Application Portfolio Management, or APM for short. We are smart like that with naming! You can think of APM as an application asset tracking system, i.e. this is an HR application called HRWorld, built by team X, made up of technology components Y and processing Z type of data. This portfolio sits at the heart of managing the security of the applications throughout the lifecycle. When populated you can run a query asking which applications in the environment process a particular type of data, or even which ones use a specific library.

[Screenshot: APMAppEnt]

You can organize applications by business units, org units etc., and we have built in the ability to undertake a basic web-based risk assessment (yes Hutton, I know it’s not a real risk assessment; this is why we need to talk frequently so you can drum into me what risk assessment really is) which organizations can then use to determine attributes of the security process that will follow: “Application X is this type of app, therefore you need this type of assessment or will need to leverage these libraries or standards.” Of course the questions can all be tailored to the exact organization.

[Screenshot: APMRisk]

Most people have already seen the Threat Modeling client tool used to build up the model itself, so I won’t go into details here, although it’s obviously been updated and has some new functionality.

Now it gets good! Companies can use or extend our control types and define their own. This is very powerful. We ship with a CTL, or Common Task List. As an example, a CTL entry may say “Lib Y”, which may then be mapped to securing credit card data.

The AntiXSS library can be mapped to the exit points or sinks (output fields) of your application, and so on. It doesn’t take a brain surgeon to figure out how powerful this can become in a corporate enterprise!

[Screenshot: APMStandards]

TAM-E is available today under a subscription model. You can contact me or any of my colleagues on the ACE Team to get more information!

CAT.NET (Code Analysis Tool)

The next tool is a static code analysis tool for managed code. It started life as a Microsoft Research project by a smart guy we have here called Ben Livshits. Ben and his crew are working on all sorts of smart stuff like safer languages and ways of constructing applications. The original paper for this tool can be found here. Essentially it takes the IL, builds a call graph and traverses that call graph to figure out where input validation attacks (untrusted input reaching a sensitive output without validation or encoding) can occur. I am told it’s been tested against the commercial tools and performs very well ;-) We have a free trial version going on MSDN that just looks for XSS (it went live today) and an extended version that we are using internally and that is available to selected folks (like the Developer Security MVPs) in a private beta. The tool integrates with Visual Studio and can also be run on its own. We are in the process of deciding what to do next with this tool, and your feedback can shape its future, so don’t be shy!
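To make two of the ideas above concrete, the CAT.NET approach (build a call graph from the IL, then traverse it looking for untrusted input reaching an output) and the TAM-E idea of mapping AntiXSS to specific exit points or sinks, here is an added example. It is not CAT.NET’s code or anything from the ACE team: it is a toy interprocedural taint analysis in Python over a small, hand-lowered program. The method names (Page_Load, Greet, Encode, Render, Length), the sink labels and the sanitizer table are all constructed for illustration.

```python
"""Toy interprocedural taint analysis in the spirit of CAT.NET's call-graph traversal.
Added example: program, method names and sanitizer table are constructed, not CAT.NET's."""
import re

# A small ASP.NET-style page, hand-lowered to simple instructions (a stand-in for IL).
# Parameters are p0, p1, ...; "ret" is the return value; a never-assigned name
# such as "lit" is an untainted literal. (Constructed sample program.)
PROGRAM = {
    "Page_Load": [
        ("source", "name", "Request.QueryString"),          # attacker-controlled input
        ("call", "Greet", ["name"], "banner"),
        ("sink", "banner", "Response.Write"),               # finding: raw input into HTML
        ("call", "Encode", ["name"], "safe"),
        ("sink", "safe", "Response.Write"),                 # clean: HtmlEncode covers this sink
        ("sink", "safe", "ClientScript.RegisterStartupScript"),  # finding: HTML encoder, JS sink
        ("call", "Render", ["name"], None),                 # finding: sink reached inside callee
        ("call", "Length", ["name"], "n"),
        ("sink", "n", "Response.Write"),                    # clean: ret independent of input
    ],
    "Greet":  [("concat", "ret", ["lit", "p0"])],
    "Encode": [("sanitize", "ret", "p0", "AntiXss.HtmlEncode")],
    "Render": [("concat", "tag", ["lit", "p0"]), ("sink", "tag", "Response.Write")],
    "Length": [("assign", "ret", "lit")],
}

# A sanitizer only neutralises the sinks it is mapped to; this is why AntiXSS is
# mapped to specific exit points rather than treated as a blanket fix. (Assumed table.)
SANITIZERS = {
    "AntiXss.HtmlEncode": frozenset({"Response.Write"}),
    "AntiXss.JavaScriptEncode": frozenset({"ClientScript.RegisterStartupScript"}),
}
# Taint facts are (label, cleared): label is ("src", name) or ("param", i);
# cleared is the set of sinks some sanitizer on the path has already made safe for.


def param_count(body):
    """Infer how many p0, p1, ... parameters a method body refers to."""
    idx = [int(v[1:]) for ins in body for f in ins[1:]
           for v in (f if isinstance(f, list) else [f])
           if isinstance(v, str) and re.fullmatch(r"p\d+", v)]
    return max(idx, default=-1) + 1


def propagate(program, method, env, summaries, hits):
    """Walk one method propagating taint; record sink hits as (label, sink, call chain)."""
    env = dict(env)
    taint = lambda v: env.get(v, set())
    for ins in program[method]:
        op = ins[0]
        if op == "source":
            env[ins[1]] = {(("src", ins[2]), frozenset())}
        elif op == "assign":
            env[ins[1]] = set(taint(ins[2]))
        elif op == "concat":
            env[ins[1]] = set().union(*(taint(v) for v in ins[2]))
        elif op == "sanitize":
            cleared = SANITIZERS[ins[3]]
            env[ins[1]] = {(lab, done | cleared) for lab, done in taint(ins[2])}
        elif op == "call":
            _, callee, args, dst = ins
            ret_from, sink_params = summaries[callee]
            argt = [taint(a) for a in args]
            if dst is not None:  # the return value carries what the callee's summary says
                env[dst] = {(lab, done | cleared) for i, cleared in ret_from
                            for lab, done in argt[i]}
            for i, sink, chain in sink_params:  # an argument reaches a sink inside the callee
                hits.update((lab, sink, f"{method} -> {chain}")
                            for lab, done in argt[i] if sink not in done)
        elif op == "sink":
            hits.update((lab, ins[2], method) for lab, done in taint(ins[1]) if ins[2] not in done)
    return env


def summarize(program, method, summaries):
    """Method summary: which params reach ret (and how cleaned), and which reach sinks."""
    env = {f"p{i}": {(("param", i), frozenset())} for i in range(param_count(program[method]))}
    hits = set()
    env = propagate(program, method, env, summaries, hits)
    ret = frozenset((lab[1], done) for lab, done in env.get("ret", set()) if lab[0] == "param")
    sinks = frozenset((lab[1], sink, chain) for lab, sink, chain in hits if lab[0] == "param")
    return ret, sinks


def compute_summaries(program):
    """Iterate summaries to a fixpoint (finite lattice, monotone propagation)."""
    summaries = {m: (frozenset(), frozenset()) for m in program}
    while True:
        new = {m: summarize(program, m, summaries) for m in program}
        if new == summaries:
            return summaries
        summaries = new


def analyze(program):
    """Sorted (source, sink, call chain) triples where taint reaches a sink unencoded."""
    summaries = compute_summaries(program)
    findings = set()
    for m in program:
        hits = set()
        propagate(program, m, {}, summaries, hits)
        findings |= {(lab[1], sink, chain) for lab, sink, chain in hits if lab[0] == "src"}
    return sorted(findings)


if __name__ == "__main__":
    for src, sink, chain in analyze(PROGRAM):
        print(f"XSS candidate: {src} -> {sink} via {chain}")
```

Three things in the toy are worth noticing. The finding through Render shows why the analysis has to be interprocedural: the sink is in a callee, so a per-method scan of Page_Load would miss it, which is what the method summaries are for. The Encode case shows that a sanitizer is only a fix for the sinks it is mapped to: HtmlEncode output is fine in Response.Write but still flagged when the same value reaches a script-registration sink, so mapping the AntiXSS library to concrete exit points matters. And Length shows the analysis tracking data flow rather than just "this method touched user input". A real tool working on IL has to handle aliasing, fields, collections and virtual dispatch on top of this, which the toy leaves out.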

[Screenshot: catnet]

Spider TCM

Spider is a big tool that has taken a LOT of development. It’s an assessment and compliance tool that ties host-based security posture to higher-level standards and policies.

[Screenshot: Spider1]

Scans can be configured to run automatically (or manually) and targets selected.

Spider then goes off across the network, collects the data from the targets and brings it back to a central location, where reports can be generated. It’s a simple concept, but Spider has been optimized to be fast and accurate.

[Screenshot: spider2]

Now you can imagine Spider hooking back into a platform for workflow and remediation of the issues found, and you can see why I get excited by things like this!

[Screenshot: spider3]

Spider is available today under a subscription model.

[Screenshot: spider4]

As you can see, the ACE Team have been extremely busy and plan to continue the pace as these tools grow and expand.

Blue skies!

Right, I have to run and catch a plane to Rome in a few hours, and some sleep might be useful! I have to be up again in 4 hours. Phew… been there, slept 3 hours, went to Rome, had pasta for lunch, met some great people, flew back and finished the blog. Phew. Oh look, it’s 1am again!

10 Comments on “A Sneak Peek at Some Cool Software Security Tools”

  1. Alex Says:

    MC-

    Honestly, I’m no more worked up over that “risk assessment” than I am over the ones automated penetration testing suites, the current GRC market, or even other solutions (controlpath comes to mind) produce. Technically speaking, it’s not _wrong_ because risk can be defined so many different ways (check your dictionary), and these tools all have benefit. All these things output really nice qualitative priors for those who *do* know what risk means and how they can use it to their advantage.

    Spider seems to be pretty freakin’ cool. You’ll have to give me some time offline at some point to discuss what that could provide IRM groups with in terms of ability to measure capability to manage risk.

  2. alik levin's : Security Tools From Microsoft ACE Team Says:

    [...] Mark covers arsenal of security tools available from Microsoft ACE team. The tools are: [...]

  4. Ravikanth Says:

    Can you tell me how to subscribe to the tools? I have been using the TAM tool for quite a long time. I want to be an early user of TAM-E and the other tools (SPIDER, CAT.NET).

  5. Indrek Says:

    Well well… maybe I am blind, but how can I contact you? :)

    Those two tools that are distributed only to subscribers are very interesting…

    But how to subscribe?

  6. Dave Says:

    Sneak PEEK, not “peak.”

  8. Breakpoint » Arhiiv » Tech Ed Developers 2007 järelkaja Says:

    [...] TAM-Wizard - a tool that asks you questions about the project at hand and produces a report of potential security problems in the project. [...]

  10. Delbert Says:

    What I want to know is when ACE are going to automate BSBingo - you’ve been promising this for some time now.