MIR-SWAMP Pen Testing with Black Hills

The SWAMP team prides itself on having a dedicated cybersecurity group. We take this responsibility very seriously. As proud as we are, it would be foolish to not seek review by someone unaffiliated with our project that can provide an objective assessment. So when the reputable cybersecurity firm Black Hills Information Security (BHIS) generously offered to perform a network penetration test, web application penetration test, and risk assessment all pro bono, we jumped at the opportunity. BHIS is owned by John Strand, one of the co-hosts of the popular Paul’s Security Weekly podcast.

The pen test planning started with our staff providing a high level overview of the SWAMP network and DNS namespace to determine what resources would be considered in-scope and to plan the order in which the resources would be tested. It also gave us an opportunity to announce maintenance windows during times when user facing services would be tested. SWAMP users were notified of these windows in advance of the testing. However, the SWAMP’s infrastructure was designed to handle significant network loads and was not disrupted by the pen test activities. The actual pen testing started on January 9th, 2017 with a reconnaissance phase in which BHIS attempted to discover as much information about SWAMP staff, resources, and names as possible through social media, websites, DNS registration records, and other public records. From the earliest days of the SWAMP, our staff has given attention to these types of public information vulnerabilities, and BHIS recognized that with praise in their final report.

After the reconnaissance phase, BHIS began scanning the SWAMP’s external network for listening services and checking for known vulnerabilities in any services found. Fortunately, the network scan discovered no surprise exposures that we were not already aware of, although it is quite common to find vulnerable services running during such a scan. The SWAMP staff performs these types of scans on a regular basis.

During the following week of the test, BHIS focused on the SWAMP web application and backend services to check for unique vulnerabilities in the web application. This was the most valuable part of the test, because although we run software analysis tools on the SWAMP code to try to detect weaknesses, the current state of software analysis is somewhat limited, which is something SWAMP is working to change. There can be logic mistakes that are difficult to detect using automated tools and require manual investigation. Their manual scan found such a weakness in the form of a privilege escalation vulnerability that was easier to detect through pen testing than it was using static analysis tools. Instead of waiting until delivering the final report, BHIS immediately and confidentially contacted SWAMP’s security team to report the problem. We fixed it in test and production the same day and released a new version of SWAMP-in-Box the following week. That BHIS decided to notify us immediately, demonstrated their understanding of the risk presented by the vulnerability. It also gave them an impression of the effectiveness of our incident response procedures, which they rated as excellent.

They also performed an internal network scan, which included using a pivot host that represented a compromised system on our internal network. This simulated a more threatening scenario for an attack. The scan found a few hosts that were behind on patches, which were due to delayed updates from license re-negotiations. The tests also provided us a way to effectively see how well our Intrusion Detection System (IDS) worked. During the test, our IDS detected and notified us of a variety of port scans, SQL Injection attacks, SSH brute force attempts, network traceroutes, unusual email traffic, and malware downloads. On each new class of alerts, we confirmed with the testers that the alarms were due to their activity. After comparing the detection and notification logs with the information in the BHIS report, we determined that the IDS detected and notified us for the majority of their attempts.

The test concluded on January 27, 2017. The final report was that the overall risk level of the SWAMP is “Low”, which is the second lowest rating on their five category scale.

From the final report: “BHIS considers the overall risk to SWAMP based on the key findings in this report to be Low. SWAMP’s external web application appeared to have secure coding standards in place and the external testing did not result in any significant issues. BHIS found the internal network to have several systems missing up-to-date patches, specifically in virtual machine management devices.”

The SWAMP team is already working to address the issues that BHIS brought up and plans to resolve them within the next month, if not sooner.

The SWAMP team would like to thank Black Hills Information Security for this penetration test. The fruits of their efforts not only protect the SWAMP, but also its users, and thus contributes to achieving a more secure software community.

SWAMP & Secure Development for the Cloud

MISTI logoIn today’s MISTI blog post, “Secure Development for the Cloud,” author Randall Brooks mentions SWAMP and SWAMP-in-a-Box as great resources for organizations with limited funds who are looking for secure coding solutions. Incorporating many free and open-source analysis tools, the Software Assurance Marketplace offers both cloud-based and on-premises solutions for continuous software assurance. Read the full article.

Brooks will also be presenting at the upcoming 2017 InfoSec World Conference in Orlando. Session B4 “Secure Development for the Cloud” will include a bit about the SWAMP. Catch the presentation on Monday, April 3 at 2:15pm-3:05pm.

SWAMP-in-a-Box Update 1.29

SWAMP-in-a-Box version 1.29 is now available for download! The latest files are on GitHub, or you can download the install files here. Noteworthy changes include:New

  • Added support for 5 new programming languages: CSS, HTML, JavaScript, PHP, and XML.
  • Addition of 9 assessment tools for web scripting languages: CSS Lint (for CSS), ESLint (for JavaScript), Flow (for JavaScript), HTML Tidy (for HTML and XML), JSHint (for JavaScript or HTML files with inline JavaScript), PHPMD (for PHP), PHP_CodeSniffer (for PHP, JavaScript, and CSS), Retire.js (for JavaScript), and XML Lint (for XML).
  • Added new versions and/or updates for the following assessment tools: Bandit, Flake8, Pylint, checkstyle, OWASP Dependency Check, error-prone, FindBugs, and PMD.
  • When adding a new package or adding a new version to an existing package, users have the option to select an archive file from the local file system or enter an external URL and a checkout argument (branch, tag, or commit) for a remote Git repository.
  • Improved error reporting for assessment failures. Successful assessment runs are no longer erroneously reported as having finished with errors. Assessments that complete with a status of “finished with errors – retry” can be re-run and should complete successfully.
  • Updated the “Status.out and Debugging SWAMP Failures” document to assist with debugging failed assessments. Failed assessments now show the contents of the status.out file at the top of the Failed Assessment Report (by clicking the “! Error” button in the Results column).
  • The names of the statuses shown on the Results page have been updated to better indicate what is happening as assessment jobs are processed.
  • Minimum hardware requirements have increased to 4 CPU cores and 16 GB of RAM.

Let us know if you have any questions at sib@continuousassurance.org.

See SWAMP at OSCON 2017

If you will be in Austin, TX this May for OSCON 2017, stop by to see the SWAMP Team! When registering for the conference, use our discount code, SWAMP25, to save 25% on your admission, and be sure to look out for the Software Assurance Marketplace in Booth #518 on May 10th and 11th!

Several SWAMP team members will be giving presentations at the conference, in addition to demoing the latest enhancements to SWAMP and SWAMP-in-a-Box!

OSCON 2017 Exhibiting Banner

SWAMP-in-a-Box Update 1.28.2

Greetings, SWAMP-in-a-Box community.

SWAMP-in-a-Box build 1.28.2.33 is a security release addressing a privilege escalation vulnerability found in a pentest by Black Hills Infosec. We’d like to thank them for their thorough and professional work on behalf of the SWAMP project.

The vulnerability allows authenticated SWAMP users to obtain unauthorized administrative rights. At this time, we do not believe the vulnerability is known outside of the SWAMP team or being actively exploited, but we recommend SWAMP-in-a-Box deployers upgrade to this latest version as soon as possible. If you are unable to upgrade, you should disable any untrusted users as a temporary mitigation.

Additionally, we have updated the SWAMP-in-a-Box install/upgrade script to be tied to HTCondor version 8.4.11. Please contact us if you are currently running HTCondor version 8.6.0.

Packages for new installs can be found at https://github.com/mirswamp/deployment (GitHub) and https://platform.swampinabox.org/siab-latest-release/ (SWAMP read-only server).

Instructions for upgrading can be found in README-UPGRADE.md.

SWAMP Supports CodeSonar and Web Scripting Languages!

Today, the SWAMP released several new and exciting updates which are now available on mir-swamp.org! New

  • GrammaTech’s CodeSonar static analysis tool has been added to assess C/C++ packages. Users must request access, agree to the EULA, and receive permission before using this tool in the SWAMP.
  • We added support for 5 new programming languages: CSS, HTML, JavaScript, PHP, and XML.
  • We added 9 new assessment tools for web scripting languages:
    • CSS Lint (for CSS)
    • ESLint (for JavaScript)
    • Flow (for JavaScript)
    • HTML Tidy (for HTML and XML)
    • JSHint (for JavaScript or HTML files with inline JavaScript)
    • PHPMD (for PHP)
    • PHP_CodeSniffer (for PHP, JavaScript, and CSS)
    • Retire.js (for JavaScript)
    • XML Lint (for XML)
  • We added several new sample curated packages for the web scripting languages on the Resources tab under Packages.
  • We added new versions and/or updates for the following assessment tools: Bandit, Flake8, Pylint, checkstyle, OWASP Dependency Check, error-prone, FindBugs, PMD.
  • When adding a new package or adding a new version to an existing package, users have the option to select an archive file from the Local File System or enter an external URL and a checkout argument (branch, tag, or commit) for a Remote Git Repository.
  • Improved error reporting for assessment failures. Assessments that complete with a status of “finished with errors – retry” can be re-run and should complete successfully.
  • Updated the “Status.out and Debugging SWAMP Failures” document on the Help page to assist with debugging failed assessments. Failed assessments now show the contents of the status.out file at the top of the Failed Assessment Report (by clicking the “! Error” button in the Results column).
  • Added a Compatibility tab to the Package Version view to show platform compatibility information for curated packages.
  • The names of the statuses shown on the Results page have been updated to better indicate what is happening as assessment jobs are processed.

Let us know if you have any questions at support@continuousassurance.org.

SWAMP Is Coming to OSCON 2017!

Are you headed to Austin, TX in May for OSCON 2017? If so, today is the last day to get the “Best Price” on conference passes. Use our discount code, SWAMP25, to save 25% on your admission, and be sure to look out for the Software Assurance Marketplace in Booth #518 at OSCON on May 8-11!

Our team members will be giving several presentations at the conference, as well as demoing the latest enhancements to SWAMP and SWAMP-in-a-Box!

 

« Older Entries