Operating System - HP-UX

How to measure and record SW security level?

 
Lennart Damm
Occasional Contributor

How can I measure (and record) the security level of a program, be it OS, service SW or application SW? How can I measure the security level improvement after a security patch? Are there any known solutions to this, or any research going on to define "measuring of SW security"?
There is always something ...
4 REPLIES
G. Vrijhoeven
Honored Contributor

Re: How to measure and record SW security level?

Hi,

You can check:

suid/sgid bits, open dirs, services/port numbers the software uses, user/group definitions.
O.S. security level (Trusted or not).
I do not know of any software that checks everything, but you can write a script that checks the stuff you think is important.

Gioden
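As an added example (not part of the reply above, and not an HP tool), here is the kind of script that reply suggests, in Python rather than sh/ksh so the pieces are easy to reuse: it reports setuid/setgid files, world-writable directories that lack the sticky bit, and passwd entries that are either extra uid-0 accounts or have an empty password field. The file tree and the passwd text are constructed inside the script so it runs stand-alone; point `audit_host()` at a real root and real `/etc/passwd` contents to use it for its intended purpose. Listening services and ports are not covered here.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Constructed /etc/passwd-style sample (not from any real host): one extra uid-0
# account ("oper") and one account with an empty password field ("guest").
SAMPLE_PASSWD = """root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
oper:x:0:20::/home/oper:/sbin/sh
guest::501:20::/home/guest:/usr/bin/sh
"""

def find_suid_sgid(root: str) -> List[str]:
    """Regular files under root with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks during an audit
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)

def find_world_writable_dirs(root: str) -> List[str]:
    """Directories under root writable by 'other' and lacking the sticky bit,
    i.e. anyone can create, rename or delete entries in them."""
    hits = []
    for dirpath, dirs, _files in os.walk(root):
        for name in dirs:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISDIR(st.st_mode):
                continue  # a symlink to a directory; skip it
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                hits.append(path)
    return sorted(hits)

def check_passwd(text: str) -> Dict[str, List[str]]:
    """Flag extra uid-0 accounts and accounts whose password field is empty."""
    extra_uid0, empty_pw = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; a fuller audit would report these too
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            extra_uid0.append(user)
        if pw == "":
            empty_pw.append(user)
    return {"extra_uid0": extra_uid0, "empty_password": empty_pw}

def audit_host(root: str, passwd_text: str) -> Dict[str, List[str]]:
    """Run all checks and return one dict of findings."""
    result = {"suid_sgid": find_suid_sgid(root),
              "world_writable_dirs": find_world_writable_dirs(root)}
    result.update(check_passwd(passwd_text))
    return result

def build_demo_tree(base: str) -> None:
    """Constructed miniature filesystem: one setuid binary, one sticky tmp dir
    (fine) and one world-writable spool dir without the sticky bit (flagged)."""
    def mkdir(rel, mode=0o755):
        path = os.path.join(base, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # set explicitly so the umask cannot interfere
    def touch(rel, mode=0o555):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("#!/sbin/sh\n")
        os.chmod(path, mode)
    mkdir("usr"); mkdir("usr/bin")
    touch("usr/bin/passwd", 0o4555)  # setuid, as the real passwd binary is
    touch("usr/bin/ls", 0o555)
    mkdir("tmp", 0o1777)             # world-writable but sticky: not flagged
    mkdir("var"); mkdir("var/spool")
    mkdir("var/spool/drop", 0o777)   # world-writable, no sticky bit: flagged

def run_demo() -> Dict[str, List[str]]:
    """Build the demo tree in a temp dir, audit it, return paths relative to it."""
    base = tempfile.mkdtemp(prefix="hostaudit-")
    build_demo_tree(base)
    result = audit_host(base, SAMPLE_PASSWD)
    for key in ("suid_sgid", "world_writable_dirs"):
        result[key] = [os.path.relpath(p, base) for p in result[key]]
    return result

if __name__ == "__main__":
    for key, items in run_demo().items():
        print(f"{key}: {items}")
```

Recording the output of `audit_host()` after each change gives a baseline to diff against; a setuid file or world-writable directory that appears after a package install is the kind of change this reply is pointing at.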
Stefan Farrelly
Honored Contributor

Re: How to measure and record SW security level?

We use a 3rd party program called Nessus which probes all ports for known vulnerabilities. After it reports problems we try to secure them - with security patches or config changes, then run Nessus again to see if they are now secure.

e.g. it reports:

List of open ports :


sunrpc (111/tcp) (Security notes found)
smtp (25/tcp) (Security hole found)
http (80/tcp) (Security notes found)
unknown (942/tcp) (Security notes found)
ftps-data (989/tcp) (Security notes found)
unknown (4045/tcp) (Security notes found)
unknown (49152/tcp) (Security notes found)
unknown (49153/tcp) (Security notes found)
unknown (49154/tcp) (Security notes found)
unknown (49155/tcp) (Security notes found)
unknown (49156/tcp) (Security notes found)
unknown (49192/tcp) (Security notes found)
unknown (52439/tcp) (Security notes found)
sunrpc (111/udp) (Security notes found)
unknown (941/udp) (Security notes found)
nfs (2049/udp) (Security notes found)
unknown (4045/udp) (Security notes found)
unknown (49163/udp) (Security hole found)
unknown (49164/udp) (Security notes found)
unknown (49165/udp) (Security notes found)
unknown (49166/udp) (Security notes found)
unknown (49169/udp) (Security hole found)
unknown (49179/udp) (Security notes found)
epmap (135/tcp) (Security warnings found)
epmap (135/udp) (Security notes found)
ftp (21/tcp) (Security hole found)
netbios-ssn (139/tcp) (Security notes found)
netbios-ns (137/udp) (Security warnings found)
nfs (2049/tcp) (Security warnings found)
snmp (161/udp) (Security hole found)
ssh (22/tcp) (Security hole found)
shell (514/tcp) (Security warnings found)
login (513/tcp) (Security warnings found)
general/tcp (Security notes found)
general/icmp (Security warnings found)
unknown (49179/tcp) (Security hole found)

[ back to the list of ports ]
Information found on port sunrpc (111/tcp)


The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223


[ back to the list of ports ]
Information found on port sunrpc (111/tcp)


RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port
RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111


etc etc.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Ralph Haefner
Frequent Advisor

Re: How to measure and record SW security level?

I like reading www.securityfocus.com and infosecuritymag.techtarget.com. They often have articles relating to your questions above about measuring and documenting security. You may find some good information scanning the archives at those websites.
Keith Buck
Respected Contributor

Re: How to measure and record SW security level?

First, I'll say that it's important to know what you are measuring. Many things could be called 'security level' that may have very subtle meanings. Two options:

Security Patch Check
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

Can be used to tell you how many patches are missing from the system. Maybe you could say that 10 patches missing is worse than 5. However, if one of the 5 is a remote root exploit, it might be worse off than if the 10 patches are relatively minor. All you can say is that you are missing that many patches. It doesn't tell you about the severity of those fixes or about any other steps you need to take to secure the system (updates, manual actions, etc.)

CIS has a tool that will give the system a score (scalar number between 0 and 10). This is probably what you are looking for, but use caution when looking at the results. Items in the CIS benchmark are not weighted, so very serious issues could exist even with a high score, while closing all the serious issues may still result in a low score :(

And, neither of these includes 3rd party applications. If those apps run as root, for example, they could compromise the entire system despite other security measures.

In order to define a proper security metric, it needs to look at many axes: authentication, authorization, integrity, reliability, etc. It also needs to look at the entire network and take threat levels into account.

Hope that helps.

-Keith
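An added example, not from either reply and not part of Nessus or the CIS tool, tying together Stefan's scan-patch-rescan loop and Keith's warning about unweighted scores. It parses the "List of open ports" section of a Nessus text report (the "before" sample is a subset of the list quoted in Stefan's reply; the "after" sample is constructed to represent the same host after patching), counts findings per severity, computes a severity-weighted score with hypothetical weights, and diffs the two scans. The point it makes in numbers is Keith's: the "after" scan has more findings than the "before" scan, yet fewer holes, so a plain count says it got worse while a weighted score says it got better.

```python
import re
from typing import Dict, List, Tuple

# One finding is keyed by (service, port, protocol); port is "" for "general/<proto>" rows.
Key = Tuple[str, str, str]

PORT_LINE = re.compile(
    r"^(?P<svc>\S+) \((?P<port>\d+)/(?P<proto>tcp|udp)\) \(Security (?P<sev>hole|warnings|notes) found\)$")
GENERAL_LINE = re.compile(
    r"^(?P<svc>general)/(?P<proto>tcp|udp|icmp) \(Security (?P<sev>hole|warnings|notes) found\)$")

SEVERITY_RANK = {"notes": 1, "warnings": 2, "hole": 3}
# Hypothetical weights for the three Nessus severities; Nessus itself does not define these.
WEIGHTS = {"notes": 1, "warnings": 3, "hole": 10}

# Subset of the port list quoted in Stefan's reply: the "before" scan.
BEFORE_SCAN = """List of open ports :

sunrpc (111/tcp) (Security notes found)
smtp (25/tcp) (Security hole found)
http (80/tcp) (Security notes found)
ftp (21/tcp) (Security hole found)
snmp (161/udp) (Security hole found)
ssh (22/tcp) (Security hole found)
shell (514/tcp) (Security warnings found)
login (513/tcp) (Security warnings found)
general/icmp (Security warnings found)
"""

# Constructed "after" scan: smtp and ssh patched (now notes), ftp/shell/login
# disabled, snmp still unpatched, and three high RPC ports newly reported.
AFTER_SCAN = """List of open ports :

sunrpc (111/tcp) (Security notes found)
smtp (25/tcp) (Security notes found)
http (80/tcp) (Security notes found)
snmp (161/udp) (Security hole found)
ssh (22/tcp) (Security notes found)
nfs (2049/udp) (Security notes found)
unknown (49152/tcp) (Security notes found)
unknown (49153/tcp) (Security notes found)
unknown (49154/tcp) (Security notes found)
general/icmp (Security warnings found)
"""

def parse_port_list(text: str) -> Dict[Key, str]:
    """Map each port row of a Nessus text report to its worst reported severity."""
    findings: Dict[Key, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line) or GENERAL_LINE.match(line)
        if not m:
            continue  # headers, blank lines, "[ back to the list of ports ]" etc.
        d = m.groupdict()
        key: Key = (d["svc"], d.get("port") or "", d["proto"])
        sev = d["sev"]
        if key not in findings or SEVERITY_RANK[sev] > SEVERITY_RANK[findings[key]]:
            findings[key] = sev  # keep the worst severity if a port is listed twice
    return findings

def count_by_severity(findings: Dict[Key, str]) -> Dict[str, int]:
    """Unweighted tally: what a 'number of findings' metric would report."""
    counts = {"hole": 0, "warnings": 0, "notes": 0}
    for sev in findings.values():
        counts[sev] += 1
    return counts

def weighted_score(findings: Dict[Key, str], weights: Dict[str, int] = WEIGHTS) -> int:
    """Severity-weighted score; lower is better."""
    return sum(weights[sev] for sev in findings.values())

def compare_scans(before: Dict[Key, str], after: Dict[Key, str]) -> Dict[str, List[str]]:
    """What changed between two scans of the same host."""
    def label(key: Key) -> str:
        svc, port, proto = key
        return f"{svc} ({port}/{proto})" if port else f"{svc}/{proto}"
    both = [k for k in before if k in after]
    return {
        "fixed": sorted(label(k) for k in before if k not in after),
        "new": sorted(label(k) for k in after if k not in before),
        "downgraded": sorted(label(k) for k in both if SEVERITY_RANK[after[k]] < SEVERITY_RANK[before[k]]),
        "worsened": sorted(label(k) for k in both if SEVERITY_RANK[after[k]] > SEVERITY_RANK[before[k]]),
        "remaining_holes": sorted(label(k) for k, sev in after.items() if sev == "hole"),
    }

if __name__ == "__main__":
    before, after = parse_port_list(BEFORE_SCAN), parse_port_list(AFTER_SCAN)
    for name, scan in (("before", before), ("after", after)):
        print(name, len(scan), "findings", count_by_severity(scan), "weighted", weighted_score(scan))
    for what, items in compare_scans(before, after).items():
        print(f"{what}: {items}")
```

The "remaining_holes" list is the one to act on regardless of either score, which is Keith's point about the single unpatched remote hole: a scalar is a convenient thing to record over time, but the decision of what to fix next comes from the per-finding list.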