In Lab-3, you created a threat model, explored the possible threats against the blog site, and suggested countermeasures. In this lab, you will change your focus away from the product into the development environment.
Developer computers are an essential part of SDLC. You need to ensure that the development environment has been prepared for secure development. The environment should have a minimized attack surface and free of vulnerabilities. Attack Surface Analyzer is an open-source security tool to analyze the changes in the attack surface of development machines due to newly installed software or configuration changes.
Lab 4.1: Attack Surface Analyzer
Part 1: Preparation
1. Click on the “Windows 10”.
2. Type in “isecstudent” without quotes as the password to log in to Window 10.
3. Once you logged in, open a Command Prompt with administrator privileges.
a. Click the start button
b. Type cmd
c. Right-click on the cmd icon
d. Click on “run as administrator”.
4. Change directory to C:\Users\isecstudent\.dotnet\tools in the Command Prompt.
5. Run the command “asa gui” to open Attack Surface Analyzer in Microsoft Edge browser.
Part 2: First Run of Attack Surface Analyzer (ASA)
Assume that the Windows 10 computer is the development environment and has the company-approved baseline configuration. Now, assume the role of security administrator and create a snapshot of the computer by following the steps below.
1. Uncheck “Send usage data to Microsoft to help us improve our products”.
2. Click “Get Started”.
3. Keep “Static Scan” checked.
4. Type “First run” into the Run ID field.
5. Keep “Ports” and “Services” checked; uncheck the others.
6. Click the “Collect Data” button.
7. Minimize the Microsoft Edge window.
Part 3: Out-of-Baseline Software Installation
Now, assume the role of developer. For some reason, you want to install the FTP service on your development computer. Double click the file “FileZilla_Server-0_9_60_2.exe” on the desktop and make a default installation of the FileZilla FTP server.
Part 4: Second Run of Attack Surface Analyzer (ASA)
You are again in the role of the security administrator. You want to review any changes that might have been made to the development environment.
1. Click on the Microsoft Edge icon on the taskbar to open the ASA once again.
2. Type “Second run” into the Run ID field.
3. Leave everything else unchanged and click on the “Collect Data” button.
Part 5: Analyze Results
1. Click the “Results” tab on the top menu of ASA.
2. Select “First run” for the “Base Run Id” field.
3. Select “Second run” for the “Product Run Id” field.
4. Click the “Run Analysis” button.
5. After the analysis has been done, choose a type of result to view from the left menu.
a. Select Ports.
Confirm that port 21 is listed in the results pane. Take a screenshot.
b. Select Services.
Confirm that the “FileZilla Server FTP server” service is listed in the results pane. Take a screenshot.
1. Submit screenshots.
2. What is the difference between a vulnerability and an attack surface?
3. Summarize what you’ve done in this lab as if you are explaining it to a non-technical person.
Lab 4.2: Vulnerable Sandbox
In this Lab, you will analyze a documented vulnerability in an online Python compiler (You will use the same compiler in Lab-6)
1. Navigate to the online Python compiler on https://repl.it/languages/python3. You can type your Python code on the left part; and you can see the compiled code on the right.
You run Python from a Linux shell or command prompt on your personal computer, depending on the operating system you use. There must be an underlying operating system that runs the online Python complier. The critical point is whether it has been successfully isolated from the anonymous Internet users or not.
2. As shown in the window below, when you write a simple code and run the compiler, you drop to the operating system’s bash shell that runs the online Python compiler.
This vulnerability has been patched. Please don’t try it on your computer.
There are two critical databases for categorizing and tracking vulnerabilities. These are CWE and CVE; the MITRE organization maintains both.
CWE stands for Common Weakness Enumeration. CVE stands for Common Vulnerabilities and Exposures.
CWE is a category system for software weaknesses and vulnerabilities. It is maintained by a community project to understand flaws in software and create automated tools that can be used to identify, fix, and prevent those underlying flaws (Wikipedia). CWE has nothing to do with the instance of a vulnerability within a product or system; this is where CVE comes in. CVE indexes vulnerabilities of the products or systems, not the underlying flaw.
1. You can explore the list of software CWEs here:
Find the category of vulnerability on the online Python compiler.
Provide your justifications in a short paragraph.
2. Below is the list of top-25 most dangerous CWEs: https://cwe.mitre.org/data/definitions/1200.html
Pick 2 CWEs and find one corresponding CVE for each. (The instance of the flaw described in CWE)
You can use the page below to search CVEs:
Provide your justifications in a short paragraph.