Agnitio v1.0.0 released today

November 19, 2010  |  Written by Security Ninja  |   Application Security, Ninja News and Updates   |   5 Comments

Hi everyone,

It has been around six months since I posted any information about the security code review tool I was developing, so I thought it was time for an update. To be honest, if you have read the title of this blog post you will know today’s post is a bit more than just a progress update!

In April I showed you two images of a security code review tool which was about 25% complete. It allowed you to perform a security code review and that was about it, but I didn’t like it: it was ugly and that’s not what I had in mind. I know that sounds a bit shallow, but I wanted this tool to be easy to use, to make the lives of security code reviewers easier, and also to be easy on the eye!

I decided to give the code review tool a facelift and a proper name before I completed any more coding. I’m glad I did this because I can forget about the GUI design now and just focus on functionality. Before I move on to explaining the name and the functionality in v1.0.0 I wanted to show you some before and after images:

[Image: old interface]

[Image: new interface]

[Image: old interface]

[Image: new interface]

I decided to name the tool Agnitio which is a Latin word which means recognition and knowledge in English. This seemed like a perfect name because I recognised that the current approach to manual security code reviews (and the associated reporting, audit trails etc) has “issues” (covered later in this post) and I wanted to deliver a solution which gave reviewers the knowledge they needed to address the issues I identified.

Agnitio was developed with two main goals in mind:

  1. To help further the adoption of the Principles of Secure Development
  2. To bring more repeatability and integrity to security code reviews

I have explained each of these items in more depth in the rest of this blog post, along with how Agnitio will help with both.

Repeatability and Integrity

As an industry we should always be aware of the security CIA (Confidentiality, Integrity and Availability) when it comes to any work we do. I feel that we often fail to do this when it comes to security code reviews. We record our code review notes in notepad files, Word documents or Excel spreadsheets, which fail to enforce integrity or any kind of audit trail. We then turn these notes into Word or PDF format reports and give them to our customers. Where is the integrity and audit trail in this process? How can I prove that I produced the report for Application A on X date? How can I prove to an auditor that the report I’m showing them hasn’t been modified since it was originally produced?

So what does Agnitio do to address these integrity concerns? Agnitio will remove the need to use notepad files for notes, and it will produce reports for any application that has been reviewed with the tool. It will also make reviewers think about the application they are reviewing and the real risk associated with any findings.

Agnitio forces a reviewer to follow a checklist for each code review, meaning a consistent approach to reviewing source code for security flaws is followed. To ensure the reviewer is really thinking about the application being reviewed, Agnitio requires the reviewer to either create an application profile or select an existing profile before any checklist items can be answered. I feel this will make more reviewers think about the real risk of issues found in the code they are reviewing. I’m sure we have all encountered reviewers who record findings such as SQL Injection as “high” severity issues without considering the real risk associated with this finding in this particular application.

Agnitio has a code review checklist with over 60 items on it covering all of the principles of secure development. The checklist can help enforce a repeatable approach to security code reviews because the same questions will be asked for any application being reviewed.

A reviewer has to provide one of three answers for each checklist item; if the N/A answer is selected, the reviewer must explain why they have answered N/A in the notes section of the review.

When a review is completed it is stored in a reviews table and is immediately available for viewing in the tool or as an HTML report. Generating the HTML report also generates a verification hash, which allows security professionals and auditors to check the integrity of any report produced by Agnitio.
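To make the integrity mechanism described above concrete, here is an added example (my own illustration, not Agnitio’s code) of the review workflow: a checklist where an N/A answer must carry a note, a review persisted to a SQLite `reviews` table, an HTML report rendered deterministically, and a verification hash an auditor can recompute. The three checklist items, the Yes/No answers (the post names only N/A) and the use of SHA-256 as the hash are all assumptions.

```python
"""Added example, not Agnitio's own code: checklist validation, a SQLite
reviews table, a deterministic HTML report and a verification hash."""
import hashlib
import html
import sqlite3

# Constructed sample checklist items; the real Agnitio checklist has 60+.
CHECKLIST = [
    ("INPUT-01", "Is all input validated against a whitelist?"),
    ("AUTH-02", "Are credentials stored using a slow, salted hash?"),
    ("DB-03", "Are all database queries parameterised?"),
]
# The post names the N/A answer; Yes/No are assumed as the other two.
ANSWERS = ("Yes", "No", "N/A")


def validate_review(answers):
    """Return a list of problems; an empty list means the review is complete.

    answers maps item id -> (answer, note). Every item must be answered and
    an N/A answer must carry a note explaining why (the rule in the post).
    """
    problems = []
    for item_id, _question in CHECKLIST:
        if item_id not in answers:
            problems.append(f"{item_id}: unanswered")
            continue
        answer, note = answers[item_id]
        if answer not in ANSWERS:
            problems.append(f"{item_id}: invalid answer {answer!r}")
        elif answer == "N/A" and not note.strip():
            problems.append(f"{item_id}: N/A requires a justification note")
    return problems


def render_report(app_name, reviewer, reviewed_at, answers):
    """Build the HTML report with a fixed field order so the hash is stable."""
    rows = "".join(
        f"<tr><td>{html.escape(i)}</td><td>{html.escape(q)}</td>"
        f"<td>{html.escape(answers[i][0])}</td>"
        f"<td>{html.escape(answers[i][1])}</td></tr>"
        for i, q in CHECKLIST
    )
    return (
        "<html><body>"
        f"<h1>Security code review: {html.escape(app_name)}</h1>"
        f"<p>Reviewer: {html.escape(reviewer)}; date: {html.escape(reviewed_at)}</p>"
        f"<table>{rows}</table></body></html>"
    )


def verification_hash(report_html):
    """SHA-256 over the exact report bytes (algorithm choice is an assumption)."""
    return hashlib.sha256(report_html.encode("utf-8")).hexdigest()


def store_review(conn, app_name, reviewer, reviewed_at, answers):
    """Validate, render, hash and persist one review; return (report, hash)."""
    problems = validate_review(answers)
    if problems:
        raise ValueError("; ".join(problems))
    report = render_report(app_name, reviewer, reviewed_at, answers)
    digest = verification_hash(report)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS reviews "
        "(app TEXT, reviewer TEXT, reviewed_at TEXT, report TEXT, sha256 TEXT)"
    )
    conn.execute(
        "INSERT INTO reviews VALUES (?, ?, ?, ?, ?)",
        (app_name, reviewer, reviewed_at, report, digest),
    )
    conn.commit()
    return report, digest


def verify_report(report_html, expected_hash):
    """An auditor recomputes the hash over the report they were handed."""
    return verification_hash(report_html) == expected_hash


def demo():
    """Store one constructed review, then check an intact and a tampered copy."""
    conn = sqlite3.connect(":memory:")
    answers = {
        "INPUT-01": ("Yes", ""),
        "AUTH-02": ("No", "Passwords stored as unsalted MD5"),
        "DB-03": ("N/A", "Application has no database tier"),
    }
    report, digest = store_review(conn, "Application A", "Reviewer 1",
                                  "2010-11-19", answers)
    tampered = report.replace("unsalted MD5", "bcrypt")  # edited after the fact
    return {
        "original_ok": verify_report(report, digest),
        "tampered_ok": verify_report(tampered, digest),
        "stored_rows": conn.execute("SELECT COUNT(*) FROM reviews").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

The hash only proves integrity if it is kept or published separately from the report it covers (in the reviews table, in an e-mail to the customer, or in a ticket); a hash that travels inside the same editable file can simply be recomputed by whoever edits it. Proving who produced the report, rather than just that it is unchanged, needs a keyed MAC or a signature over the same bytes.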

The Principles of Secure Development

The Principles of Secure Development remove the confusion often associated with other secure development approaches by taking a positive approach and focusing on what developers should do instead of what hackers might do.

The current approach to secure development education focuses on detailing many different ways an attacker can hack your application. This approach often spends more time explaining the potential problems and “cool” hacks without really telling the developer how to actually prevent these flaws occurring in the first place.

This approach wouldn’t be an acceptable way to educate people on how to carry out other difficult tasks such as learning to drive, but we continue to accept it for secure development education. The driving instructor does not tell the learner driver about all of the different ways they could crash a car and hope they figure out how not to crash. The instructor details how the learner driver should safely drive a car, explaining the rules of the road and speed limits. By doing this the learner driver can drive safely without needing to understand all the ways they could crash a car. The Principles of Secure Development aim to do the same for developers.

Rather than focusing on the many different ways an application can be exploited the principles detail how a developer should write secure code. This will help developers prevent the common vulnerabilities we currently see being exploited as well as unknown future threats without the developers ever needing to know the details behind them.

I have spent the past 18 months discussing this approach at security and developer conferences as well as talking with companies who have implemented it. I have discussed and published Principles of Secure Development materials which cover the people and process parts of secure development. Agnitio is the first of a few tools I plan to release that cover the technology part of secure development.

I cannot stress enough that you should not view any of the principles materials as a silver bullet and the same goes for Agnitio. In my opinion the principles approach and Agnitio can help you implement and enforce a simpler approach to secure development but it can’t solve all of the problems you will face.

I think that is everything I wanted to say about v1.0.0 of Agnitio. I plan to release new versions quite often, and I have a list of potential features longer than Santa’s shopping list to keep me busy, but feel free to request or suggest features and I will try to include them! I have planned a small release before Christmas which will include a few features I wanted in v1.0.0 but ran out of time to include.

The biggest update to Agnitio will be the move away from a local SQLite database to a centralised database. I plan to work on this once I’ve released the “Christmas” update because I think the centralised database option is vital to allow development and security teams to use Agnitio together and ultimately deliver centralised reporting and metrics based on the reviews conducted using Agnitio.

So the waiting is finally over! I would like to emphasise that Agnitio was developed by me on my own time and, while my employers are aware of the work I’ve done developing Agnitio and support the work that I do, Agnitio is a free application and it will be hosted on SourceForge. The Agnitio project page and installer download can be found here.

I look forward to receiving any feedback you have!

SN

This entry was posted on November 19, 2010 at 2:57 pm and is filed under Application Security, Ninja News and Updates.

5 comments

  1. Pingback: Jackwillk Security 2010-11-20 13:50:00 | Portable Digital Video Recorder

  2. Pingback: Agnitio Update Released : Liquidmatrix Security Digest

  3. Pingback: Agnitio Update Released | Portable Digital Video Recorder

  4. Pingback: Agnitio: Vamos anotar o que está errado no seu código! | Coruja de TI

