How to uncover hidden PC activity

[danrok]

How to monitor what your PC is really doing. See front page:
http://www.aoaforums.com/frontpage/c...-activity.html

Comments?

[Daniel ~]

I thoght that the whole pourpose behind using Windows was to invite a breach....what else is it good for I ask you? ":O}

[Aedan]

Windows is orders of magnitude better than it used to be, that is for sure! In fact, there are some features now that I've not seen deployed on any other OS yet - for example, MS have made attempts to mitigate ROP (return orientated programming) attacks. Now this may not be entirely successful, but until DEP (data execution prevention - also known as non-executable pages) and ASLR (address space layout randomisation), ROP was unheard of because attackers didn't need to jump through such hoops.

In terms of code quality, unfortunately Open Source has been found to be poorer than closed source. Veracode have done some interesting work in this area. Disclaimer - I used to work with some of the Veracode guys whilst they were @stake, hence I have some level of respect for them. Veracode do code analysis to identify where there's potential issues within the code. I've attached a couple of images - the first is web apps that meet the OWASP Top 10 on first submission. The second is apps that meet CWE/SANS top 25 on first submission. Note that Open Source code comes out worse in terms of compliance! Also note that web app code generally does worse than non-web app. The report this was pulled from is Veracode's State of Software Security Report Volume 4.

[Kaitain]

Interesting. Equally interesting is that applications developed in-house perform better (especially on the CWE/SANS top 25) than both commercial and open source submissions.

With respect to those graphs, there's no way to determine the relative complexity of the applications, the size of the team working on them and the average experience of the programmers.

I suspect that a lot of the differences between the in-house application and the open-source application is that (I'm assuming here) the in-house application is developed by a small team of competent programmers with a solid plan and strong management, whereas the open source project may be developed by a huge team of unknown quantities, with a fag-packet plan and volunteer management.

[Daniel ~]

Well yeah but that's everyone else's Linux, My Linux be good my Linux be pure!

My Linux achives this by being FREE! ":O}

K. makes some interstining points as far as whose doing the work and under what circumstance...

Did they look across all Linux distro's, were there any exceptions amoung the "older, more established" distros?

[Kaitain]

Quote:

Originally Posted by Daniel ~

Did they look across all Linux distro's, were there any exceptions amoung the "older, more established" distros?

I took it that the graph was per-application, so it would be testing against, say, Evolution or Firefox, instead of testing against every executable in a given distro. Also "open source" can include open-source Windows applications, of which there are many.

[Daniel ~]

Still good to hear MS has change...
( Was that to bitter? ":O}

[Aedan]

It is per application. The applications are examined on the basis of paid engagements. IE, each of those apps has had someone willing to pay for them to be examined. The open sources ones are probably because they're part of a larger application which uses some open source components.

[Daniel ~]

I'm not sure I'm understanding you rightly Aedan...I don't pay for apps any more....scratch that! I still use Acronis, bought it while still using win doze for backup, works OK with Linux, but I digress...

With most Linux apps free...how's this a true comparison, when only paid for apps are benched?

I must be missing a few pieces here?

[Kaitain]

It's nothing to do with whether the applications are free to the end user or not: Veracode are doing some complicated, specialist analysis and their time and expertise don't come for free. The developers pay to have their code analysed.

If open source components are used in commercial applications, it's reasonable that the commercial developer, knowing that their security is only as good as their weakest compolnent, will pay to have open source code validated.

[Daniel ~]

Ok now I get you guys, I was on a completely different page! Thanks K.