Dr. Achim D. Brucker
31 January 2013
Measures in the Development Process to Ensure Application Security
(Maßnahmen im Entwicklungsprozess zur Sicherstellung der Anwendungssicherheit)
Public
Integrating Application Security into a Software Development Process

Static Code Analysis (SCA) is an important means for detecting software vulnerabilities at an early stage in the software development lifecycle. The wide-spread introduction of static code analysis at a large software vendor is challenging. Besides the technical challenges, e.g., caused by the large number of software development projects, the large number of programming languages in use (e.g., ABAP, C, Objective-C, ...) and the use of dynamic programming models such as HTML5/JavaScript, there are also many non-technical challenges, e.g., creating security awareness among the developers, organizing trainings, and integrating static code analysis into the development and maintenance processes. In this talk, we report on the experiences we made while introducing static code analysis at SAP AG.


© 2013 SAP AG. All rights reserved.

SAP Today
54,500+ SAP employees worldwide
120 countries
25 industries
37 languages
75 country offices
1,200+ services partners worldwide

Agenda
Why is SAP using Static Code Analysis?
Secure Development Lifecycle at SAP
Static Code Analysis at SAP
Challenges and Outlook

Costs of Computer Hacks
• TJX Company, Inc. (2007): $250 million
• Sony (2011): $170 million
• Heartland Payment Systems (2009): $41 million
"A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts."
(http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx)

Time-line of the Sony Hack(s) (excerpt)
• 2011-04-20 Sony PSN goes down
• 2011-05-21 Sony BMG: data of 8,300 users leaked (SQL injection)
• 2011-05-23 Sony: Japanese database leaked (SQL injection)
• 2011-05-24 Sony Canada: roughly 2,000 leaked (SQL injection)
• 2011-06-05 Sony Pictures Russia (SQL injection)
• 2011-06-06 Sony Portugal: SQL injection, iFrame injection and XSS
• 2011-06-20 20th breach within 2 months; 177k email addresses were grabbed via a SQL injection
(http://hassonybeenhackedthisweek.com/history)
Has Sony been Hacked this Week? http://hassonybeenhackedthisweek.com/

A Bluffer's Guide to SQL Injection
Assume an SQL statement for selecting all users with user name userName from the table users:

  statement = "SELECT * FROM 'users' WHERE 'name' = '" + userName + "';"

What happens if we choose the following (weird) userName?

  userName = "' or '1'='1"

Resulting in the following statement:

  statement = "SELECT * FROM 'users' WHERE 'name' = '' or '1'='1';"

Which is equivalent to

  statement = "SELECT * FROM 'users';"

and selects the information about all users stored in the table users.
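
The slide shows the concatenated statement but not what an engine does with it. The following is an added example (not code from the slides or from SAP): the slide's concatenation next to a parameterized form, both run against a constructed in-memory "users" table, so the effect of the weird userName is visible. The toy WHERE evaluator, the table contents and all function names are assumptions made for this illustration; the same contrast applies to the server-side JavaScript query on the "JavaScript III" slide later in the deck.

```javascript
// Constructed sample table standing in for the database table "users".
const USERS = [
  { name: "alice", role: "admin" },
  { name: "bob", role: "user" },
];

// Slide 6: the statement is assembled by concatenating the untrusted userName
// (identifier quotes dropped to keep the toy evaluator below simple).
function buildStatementUnsafe(userName) {
  return "SELECT * FROM users WHERE name = '" + userName + "';";
}

// Parameterized form: SQL text and the value travel separately, so the value can
// never change the structure of the statement.
function buildStatementSafe(userName) {
  return { sql: "SELECT * FROM users WHERE name = ?;", params: [userName] };
}

// Toy evaluator for WHERE clauses of the form  <term> = <term> [or <term> = <term> ...]
// where a term is a column name or a single-quoted literal. It exists only to show how
// an engine reads the concatenated text; it is an assumption, not an SQL parser.
function evaluateWhere(whereClause, row) {
  const TERM = /^\s*(?:'([^']*)'|(\w+))\s*=\s*(?:'([^']*)'|(\w+))\s*$/;
  return whereClause.split(/\s+or\s+/i).some((disjunct) => {
    const m = TERM.exec(disjunct);
    if (!m) throw new Error("unsupported clause: " + disjunct);
    const lhs = m[1] !== undefined ? m[1] : row[m[2]];
    const rhs = m[3] !== undefined ? m[3] : row[m[4]];
    return lhs === rhs;
  });
}

// "Executes" the concatenated statement the way an engine would: the WHERE text is
// whatever the concatenation produced, including the second, always-true condition.
function runUnsafe(userName) {
  const statement = buildStatementUnsafe(userName);
  const where = /WHERE\s+(.*);$/i.exec(statement)[1];
  return USERS.filter((row) => evaluateWhere(where, row));
}

// "Executes" the parameterized statement: the driver compares the column with the
// bound value as one opaque string; no SQL text is ever built from it.
function runSafe(userName) {
  const { params } = buildStatementSafe(userName);
  return USERS.filter((row) => row.name === params[0]);
}

const WEIRD_USER_NAME = "' or '1'='1";
console.log(buildStatementUnsafe(WEIRD_USER_NAME)); // SELECT * FROM users WHERE name = '' or '1'='1';
console.log(runUnsafe(WEIRD_USER_NAME).length, "rows via concatenation");     // 2
console.log(runSafe(WEIRD_USER_NAME).length, "rows via parameter binding");   // 0
```

With concatenation the whole table comes back for the weird userName, exactly as the slide says; with binding the same string simply matches no user. This is why the "SQL injection vulnerabilities shall be avoided" requirement on the Security Requirements slide is met by parameter binding rather than by filtering characters out of userName.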

Insecure Software

Evolution of Code

Security Testing

Dynamic Security Testing
Characteristics
• Black box approach
• Sends input to applications and analyses the response
Advantages
• Provides concrete examples (attacks)
• Analyzes data flows across multiple components
Disadvantages
• Coverage unclear
• Requires a test system

Static Security Testing
Characteristics
• White box approach
• Analyses an abstraction of the source (or binary)
Advantages
• Explores all data paths / control flows
• Can analyze single modules (unit test)
Disadvantages
• High false positive rate (non-exploitable findings)
• Does not consider the application environment

Security Code Scans at SAP: Overview
Started rollout in June 2010
Centrally guided by a project team
• Definition of security requirements
• Establishment of scan infrastructure
Support of the most important languages
SAP development and third party code

First Step: Security Training
Education
• The prerequisite for achieving a high security quality
Security awareness
• Reducing the number of "built-in" security problems
Trained persons
• Analyze and fix vulnerabilities much more efficiently
Trainings
• Secure Programming, Build & Scan, Auditing, ...

Secure Development Lifecycle (SDLC) at SAP
Structure the investment of time and resources
• to safeguard a high level of security
• to ensure security standards across all areas
Security requirements
• are taken into account and
• are implemented in all phases of product development

The Different Roles
Developer
• fixes software security issues
Security Expert
• reviews scan results, decides on fixes
Build Master
• scans the source code, manages results
Scrum Master
• requests scans, assigns vulnerabilities to developers

Infrastructure

SAP Secure Software Development Life Cycle
Code Scans
For passing the D2P Q-gate, evidence has to be provided that the source code has been scanned and that exploitable findings have been fixed.
P2D: Planning to Development / D2P: Development to Production / P2R: Production to Ramp-up (gradual roll-out to customers)

Third Party Code
Third party code
• Open Source libraries and frameworks
• Freeware
• other third party components
Different approaches
• SAST analysis by SAP
• Trusted (certified) vendors
• Certificate from a trusted third party (e.g., based on binary analysis)
• SLA with the vendor

Code Scan Facts (statistics, January 2012)
Over 2,000 developers are using SAST tools
Over 500 MLOC scanned
Over 15,000 issues removed
Chart legend: ABAP; Java; C, C++, C#; Java and C; other languages

Security Scan Tools used at SAP
Language      Scan Application
ABAP          SAP
C/C++         Coverity
Others        HP/Fortify

Security Requirements
SAP Corporate Security Requirements
• SAP applications shall be free of backdoors
• SQL injection vulnerabilities shall be avoided
• Cross-Site Scripting vulnerabilities shall be prevented
• Directory traversal vulnerabilities shall be prevented
• The system shall be protected against buffer overflow vulnerabilities
OWASP Top 10 / CWE/SANS Top 25 (2011) / CVE

Continuous Improvement
Collect feedback from the
• Product Security Response Team
• Development Teams
Develop rules/models to improve the scans
Continuously improve the infrastructure
Continuously improve the rollout process

Input to Improve Code Scans
Scan pipeline: Source Code → Build → Normalized/Abstract Format → Analyze/Scan → Analysis Results → Review and Fix
Feedback loop: Security Response Team → Security Messages → Security Code Scan Team → Rules/Models/Templates/Filters
Further input channels: development teams, internal research, scan reviews, code reviews

Lessons Learned
Scans have to be obligatory
• but not introduced "brute force"
Establish a Secure Development Life Cycle
• make scans a natural part of development
Plan carefully
• Do not start with scans right before Dev. Close
• Do it regularly (nightly)
• Do regression testing of new versions of the used tools
• Do continuously discuss new threats with the security community
Do not introduce changes during development

Challenges

JavaScript I: Understand the DOM
Assume the following (simplified) index.html:

  <TITLE>Welcome!</TITLE>
  Hi
  <SCRIPT>
    var pos = document.URL.indexOf("name=") + 5;
    document.write(document.URL.substring(pos, document.URL.length));
  </SCRIPT>
  Welcome to our system

And a call: index.html?name=<script>alert(document.cookie)</script>
Resulting in a DOM-based XSS attack.
Warning: DOM implementations are browser specific.
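
The slide's script has no server involved, so it can be studied as pure string handling. The following is an added example (not code from the slides or from SAP): a string model of the slide's index.html logic next to a hardened version that parses the URL properly, reads exactly the name parameter, and escapes it before it becomes markup. The URLs, the function names and the "Hi guest" fallback are constructed for this illustration.

```javascript
// Slide 29 logic as a pure function: find "name=" and take everything after it.
// Besides treating the value as HTML, the substring trick has two more defects that
// the hardened version below avoids: it swallows any parameters that follow, and when
// "name=" is absent indexOf() returns -1, so pos becomes 4 and the URL itself is written.
function nameFromUrlUnsafe(url) {
  var pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length); // on the slide this string goes to document.write
}

// Replace the characters that carry meaning in an HTML text node or attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Hardened version: URL parsing instead of indexOf(), exactly one parameter, and
// escaping before the value is used as HTML. Returns the markup the page would insert.
function welcomeMarkupSafe(url) {
  const name = new URL(url).searchParams.get("name"); // percent-decoding is done here
  if (name === null || name.trim() === "") {
    return "Hi guest"; // never fall back to writing the remainder of the URL
  }
  return "Hi " + escapeHtml(name);
}

const ATTACK_URL = "http://example.test/index.html?name=<script>alert(document.cookie)</script>";
console.log(nameFromUrlUnsafe(ATTACK_URL));  // <script>alert(document.cookie)</script>  (becomes live markup)
console.log(welcomeMarkupSafe(ATTACK_URL));  // Hi &lt;script&gt;alert(document.cookie)&lt;/script&gt;
console.log(nameFromUrlUnsafe("http://example.test/index.html?name=Bob&lang=de")); // Bob&lang=de
console.log(welcomeMarkupSafe("http://example.test/index.html?name=Bob&lang=de")); // Hi Bob
```

In a browser the escaping step can be avoided entirely by assigning the parameter to an element's textContent instead of calling document.write; the escaped-string form is used here so the result can be checked without a DOM. Note that the slide's warning still holds: what document.URL contains for characters such as < and > differs between browsers, which is one reason a static analysis of this page is hard to make precise.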

JavaScript II: Dynamic Evaluation
A simple script tag:

  <script language="javascript">
    document.write("<script src='other.js'><\/script>");
  </script>

Dynamic creation of script tags:

  var oHead = document.getElementsByTagName('HEAD').item(0);
  var oScript = document.createElement("script");
  oScript.type = "text/javascript";
  oScript.src = "other.js";
  oHead.appendChild(oScript);

Or using eval() directly (not shown here).

JavaScript III: Server-Side JavaScript
Combining the complexity of both worlds:

  var entry = JSON.parse(data);
  query = "insert into "FOO(".NAME")"";
  var conn = $.db.getConnection();
  conn.execute(query);

Challenges: Current Trends
SAST works very well for
• "traditional" programming languages
• analyzing data paths within one technology
Many new developments use JavaScript
• HTML5 / JavaScript UIs
• Server-side JavaScript
JavaScript
• Untyped / dynamically typed
• Dynamic programming model
"You cannot pay people well enough to do proper code audits. I tried it." (Yaron Minsky, Jane Street Capital)
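
The "JavaScript II" and "Challenges: Current Trends" slides both make the point that dynamic code loading defeats static analysis. The following is an added example (not code from the slides or from the tools SAP names): a deliberately simple text-pattern scanner for the constructs on the JavaScript II slide, run over a constructed source sample. It shows what a textual rule does catch and what a tag name assembled at run time slips past, which is the limitation the trends slide describes. The rule ids, the patterns and the sample source are assumptions made for this illustration.

```javascript
// Constructed rules for the dynamic-evaluation constructs from the JavaScript II slide.
// Real SAST tools work on an abstract representation, not raw text; these regexes stand
// in for that to make the limitation visible in a few lines.
const RULES = [
  { id: "eval-call",             re: /\beval\s*\(/ },
  { id: "new-function",          re: /\bnew\s+Function\s*\(/ },
  { id: "document-write-script", re: /document\.write\s*\(\s*["'][^"']*<script/i },
  { id: "create-script-element", re: /createElement\s*\(\s*["']script["']\s*\)/i },
];

// Line-oriented scan: one finding per (line, rule) match, 1-based line numbers.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: index + 1, rule: rule.id, text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the two snippets from the JavaScript II slide, an eval() call,
// and a variant that builds the tag name at run time. The last one behaves exactly
// like line 3 in a browser but never matches a textual rule.
const SAMPLE_SOURCE = [
  'document.write("<script src=\'other.js\'><\\/script>");',
  'var oHead = document.getElementsByTagName("HEAD").item(0);',
  'var oScript = document.createElement("script");',
  'oScript.type = "text/javascript";',
  'oScript.src = "other.js";',
  'oHead.appendChild(oScript);',
  'eval(configText);',
  'var tag = "scr" + "ipt";',
  'var oHidden = document.createElement(tag);', // same behaviour, no finding
].join("\n");

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log("line " + f.line + " [" + f.rule + "] " + f.text);
}
// Findings on lines 1, 3 and 7; line 9 is missed although it loads code the same way.
```

Following the value of tag to the createElement() call needs data-flow analysis of a dynamically typed language, not pattern matching, and the "Lessons Learned" slide's advice to regression-test new tool versions applies with particular force to such rules: a small change in how the analyzer models strings can silently change which of these lines it reports.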

Thank you
Contact information:
Dr. Achim D. Brucker
Senior Researcher
Vincenz-Priessnitz-Strasse 1, 76131 Karlsruhe
achim.brucker@sap.com
http://xkcd.com/327/