Integrating security into the application development process
1. Integrating Security into the Application Development Process
   Jerod Brennen, CISSP
   CTO & Principal Security Consultant, Jacadis

2. Agenda
   • Seek First to Understand
   • Source Code Security
   • AppSec and SQA
   • Analyzing Deployed Applications
   • Other Considerations
   • Resources

3. How to Write Good Code
   (comic from http://xkcd.com/844/)

4. SEEK FIRST TO UNDERSTAND
5. Development Methodologies
   • Agile with Scrum
   • Capability Maturity Model Integration (CMMI)
     – 1 (Waterfall)
     – 3 (Iterative)
     – 5 (Spiral)
   • Extreme Programming (XP)
   • Object-Oriented Development
   • Pair Programming with Iterative
   • Proofs of Correctness with Waterfall
   • Rational Unified Process (RUP)
   • Team Software Process (TSP)
   List from http://www.infoq.com/articles/evaluating-agile-software-methodologies

6. Programming Languages
   • ASP.NET
   • C / C++ / C# / Objective-C
   • HTML5
   • Java
   • PHP
   • Python
   • Ruby
   • What else?

7. Risk/Security Frameworks
   • COBIT (ISACA)
   • COSO (SOX)
   • HITRUST CSF (HIPAA)
   • ISO/IEC 27002:2005
   • NIST
   • OCTAVE (CERT)
   • STRIDE/DREAD
     – STRIDE: Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
     – DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability

8. Project Phase-Gate Model
   • Scoping
   • Build Business Case
   • Development
   • Testing and Validation
   • Launch

9. The OWASP Top Ten (Web)
   • A1 – Injection
   • A2 – Broken Authentication and Session Management
   • A3 – Cross-Site Scripting (XSS)
   • A4 – Insecure Direct Object References
   • A5 – Security Misconfiguration
   • A6 – Sensitive Data Exposure
   • A7 – Missing Function Level Access Control
   • A8 – Cross-Site Request Forgery (CSRF)
   • A9 – Using Components with Known Vulnerabilities
   • A10 – Unvalidated Redirects and Forwards

10. The OWASP Top Ten (Mobile)
   • M1 – Insecure Data Storage
   • M2 – Weak Server Side Controls
   • M3 – Insufficient Transport Layer Protection
   • M4 – Client Side Injection
   • M5 – Poor Authorization and Authentication
   • M6 – Improper Session Handling
   • M7 – Security Decisions Via Untrusted Inputs
   • M8 – Side Channel Data Leakage
   • M9 – Broken Cryptography
   • M10 – Sensitive Information Disclosure

11. Prep Checklist
   • What development methodologies do we follow?
   • What programming languages do we use?
   • What risk/security frameworks do we follow?
   • What third-party libraries do we use?
   • What stages in the development process require approval from the security team?

12. SOURCE CODE SECURITY

13. Code Reviews
   • Benefits
     – Find flaws
     – Reduce fraud
   • Review types, from Peer Reviews in Software by Karl Wiegers
     – Ad hoc review
     – Passaround
     – Pair programming
     – Walkthrough
     – Team review
     – Inspection

14. OWASP Code Review Project
   • Methodology (v1.1, current)
     – Preparation
     – Security Code Review in the SDLC
     – Security Code Review Coverage
     – Application Threat Modeling
     – Code Review Metrics
   • Methodology (v2.0, due in January 2014)
     – Preparation
     – Application Threat Modeling
     – Understanding Code Layout/Design/Architecture
     – Reviewing by Technical Control
     – Reviewing by Vulnerability
     – Security Code Review for Agile Development

15. Code Review Tools
   • NIST SAMATE – Software Assurance Metrics and Tool Evaluation
   • Tool categories
     – Source code security analyzers
     – Byte code scanners
     – Binary code scanners

16. Code Review Tools (cont'd)
   • Checkmarx ($; multiple languages)
   • DevInspect ($; Java, .NET)
   • FindBugs / FindSecurityBugs (free; Java)
   • FxCop (free; .NET)
   • IDA Pro ($; Windows/Linux executables)
   • LAPSE (free; Java)
   • PMD (free; Java)
   • Rational AppScan ($; multiple languages)
   • RATS (free; C, C++, Perl, PHP, Python)
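Source code security analyzers of the kind listed above work by parsing source into a syntax tree and matching dangerous patterns at the sinks. The following is an added illustration written for this page, not code from the presentation or from any of the tools named: a minimal Python analyzer built on the standard `ast` module that flags DB-API `execute*()` calls receiving a dynamically built SQL string, and `eval`/`exec`/`os.system`/`subprocess.call` receiving a non-literal argument. The sample source it scans is constructed here, and the sink and dangerous-call name sets are assumptions about the code base under review.

```python
"""Minimal source code security analyzer built on Python's ast module.

Added example for this page: it is not code from the presentation or from
any tool listed above.  The sink names below are assumptions about the
code base under review (DB-API cursors, os/subprocess wrappers)."""
import ast

# DB-API methods that send SQL to a database (assumed sink set).
SQL_SINKS = {"execute", "executemany", "executescript"}
# Calls that run code or shell commands (assumed dangerous-call set).
DANGEROUS_CALLS = {"eval", "exec", "os.system", "os.popen", "subprocess.call"}


def _dotted_name(node):
    """Return 'pkg.attr' for Name/Attribute chains, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None


def _is_dynamic_string(node):
    """True when the expression assembles a string at runtime:
    '+' concatenation or '%' formatting with a non-literal operand,
    str.format(), or an f-string containing placeholders."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


class Analyzer(ast.NodeVisitor):
    """Collects (line, rule, message) findings while walking the tree."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _dotted_name(node.func) or ""
        method = name.rsplit(".", 1)[-1]
        first = node.args[0] if node.args else None
        if method in SQL_SINKS and first is not None and _is_dynamic_string(first):
            self.findings.append((node.lineno, "SQLI",
                f"{name}() receives a dynamically built SQL string; bind parameters instead"))
        if name in DANGEROUS_CALLS and first is not None and not isinstance(first, ast.Constant):
            self.findings.append((node.lineno, "DANGEROUS_CALL",
                f"{name}() runs code or a command built from a non-literal value"))
        self.generic_visit(node)


def analyze(source):
    """Parse Python source and return findings sorted by line number."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings)


# Constructed sample input: one injectable query, one parameterized query,
# and one shell command built from user input.
SAMPLE = '''
import os

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def ping(host):
    os.system("ping -c 1 " + host)
'''

if __name__ == "__main__":
    for lineno, rule, message in analyze(SAMPLE):
        print(f"line {lineno}: [{rule}] {message}")
```

Running it reports the concatenated query in `find_user` and the shell command in `ping`, and stays silent on the parameterized `find_user_safe`. Like the commercial and free tools on the slide, this is pattern matching, not proof: a string built from constants through an intermediate variable slips past it (false negative), and a constant-only concatenation is deliberately excluded to cut obvious false positives. Real analyzers add data-flow tracking from sources to sinks for exactly this reason.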
17. APPSEC AND SQA

18. The SQA Process
   • Initiation
   • Planning
   • Tracking
   • Training
   • Reviews
   • Issue Resolution
   • Testing
   • Audit
   • Process Improvement
   List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx

19. Positive and Negative Testing
   • Positive test cases
     – Does the app do what it's supposed to do?
   • Negative test cases
     – Does the app do anything it's not supposed to do?

20. Top 10 Negative Test Cases
   • Embedded Single Quote
   • Required Data Entry
   • Field Type Test
   • Field Size Test
   • Numeric Bounds Test
   • Numeric Limits Test
   • Date Bounds Test
   • Date Validity
   • Web Session Testing
   • Performance Changes
   List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm

21. SQA Security Tools
   • QAInspect
   • OWASP Zed Attack Proxy (ZAP)
   • OWASP Mantra
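To make the negative test cases on the slide concrete, here is an added example written for this page (not part of the presentation or the sqatester.com list): an in-memory SQLite user table, a deliberately vulnerable lookup that concatenates the name into the SQL, a hardened version with input validation and bound parameters, and a small harness that runs the embedded single quote, required data entry, field type, field size, numeric bounds, date validity and date bounds cases against the hardened code. The table layout, the limits such as `MAX_NAME_LEN`, and the payloads are constructed for the example.

```python
"""Negative test cases from the slide, run against a small user-lookup
module.  Added example for this page, not from the presentation or the
sqatester.com list.  The table, the limits and the payloads are constructed."""
import sqlite3
from datetime import date

MAX_NAME_LEN = 32      # assumed field size limit
AGE_RANGE = (0, 150)   # assumed numeric bounds


class ValidationError(ValueError):
    """Raised when input fails one of the negative test case checks."""


def make_db():
    """Constructed in-memory users table with two seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER, dob TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", 34, "1990-02-14"), ("bob", 41, "1983-07-01")])
    return conn


def find_user_unsafe(conn, name):
    """Deliberately vulnerable: the name is concatenated into the SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def validate_name(name):
    if not name:                              # required data entry
        raise ValidationError("name is required")
    if len(name) > MAX_NAME_LEN:              # field size
        raise ValidationError("name exceeds %d characters" % MAX_NAME_LEN)
    return name


def validate_age(age):
    if isinstance(age, bool) or not isinstance(age, int):   # field type
        raise ValidationError("age must be an integer")
    if not AGE_RANGE[0] <= age <= AGE_RANGE[1]:              # numeric bounds
        raise ValidationError("age out of range")
    return age


def validate_dob(dob):
    try:
        parsed = date.fromisoformat(dob)      # date validity (rejects 1990-02-30)
    except (TypeError, ValueError):
        raise ValidationError("dob must be a valid YYYY-MM-DD date")
    if parsed > date.today():                 # date bounds
        raise ValidationError("dob cannot be in the future")
    return parsed.isoformat()


def find_user(conn, name):
    """Hardened lookup: validated input and a bound parameter."""
    validate_name(name)
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


def add_user(conn, name, age, dob):
    """Hardened insert: every field validated, all values bound."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (validate_name(name), validate_age(age), validate_dob(dob)))
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def embedded_quote_demo():
    """Same quote-bearing payload against the unsafe and hardened lookups."""
    conn = make_db()
    payload = "' OR '1'='1"
    return find_user_unsafe(conn, payload), find_user(conn, payload)


# Negative test cases as (label, probe).  Every probe should be rejected by
# the hardened code except the injection probe, which must run and match nothing.
NEGATIVE_CASES = [
    ("embedded single quote", lambda c: find_user(c, "' OR '1'='1")),
    ("required data entry",   lambda c: add_user(c, "", 30, "1990-01-01")),
    ("field type",            lambda c: add_user(c, "carol", "30", "1990-01-01")),
    ("field size",            lambda c: add_user(c, "x" * (MAX_NAME_LEN + 1), 30, "1990-01-01")),
    ("numeric bounds",        lambda c: add_user(c, "carol", -1, "1990-01-01")),
    ("date validity",         lambda c: add_user(c, "carol", 30, "1990-02-30")),
    ("date bounds",           lambda c: add_user(c, "carol", 30, "2999-01-01")),
]


def run_negative_tests():
    """Run every case against a fresh database; map label -> outcome string."""
    conn = make_db()
    outcomes = {}
    for label, probe in NEGATIVE_CASES:
        try:
            outcomes[label] = "ok:%r" % (probe(conn),)
        except ValidationError as exc:
            outcomes[label] = "rejected:%s" % exc
    return outcomes


if __name__ == "__main__":
    print("unsafe vs hardened:", embedded_quote_demo())
    for label, outcome in run_negative_tests().items():
        print("%-22s %s" % (label, outcome))
```

The unsafe lookup returns every user for the `' OR '1'='1` payload, while the hardened one returns nothing because the parameter is bound rather than spliced into the statement. Note that the injection case is the one negative test the hardened code is allowed to "accept": rejecting apostrophes outright would break legitimate names, so the correct check is that the query still runs and matches no row. The remaining cases fail closed with a `ValidationError` before any SQL executes.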
22. ANALYZING DEPLOYED APPLICATIONS

23. Application Scanning
   • Automated scanners interact with an app like an actual user
   • Production vs. non-production
   • Authenticated vs. non-authenticated
   • Don't forget the app infrastructure
     – Host systems
     – Web servers
     – Backend databases

24. Manual App Analysis
   • OWASP Testing Guide (v3)
     – Information Gathering
     – Configuration Management Testing
     – Authentication Testing
     – Session Management Testing
     – Authorization Testing
     – Business Logic Testing
     – Data Validation Testing
     – Testing for Denial of Service
     – Web Services Testing
     – AJAX Testing
   • Version 4 in development (some material available)

25. Scanning vs. Pen Testing
   • Scanning
     – Automated
     – Looks for signature-based flaws
     – Some heuristics
   • Web app pen testing
     – Unconventional thinking
     – Tests application logic

26. Web App Security Scanners
   • Acunetix Web Vulnerability Scanner (WVS)
   • AppScan
   • Arachni
   • Burp Suite
   • Grendel-Scan
   • QualysGuard Web Application Scanner (WAS)
   • SamuraiWTF
   • Veracode Web Application Security (WAS)
   • W3AF
   • WebInspect
   • WebSecurify
27. OTHER CONSIDERATIONS

28. SQA Metrics
   • ISO 9126-1 (Software Quality)
     – Functionality (includes Security: resistance to unauthorized access)
     – Reliability
     – Usability
     – Efficiency
     – Maintainability
     – Portability
   • Security: the CIA triad
     – Confidentiality
     – Integrity
     – Availability

29. SQA Metrics (cont'd)
   • OWASP
     – Cross-site scripting tests run
     – SQL injection tests run
     – User input tests run
     – Cookie or credentials manipulation testing has been performed
     – Denial of service scenarios have been checked
   • Vulnerabilities detected vs. vulnerabilities remediated
   List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics

30. Developer Training
   • OWASP resources
     – Top 10 Application Security Risks
     – Top 10 Mobile Security Risks
     – WebGoat Project (Java)
     – Mutillidae (PHP)
     – Bricks (PHP and MySQL)
   • SANS courses
     – SEC542: Web App Penetration Testing and Ethical Hacking
     – DEV522: Defending Web Applications Security Essentials
     – DEV541: Secure Coding in Java/JEE
     – DEV544: Secure Coding in .NET
   • Web Application Security Consortium

31. Professional Organizations
   • OWASP
   • ISSA
   • (ISC)2
   • InfraGard
   • ISACA
   • W3C Web Application Security Working Group
32. RESOURCES

33. Resources
   • Codecademy
     – http://www.codecademy.com/learn
   • OWASP Top Ten (2013)
     – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
     – https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_-_English.pptx
   • OWASP Code Review Project
     – https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
   • NIST SAMATE
     – http://samate.nist.gov/
   • Web App Scanner List
     – http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
   • SecTools
     – http://sectools.org/

34. More Resources
   • Project Phase-Gate Model
     – http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model
   • ISO 9126 Software Quality Characteristics
     – http://www.sqa.net/iso9126.html
   • Top 10 Negative Test Cases
     – http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
   • OWASP – Software Quality Assurance
     – https://www.owasp.org/index.php/Software_Quality_Assurance
   • OWASP Testing Project
     – https://www.owasp.org/index.php/OWASP_Testing_Project
   • "952" Metrics for Software Quality Assurance (SQA)
     – http://davidfrico.com/sqa-metrics.pdf
   • Web Application Security Working Group
     – http://www.w3.org/2011/webappsec/

35. Even More Resources
   • SQL Injection Tutorial
     – http://www.youtube.com/watch?v=qELByGfNJSE
   • OWASP Mobile Security Project
     – https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
     – http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
   • OWASP WebGoat
     – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
   • OWASP Mutillidae
     – https://www.owasp.org/index.php/Category:OWASP_Mutillidae
   • OWASP Bricks
     – https://www.owasp.org/index.php/OWASP_Bricks
36. Contact Info
   Jerod Brennen, CISSP
   CTO & Principal Security Consultant, Jacadis
   LinkedIn: http://www.linkedin.com/in/slandail
   Twitter: https://twitter.com/slandail
   http://www.jacadis.com/
   contact@jacadis.com