A Security Review Process for Existing Software Applications (DRAFT)
Gabriele Garzoglio, Computing Division, Fermilab
Overview
<ul>
  <li>Goal
    <ul><li>Identify technical risks and their impact</li></ul>
  </li>
  <li>Involvement</li>
  <li>Focus</li>
  <li>Process to achieve the goal
    <ul>
      <li>Application Review</li>
      <li>Abuse Cases Analysis</li>
      <li>Architectural Risk Analysis</li>
      <li>Code Review</li>
      <li>Application Tests</li>
      <li>Write Report</li>
    </ul>
  </li>
</ul>
Goal
<ul>
  <li>Identify technical risks associated with the application
    <ul>
      <li>Find vulnerabilities / flaws in application code / architecture</li>
      <li>Technical problems or complications</li>
    </ul>
  </li>
  <li>… and the impact of these technical risks
    <ul>
      <li>Unexpected system crashes</li>
      <li>Avoidance of security controls</li>
      <li>Unauthorized data modification / disclosure</li>
    </ul>
  </li>
  <li>Optionally: generate application quality metrics
    <ul>
      <li>Number of defects</li>
      <li>Number of critical risks</li>
    </ul>
  </li>
</ul>
Who should be involved
<ul>
  <li>Application developers</li>
  <li>Application administrators</li>
  <li>Management</li>
  <li>Security team</li>
  <li>Security reviewers</li>
</ul>
Focus
<ul>
  <li>To achieve the goals, study the software application with the following in mind:
    <ul>
      <li>What it does / what it protects (business context / risk)</li>
      <li>Threat / exploit community (what does an exploiter gain?)</li>
      <li>Potential vulnerabilities (what defects can be exploited?)</li>
      <li>Risks (vulnerabilities x threats)</li>
    </ul>
  </li>
</ul>
How to identify technical risks and their impact
<ul>
  <li>Application review (interviews, documentation, etc.)</li>
  <li>Abuse cases analysis</li>
  <li>Architectural risk analysis</li>
  <li>Code review</li>
  <li>Application tests (security / penetration)</li>
  <li>Write report</li>
</ul>
How to conduct the "Application Review"
<ul>
  <li>Study:
    <ul>
      <li>General functionalities</li>
      <li>Environment (users, security policies, etc.)</li>
      <li>Use cases</li>
      <li>Specific features</li>
      <li>Architecture</li>
      <li>Project management practices</li>
      <li>Operation practices</li>
      <li>Risk analysis / security requirements / security operations (if any)</li>
    </ul>
  </li>
</ul>
How to conduct the "Abuse Cases Analysis" *
<ul>
  <li>Misuse or abuse cases:
    <ul>
      <li>Prepare for abnormal behavior (attack)</li>
      <li>Uncover exceptional cases</li>
    </ul>
  </li>
  <li>Document what the software will do in the face of illegitimate use</li>
  <li>Process:
    <ul>
      <li>Start with attack patterns (see later), requirements, and use cases</li>
      <li>Build an attack model</li>
      <li>Determine misuse and abuse cases</li>
    </ul>
  </li>
  <li>Talk to the developers: they might know possible system abuses</li>
</ul>
* “Software Security: Building Security In” by G. McGraw, Addison-Wesley; “Exploiting Software: How to Break the Code” by G. Hoglund and G. McGraw, Addison-Wesley
48 attack patterns *
<ul>
  <li>Meta-characters in E-mail Header</li>
  <li>File System Function Injection, Content Based</li>
  <li>Client-side Injection, Buffer Overflow</li>
  <li>Cause Web Server Misclassification</li>
  <li>Alternate Encoding the Leading Ghost Characters</li>
  <li>Using Slashes in Alternate Encoding</li>
  <li>Using Escaped Slashes in Alternate Encoding</li>
  <li>Unicode Encoding</li>
  <li>UTF-8 Encoding</li>
  <li>URL Encoding</li>
  <li>Alternative IP Addresses</li>
  <li>Slashes and URL Encoding Combined</li>
  <li>Web Logs</li>
  <li>Overflow Binary Resource File</li>
  <li>Overflow Variables and Tags</li>
  <li>Overflow Symbolic Links</li>
  <li>MIME Conversion</li>
  <li>HTTP Cookies</li>
  <li>Filter Failure through Buffer Overflow</li>
  <li>Buffer Overflow with Environment Variables</li>
  <li>Buffer Overflow in API Calls</li>
  <li>Buffer Overflow in Local Command-Line Utilities</li>
  <li>Parameter Expansion</li>
  <li>String Format Overflow in syslog()</li>
  <li>Make the Client Invisible</li>
  <li>Target Programs That Write to Privileged OS Resources</li>
  <li>Use a User-Supplied Configuration File to Run Commands That Elevate Privilege</li>
  <li>Make Use of Configuration File Search Paths</li>
  <li>Direct Access to Executable Files</li>
  <li>Embedding Scripts within Scripts</li>
  <li>Leverage Executable Code in Non-executable Files</li>
  <li>Argument Injection</li>
  <li>Command Delimiters</li>
  <li>Multiple Parsers and Double Escapes</li>
  <li>User-Supplied Variable Passed to File System Calls</li>
  <li>Postfix NULL Terminator and Backslash</li>
  <li>Relative Path Traversal</li>
  <li>Client-Controlled Environment Variables</li>
  <li>User-Supplied Global Variables (DEBUG=1, PHP Globals, etc.)</li>
  <li>Session ID, Resource ID, and Blind Trust</li>
  <li>Analog In-Band Switching Signals (aka "Blue Boxing")</li>
  <li>Attack Pattern Fragment: Manipulating Terminal Devices</li>
  <li>Simple Script Injection</li>
  <li>Embedding Script in Nonscript Elements</li>
  <li>XSS in HTTP Headers</li>
  <li>HTTP Query Strings</li>
  <li>User-Controlled Filename</li>
  <li>Passing Local Filenames to Functions That Expect a URL</li>
</ul>
* “Exploiting Software: How to Break the Code” by G. Hoglund and G. McGraw, Addison-Wesley
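As an added example (not from the slides or their author), the check below is the kind of control an attack resistance analysis would look for when an application passes a user-controlled filename to the file system: it covers URL Encoding, Multiple Parsers and Double Escapes, Unicode Encoding, Using Slashes in Alternate Encoding, Postfix NULL Terminator and Relative Path Traversal from the list above. The base directory and the sample inputs are constructed for illustration.

```python
import os
import unicodedata
import urllib.parse
class UnsafePath(ValueError):
    """Raised when a user-controlled filename fails one of the checks."""
def canonical_decode(name: str, max_rounds: int = 3) -> str:
    # Decode until stable: "%252e" -> "%2e" -> "." (Multiple Parsers and Double Escapes).
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise UnsafePath("still decoding after %d rounds" % max_rounds)
    # Fold full-width and other compatibility look-alikes (Unicode Encoding).
    return unicodedata.normalize("NFKC", name)
def safe_join(base_dir: str, user_name: str) -> str:
    """Return an absolute path below base_dir, or raise UnsafePath."""
    name = canonical_decode(user_name)
    if "\x00" in name:                       # Postfix NULL Terminator
        raise UnsafePath("embedded NUL byte")
    name = name.replace("\\", "/")           # Using Slashes in Alternate Encoding
    if not name or name.startswith("/") or ".." in name.split("/"):
        raise UnsafePath("empty, absolute, or Relative Path Traversal")
    base = os.path.realpath(base_dir)        # realpath also follows symlinks
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafePath("resolves outside the base directory")
    return target
# Constructed sample inputs: one legitimate name, then one per attack pattern.
SAMPLE_NAMES = [
    "report.pdf",
    "..%2F..%2Fetc%2Fhosts",       # URL Encoding + Relative Path Traversal
    "%252e%252e%252fserver.key",   # double escape
    "notes.txt%00.jpg",            # NUL terminator truncating the extension
    "..\\..\\config.ini",          # backslash as alternate slash
    "\uff0e\uff0e/app.conf",       # full-width dots, folded by NFKC
    "/etc/hostname",               # absolute path
]
def classify(base_dir: str, names=SAMPLE_NAMES) -> dict:
    """Map each input to 'accepted' or 'rejected: <reason>' for the report."""
    verdicts = {}
    for n in names:
        try:
            safe_join(base_dir, n)
            verdicts[n] = "accepted"
        except UnsafePath as err:
            verdicts[n] = "rejected: %s" % err
    return verdicts
```

Running `classify("/srv/app/uploads")` (a made-up base directory) accepts only `report.pdf`; the verdict table is the kind of evidence a reviewer attaches to the "Application Tests" section of the report.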
How to conduct the "Architectural Risk Analysis" *
<ul>
  <li>Process:
    <ul>
      <li>Build a one-page overview</li>
      <li>Architectural analysis
        <ul>
          <li>Attack resistance analysis (see attack patterns)</li>
          <li>Ambiguity analysis</li>
          <li>Weakness analysis</li>
        </ul>
      </li>
      <li>Rank risks</li>
      <li>Build mitigations</li>
    </ul>
  </li>
</ul>
* “Software Security: Building Security In” by G. McGraw, Addison-Wesley; “Building Secure Software” by J. Viega and G. McGraw, Addison-Wesley
How to conduct the "Code Review" *
<ul>
  <li>Best if using automated tools</li>
  <li>Look out for:
    <ul>
      <li>Input validation and representation</li>
      <li>API abuse</li>
      <li>Security features</li>
      <li>Time and state</li>
      <li>Error handling</li>
      <li>Code quality</li>
      <li>Encapsulation</li>
      <li>Environment</li>
    </ul>
  </li>
</ul>
* “Software Security: Building Security In” by G. McGraw, Addison-Wesley; “Building Secure Software” by J. Viega and G. McGraw, Addison-Wesley
How to conduct the "Application Tests" *
<ul>
  <li>Security testing: risk-based testing, functional security testing, penetration testing, …
    <ul>
      <li>Several standards of compliance: CHECK, OSSTMM, OWASP, …</li>
      <li>Most appropriate for web applications is OWASP: http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents</li>
      <li>Select tests according to the outcomes of the previous analyses</li>
    </ul>
  </li>
</ul>
* “Software Security: Building Security In” by G. McGraw, Addison-Wesley
How to “write the report”
<ul>
  <li>Write a summary of your findings for each of the process steps
    <ul>
      <li>Application Review</li>
      <li>Abuse Cases Analysis</li>
      <li>Architectural Risk Analysis</li>
      <li>Code Review</li>
      <li>Application Tests</li>
    </ul>
  </li>
  <li>Identify the impact of technical risks
    <ul>
      <li>Remember your “focus”:
        <ul>
          <li>What it does / what it protects</li>
          <li>Threat / exploit community</li>
          <li>Potential vulnerabilities</li>
          <li>Risks (vulnerabilities x threats)</li>
        </ul>
      </li>
      <li>What are the business needs of the application?
        <ul><li>Availability, confidentiality, integrity, authenticity / non-repudiation, …</li></ul>
      </li>
      <li>Link the risks with the business needs</li>
    </ul>
  </li>
  <li>Propose mitigation strategies for the highest-impact risks</li>
</ul>