Software Security Initiative James Walden Northern Kentucky University

Topics Security Operations Web Application Firewalls Build Security In Maturity Model

Security Operations

Web Application Firewalls

Build Security In Maturity Model

Software Security Practices Code Reviews Risk Analysis Penetration Testing Security Operations Requirements Design Coding Testing Maintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing Security Testing Abuse Cases Security Operations

Code Reviews

Risk Analysis

Penetration Testing

Security Testing

Abuse Cases

Security Operations

Security Operations User security notes Software should be secure by default. Enabling certain features/configs may have risks. User needs to be informed of security risks. Incident response What happens when a vulnerability is reported? How do you communicate with users? How do you send updates to users?

User security notes

Software should be secure by default.

Enabling certain features/configs may have risks.

User needs to be informed of security risks.

Incident response

What happens when a vulnerability is reported?

How do you communicate with users?

How do you send updates to users?

Code Deployment Manage deployment process Change management process. Scrub debug/test code from software. Use automated tools for deployment. Maintain three sets of servers Development Staging Production

Manage deployment process

Change management process.

Scrub debug/test code from software.

Use automated tools for deployment.

Maintain three sets of servers

Development

Staging

Production

Web Application Firewalls Analyze + filter HTTP traffic Intrusion Detection Intrusion Prevent Open Source WAFs AQTronix WebKnight Breach ModSecurity Commercial WAFs Armorlogic Profense Breach WebDefend Citrix Application Firewall Fortify Defender

Analyze + filter HTTP traffic

Intrusion Detection

Intrusion Prevent

Open Source WAFs

AQTronix WebKnight

Breach ModSecurity

Commercial WAFs

Armorlogic Profense

Breach WebDefend

Citrix Application Firewall

Fortify Defender

Modes of Operation Bridge : transparent bridging firewall. Router : install at single point of entry. Reverse Proxy : traffic redirected to flow through WAF by DNS or routing. Embedded : server plugin; no need to configure network but only works with some web servers.

Bridge : transparent bridging firewall.

Router : install at single point of entry.

Reverse Proxy : traffic redirected to flow through WAF by DNS or routing.

Embedded : server plugin; no need to configure network but only works with some web servers.

Modes of Operation Bridge or Router Embedded Reverse Proxy

SSL Terminates SSL : Reconfigure network to move SSL operations to WAF itself. WAF to server communication can be plaintext or SSL encrypted. Passively decrypts SSL : WAF decrypts SSL traffic using copy of server’s SSL private key. Data travels untouched to web server. Occurs after SSL : Embedded WAFs can be posititioned to analyze traffic after server decrypts SSL data.

Terminates SSL : Reconfigure network to move SSL operations to WAF itself. WAF to server communication can be plaintext or SSL encrypted.

Passively decrypts SSL : WAF decrypts SSL traffic using copy of server’s SSL private key. Data travels untouched to web server.

Occurs after SSL : Embedded WAFs can be posititioned to analyze traffic after server decrypts SSL data.

Traffic Blocking Connection Intermediation : Traffic intercepted by WAF. Attacks blocked by not forwarding packets to destination. Connection Reset : Traffic inspected by WAF, which blocks attacks by resetting TCP connections. 3 rd Party Blocking : Traffic inspected by WAF, which notifies other devices to block.

Connection Intermediation : Traffic intercepted by WAF. Attacks blocked by not forwarding packets to destination.

Connection Reset : Traffic inspected by WAF, which blocks attacks by resetting TCP connections.

3 rd Party Blocking : Traffic inspected by WAF, which notifies other devices to block.

Traffic Blocking WAFs can block IP addresses TCP connections HTTP requests Application sessions Application users Too many new requests/sessions WAFs can rewrite parts of HTTP request Request headers Response headers Cookies URLs HTTP message bodies

WAFs can block

IP addresses

TCP connections

HTTP requests

Application sessions

Application users

Too many new requests/sessions

WAFs can rewrite parts of HTTP request

Request headers

Response headers

Cookies

URLs

HTTP message bodies

Canonicalization WAFs convert data to standard form URL-decoding Paths (., .., ) Mixed case Whitespace condensation HTML entity decoding Escaped cahracter decoding Unicode standardization

WAFs convert data to standard form

URL-decoding

Paths (., .., )

Mixed case

Whitespace condensation

HTML entity decoding

Escaped cahracter decoding

Unicode standardization

Signatures and Rules Signatures Text strings Regular expressions Rules Signatures + Operators (length, field) Logical expressions Control flow Session management

Signatures

Text strings

Regular expressions

Rules

Signatures +

Operators (length, field)

Logical expressions

Control flow

Session management

BSI Maturity Model Guide for building and improving a SSI. Based on survey of top software security programs: Adobe Depository Trust and Clearing Corporation EMC Google Microsoft QUALCOMM Wells Fargo Software Security Initiative Statistics 2-10 years old (average 4) 12-100 people (average 41) Approximate 100:1 developer:security person ratio.

Guide for building and improving a SSI.

Based on survey of top software security programs:

Adobe

Depository Trust and Clearing Corporation

EMC

Google

Microsoft

QUALCOMM

Wells Fargo

Software Security Initiative Statistics

2-10 years old (average 4)

12-100 people (average 41)

Approximate 100:1 developer:security person ratio.

Using the Maturity Model Executive leadership Accountability and empowerment. Difficultieis: Grassroots and network security. Identify organization security goals. Identify which practices fit best with organizational culture. Use all 12 practices. Better to put some level 1 activities in each practice in place than go to level 3 in one. Not necessary to do all practices in level 1 before moving to level 2.

Executive leadership

Accountability and empowerment.

Difficultieis: Grassroots and network security.

Identify organization security goals.

Identify which practices fit best with organizational culture.

Use all 12 practices.

Better to put some level 1 activities in each practice in place than go to level 3 in one.

Not necessary to do all practices in level 1 before moving to level 2.

Software Security Framework Governance : Practices that help manage and measure a software security program. Intelligence : Practices producing collection sof corporate knowledge used in swsec. SSDL Touchpoints : Practices associated with analysis and assurance of particular software development artifacts & processes. Deployment : Practices interfacing with network security and software configuration abd maintenance organizations.

Governance : Practices that help manage and measure a software security program.

Intelligence : Practices producing collection sof corporate knowledge used in swsec.

SSDL Touchpoints : Practices associated with analysis and assurance of particular software development artifacts & processes.

Deployment : Practices interfacing with network security and software configuration abd maintenance organizations.

Software Security Framework

Practices and Business Goals

Strategy and Metrics

Compliance and Policy

Training

Attack Models

Security Features and Design

Standards and Requirements

Architecture Analysis

Code Review

Security Testing

Penetration Testing

Software Environment

Configuration Management

Ten Core Activities Everyone Does

References Brian Chess, Gary McGraw, Sammy Migues, Building Security In—Maturity Model, http://www.bsi-mm.com/ CLASP, OWASP CLASP Project, http://www.owasp.org/index.php/Category:OWASP_CLASP_Project , 2008. Noopur Davis et. al., Processes for Producing Secure Software. IEEE Security & Privacy, May 2004. Karen Goertzel, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software : A Reference Guidebook on Software Assurance, October 2008. Michael Howard and Steve Lipner, The Security Development Lifecycle , Microsoft Press, 2006. Gary McGraw, Software Security, Addison-Wesley , 2006. Ivan Ristic, Apache Security , O’Reilly, 2005. Ofer Shezaf, ModSecurity “The Core Rule Set”: Generation detection of application layer attacks ModSecurity "The Core Rule Set": Generic detection of application layer attacks, 6th OWASP AppSec Conference, 2007. Web Application Security Consortium, “WAFEC, or how to choose WAF technology,” http://www.webappsec.org/projects/wafec/ , 2006.

Brian Chess, Gary McGraw, Sammy Migues, Building Security In—Maturity Model, http://www.bsi-mm.com/

CLASP, OWASP CLASP Project, http://www.owasp.org/index.php/Category:OWASP_CLASP_Project , 2008.

Noopur Davis et. al., Processes for Producing Secure Software. IEEE Security & Privacy, May 2004.

Karen Goertzel, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software : A Reference Guidebook on Software Assurance, October 2008.

Michael Howard and Steve Lipner, The Security Development Lifecycle , Microsoft Press, 2006.

Gary McGraw, Software Security, Addison-Wesley , 2006.

Ivan Ristic, Apache Security , O’Reilly, 2005.

Ofer Shezaf, ModSecurity “The Core Rule Set”: Generation detection of application layer attacks ModSecurity "The Core Rule Set": Generic detection of application layer attacks, 6th OWASP AppSec Conference, 2007.

Web Application Security Consortium, “WAFEC, or how to choose WAF technology,” http://www.webappsec.org/projects/wafec/ , 2006.