David RookThe Principles of Secure DevelopmentOWASP Ireland Conference, DublinFriday, 18 September 2009
if (slide == introduction)                  System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ire...
Agenda • It is broken so lets fix it • The current approach • The Principles of Secure Development • An example of a real ...
It is broken so lets fix it  • Cross Site Scripting, 10 years old?  • SQL Injection, 11 years old?  33% of all vulnerabili...
It is broken so lets fix it                                                CVEs                                           ...
It is broken so lets fix it700060005000                                                         CVEs                      ...
It is broken so lets fix it                                                             SQLi & XSS = 32.24%700060005000   ...
Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a ...
Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a ...
The current approach                   (And why I think it fails to deliver secure applications)  • The cart before the ho...
The current approach                   (And why I think it fails to deliver secure applications)  • What if we taught driv...
The current approach                   (And why I think it fails to deliver secure applications)  • Many lists of vulnerab...
The current approach                   (And why I think it fails to deliver secure applications)  • Many lists of vulnerab...
What we need to do  • Put the application security horse before the cart        • Security guys tell developers how to wri...
Lets make secure development easier  • Keep It Short and Simple (KISS)        • The principles must be clearly defined    ...
The Principles of Secure Development  Input Validation  Output Validation  Error Handling  Authentication and Authorisatio...
The Principles of Secure Development  • Input Validation        • Identify and define the data your application must accep...
The Principles of Secure Development  • Input Validation        • Identify and define the data your application must accep...
The Principles of Secure Development  • Input Validation        • Identify and define the data your application must accep...
The Principles of Secure Development  • Input Validation        • Identify and define the data your application must accep...
The Principles of Secure Development  • Output Validation        • Identify and define the data your application must outp...
The Principles of Secure Development  • Output Validation        • Identify and define the data your application must outp...
The Principles of Secure Development  • Output Validation        • Identify and define the data your application must outp...
The Principles of Secure Development  • Error Handling        • Even the best apps will crash at some point, be prepared!F...
The Principles of Secure Development  • Error Handling        • Even the best apps will crash at some point, be prepared! ...
The Principles of Secure Development  • Error Handling        • Even the best apps will crash at some point, be prepared! ...
The Principles of Secure Development  • Error Handling        • Even the best apps will crash at some point, be prepared! ...
The Principles of Secure Development  • Authentication and Authorisation        • Even simple apps often have a need to au...
The Principles of Secure Development  • Authentication and Authorisation        • Even simple apps often have a need to au...
The Principles of Secure Development  • Authentication and Authorisation        • Even simple apps often have a need to au...
The Principles of Secure Development  • Authentication and Authorisation        • Even simple apps often have a need to au...
The Principles of Secure Development  • Authentication and Authorisation        • Even simple apps often have a need to au...
The Principles of Secure Development  • Authentication and Authorisation        • Even simple apps often have a need to au...
The Principles of Secure Development  • Session Management        • Used to manage authenticated users, no need to re-auth...
The Principles of Secure Development  • Session Management        • Used to manage authenticated users, no need to re-auth...
The Principles of Secure Development  • Session Management        • Used to manage authenticated users, no need to re-auth...
The Principles of Secure Development  • Session Management        • Used to manage authenticated users, no need to re-auth...
The Principles of Secure Development  • Session Management        • Used to manage authenticated users, no need to re-auth...
The Principles of Secure Development  • Session Management        • Used to manage authenticated users, no need to re-auth...
The Principles of Secure Development  • Secure Communications        • Protect data (i.e. CC no, passwords, sessionID’s) i...
The Principles of Secure Development  • Secure Communications        • Protect data (i.e. CC no, passwords, sessionID’s) i...
The Principles of Secure Development  • Secure Communications        • Protect data (i.e. CC no, passwords, sessionID’s) i...
The Principles of Secure Development  • Secure Communications        • Protect data (i.e. CC no, passwords, sessionID’s) i...
The Principles of Secure Development  • Secure Communications        • Protect data (i.e. CC no, passwords, sessionID’s) i...
The Principles of Secure Development  • Secure Storage        • Protect data (i.e. CC no, passwords, sessionID’s) when sto...
The Principles of Secure Development  • Secure Storage        • Protect data (i.e. CC no, passwords, sessionID’s) when sto...
The Principles of Secure Development  • Secure Storage        • Protect data (i.e. CC no, passwords, sessionID’s) when sto...
The Principles of Secure Development  • Secure Storage        • Protect data (i.e. CC no, passwords, sessionID’s) when sto...
The Principles of Secure Development  • Secure Storage        • Protect data (i.e. CC no, passwords, sessionID’s) when sto...
The Principles of Secure DevelopmentFriday, 18 September 2009
The Principles of Secure Development  • Secure Resource Access        • Obscurity != security, don’t try to hide sensitive...
The Principles of Secure Development  • Secure Resource Access        • Obscurity != security, don’t try to hide sensitive...
The Principles of Secure Development  • Secure Resource Access        • Obscurity != security, don’t try to hide sensitive...
Lets redefine what secure development means  • Follow a small, repeatable set of principles  • Try not to focus on specifi...
Evolution, not revolution  • Don’t make things more difficult than they need to be        • This isn’t a new wheel, its ju...
The new approach is working  • Private banking development company, Switzerland        • Application Security lead saw the...
The new approach is working  • Private banking development company, Switzerland        • Application Security lead saw the...
The new approach is working  • Private banking development company, Switzerland        • Application Security lead saw the...
The new approach is working  • Private banking development company, Switzerland        • Application Security lead saw the...
The new approach is working  • Private banking development company, Switzerland        • Application Security lead saw the...
The new approach is workingThey modified the principles matrix to match their own terminologyFriday, 18 September 2009
The new approach is workingThey modified the principles matrix to match their own terminologyFriday, 18 September 2009
Security Ninja new site launch!  • Security Ninja, brought you by Realex Payments        • Free application security and c...
Security Ninja new site launch!  • Security Ninja, brought you by Realex Payments        • Free application security and c...
Security Ninja new site launch!  • Security Ninja, brought you by Realex Payments        • Free application security and c...
Security Ninja new site launch!  • Security Ninja, brought you by Realex Payments        • Free application security and c...
www.securityninja.co.uk              Twitter: @securityninjaFriday, 18 September 2009
QUESTIONS?             www.securityninja.co.uk              Twitter: @securityninjaFriday, 18 September 2009
Upcoming SlideShare
Loading in …5
×

The Principles of Secure Development

862 views
790 views

Published on

The Principles of Secure Development by David Rook at the OWASP Ireland conference in 2009.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
862
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

The Principles of Secure Development

  1. 1. David RookThe Principles of Secure DevelopmentOWASP Ireland Conference, DublinFriday, 18 September 2009
  2. 2. if (slide == introduction) System.out.println("I’m David Rook"); • Security Analyst, Realex Payments, Ireland CISSP, CISA, GCIH and many other acronyms • Security Ninja (www.securityninja.co.uk) • Speaker at security events (national and international) • IIA Web Development Working Group • Facebook hacker and published security author (insecure magazine, bloginfosec etc)Friday, 18 September 2009
  3. 3. Agenda • It is broken so lets fix it • The current approach • The Principles of Secure Development • An example of a real world implementationFriday, 18 September 2009
  4. 4. It is broken so lets fix it • Cross Site Scripting, 10 years old? • SQL Injection, 11 years old? 33% of all vulnerabilities in 2008 and 2009 (so far) are XSS or SQL Injection (Based on CVE numbers) CVE statistics: http://web.nvd.nist.gov/view/vuln/statisticsFriday, 18 September 2009
  5. 5. It is broken so lets fix it CVEs Total SQLi XSSFriday, 18 September 2009
  6. 6. It is broken so lets fix it700060005000 CVEs Total SQLi4000 XSS 3000 2000 1000 0 2009 2008 2007 2006 2005 2004 2003 2002 2001 2000Friday, 18 September 2009
  7. 7. It is broken so lets fix it SQLi & XSS = 32.24%700060005000 CVEs Total SQLi4000 XSS 3000 2000 1000 0 2009 2008 2007 2006 2005 2004 2003 2002 2001 2000Friday, 18 September 2009
  8. 8. Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime.Friday, 18 September 2009
  9. 9. Philosophical Application Security Give a man a fish and you feed him for a day, teach him to fish and you feed him for a lifetime. I want to apply this to secure application development: Teach a developer about a vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities.Friday, 18 September 2009
  10. 10. The current approach (And why I think it fails to deliver secure applications) • The cart before the horse • Security guys tell developers about specific vulnerabilities • We hope they figure out how to prevent them • Inevitably security flaws end up in live code • Security guys complain when data gets stolenFriday, 18 September 2009
  11. 11. The current approach (And why I think it fails to deliver secure applications) • What if we taught drivers in the same way? • Instructor tells driver about the different ways to crash • We hope the driver figures out how not to crash • Inevitably the driver will crash • People complain when they get crashed intoFriday, 18 September 2009
  12. 12. The current approach (And why I think it fails to deliver secure applications) • Many lists of vulnerabilities • OWASP Top 10 • White Hat Sec Top 10 • SANS Top 25 • Others?? • != Secure development guidanceFriday, 18 September 2009
  13. 13. The current approach (And why I think it fails to deliver secure applications) • Many lists of vulnerabilities • OWASP Top 10 • White Hat Sec Top 10 • SANS Top 25 • Others?? • != Secure development guidance • 45 vulnerabilities, 42 unique names • 8 secure coding principles to prevent themFriday, 18 September 2009
  14. 14. What we need to do • Put the application security horse before the cart • Security guys tell developers how to write secure code • Developer doesn’t need to guess anymore • Common vulnerabilities prevented in applications • Realistic or just a caffeine fueled dream?Friday, 18 September 2009
  15. 15. Lets make secure development easier • Keep It Short and Simple (KISS) • The principles must be clearly defined • Language/Platform/Framework independent • Should cover more than just the common vulnerabilities • More secure software and greater ROI on security training?Friday, 18 September 2009
  16. 16. The Principles of Secure Development Input Validation Output Validation Error Handling Authentication and Authorisation Session Management Secure Communications Secure Storage Secure Resource AccessFriday, 18 September 2009
  17. 17. The Principles of Secure Development • Input Validation • Identify and define the data your application must acceptFriday, 18 September 2009
  18. 18. The Principles of Secure Development • Input Validation • Identify and define the data your application must accept • Create regex’s to validate each data type (content and size) • For example, a credit card number data type: d{12,16}$Friday, 18 September 2009
  19. 19. The Principles of Secure Development • Input Validation • Identify and define the data your application must accept • Create regex’s to validate each data type (content and size) • For example, a credit card number data type: d{12,16}$ • Use whitelisting for validation where possibleFriday, 18 September 2009
  20. 20. The Principles of Secure Development • Input Validation • Identify and define the data your application must accept • Create regex’s to validate each data type (content and size) • For example, a credit card number data type: d{12,16}$ • Use whitelisting for validation where possible • Blacklisting approach harder and potentially less secure • Blacklist example, replacing single quotes: s.replaceAll(Pattern.quote(" "), Matcher.quoteReplacement(" " "))Friday, 18 September 2009
  21. 21. The Principles of Secure Development • Output Validation • Identify and define the data your application must outputFriday, 18 September 2009
  22. 22. The Principles of Secure Development • Output Validation • Identify and define the data your application must output • Understand where (i.e. in a URL) your data should end up • Choose the correct output encoding for the datas destinationFriday, 18 September 2009
  23. 23. The Principles of Secure Development • Output Validation • Identify and define the data your application must output • Understand where (i.e. in a URL) your data should end up • Choose the correct output encoding for the datas destination • Proper encoding means this attack: www.examplesite.com/home.html?day=<script>alert(document.cookie)</script> Becomes: day=%3Cscript%3Ealert%28document.cookie%29%3C/script%3EFriday, 18 September 2009
  24. 24. The Principles of Secure Development • Error Handling • Even the best apps will crash at some point, be prepared!Friday, 18 September 2009
  25. 25. The Principles of Secure Development • Error Handling • Even the best apps will crash at some point, be prepared! • Crashes/errors can help an attacker if you don’t handle themFriday, 18 September 2009
  26. 26. The Principles of Secure Development • Error Handling • Even the best apps will crash at some point, be prepared! • Crashes/errors can help an attacker if you don’t handle them • Handle error conditions securely, sanitise the message sentFriday, 18 September 2009
  27. 27. The Principles of Secure Development • Error Handling • Even the best apps will crash at some point, be prepared! • Crashes/errors can help an attacker if you don’t handle them • Handle error conditions securely, sanitise the message sent • No error handling = information leakage Microsoft OLE DB Provider for ODBC Drivers(0x80040E14) [Microsoft][ODBC SQL Server Driver] [SQL Server]Invalid column name /examplesite/login.asp, line 10Friday, 18 September 2009
  28. 28. The Principles of Secure Development • Authentication and Authorisation • Even simple apps often have a need to authenticate usersFriday, 18 September 2009
  29. 29. The Principles of Secure Development • Authentication and Authorisation • Even simple apps often have a need to authenticate users • Often at least two levels of authorisationFriday, 18 September 2009
  30. 30. The Principles of Secure Development • Authentication and Authorisation • Even simple apps often have a need to authenticate users • Often at least two levels of authorisation • Need to prevent horizontal and vertical privilege escalationFriday, 18 September 2009
  31. 31. The Principles of Secure Development • Authentication and Authorisation • Even simple apps often have a need to authenticate users • Often at least two levels of authorisation • Need to prevent horizontal and vertical privilege escalation • Implement strong passwords and management systemsFriday, 18 September 2009
  32. 32. The Principles of Secure Development • Authentication and Authorisation • Even simple apps often have a need to authenticate users • Often at least two levels of authorisation • Need to prevent horizontal and vertical privilege escalation • Implement strong passwords and management systems • Ensure A+A is secure, not a false sense of security (CAPTCHA?)Friday, 18 September 2009
  33. 33. The Principles of Secure Development • Authentication and Authorisation • Even simple apps often have a need to authenticate users • Often at least two levels of authorisation • Need to prevent horizontal and vertical privilege escalation • Implement strong passwords and management systems • Ensure A+A is secure, not a false sense of security (CAPTCHA?) • Don’t rely on fields that are easily spoofed (referrer field)Friday, 18 September 2009
  34. 34. The Principles of Secure Development • Session Management • Used to manage authenticated users, no need to re-authFriday, 18 September 2009
  35. 35. The Principles of Secure Development • Session Management • Used to manage authenticated users, no need to re-auth • You need to ensure that your sessionID’s have sufficient entropyFriday, 18 September 2009
  36. 36. The Principles of Secure Development • Session Management • Used to manage authenticated users, no need to re-auth • You need to ensure that your sessionID’s have sufficient entropy • SessionID’s must not be predictable or reusableFriday, 18 September 2009
  37. 37. The Principles of Secure Development • Session Management • Used to manage authenticated users, no need to re-auth • You need to ensure that your sessionID’s have sufficient entropy • SessionID’s must not be predictable or reusable • Never build your own session management, it will failFriday, 18 September 2009
  38. 38. The Principles of Secure Development • Session Management • Used to manage authenticated users, no need to re-auth • You need to ensure that your sessionID’s have sufficient entropy • SessionID’s must not be predictable or reusable • Never build your own session management, it will fail • Protect sessionID’s when in transit (i.e. SSL!)Friday, 18 September 2009
  39. 39. The Principles of Secure Development • Session Management • Used to manage authenticated users, no need to re-auth • You need to ensure that your sessionID’s have sufficient entropy • SessionID’s must not be predictable or reusable • Never build your own session management, it will fail • Protect sessionID’s when in transit (i.e. SSL!) • Issue a new value for sensitive actions (i.e. funds transfer)Friday, 18 September 2009
  40. 40. The Principles of Secure Development • Secure Communications • Protect data (i.e. CC no, passwords, sessionID’s) in transitFriday, 18 September 2009
  41. 41. The Principles of Secure Development • Secure Communications • Protect data (i.e. CC no, passwords, sessionID’s) in transit • As with all crypto, don’t create your ownFriday, 18 September 2009
  42. 42. The Principles of Secure Development • Secure Communications • Protect data (i.e. CC no, passwords, sessionID’s) in transit • As with all crypto, don’t create your own • Don’t use broken protection mechanisms (i.e. SSLv2)Friday, 18 September 2009
  43. 43. The Principles of Secure Development • Secure Communications • Protect data (i.e. CC no, passwords, sessionID’s) in transit • As with all crypto, don’t create your own • Don’t use broken protection mechanisms (i.e. SSLv2) • Don’t just use SSL/TLS for logon pages, protect the session!Friday, 18 September 2009
  44. 44. The Principles of Secure Development • Secure Communications • Protect data (i.e. CC no, passwords, sessionID’s) in transit • As with all crypto, don’t create your own • Don’t use broken protection mechanisms (i.e. SSLv2) • Don’t just use SSL/TLS for logon pages, protect the session! • Try to avoid mixing secure and insecure traffic on a pageFriday, 18 September 2009
  45. 45. The Principles of Secure Development • Secure Storage • Protect data (i.e. CC no, passwords, sessionID’s) when storedFriday, 18 September 2009
  46. 46. The Principles of Secure Development • Secure Storage • Protect data (i.e. CC no, passwords, sessionID’s) when stored • As with all crypto, don’t create your ownFriday, 18 September 2009
  47. 47. The Principles of Secure Development • Secure Storage • Protect data (i.e. CC no, passwords, sessionID’s) when stored • As with all crypto, don’t create your own • Don’t use broken protection mechanisms (i.e. DES)Friday, 18 September 2009
  48. 48. The Principles of Secure Development • Secure Storage • Protect data (i.e. CC no, passwords, sessionID’s) when stored • As with all crypto, don’t create your own • Don’t use broken protection mechanisms (i.e. DES) • Don’t store data in places where you can’t confidently secure itFriday, 18 September 2009
  49. 49. The Principles of Secure Development • Secure Storage • Protect data (i.e. CC no, passwords, sessionID’s) when stored • As with all crypto, don’t create your own • Don’t use broken protection mechanisms (i.e. DES) • Don’t store data in places where you can’t confidently secure it • Strong protection mechanisms, how strong should it be?Friday, 18 September 2009
  50. 50. The Principles of Secure DevelopmentFriday, 18 September 2009
  51. 51. The Principles of Secure Development • Secure Resource Access • Obscurity != security, don’t try to hide sensitive resourcesFriday, 18 September 2009
  52. 52. The Principles of Secure Development • Secure Resource Access • Obscurity != security, don’t try to hide sensitive resources • Understand the users flow through an app, cover weak spotsFriday, 18 September 2009
  53. 53. The Principles of Secure Development • Secure Resource Access • Obscurity != security, don’t try to hide sensitive resources • Understand the users flow through an app, cover weak spots • T-Mobile didn’t do the above, Paris Hiltons account hackedFriday, 18 September 2009
  54. 54. Lets redefine what secure development means • Follow a small, repeatable set of principles • Try not to focus on specific vulnerabilities • Develop securely, not to prevent "hot vuln of the day" • Build security into the code, don’t try to bolt it on at the endFriday, 18 September 2009
  55. 55. Evolution, not revolution • Don’t make things more difficult than they need to be • This isn’t a new wheel, its just a smoother, easier to use wheel • Don’t treat security as something separate, integrate it • By integrating security fully a security bug is just another bug • Secure development doesn’t have to be hard, KISS it!Friday, 18 September 2009
  56. 56. The new approach is working • Private banking development company, Switzerland • Application Security lead saw the secure development principlesFriday, 18 September 2009
  57. 57. The new approach is working • Private banking development company, Switzerland • Application Security lead saw the secure development principles • Re-designed secure development training for his companyFriday, 18 September 2009
  58. 58. The new approach is working • Private banking development company, Switzerland • Application Security lead saw the secure development principles • Re-designed secure development training for his company • Security training costs down, quicker "spin up" of developersFriday, 18 September 2009
  59. 59. The new approach is working • Private banking development company, Switzerland • Application Security lead saw the secure development principles • Re-designed secure development training for his company • Security training costs down, quicker "spin up" of developers • Security within their SDLC now based on the principlesFriday, 18 September 2009
  60. 60. The new approach is working • Private banking development company, Switzerland • Application Security lead saw the secure development principles • Re-designed secure development training for his company • Security training costs down, quicker "spin up" of developers • Security within their SDLC now based on the principles • In his own words: You released the "secure development principles" at a time I had issues with my dev teams in how to teach them secure development. Your approach convinced me to look in another direction, not trying to teach every vulnerability but finding the basic principles that help prevent their existence. At that time, this was genius for me: most of my training since has been inspired by your secure development principles.Friday, 18 September 2009
  61. 61. The new approach is workingThey modified the principles matrix to match their own terminologyFriday, 18 September 2009
  62. 62. The new approach is workingThey modified the principles matrix to match their own terminologyFriday, 18 September 2009
  63. 63. Security Ninja new site launch! • Security Ninja, brought you by Realex Payments • Free application security and compliance resource siteFriday, 18 September 2009
  64. 64. Security Ninja new site launch! • Security Ninja, brought you by Realex Payments • Free application security and compliance resource site • Blog and site managed and updated by myselfFriday, 18 September 2009
  65. 65. Security Ninja new site launch! • Security Ninja, brought you by Realex Payments • Free application security and compliance resource site • Blog and site managed and updated by myself • Security presentations, whitepapers, videos and audio onlineFriday, 18 September 2009
  66. 66. Security Ninja new site launch! • Security Ninja, brought you by Realex Payments • Free application security and compliance resource site • Blog and site managed and updated by myself • Security presentations, whitepapers, videos and audio online • Secure Development Principles whitepaper available here todayFriday, 18 September 2009
  67. 67. www.securityninja.co.uk Twitter: @securityninjaFriday, 18 September 2009
  68. 68. QUESTIONS? www.securityninja.co.uk Twitter: @securityninjaFriday, 18 September 2009

×