Secure software development presentation

A presentation on the necessity of building secure software and the methods for doing so.



  1. Web Application Security: Secure Development
     Mahdi Dolati, mahdidolati@ut.ac.ir
     In the name of God, the Most Gracious, the Most Merciful
  2. An example to see why
  3. Top Ten Attacks
     • Open Web Application Security Project
     • Injection
     • Broken Authentication and Session Management
     • Cross-Site Scripting (XSS)
     • Insecure Direct Object References
     • Security Misconfiguration
     owasp.org/index.php/Top_10_2013-T10
  4. SQL Injection
     http://www-935.ibm.com/services/us/iss/xforce/trendreports/
  5. SQL Injection
  6. SQL Injection
     • Fill in the blanks!
     • SELECT OrderId FROM Sales WHERE CustomerId = ' '
     • SELECT OrderId FROM Sales WHERE CustomerId = '' UNION SELECT Table_Name FROM INFORMATION_SCHEMA.Tables; -- '
  7. Giving Information to the Attacker
     SELECT OrderID FROM Sales WHERE CustomerID = ' '
     (the blank is filled with a single quote: ')
  8. Giving Information to the Attacker
  9. Hide the Error
     • try {
           resultSet = READ FROM DATABASE;
       } catch (error) {
           redirect("home.html");
       }
       if (resultSet.RowCount > 0)
           redirect("history.html");
       else
           redirect("home.html");
     • Flowchart: Read from DB. Error? Yes: go to "home". No: Is result > 0? Yes: go to "history". No: go to "home".
  10. Blind SQL Injection
     • CustomerID = '                       -> go to "home" immediately
     • CustomerID = '; delay 1 min.;--      -> wait 1 min., then go to "home"
  11. Blind SQL Injection
     • Is the first letter of the name of the first table an 'A'? No, it's not: go to "home".
     • Is the first letter of the name of the first table a 'B'? Yes, it is: go to "history".
     • SELECT OrderID FROM Sales WHERE CustomerID = '' OR MID((SELECT table_name FROM INFORMATION_SCHEMA.tables LIMIT 1), 1, 1) = 'A'
  12. Solutions
     • Validate Input
       • No SQL syntax
       • No single quote
         • What about Mr. John O'Malley?
       • No single-quote attack
         • URL encoding
       • Prevent OR 1 = 1
       • Regex
       • Encode or escape
  13. Solutions
     • Validate Input
       • No SQL syntax
       • No single quote
       • Prevent OR 1 = 1
       • Regex
       • Encode or escape
  14. Solutions
     • Validate Input
       • No SQL syntax
       • No single quote
       • Prevent OR 1 = 1
       • Regex
       • Encode or escape
     Regexlib.com: search for "person's name"; the regex allows apostrophes.
     SQL injection: X' OR A IS NOT NULL
  15. Solutions
     • Validate Input
       • No SQL syntax
     • Escape input
       • Insert backslash
     • Parameterized queries
     • Stored Procedures
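The following is an added example, not code from the slides. It puts slides 6 through 15 side by side on a constructed in-memory Sales table: the concatenated query from slide 6, the database error that slides 7 and 8 say leaks information, a name regex in the style of the regexlib "person's name" pattern from slide 14 (a hypothetical pattern written here, which accepts apostrophes and therefore also accepts the X' OR A IS NOT NULL input), and the parameterized query from slide 15, which handles Mr. O'Malley correctly and treats SQL syntax in the input as plain data. The table, rows and regex are all constructed for the example.

```python
import re
import sqlite3


# Constructed sample data for the Sales table named on the slides; not the
# presentation's own database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Sales (OrderId INTEGER, CustomerId TEXT)")
    conn.executemany("INSERT INTO Sales VALUES (?, ?)",
                     [(1, "C100"), (2, "O'Malley"), (3, "C200")])
    conn.commit()
    return conn


def orders_concatenated(conn, customer_id):
    """The slide-6 pattern: user input is pasted into the SQL text.
    A quote in the input ends the string literal and whatever follows
    is parsed as SQL."""
    sql = "SELECT OrderId FROM Sales WHERE CustomerId = '" + customer_id + "'"
    return [row[0] for row in conn.execute(sql)]


def concatenation_breaks_on(conn, customer_id):
    """True if the concatenated query raises a database error for this
    input. Showing that error to the user is the information leak of
    slides 7 and 8."""
    try:
        orders_concatenated(conn, customer_id)
    except sqlite3.OperationalError:
        return True
    return False


def orders_parameterized(conn, customer_id):
    """Slide 15, parameterized query: the value is bound separately and is
    never parsed as SQL. A legitimate apostrophe (O'Malley) works, and SQL
    syntax in the input simply matches no row."""
    sql = "SELECT OrderId FROM Sales WHERE CustomerId = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


# Slide 14: a "person's name" pattern that allows apostrophes so O'Malley
# passes. Hypothetical pattern constructed for this example.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def name_validator_accepts(value):
    return NAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    for value in ("C100", "O'Malley", "' OR 1=1 --", "X' OR A IS NOT NULL"):
        concat = ("error" if concatenation_breaks_on(db, value)
                  else orders_concatenated(db, value))
        print(repr(value),
              "| validator:", name_validator_accepts(value),
              "| concatenated:", concat,
              "| parameterized:", orders_parameterized(db, value))
```

The validator alone is not a fix: it accepts the apostrophe-bearing injection string exactly as slide 14 warns, and it rejects nothing that the parameterized query does not already handle safely. Hiding the error (slide 9) does not help either, because the concatenated query still executes whatever SQL the input supplies; only the bound parameter removes the problem.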
  16. Bake Security In
  17. Cost
     • "Economic Impacts of Inadequate Infrastructure for Software Testing", nist.gov/director/planning/upload/report02-3.pdf
     • Chart: Relative Cost to Fix Software Defects, by phase: Req. / Design, Coding / Unit Testing, Integration Testing, Customer Beta Testing, Release (y-axis 0 to 35)
  18. Time
     • Timeline diagram with the labels: Find vulnerabilities, Hold release to fix, Fix, Schedule a pentest, Pentest
  19. HOW to bake security in?
  20. Training
  21. Threat Modeling
     • Ultimate pessimist's game
     • Many Approaches
       • Asset-centric
       • Attacker-centric
       • Software-centric
     • Mitigation
       • E.g. encrypt database
  22. SDL Threat Modeling Tool
     • A Data Flow Graph
     • STRIDE
       • Spoofing
       • Tampering
       • Information disclosure
       • Denial of service
       • Elevation of privilege
     Data flow diagram elements: User, Add item into cart, View cart contents, User database, Product Catalog, Cart Database
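An added example (not the SDL tool's code and not from the slides) of what the tool does with the slide-22 diagram: STRIDE-per-element, where each kind of DFD element gets the threat categories that apply to it, threats on flows crossing the trust boundary are reviewed first, and every threat must either carry a mitigation (slide 21: e.g. encrypt database) or be listed as open. The element-to-category table is the Microsoft SDL convention and includes Repudiation, which the slide's list leaves out; the data flows between the slide's elements and the boundary crossings are assumptions made for the example.

```python
# STRIDE-per-element: threat categories that apply to each DFD element type
# (Microsoft SDL convention; includes Repudiation, not shown on the slide).
STRIDE_FOR_KIND = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
CATEGORY = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


def slide_dfd():
    """Elements named on slide 22, plus assumed data flows between them.
    The third field of a flow says whether it crosses the trust boundary
    between the user and the application (assumed here)."""
    elements = [
        ("User", "external_entity"),
        ("Add item into cart", "process"),
        ("View cart contents", "process"),
        ("User database", "data_store"),
        ("Product Catalog", "data_store"),
        ("Cart Database", "data_store"),
    ]
    flows = [
        ("User", "Add item into cart", True),
        ("User", "View cart contents", True),
        ("Add item into cart", "Product Catalog", False),
        ("Add item into cart", "Cart Database", False),
        ("Add item into cart", "User database", False),
        ("View cart contents", "Cart Database", False),
    ]
    return elements, flows


def enumerate_threats(elements, flows):
    """Expand the DFD into a threat register, boundary-crossing flows first."""
    threats = []
    for name, kind in elements:
        for letter in STRIDE_FOR_KIND[kind]:
            threats.append({"element": name, "category": CATEGORY[letter],
                            "boundary": False})
    for src, dst, crosses in flows:
        for letter in STRIDE_FOR_KIND["data_flow"]:
            threats.append({"element": f"{src} -> {dst}",
                            "category": CATEGORY[letter], "boundary": crosses})
    # Review order: trust-boundary crossings first, then by element and category.
    threats.sort(key=lambda t: (not t["boundary"], t["element"], t["category"]))
    return threats


def unmitigated(threats, mitigations):
    """Threats with no recorded mitigation. `mitigations` maps
    (element, category) to the chosen countermeasure."""
    return [t for t in threats
            if (t["element"], t["category"]) not in mitigations]


if __name__ == "__main__":
    register = enumerate_threats(*slide_dfd())
    # One mitigation recorded, as on slide 21; everything else is still open.
    known = {("Cart Database", "Information disclosure"): "encrypt database"}
    for t in register:
        flag = "BOUNDARY" if t["boundary"] else "        "
        print(flag, t["element"], "|", t["category"])
    print(len(unmitigated(register, known)), "threats without a mitigation")
```

The register is the pessimist's list from slide 21: long, mechanical, and complete. The value of the method is that nothing is forgotten; deciding which entries are accepted risks and which need a countermeasure is the review work that follows.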
  23. Secure Coding Libraries
     • Don't reinvent the wheel
     • Code review
       • Correctness or Disuse
     • OWASP AntiSamy or Microsoft Anti-XSS
     • OpenSSL
  24. Secure Coding Libraries
     Bryan Sullivan and Vincent Liu, Web Application Security, McGraw Hill, 2011
  25. Code Review
  26. Static Analysis Tools
     • White-Box Testing
     • Integrate them
       • Build process
       • Code repository server
     • False positive reports
  27. Automated Analysis Tools
     Tool                             | Lang / Framework                  | Free / Commercial
     FindBugs                         | Java                              | Free (LGPL)
     OWASP LAPSE+                     | Java                              | Free (GPL)
     FxCop                            | .NET                              | Free (Ms-PL)
     PHP Security Scanner             | PHP                               | Free (GPL)
     JSLint                           | JavaScript                        | Free (LGPL)
     HP Fortify Source Code Analyser  | C/C++, .NET, Java, PHP, others    | Commercial
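None of the tools in the table are shown here; the following is an added example of the kind of check they perform, written for slides 26 and 27 and not taken from any of those products. It is a small white-box check over Python source that flags calls to execute-style methods whose first argument is built at run time (concatenation, %-formatting, .format(), f-strings), which is the slide-6 pattern the earlier slides warn about. It treats concatenation of two literals as harmless to show how a rule is tuned to cut the false positives the slide mentions, and it exits non-zero so it can sit in the build or in a repository hook. The sample source it scans is constructed inline.

```python
import ast
import sys

# Methods that send SQL text to the database (sqlite3 / DB-API style names).
EXEC_NAMES = {"execute", "executemany", "executescript"}


def _all_literal(node):
    """True when an expression is nothing but string literals joined by '+'."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _all_literal(node.left) and _all_literal(node.right)
    return False


def _dynamic_kind(node):
    """Name the run-time string construction used for an SQL argument,
    or None when the statement is a constant."""
    if isinstance(node, ast.JoinedStr):
        if any(isinstance(v, ast.FormattedValue) for v in node.values):
            return "f-string"
        return None
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Mod):
            return "%-format"
        if isinstance(node.op, ast.Add) and not _all_literal(node):
            return "string concatenation"   # literal + literal is not reported
        return None
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format()"
    return None


def find_dynamic_sql(source, filename="<input>"):
    """Return sorted (line, message) findings for execute-style calls whose
    SQL text is assembled at run time."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXEC_NAMES and node.args):
            kind = _dynamic_kind(node.args[0])
            if kind:
                findings.append((node.lineno,
                                 f"{filename}:{node.lineno}: SQL built by {kind}; "
                                 "bind values with query parameters instead"))
    return sorted(findings)


# Constructed sample module: one safe query, two unsafe ones, and a
# literal-only concatenation that a naive rule would report as a false positive.
SAMPLE_SOURCE = '''
def good(conn, cid):
    return conn.execute("SELECT OrderId FROM Sales WHERE CustomerId = ?", (cid,))

def bad_concat(conn, cid):
    return conn.execute("SELECT OrderId FROM Sales WHERE CustomerId = '" + cid + "'")

def bad_fstring(conn, cid):
    return conn.execute(f"SELECT OrderId FROM Sales WHERE CustomerId = '{cid}'")

def fine_constant(conn):
    return conn.execute("SELECT " + "COUNT(*) FROM Sales")
'''


def check_files(paths):
    """Scan real files; used when the script runs as a build step."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            findings.extend(find_dynamic_sql(fh.read(), path))
    return findings


if __name__ == "__main__":
    results = (check_files(sys.argv[1:]) if len(sys.argv) > 1
               else find_dynamic_sql(SAMPLE_SOURCE, "sample.py"))
    for _, message in results:
        print(message)
    sys.exit(1 if results else 0)   # non-zero exit fails the build
```

A statement assigned to a variable and passed by name is not followed here, so the check has false negatives as well; real tools track data flow to close that gap, and the false-positive tuning shown above is the trade-off slide 26 refers to.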
  28. Security Testing
     • Functional test approach
     • Black-Box Testing
       • Just like a Hacker
       • Active
       • Passive
  29. Black-Box Testing Tools
     • IBM Rational AppScan
       • Active
       • Commercial
     • OWASP WebScarab
       • Reactive
       • Free
  30. Black-Box vs. White-Box
     Diagram labels: Go, F#, Scala, Admin.php, System Boundary
  31. Security Incident Response Planning
  32. Industry Standard Secure Development Methodologies
  33. Trustworthy Computing Memo
  34. Security Development Lifecycle (SDL), microsoft.com/sdl
     • Training: Core Security Training
     • Requirements: Establish Security Requirements; Create Quality Gates/Bug Bars; Security & Privacy Risk Assessment
     • Design: Establish Security Requirements; Analyze Attack Surface; Threat Modeling
     • Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
     • Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
     • Release: Incident Response Plan; Final Security Review; Release Archive
     • Response: Execute Incident Response Plan
  35. SDL-Agile
  36. OWASP Comprehensive Lightweight Application Security Process (CLASP)
     Roles: Project Manager, Security Auditor, Test Analyst, Implementer, Architect, Requirements Specifier, Designer
