Slide 1. Find & fix the flaws in your code
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
Connected Cars Conference, London, UK
Slide 2. How confident are you in your code?
Lots of vulnerabilities in automotive software development
Measure your gaps, find your gaps, use the right tools for these gaps
Slide 3. The top ten automotive cybersecurity vulnerabilities of 2015
• Numeric errors
• Cryptographic issues
• Code injection
• Code
• Resource management errors
• Improper access control
• Improper input validation
• Information exposure
• Access control
• Memory buffer problems
Slide 4. Code
CWE-17: Weaknesses introduced during development, including specification, design and implementation (4.4%)
• Somewhat of a catchall for a number of design or implementation flaws:
– mismanaging passwords, storing plaintext passwords, hardcoded passwords
– improper handling of API contracts
– improper or absent error handling
– improperly handling time and state
• Also code generation issues, like a compiler removing “unneeded” code added for security
Slide 5. Example: chrony (NTP)
CVE-2015-1822
http://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2015/04/msg00002.html
chrony does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.
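The weakness class the advisory text describes, as a constructed illustration added here (it is not chrony's source; the pool, the structure and every function name are invented): a save routine that leaves the tail's next pointer stale beside the fixed routine, plus a bounded walk that reports the stale pointer instead of dereferencing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the weakness class named in CVE-2015-1822: a
 * list of saved (unacknowledged) replies whose last "next" pointer is never
 * initialised. NOT chrony's code; all names here are invented. */

#define POOL_SLOTS 4

struct saved_reply {
    unsigned int seq;            /* sequence number of the request answered */
    char payload[32];            /* reply body, truncated for the demo */
    struct saved_reply *next;    /* link to the next saved reply, or NULL */
};

/* A fixed pool stands in for the heap. Filling it with 0xAA imitates the
 * stale bytes earlier allocations leave behind, which is exactly what an
 * uninitialised pointer field really holds. */
struct reply_list {
    struct saved_reply pool[POOL_SLOTS];
    int used;
    struct saved_reply *head;
};

static void list_init(struct reply_list *l) {
    memset(l->pool, 0xAA, sizeof l->pool);
    l->used = 0;
    l->head = NULL;
}

/* Take the next free slot and fill in everything except the link field. */
static struct saved_reply *alloc_node(struct reply_list *l, unsigned int seq,
                                      const char *data) {
    if (l->used >= POOL_SLOTS) return NULL;
    struct saved_reply *n = &l->pool[l->used++];
    n->seq = seq;
    strncpy(n->payload, data, sizeof n->payload - 1);
    n->payload[sizeof n->payload - 1] = '\0';
    return n;                    /* n->next still holds the stale 0xAA bytes */
}

/* Vulnerable pattern: nodes are pushed at the head, so the first reply ever
 * saved becomes the tail, and its next field is only written when a
 * predecessor exists. The tail therefore keeps garbage. */
static bool save_reply_buggy(struct reply_list *l, unsigned int seq,
                             const char *data) {
    struct saved_reply *n = alloc_node(l, seq, data);
    if (n == NULL) return false;
    if (l->head != NULL) n->next = l->head;   /* BUG: skipped for the tail */
    l->head = n;
    return true;
}

/* Fixed pattern: next is assigned unconditionally, so the tail ends in NULL. */
static bool save_reply_fixed(struct reply_list *l, unsigned int seq,
                             const char *data) {
    struct saved_reply *n = alloc_node(l, seq, data);
    if (n == NULL) return false;
    n->next = l->head;           /* NULL for the first node, else predecessor */
    l->head = n;
    return true;
}

/* True when p points at a node slot inside the pool. */
static bool in_pool(const struct reply_list *l, const struct saved_reply *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)l->pool;
    uintptr_t hi = (uintptr_t)(l->pool + POOL_SLOTS);
    return a >= lo && a < hi && (a - lo) % sizeof(struct saved_reply) == 0;
}

/* Walk the chain the way a reply-matching loop would. A real daemon would
 * dereference the wild tail pointer and crash (the DoS in the advisory);
 * this walk checks each pointer against the pool first and returns -1. */
static int chain_length(const struct reply_list *l) {
    int n = 0;
    for (const struct saved_reply *p = l->head; p != NULL; p = p->next) {
        if (!in_pool(l, p)) return -1;   /* uninitialised next reached */
        n++;
    }
    return n;
}

/* Save three replies with the given routine and report the chain length:
 * 3 for the fixed routine, -1 (wild pointer) for the buggy one. */
static int demo(bool (*save)(struct reply_list *, unsigned int, const char *)) {
    struct reply_list l;
    list_init(&l);
    save(&l, 1, "reply-1");
    save(&l, 2, "reply-2");
    save(&l, 3, "reply-3");
    return chain_length(&l);
}

int main(void) {
    printf("buggy list: %d\n", demo(save_reply_buggy));   /* -1 */
    printf("fixed list: %d\n", demo(save_reply_fixed));   /* 3 */
    return 0;
}
```

The 0xAA fill is only a stand-in for whatever a real heap left behind; the same walk over a genuinely uninitialised field is what a static analyser flags as use of uninitialised data.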
Slide 6. chrony example: fail (code screenshot, not captured in the text)
Slide 7. chrony example: fix (code screenshot, not captured in the text; see Editor's Notes)
Slide 8. Code issues: remediation
• Design review
– Use well-identified coding patterns
– Create consistent API contracts
– Track use and storage of encrypted data and passwords
• Manual analysis
– Identify unclean code—poor quality likely points to unidentified security issues
– Handle all errors!
Slide 9. What do you need to know?
Slide 10. Awareness
Awareness of these top ten issues can help with nearly 90% of all vulnerabilities in embedded software (88%).
Slide 11. Best practices
1. Clean design
2. Methodical process
3. Good tools
4. Careful analysis
Slide 12. Tools
Tools only work when you’re using them. Make sure they’re part of your processes.
(Diagram labels: Validation, Build)
Slide 13. Black boxes
Don’t ignore the black boxes. They’re part of the system design too:
• font engines
• web browsers
• PDF viewers
• speech recognition engines
• graphics toolkits
• Adobe Flash & AIR
Slide 14. Over-the-air (OTA)
Bugs can be found in very stable code, so plan on OTA updates to address deployed systems.
Slide 15. Why wait until it’s too late?
Slide 16. Security matters
50% of defects are introduced in implementation and build, yet the cost of defects increases exponentially throughout the build cycle.
90% of developers say it is somewhat to very difficult to secure applications in automobiles.
Slide 17. What can you do?
Slide 18. Start with strong OSS
Slide 19. Open source is everywhere
80% of developers admit to having open source software in their code.
70% of development organizations don’t have clear policies, procedures, and tools for using open source code.
Slide 20. How do you protect against OSS flaws?
OSS policy (diagram):
• Acquisition & approval
• Support & maintenance
• Tracking
• Audit & governance
• Training
• Legal compliance
• Community interaction
Slide 21. Use all features of SCA
Slide 22. SCA – not your same old tool
37% of developers aren’t using automated scanning tools during development.
57% of developers don’t think automotive teams have the skills necessary to combat software security threats.
Slide 23. SCA can detect weaknesses
• Buffer overflows
• Un-validated user input
• Memory and resource leaks
• Information leakage
• Cross-site scripting
• Injection
• Vulnerable coding practices
• Banned APIs
• Infinite loops
• Concurrency violations
• Dereferencing NULL pointers
• Usage of uninitialized data
• Resource management
• Memory allocation errors
Slide 24. SCA can detect weaknesses
• CWE
• CWE/SANS Top 25
• MISRA
• CERT
• DISA STIG
• OWASP
• Or create your own
Slide 25. Now, can you be confident in your code?
Lots of vulnerabilities in automotive software development
Measure your gaps, find your gaps, use the right tools for these gaps
Attend our upcoming webinar for the top 10
Tools can help make these vulnerabilities less daunting
Open source tools can help mitigate risks
SCA can help detect weaknesses and strengthen the code
Slide 26.
National Vulnerability Database
• US government repository of standards-based vulnerability data
• Over 70,000 vulnerabilities
• Updated continuously from companies and security experts
• https://nvd.nist.gov/
MITRE
• Standardized categorization of cybersecurity vulnerabilities
• Common Weakness Enumeration (CWE): http://cwe.mitre.org/
• Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/

More Related Content

What's hot

AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps World
Parasoft
 
Protection and Verification of Security Design Flaws
Protection and Verification of Security Design FlawsProtection and Verification of Security Design Flaws
Protection and Verification of Security Design Flaws
Hdiv Security
 

What's hot (20)

Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Secure develpment 2014
Secure develpment 2014Secure develpment 2014
Secure develpment 2014
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
EuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsEuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through Standards
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
 
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotStatic Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Accelerating innovation with software supply chain management
Accelerating innovation with  software supply chain management    Accelerating innovation with  software supply chain management
Accelerating innovation with software supply chain management
 
Automation of Security scanning easy or cheese
Automation of Security scanning easy or cheeseAutomation of Security scanning easy or cheese
Automation of Security scanning easy or cheese
 
A "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesA "Firewall" for Bad Binaries
A "Firewall" for Bad Binaries
 
Automation of Security scanning easy or cheese?
Automation of Security scanning easy or cheese?Automation of Security scanning easy or cheese?
Automation of Security scanning easy or cheese?
 
Accelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain ManagementAccelerating Innovation with Software Supply Chain Management
Accelerating Innovation with Software Supply Chain Management
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
AppsSec In a DevOps World
AppsSec In a DevOps WorldAppsSec In a DevOps World
AppsSec In a DevOps World
 
Deploy + Destroy Complete Test Environments
Deploy + Destroy Complete Test EnvironmentsDeploy + Destroy Complete Test Environments
Deploy + Destroy Complete Test Environments
 
Protection and Verification of Security Design Flaws
Protection and Verification of Security Design FlawsProtection and Verification of Security Design Flaws
Protection and Verification of Security Design Flaws
 
Starting Involving Security In SDLC Process
Starting Involving Security  In SDLC Process Starting Involving Security  In SDLC Process
Starting Involving Security In SDLC Process
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
 
No Devops Without Continuous Testing
No Devops Without Continuous TestingNo Devops Without Continuous Testing
No Devops Without Continuous Testing
 

Similar to Find & fix the flaws in your code

Cutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control CostsCutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control Costs
IBM Security
 
Security Alert - Expert Uncovers the "Dirty Little Secret" of IBM i Security
Security Alert - Expert Uncovers the "Dirty Little Secret" of IBM i SecuritySecurity Alert - Expert Uncovers the "Dirty Little Secret" of IBM i Security
Security Alert - Expert Uncovers the "Dirty Little Secret" of IBM i Security
HelpSystems
 

Similar to Find & fix the flaws in your code (20)

Five ways to protect your software supply chain from hacks, quacks, and wrecks
Five ways to protect your software supply chain from hacks, quacks, and wrecksFive ways to protect your software supply chain from hacks, quacks, and wrecks
Five ways to protect your software supply chain from hacks, quacks, and wrecks
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application security
 
OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015
 
Gimme shelter: Tips on protecting proprietary and open source code
Gimme shelter: Tips on protecting proprietary and open source codeGimme shelter: Tips on protecting proprietary and open source code
Gimme shelter: Tips on protecting proprietary and open source code
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Autos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoTAutos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoT
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Best practices for API Integration - Bearer.sh
Best practices for API Integration - Bearer.shBest practices for API Integration - Bearer.sh
Best practices for API Integration - Bearer.sh
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
Navigating agile automotive software development
Navigating agile automotive software development Navigating agile automotive software development
Navigating agile automotive software development
 
Primer: The top ten automotive cybersecurity vulnerabilities of 2015
Primer: The top ten automotive cybersecurity vulnerabilities of 2015Primer: The top ten automotive cybersecurity vulnerabilities of 2015
Primer: The top ten automotive cybersecurity vulnerabilities of 2015
 
Cutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control CostsCutting Through the Software License Jungle: Stay Safe and Control Costs
Cutting Through the Software License Jungle: Stay Safe and Control Costs
 
Security Alert - Expert Uncovers the "Dirty Little Secret" of IBM i Security
Security Alert - Expert Uncovers the "Dirty Little Secret" of IBM i SecuritySecurity Alert - Expert Uncovers the "Dirty Little Secret" of IBM i Security
Security Alert - Expert Uncovers the "Dirty Little Secret" of IBM i Security
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
 
BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 

More from Rogue Wave Software

More from Rogue Wave Software (20)

The Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data PerspectiveThe Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data Perspective
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
 
Disrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformationDisrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformation
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
Adding layers of security to an API in real-time
Adding layers of security to an API in real-timeAdding layers of security to an API in real-time
Adding layers of security to an API in real-time
 
Getting the most from your API management platform: A case study
Getting the most from your API management platform: A case studyGetting the most from your API management platform: A case study
Getting the most from your API management platform: A case study
 
Advanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsAdvanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applications
 
The forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for youThe forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for you
 
Are open source and embedded software development on a collision course?
Are open source and embedded software development on a  collision course?Are open source and embedded software development on a  collision course?
Are open source and embedded software development on a collision course?
 
Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices
 
5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success
 
PSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliancePSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliance
 
Java 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the futureJava 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the future
 
How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)
 
Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)
 
How to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxHow to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to Linux
 
Approaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsApproaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC apps
 
Enterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOSEnterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOS
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
How to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmHow to keep developers happy and lawyers calm
How to keep developers happy and lawyers calm
 

Recently uploaded

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 

Recently uploaded (20)

WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
 
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million PeopleWSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 

Find & fix the flaws in your code

  • 1. 1© 2015 Rogue Wave Software, Inc. All Rights Reserved. 1 Find & fix the flaws in your code Connected Cars Conference London, UK
  • 2. 2© 2015 Rogue Wave Software, Inc. All Rights Reserved. 2 How confident are you in your code? Lots of vulnerabilities in automotive software development Measure your gaps, find your gaps, use the right tools for these gaps
  • 3. 3© 2015 Rogue Wave Software, Inc. All Rights Reserved. 3 The top ten automotive cybersecurity vulnerabilities of 2015 Numeric errors Cryptographic issues Code injection Code Resource management errors Improper access control Improper input validation Information exposure Access Control Memory buffer problems
  • 4. 4© 2015 Rogue Wave Software, Inc. All Rights Reserved. 4 Code CWE-17 : Weaknesses introduced during development including specification, design and implementation 4.4% • Somewhat of a catchall for a number of design or implementation flaws: – mismanaging passwords, storing plaintext passwords, hardcoded passwords – Improper handling of API contracts – Improper or absent error handling – Improperly handling time and state • Also code generation issues, like compiler removing “unneeded” code added for security
  • 5. 5© 2015 Rogue Wave Software, Inc. All Rights Reserved. 5 Example: chrony (NTP) CVE-2015-1822 http://listengine.tuxfamily.org/chrony.tuxfamily.org/ch rony-announce/2015/04/msg00002.html chrony does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.
  • 6. 6© 2015 Rogue Wave Software, Inc. All Rights Reserved. 6 chrony example: fail
  • 7. 7© 2015 Rogue Wave Software, Inc. All Rights Reserved. 7 chrony example: fix
  • 8. 8© 2015 Rogue Wave Software, Inc. All Rights Reserved. 8 Code issues: remediation • Design review – Use well-identified coding patterns – Create consistent API contracts – Track use and storage of encrypted data and passwords • Manual analysis – Identify unclean code—poor quality likely points to unidentified security issues – Handle all errors! Use well-identified coding patterns Design review Create consistent API contracts Track use and storage of encrypted data and passwords
  • 9. 9© 2015 Rogue Wave Software, Inc. All Rights Reserved. 9 What do you need to know?
  • 10. Awareness. Awareness of these top ten issues can help with nearly 90% (88%) of all vulnerabilities in embedded software.
  • 11. Best practices: 1. Clean design; 2. Methodical process; 3. Good tools; 4. Careful analysis.
  • 12. Tools. Tools only work when you’re using them, so make sure they’re part of your processes (validation, build).
  • 13. Black boxes. Don’t ignore the black boxes; they’re part of the system design too: font engines, web browsers, PDF viewers, speech recognition engines, graphics toolkits, Adobe Flash & AIR.
  • 14. Over-the-air (OTA). Bugs can be found in very stable code, so plan on OTA updates to address deployed systems.
  • 15. Why wait until it’s too late?
  • 16. Security matters. 50% of defects are introduced in implementation and build, yet the cost of defects increases exponentially throughout the build cycle. 90% of developers say it is somewhat to very difficult to secure applications in automobiles.
  • 17. What can you do?
  • 18. Start with strong OSS.
  • 19. Open source is everywhere. 80% of developers admit to having open source software in their code. 70% of development organizations don’t have clear policies, procedures, and tools for using open source code.
  • 20. How do you protect against OSS flaws? An OSS policy covering: acquisition & approval; support & maintenance; tracking; audit & governance; training; legal compliance; community interaction.
  • 21. Use all features of SCA.
  • 22. SCA – not your same old tool. 37% of developers aren’t using automated scanning tools during development. 57% of developers don’t think automotive teams have the skills necessary to combat software security threats.
  • 23. SCA can detect weaknesses: buffer overflows, un-validated user input, memory and resource leaks, information leakage, cross-site scripting, injection, vulnerable coding practices, banned APIs, infinite loops, concurrency violations, dereferencing NULL pointers, usage of uninitialized data, resource management, memory allocation errors.
  • 24. SCA can detect weaknesses against standards: CWE, CWE/SANS Top 25, MISRA, CERT, DISA STIG, OWASP, or create your own.
  • 25. Now you can be confident in your code? Lots of vulnerabilities in automotive software development. Measure your gaps, find your gaps, use the right tools for these gaps. Tools can help make these vulnerabilities less daunting. Open source tools can help mitigate risks. SCA can help detect and help strengthen weaknesses. Attend our upcoming webinar for the top 10.
  • 26. National Vulnerability Database: US government repository of standards-based vulnerability data; over 70,000 vulnerabilities; updated continuously from companies and security experts; https://nvd.nist.gov/. Mitre: standardized categorization of cybersecurity vulnerabilities; Common Weakness Enumeration (CWE): http://cwe.mitre.org/; Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org/.

Editor's Notes

  1. This issue had fixes in a couple of files, but this is probably the most important spot. The problem here is pretty subtle, and you’d need to understand the surrounding context to make a lot of sense of it, but due to the logical OR you can come through this path when the issue-token flag is set to one, yet you don’t have a valid timestamp. That means you’re allowing the caller to get the next token without properly checking the request.
  2. The fix changes the code a bit, but fundamentally it makes the control logic easier to see and much clearer. This is a good practice to get into: don’t use a bunch of tricky nested conditionals or pile up statements with side effects, or you might not get the result you intended. For the fix, we clear the “issue token” flag at the start, and we only set it if we pass through the conditionals and have a valid timestamp. Now the attacker gets caught if they issue bad requests.
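The control-flow pattern described in notes 1 and 2, as an added example that is not chrony’s code and not from the slide deck: a constructed request type with two checks (authenticator and timestamp), a “fail” shape where the flag is set as a side effect part-way through and a later logical OR lets the unchecked path through, and the “fix” shape where the flag starts cleared and is set only on the fully validated path. The struct, field names and function names are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed example (not chrony's data structures): a command request
 * must carry a verified authenticator AND a timestamp inside the accepted
 * window before a reply token is issued. Field names are assumptions.
 */
struct cmd_request {
    bool has_auth;        /* authenticator on the request verified */
    bool timestamp_valid; /* timestamp fell inside the accepted window */
};

/*
 * "Fail" shape: issue_token is set as a side effect before all checks are
 * done, and a later logical OR treats "flag already set" as equivalent to
 * "timestamp valid". A request with good auth but a stale timestamp is
 * therefore allowed through (and, as the truth table shows, so is a request
 * with a valid timestamp but no auth).
 */
bool issue_token_tangled(const struct cmd_request *req)
{
    bool issue_token = false;

    if (req->has_auth)
        issue_token = true;          /* side effect part-way through the checks */

    /* OR short-circuits: once issue_token is true the timestamp is never examined */
    if (issue_token || req->timestamp_valid)
        return true;

    return false;
}

/*
 * "Fix" shape: default deny. The flag starts cleared and is set only on the
 * single path where every condition has been checked.
 */
bool issue_token_clear(const struct cmd_request *req)
{
    bool issue_token = false;

    if (req->has_auth && req->timestamp_valid)
        issue_token = true;          /* only after both checks pass */

    return issue_token;
}

/*
 * Walk all four input combinations and count the cases where the tangled
 * version issues a token that the default-deny version refuses.
 */
int count_unsafe_acceptances(void)
{
    int unsafe = 0;
    for (int a = 0; a < 2; a++) {
        for (int t = 0; t < 2; t++) {
            struct cmd_request req = { .has_auth = (a != 0),
                                       .timestamp_valid = (t != 0) };
            if (issue_token_tangled(&req) && !issue_token_clear(&req))
                unsafe++;
        }
    }
    return unsafe;
}

int main(void)
{
    struct cmd_request stale = { .has_auth = true, .timestamp_valid = false };

    printf("stale request: tangled=%d clear=%d\n",
           issue_token_tangled(&stale), issue_token_clear(&stale));
    printf("input combinations accepted only by the tangled version: %d\n",
           count_unsafe_acceptances());
    return 0;
}
```

The default-deny shape is also what a static analyser finds easiest to reason about: the only assignment that grants the token sits under one conjunction of every required check, so a missing condition shows up as a missing operand rather than as a path through an unrelated branch.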
  3. Only 30% of developers believe that software updates should be handled by OTA
  4. Modern SCA discovers issues far deeper in code than ever before, due to cutting-edge algorithms and faster hardware, allowing tools to go well beyond simple defects into very complex interactions, standards compliance, and custom checkers.
  5. SCA products are now engineered so the tool pushes the chosen security coding standards and their associated checkers and taxonomies to every developer's desktop. Everyone is notified as they write their code if they have violated the standards or introduced any vulnerabilities or defects. Fix any potential software security problems immediately, before code check-in. This frees up valuable developer time to work on more critical assignments.
  6. Most organizations need to comply with multiple coding standards to ensure software security. Klocwork includes built-in checkers to support all of the leading standards. Klocwork ships with hundreds of checkers. Our source code analysis engine can be tailored to enforce the rules for compliance with each standard by enabling or disabling individual checkers or full checker groups to meet the specific needs of your software development environment and processes. We've also worked with some of the largest consumer, military, communications, electronic, mobile and other companies in the world to create a checker API, providing your teams the ability to quickly and easily create customized security checkers.
  7. The statistics we’ve used on the frequency of vulnerability problems are from this data. They provide a fantastic resource, but there’s a huge amount of info there. We’ve tried to boil that vast repository of vulnerability info down into the tips that will best help the embedded engineer. We are focused on finding problems that affect software that could be used within an automotive telematics or infotainment system. We screened the vulnerability database to remove web, server, scripting, CRM or anything else that wasn’t embedded; however, the types of problems we’re discussing are common to a large number of varying types of embedded systems, not just automotive. All of the examples come from actual source code: we look at some of the real vulnerabilities reported this year and see how they were fixed.