Download Meeting Presentation


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Standard Waterfall model
  • Download Meeting Presentation

    1. 1. Software Security and the Software Development Lifecycle Stan Wisseman [email_address] Booz Allen Hamilton 8251 Greensboro Drive McLean VA 22102
    2. 2. Software security: Why care? <ul><li>Software is ubiquitous. </li></ul><ul><li>We rely on software to handle the sensitive and high-value data on which our livelihoods, privacy, and very lives depend. </li></ul><ul><li>Many critical business functions in government and industry depend completely on software. </li></ul><ul><li>Software—even high-consequence software—is increasingly exposed to the Internet. </li></ul><ul><ul><li>Increased exposure makes software (and the data it handles) visible to people who never even knew it existed before. </li></ul></ul><ul><ul><li>Not all of those people are well- intentioned (to say the least!). </li></ul></ul>
    3. 3. Security as a property of software <ul><li>Secure software is software that can’t be intentionally forced to perform any unintended function. </li></ul><ul><li>Secure software continues to operate correctly even under attack. </li></ul><ul><li>Secure software can recognize attack patterns and avoid or withstand recognized attacks. </li></ul><ul><li>At the whole-system level, after an attack, secure software recovers rapidly and sustains only minimal damage. </li></ul>
    4. 4. Exploitable defects in software lead to vulnerabilities <ul><li>Inherent deficiencies in the software’s processing model (e.g., Web, SOA, Email) and the model’s associated protocols/technologies </li></ul><ul><ul><li>Example: Trust establishment in web applications is only one-way (client authenticates server) </li></ul></ul><ul><li>Shortcomings in the software’s security architecture </li></ul><ul><ul><li>Example: Exclusive reliance on infrastructure components to filter/block dangerous input, malicious code, etc. </li></ul></ul><ul><li>Defects in execution environment components (middleware, frameworks, operating system, etc.), </li></ul><ul><ul><li>Example: Known vulnerabilities in WebLogic, J2EE, Windows XP, etc. </li></ul></ul>
    5. 5. Exploitable defects cont’d <ul><li>Defects in the design or implementation of software’s interfaces with environment- and application-level components </li></ul><ul><ul><li>Example: Reliance on known-to-be-insecure API, RPC, or communications protocol implementations </li></ul></ul><ul><li>Defects in the design or implementation of the software’s interfaces with its users (human or software process) </li></ul><ul><ul><li>Example: Web application fails to establish user trustworthiness before accepting user input. </li></ul></ul><ul><li>Defects in the design or implementation of the software’s processing of input </li></ul><ul><ul><li>Example: C++ application does not do bounds checking on user-submitted input data before writing that data to a memory buffer. </li></ul></ul>
    6. 6. So what do you do with these exploitable defects? Exploit them! <ul><li>Session hijacking – A hacker will claim the identity of another user in the system </li></ul><ul><li>Command Injection (e.g. SQL Injection) – A hacker will modify input causing a database to return other users’ data, drop tables, shutdown the database </li></ul><ul><li>Cross Site Scripting (XSS) – A hacker will reflect malicious scripts off a web server to be executed in another user’s browser to steal their session, redirect them to a malicious site, steal sensitive user data, or deface the webpage </li></ul><ul><li>Buffer Overflows – A hacker will overflow a memory buffer or the stack, causing the system to crash or to load and execute malicious code, thereby taking over the machine </li></ul><ul><li>Denial of Service – A hacker will cause individual users or the entire system the inability to operate </li></ul>
    7. 7. Topology of an Application Attack Network Layer OS Layer Application Layer (End-user interface) Network Layer OS Layer Application Layer Custom Application Back-end Database Application Traffic
    8. 8. Software Security Vulnerabilities Reported 1995-1999 2000-2005 Total vulnerabilities reported (1995-2Q,2005): 19,600 CERT/CC 417 262 311 345 171 Vulnerabilities 1999 1998 1997 1996 1995 Year 2,874 3,780 3,784 4,129 2,437 1,090 Vulnerabilities 1Q-2Q,2005 2004 2003 2002 2001 2000 Year
    9. 9. Cost of Software Security Vulnerabilities <ul><li>NIST estimates costs of $60 Billion a year due to software vulnerabilities </li></ul><ul><li>Security fixes for implementation flaws typically cost $2000-$10,000 when done during testing phase. However, they may cost more than 5-10 times when fixed after the application has been shipped. </li></ul><ul><li>The cost of fixing architectural flaws is significantly higher than fixing implementation flaws. </li></ul><ul><li>Gartner Group says system downtime caused by software vulnerabilities will triple from 5% to 15% by 2008 for firms that don't take proactive security steps </li></ul>
    10. 10. What to Do About These Serious Vulnerabilities? <ul><li>Integrate Software Security into the </li></ul><ul><li>Software Development Lifecycle </li></ul>
    11. 11. When to Address Software Security? <ul><li>As early as possible AND throughout the development lifecycle </li></ul>
    12. 12. The Software Project Triangle <ul><li>Software assurance affects every side of the triangle, and any changes you make to any side of the triangle are likely to affect software assurance </li></ul>
    13. 13. Challenges to Developing Secure Software <ul><li>SDLC often does not have security as a primary objective </li></ul><ul><li>SDLC often is not robust enough to handle complex development needs For example, how does your SDLC handle: </li></ul><ul><ul><li>Inherent vulnerabilities in the technologies you’re using </li></ul></ul><ul><ul><li>Use of code from untrusted (and open) sources </li></ul></ul><ul><ul><li>Increase is features and complexity make security harder </li></ul></ul><ul><ul><li>Time to market pushes security out </li></ul></ul><ul><ul><li>Vendors that don’t warrant the trustworthiness of their software </li></ul></ul><ul><ul><li>Software developers that aren’t trained in secure development </li></ul></ul><ul><ul><li>Component assemblies, COTS integration, etc. </li></ul></ul><ul><ul><li>Time, money constraints </li></ul></ul><ul><ul><li>COTS upgrades and patches </li></ul></ul>
    14. 14. Security Enhancing the Software Development Lifecycle
    15. 15. Software Security Problems are Complicated <ul><li>IMPLEMENTATION BUGS </li></ul><ul><li>Buffer overflow </li></ul><ul><ul><li>String format </li></ul></ul><ul><ul><li>One-stage attacks </li></ul></ul><ul><li>Race conditions </li></ul><ul><ul><li>TOCTOU (time of check to time of use) </li></ul></ul><ul><li>Unsafe environment variables </li></ul><ul><li>Unsafe system calls </li></ul><ul><ul><li>System() </li></ul></ul><ul><li>Untrusted input problems </li></ul><ul><li>ARCHITECTURAL FLAWS </li></ul><ul><li>Misuse of cryptography </li></ul><ul><li>Compartmentalization problems in design </li></ul><ul><li>Privileged block protection failure (DoPrivilege()) </li></ul><ul><li>Catastrophic security failure (fragility) </li></ul><ul><li>Type safety confusion errors </li></ul><ul><li>Broken or illogical access control (RBAC over tiers) </li></ul><ul><li>Method over-riding problems (subclass issues) </li></ul><ul><li>Signing too much code </li></ul>
    16. 16. The Challenge: Find Security Problems Before Deployment
    17. 17. Software Security SDLC Touchpoints Source: Gary McGraw Requirements and use cases Design Test plans Code Test results Field feedback Abuse cases Security requirements External review Risk analysis Risk-based security tests Security breaks Static analysis (tools) Risk analysis Penetration testing
    18. 18. Security Throughout the Application Lifecycle
    19. 19. Requirements Phase
    20. 20. Requirements Phase <ul><li>You may have built a perfectly functional car, but that doesn’t mean it’s gas tank won’t blow up. </li></ul><ul><li>System requirements usually include functional requirements </li></ul><ul><li>But omit security requirements! </li></ul>
    21. 21. Principles of the Requirements Phase <ul><li>You can’t assume security will be addressed by the developers </li></ul><ul><li>To adequately identify and specify security requirements, a threat-based risk assessment must be performed to understand the threats that the system may face when deployed. The development needs to understand that the threats to the system may change while the system is under development and when it is deployed </li></ul><ul><li>If it’s not a requirement, it doesn’t get implemented and doesn’t get tested </li></ul>
    22. 22. Security Requirements <ul><li>Reuse Common Requirements </li></ul><ul><ul><li>Most IT systems have a common set of security requirements </li></ul></ul><ul><ul><li>Some examples: </li></ul></ul><ul><ul><ul><li>Username/password </li></ul></ul></ul><ul><ul><ul><li>Access control checks </li></ul></ul></ul><ul><ul><ul><li>Input validation </li></ul></ul></ul><ul><ul><ul><li>Audit </li></ul></ul></ul><ul><ul><li>Dozens of common security requirements have been collected and perfected by security professionals…use these to get your requirements right </li></ul></ul><ul><li>Security Requirements should include negative requirements </li></ul><ul><li>Requirement Tools should include misuse and abuse cases as well as use cases to capture what the system isn’t suppose to do </li></ul>
    23. 23. Requirements Phase: Misuse and Abuse Cases <ul><li>Use cases formalize normative behavior (and assume correct usage) </li></ul><ul><li>Describing non-normative behavior is a good idea </li></ul><ul><ul><li>Prepare for abnormal behavior (attack) </li></ul></ul><ul><ul><li>Misuse or abuse cases do this </li></ul></ul><ul><ul><li>Uncover exceptional cases </li></ul></ul><ul><li>Leverage the fact that designers know more about their system than potential attackers do </li></ul><ul><li>Document explicitly what the software will do in the face of illegitimate used </li></ul>
    24. 24. Design Phase
    25. 25. Principles of Secure Design <ul><li>Based on premise that correctness is NOT the same as security </li></ul><ul><li>Defense-in-depth: layering defenses to provide added protection. Defense in depth increases security by raising the cost of an attack by placing multiple barriers between an attacker and critical information resources. </li></ul><ul><li>Secure by design, secure by default, secure in deployment </li></ul><ul><li>Avoid High Risk Technologies </li></ul>
    26. 26. Principles of Secure Design (cont.) <ul><li>Isolate and constrain less trustworthy functions </li></ul><ul><li>Implement least privilege </li></ul><ul><li>Security through obscurity is wrong except to make reverse engineering more difficult </li></ul><ul><li>Using good software engineering practices doesn’t mean the software is secure </li></ul>
    27. 27. Security in the Design Phase <ul><li>Have security expert involved when designing system </li></ul><ul><li>Design should be specific enough to identify all security mechanisms </li></ul><ul><ul><li>Flow charts, sequence diagrams </li></ul></ul><ul><ul><li>Use cases, misuse case and abuse cases </li></ul></ul><ul><ul><li>Threat models </li></ul></ul><ul><li>Sometimes an independent security review of the design is appropriate </li></ul><ul><ul><li>Very sensitive systems </li></ul></ul><ul><ul><li>Inexperienced development team </li></ul></ul><ul><ul><li>New technologies being used </li></ul></ul><ul><li>Design your security mechanisms to be modular </li></ul><ul><ul><li>Allows reuse! </li></ul></ul><ul><ul><li>Allows for centralized mechanism </li></ul></ul>
    28. 28. Threat Analysis <ul><li>You cannot build secure applications unless you understand threats </li></ul><ul><ul><li>Adding security features does not mean you have secure software </li></ul></ul><ul><ul><li>“We use SSL!” </li></ul></ul><ul><li>Find issues before the code is created </li></ul><ul><li>Find different bugs than code review and testing </li></ul><ul><ul><li>Implementation bugs vs. higher-level design issues </li></ul></ul><ul><li>Approx 50% of issues come from threat models </li></ul>
    29. 29. Threat Modeling Process <ul><li>Create model of app (DFD, UML etc) </li></ul><ul><ul><li>Build a list of assets that require protection </li></ul></ul><ul><li>Categorize threats to each attack target node </li></ul><ul><ul><li>Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege </li></ul></ul><ul><li>Build threat tree for each threat </li></ul><ul><ul><li>Derived from hardware fault trees </li></ul></ul><ul><li>Rank threats by risk </li></ul><ul><ul><li>Risk = Potential * Damage </li></ul></ul><ul><ul><li>Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability </li></ul></ul>
    30. 30. Design Phase: Architectural Risk Analysis <ul><li>The system designers should not perform the assessment </li></ul><ul><li>Build a one page white board design model </li></ul><ul><li>Use hypothesis testing to categorize risks </li></ul><ul><ul><li>Threat modeling/Attack patterns </li></ul></ul><ul><li>Rank risks </li></ul><ul><li>Tie to business context </li></ul><ul><li>Suggest fixes </li></ul><ul><li>Multiple iterations </li></ul>
    31. 31. Risk Analysis Must be External to the Development Team <ul><li>Having outside eyes look at your system is essential </li></ul><ul><ul><li>Designers and developers naturally have blinders on </li></ul></ul><ul><ul><li>External just means outside of the project </li></ul></ul><ul><ul><li>This is knowledge intensive </li></ul></ul><ul><li>Outside eyes make it easier to “assume nothing” </li></ul><ul><ul><li>Find assumptions, make them go away </li></ul></ul><ul><li>Red teaming is a weak form of external review </li></ul><ul><ul><li>Penetration testing is too often driven by outside  in perspective </li></ul></ul><ul><ul><li>External review must include architecture analysis </li></ul></ul><ul><li>Security expertise and experience really helps </li></ul>
    32. 32. Risk Assessment Methodologies <ul><li>These methods attempt to identify and quantify risks, then discuss risk mitigation in the context of a wider organization </li></ul><ul><li>A common theme among these approaches is tying technical risks to business impact </li></ul><ul><li>Commercial </li></ul><ul><li>STRIDE from Microsoft </li></ul><ul><li>ACSM/SAR from Sun </li></ul><ul><li>Standards-Based </li></ul><ul><li>ASSET from NIST </li></ul><ul><li>OCTAVE from SEI </li></ul>
    33. 33. Implementation Phase
    34. 34. Secure Implementation Concepts <ul><li>Developer training </li></ul><ul><ul><li>Essential that developers learn how to implement code securely </li></ul></ul><ul><ul><li>Subtleties and pitfalls that can only be addressed with security training </li></ul></ul><ul><li>Reuse of previously certified code that performs well for common capabilities, especially </li></ul><ul><ul><li>Authentication </li></ul></ul><ul><ul><li>Input Validation </li></ul></ul><ul><ul><li>Logging </li></ul></ul><ul><ul><li>Much of “custom” software uses previously developed code </li></ul></ul><ul><li>Coding standards, style guides </li></ul><ul><li>Peer review or peer development </li></ul>
    35. 35. Validating Inputs <ul><li>Cleanse data </li></ul><ul><li>Perform bounds checking </li></ul><ul><li>Check </li></ul><ul><ul><li>Configuration files </li></ul></ul><ul><ul><li>Command-line parameters </li></ul></ul><ul><ul><li>URLs </li></ul></ul><ul><ul><li>Web content </li></ul></ul><ul><ul><li>Cookies </li></ul></ul><ul><ul><li>Environment variables </li></ul></ul><ul><ul><li>Filename references </li></ul></ul>
    36. 36. Secure Coding Guides <ul><li>Provide guidance on code-level security </li></ul><ul><ul><li>Thread safety </li></ul></ul><ul><ul><li>Attack patterns </li></ul></ul><ul><ul><li>Technology-specific pitfalls </li></ul></ul><ul><li>Booz Allen has developed internal secure coding guides </li></ul><ul><ul><li>Java (J2EE general) </li></ul></ul><ul><ul><li>C/C++ </li></ul></ul><ul><ul><li>Software Security Testing </li></ul></ul>
    37. 37. Code Review <ul><li>Code review is a necessary evil </li></ul><ul><li>Better coding practices make the job easier </li></ul><ul><li>Automated tools help catch common implementation errors </li></ul><ul><li>Implementation errors do matter </li></ul><ul><ul><li>Buffer overflows can be uncovered with static analysis </li></ul></ul><ul><ul><li>C/C++ rules </li></ul></ul><ul><ul><li>Java rule </li></ul></ul><ul><ul><li>.NET rules </li></ul></ul><ul><li>Tracing back from vulnerable location to input is critical </li></ul><ul><ul><li>Software exploits </li></ul></ul><ul><ul><li>Attacking code </li></ul></ul>
    38. 38. Code Review (con’t) <ul><li>Pros of Code Review </li></ul><ul><ul><li>Demonstrate that all appropriate security mechanisms exist </li></ul></ul><ul><ul><ul><li>(e.g. LOGGING cannot be verified by pen testing) </li></ul></ul></ul><ul><ul><li>Can be performed throughout the development </li></ul></ul><ul><ul><li>Complete traceability to show that security mechanisms are implemented correctly </li></ul></ul><ul><ul><li>Able to find risks that are not evident in live application </li></ul></ul><ul><ul><ul><li>(explicit comments, race conditions, missing audit, class-level security, etc.) </li></ul></ul></ul><ul><li>Cons of Code Review </li></ul><ul><ul><li>Labor intensive </li></ul></ul><ul><ul><ul><li>(Static analysis tools reduce labor, expand completeness) </li></ul></ul></ul><ul><ul><li>Requires expert </li></ul></ul><ul><ul><li>Only using automated tools isn’t sufficient </li></ul></ul>
    39. 39. Testing Phase
    40. 40. Testing Phase <ul><li>Software security testing objective is to determine that software: </li></ul><ul><ul><li>Contains no defects that can be exploited to force the software to operate incorrectly or to fail </li></ul></ul><ul><ul><li>Does not perform any unexpected functions </li></ul></ul><ul><ul><li>Source code contains no dangerous constructs (e.g., hard-coded passwords) </li></ul></ul><ul><li>The methodology for achieving these objectives will include: </li></ul><ul><ul><li>Subjecting the software to the types of intentional faults associated with attack patterns </li></ul></ul><ul><ul><ul><li>Question to be answered: Is the software’s exception handling adequate? </li></ul></ul></ul><ul><ul><li>Subjecting the software to the types of inputs associated with attack patterns </li></ul></ul><ul><ul><ul><li>Question to be answered: Is the software’s error handling adequate? </li></ul></ul></ul>
    41. 41. Software Security Testing is Different than ST&E <ul><li>ST&E testing is functional in nature </li></ul><ul><ul><li>Goal of ST&E is to verify correct behavior, not to reveal defects or cause unintended behavior </li></ul></ul><ul><ul><li>Only 3 NIST 800-53 controls refer to software security </li></ul></ul><ul><li>ST&E testing not targeted towards vulnerabilities </li></ul><ul><li>Software Security testing is purely technical (no managerial or operational testing) </li></ul><ul><li>Software Security testing seeks out defects and vulnerabilities and attempts to exploit or reveal them. </li></ul><ul><ul><li>Defects and vulnerabilities are in context of software platform or architecture </li></ul></ul><ul><li>Software Security testing goes into detail, where ST&E leaves off. </li></ul>
    42. 42. How Software Security Testing is Different <ul><li>Software Security Testing is focused, in-depth security testing of the software </li></ul><ul><ul><li>Minimizes gap between potential exploits </li></ul></ul>- Level of Detail + Focused Coverage Broad Coverage ST&E Sw Security Testing Recommended by NIST Guidance Potential Sophistication of Attackers
    43. 43. Testing strategy <ul><li>Think like an attacker and a defender. </li></ul><ul><ul><li>Seek out, probe, and explore unused functions and features. </li></ul></ul><ul><ul><li>Submit unexpected input. </li></ul></ul><ul><ul><li>Enter obscure command line options. </li></ul></ul><ul><ul><li>Inspect call stacks and interfaces. </li></ul></ul><ul><ul><li>Observe behavior when process flow is interrupted. </li></ul></ul><ul><li>Verify all properties, attributes, and behaviors that are expected to be there. </li></ul><ul><li>Verify use of secure standards and technologies and secure implementations of same. </li></ul><ul><li>Be imaginative, creative, and persistent. </li></ul><ul><li>Include independent testing by someone who isn’t familiar with the software. </li></ul>
    44. 44. What parts of software to test <ul><li>The parts that implement: </li></ul><ul><li>The interfaces/interactions between the software system’s components (modules, processes) </li></ul><ul><li>The interfaces/interactions between the software system and its execution environment </li></ul><ul><li>The interfaces/interactions between the software system and its users </li></ul><ul><li>The software system’s trusted and high-consequence functions, such as the software’s exception handling logic and input validation routines </li></ul>
    45. 45. Lifecycle timing of security reviews and tests
    46. 46. Software security testing tools Categories of testing tools
    47. 47. Software Security Testing - Conclusions <ul><li>Combined code review combined with application-level vulnerability scanning or penetration testing is the most effective </li></ul><ul><ul><li>Analysts have the ability to more clearly see and understand the interfaces of the application </li></ul></ul><ul><ul><li>Analysts have the ability to verify or dismiss suspected vulnerabilities </li></ul></ul><ul><ul><li>Security testers can “look under the hood” to fully understand application behavior </li></ul></ul><ul><li>May lead to recommendations that change the requirements specification </li></ul><ul><li>Not guaranteed to find all problems: addressing security throughout the SDLC is more likely to reduce vulnerabilities </li></ul><ul><li>The changing threat environment can still induce vulnerabilities. Some level of testing should be periodically performed </li></ul>
    48. 48. Deployment Phase
    49. 49. Deployment Phase <ul><li>Pre-deployment activities depend on the application but may include: </li></ul><ul><ul><li>Remove developer hooks </li></ul></ul><ul><ul><li>Remove debugging code </li></ul></ul><ul><ul><li>Remove sensitive information in comments, e.g. “FIXME” </li></ul></ul><ul><ul><li>Harden deployment OS, web server, app server, db server, etc. </li></ul></ul><ul><ul><li>Remove default and test accounts </li></ul></ul><ul><ul><li>Change all security credentials for deployed system, e.g. database passwords: to reduce the number of insiders that have direct access to the operational system </li></ul></ul>
    50. 50. Post-Deployment Validation <ul><li>Security of deployed software should be investigated regularly </li></ul><ul><li>Requires observing and analyzing its usage in the field </li></ul><ul><li>Requires automated support </li></ul>
    51. 51. Maintenance Phase
    52. 52. Maintenance Phase Security Activities <ul><li>Monitor for, install patches for COTS in your system </li></ul><ul><li>Individually consider security implications for each bug fix </li></ul><ul><li>Security analysis review for every major release </li></ul><ul><li>Changes to system should not be ad-hoc, should be added to the requirements specification, design specification, etc. </li></ul><ul><li>Monitoring, intrusion detection at the application level </li></ul>
    53. 53. Relevant Process Models <ul><li>Capability Models are designed to improve a process </li></ul><ul><ul><li>CMMI </li></ul></ul><ul><ul><li>SSE-CMM </li></ul></ul><ul><li>Project capability models define a system by: </li></ul><ul><ul><li>Analyzing, quantifying, and enhancing the efficiency and quality of generic processes </li></ul></ul><ul><ul><li>Improve efficiency and adaptability </li></ul></ul><ul><ul><li>Provide a framework to apply a process multiple times with consistency </li></ul></ul>
    54. 54. A Final Caution <ul><li>It is inevitable that unknown security vulnerabilities will be present in deployed software </li></ul><ul><ul><li>Software, users, environments too complex to fully comprehend </li></ul></ul><ul><ul><li>Environment and usage are subject to change </li></ul></ul>
    55. 55. References <ul><li>Application security public cases: </li></ul><ul><ul><li> </li></ul></ul><ul><li>Build Security in Portal </li></ul><ul><ul><li> </li></ul></ul><ul><li>Open Web Application Security Project (OWASP) </li></ul><ul><ul><li> </li></ul></ul><ul><li>Computer Security: Art and Science by M. Bishop </li></ul><ul><li>Secure Coding: Principles and Practices by M. G. Graff and K. R. van Wyk </li></ul><ul><li>Exploiting Software: How to Break Code by G. Hoglund and G. McGraw </li></ul><ul><li>Writing Secure Code by M. Howard and D. LeBlanc </li></ul><ul><li>Attack Modeling for Information Security and Survivability by A.P. Moore, R.J. Ellison, and R.C. Linger </li></ul><ul><li>Building Secure Software by J. Viega and G. McGraw </li></ul>