Running a Software Security Program with Open Source Tools

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely available tools that can be used to help implement the activities involved in such a program.

The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on exposure to a variety of freely-available tools that they can use to implement portions of these programs.

  1. Running a Software Security Program on Open Source Tools
     Dan Cornell, CTO, Denim Group (@danielcornell)
     © 2015 Denim Group – All Rights Reserved

  2. My Background
     • Dan Cornell, founder and CTO of Denim Group
     • Software developer by background (Java, .NET, etc.)
     • OWASP San Antonio

  3. Denim Group Background
     • Secure software services and products company
       - Builds secure software
       - Helps organizations assess and mitigate the risk of in-house developed and third-party software
       - Provides classroom training and e-Learning so clients can build software securely
     • Software-centric view of application security
       - Application security experts are practicing developers
       - Development pedigree translates to rapport with development managers
       - Business impact: shorter time-to-fix for application vulnerabilities
     • Culture of application security innovation and contribution
       - Develops open source tools to help clients mature their software security programs: Remediation Resource Center, ThreadFix
       - OWASP national leaders and regular speakers at RSA, SANS, OWASP, ISSA, CSI
       - World-class alliance partners accelerate innovation to solve client problems

  4. Agenda
     • So You Want To Roll Out a Software Security Program?
     • Software Assurance Maturity Model (OpenSAMM)
     • Components Of Your Software Security Program
       - Governance
       - Construction
       - Verification
       - Deployment
     • Conclusions / Questions

  5. So You Want To Roll Out a Software Security Program?
     • Great!
     • What a software security program ISN'T
       - Question: "What are you doing to address software security concerns?"
       - Answer: "We bought scanner XYZ"
     • What a software security program IS
       - People, process, tools (naturally)
       - A set of activities intended to repeatedly produce appropriately secure software

  6. Challenges Rolling Out Software Security Programs
     • Resources
       - Raw budget and cost issues
       - Level-of-effort issues
     • Resistance: requires organizational change
       - Apparently people hate this
     • Open source tools
       - Can help with raw budget issues
       - May exacerbate problems with level of effort
     • View the rollout as a multi-stage process
       - Not one magical effort
       - Use short-term successes and gains to fuel further change

  7. Software Assurance Maturity Model (OpenSAMM)
     • Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
     • Useful for:
       - Evaluating an organization's existing software security practices
       - Building a balanced software security program in well-defined iterations
       - Demonstrating concrete improvements to a security assurance program
       - Defining and measuring security-related activities within an organization
     • Main website: http://www.opensamm.org/

  8. Using OpenSAMM You Can…
     • Evaluate an organization's existing software security practices
     • Build a balanced software security assurance program in well-defined iterations
     • Demonstrate concrete improvements to a security assurance program
     • Define and measure security-related activities throughout an organization
     [This slide content © Pravir Chandra]

  9. Drivers for a Maturity Model
     • An organization's behavior changes slowly over time
       - Changes must be iterative while working toward long-term goals
     • There is no single recipe that works for all organizations
       - A solution must enable risk-based choices tailored to the organization
     • Guidance related to security activities must be prescriptive
       - A solution must provide enough details for non-security people
     • Overall, must be simple, well-defined, and measurable
     [This slide content © Pravir Chandra]

  10. Therefore, a Viable Model Must...
     • Define building blocks for an assurance program
       - Delineate all functions within an organization that could be improved over time
     • Define how building blocks should be combined
       - Make creating change in iterations a no-brainer
     • Define details for each building block clearly
       - Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
     [This slide content © Pravir Chandra]

  11. Understanding the Model
     [This slide content © Pravir Chandra]

  12. SAMM Business Functions
     • Start with the core activities tied to any organization performing software development
     • Named generically, but should resonate with any developer or manager
     [This slide content © Pravir Chandra]

  13. SAMM Security Practices
     • From each of the Business Functions, 3 Security Practices are defined
     • The Security Practices cover all areas relevant to software security assurance
     • Each one is a silo for improvement
     [This slide content © Pravir Chandra]

  14. Discussion: Tools
     • Commercial tools in use?
     • Free / open source tools in use?
     • What tool implementations have been successful?
     • What tool implementations have been less successful?
       - Why?
     • What is your interest in using open source tools for software security?

  15. Why Use Free / Open Source Tools?
     • They're FREE!
       - No per-user license fees
     • Can be customized
       - Don't like the way a feature works? Improve it!

  16. As a Project Maintainer…

  17. Potential Disadvantages of Free Tools
     • Often less mature than commercial analogs
       - Application and software security are new when compared to other disciplines
       - Open source tools lag in a number of areas
     • Task-focused rather than program-focused
       - Geared toward testing a single application rather than a portfolio of applications

  18. Discussion: Organizational Concerns
     • Does your organization allow the use of open source tools?
     • What restrictions are placed on the use of free / open source tools?
       - Only certain licenses allowed
       - Each tool / library must have a sponsor

  19. Open Source Tool Usage – Best Practices
     • Maintain a relationship with the project lead / development community
       - How responsive are they?
       - Good to have a relationship for escalating issues
     • Consider commercial support
       - If available
       - When it makes sense
     • Give back
       - Installation instructions for your platform(s)
       - Other documentation opportunities
       - Code updates – if possible / desirable

  20. ThreadFix – Overview
     • ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
     • Freely available under the Mozilla Public License (MPL)
     • Hosted at GitHub: https://github.com/denimgroup/threadfix
  21. OpenSAMM: Governance
     • Strategy and Metrics
     • Policy and Compliance
     • Education and Guidance

  22. Governance: Strategy and Metrics
     • Overall strategic direction of the assurance program
     • How are processes instrumented?
     • How are measurements taken?

  23. ThreadFix: Reporting
     • Can be done at multiple levels:
       - Enterprise-wide
       - Team
       - Individual application
     • Reports for:
       - Vulnerability count trending
       - Progress – vulnerability resolution and timelines
       - Scanner effectiveness
       - Frequency of scanning across the portfolio
     • Will revisit ThreadFix reporting later in the course for examples

  24. Governance: Policy and Compliance
     • What compliance regimes are your organization and applications subject to?
       - PCI
       - HIPAA
       - SOX
     • What policies will you put in place to meet these obligations?

  25. SimpleRisk
     • Governance, Risk and Compliance (GRC)
     • http://www.simplerisk.org/
     • Created by Josh Sokol

  26. Governance: Education and Guidance
     • Software security requires the input of a variety of stakeholders
     • Software security is a relatively new area of study
       - Many of the involved parties (e.g. software developers) have never been exposed to it
     • You cannot hold people responsible if they have not been properly trained

  27. Governance: Education and Guidance
     • Variety of potential consumers
       - Executives / Management
       - Developers
       - Quality Assurance (QA)
       - Security Testers
     • Need for information at several levels
       - Introduction / overview
       - Topic-specific
       - Technology-specific
     • Several ways to deliver guidance and training
       - Self-serve portal
       - Instructor-led training
       - E-Learning

  28. OWASP Development Guide
     • Provides guidance to developers on how to build secure applications
     • Attempts to cover broad topics with some technology-specific examples
     • Several translations: English, Spanish, Japanese
     • Originally released in 2001, revised in 2005
       - Somewhat dated
       - Currently undergoing a significant rewrite
     • Main site: https://www.owasp.org/index.php/OWASP_Guide_Project

  29. OWASP Cheat Sheets
     • Provide targeted, consumable guidance on specific topics or technologies
       - Authentication
       - Transport layer protection
       - Input validation
       - Session management
       - And so on…
     • Tend to be "fresher" than the related sections in the Development Guide
     • Also easier to hand to developers for use
     • Main site: https://www.owasp.org/index.php/Cheat_Sheets

  30. OWASP Secure Coding Practices Quick Reference Guide
     • Technology-agnostic set of general software security coding practices
     • Consumable
       - ~17 pages long
       - Checklist format
     • Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

  31. OWASP WebGoat – Overview
     • Deliberately insecure JEE web application
     • Presented as a series of lessons
       - SQL injection
       - Cross-site Scripting (XSS)
       - Cross-site Request Forgery (CSRF)
       - Hidden form manipulation
       - And so on…
     • Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  32. OpenSAMM: Construction
     • Threat Assessment
     • Security Requirements
     • Secure Architecture

  33. Construction: Threat Assessment
     • Identify and characterize potential attacks
     • These will determine investment level and required countermeasures
     • WHO do you need to be worried about?
       - Nation-states
       - Chaotic actors
       - Organized crime
       - And so on…

  34. Construction: Security Requirements
     • Up-front determination of the required security properties of the system
     • Drive future activities

  35. Construction: Secure Architecture
     • Use the design process to:
       - Build in security controls
       - Avoid injecting security issues
     • Threat modeling
     • Architectural risk analysis

  36. ESAPI – Overview
     • Enterprise Security API (ESAPI)
     • Open source web application security control library
     • Several languages available: Java EE, .NET, PHP, Classic ASP, etc.
       - WIDE variation in maturity and support
       - Stick to Java unless you are very brave (and even then)
     • Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

  37. Microsoft Web Protection Library – Overview
     • Set of .NET assemblies which help protect web applications
     • AntiXSS encoding library
       - Encoding functions for HTML, HTML attributes, XML, etc.
       - HTML sanitization routines (for "safely" accepting rich content)
     • Security Runtime Engine (SRE)
       - Provides runtime protection against SQL injection and Cross-Site Scripting (XSS)
     • Sites:
       - http://wpl.codeplex.com/
       - https://www.microsoft.com/en-us/download/details.aspx?id=28589

  38. OpenSAMM: Verification
     • Design Review
     • Code Review
     • Security Testing

  39. Verification: Design Review
     • Incorporate security into the review of architecture/design materials
     • Were the previous assurance activities successful?

  40. Microsoft Threat Analysis and Modeling Tool – Overview
     • Create threat models for your applications
       - Identify potential issues
       - Plan for mitigations
     • Requires Visio 2007 or 2010
     • Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

  41. Mapping Threats to Data Flow Asset Types
     Which STRIDE threat categories apply to each type of element in a data flow diagram:

     Threat type                   External Interactor   Process   Data Flow   Data Store
     S – Spoofing                  Yes                   Yes       No          No
     T – Tampering                 No                    Yes       Yes         Yes
     R – Repudiation               Yes                   Yes       No          Yes
     I – Information Disclosure    No                    Yes       Yes         Yes
     D – Denial of Service         No                    Yes       Yes         Yes
     E – Elevation of Privilege    No                    Yes       No          No
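As an added example (not from the slides, and not Microsoft's or Denim Group's code), the following Python applies this STRIDE-per-element mapping to a small data flow diagram and checks a mitigation register against it, which is the question a design review (slide 39) has to answer: is every applicable threat either mitigated or explicitly accepted? The DFD, its element names and the mitigation entries are constructed for illustration.

```python
"""STRIDE-per-element review of a data flow diagram.

Added example for this page; not Denim Group or Microsoft code. It applies the
mapping in the table above to a small, constructed DFD and reports which
applicable threats have no recorded mitigation.
"""

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which STRIDE categories apply to which DFD element type (the table above).
APPLICABLE = {
    "external_interactor": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}


def threats_for(element_type):
    """Names of the STRIDE categories that apply to one element type."""
    return [STRIDE[letter] for letter in APPLICABLE[element_type]]


def enumerate_threats(dfd):
    """dfd: list of (element_name, element_type). One (element, threat) row per
    applicable threat; each row needs a mitigation or an explicit acceptance."""
    return [(name, threat) for name, kind in dfd for threat in threats_for(kind)]


def review(dfd, mitigations):
    """Compare the enumerated threats with the recorded mitigations.

    Returns (gaps, misplaced): gaps are applicable threats with no mitigation;
    misplaced are mitigation entries recorded against a threat that does not
    apply to that element type, usually a sign the model was misread."""
    required = set(enumerate_threats(dfd))
    recorded = set(mitigations)
    return sorted(required - recorded), sorted(recorded - required)


# Constructed DFD: a browser user talking to a web application that queries a
# database. Names and types are illustrative.
SAMPLE_DFD = [
    ("Browser user", "external_interactor"),
    ("HTTPS request", "data_flow"),
    ("Web application", "process"),
    ("SQL query", "data_flow"),
    ("Customer DB", "data_store"),
]

# Constructed mitigation register, keyed by (element, threat). The last entry is
# deliberately wrong: per the table, a data flow is not subject to spoofing.
SAMPLE_MITIGATIONS = {
    ("Browser user", "Spoofing"): "password plus second factor at login",
    ("HTTPS request", "Tampering"): "TLS",
    ("HTTPS request", "Information Disclosure"): "TLS",
    ("Web application", "Elevation of Privilege"): "server-side authorization checks",
    ("SQL query", "Tampering"): "parameterized queries",
    ("Customer DB", "Information Disclosure"): "encryption at rest, least-privilege DB account",
    ("HTTPS request", "Spoofing"): "recorded here by mistake; belongs on the process",
}

if __name__ == "__main__":
    gaps, misplaced = review(SAMPLE_DFD, SAMPLE_MITIGATIONS)
    print(f"{len(gaps)} unmitigated threat(s):")
    for element, threat in gaps:
        print(f"  {element}: {threat}")
    print(f"{len(misplaced)} mitigation(s) recorded against a non-applicable threat:")
    for element, threat in misplaced:
        print(f"  {element}: {threat}")
```

Run as a script it prints the twelve open rows for the sample; in practice the DFD and register would be loaded from the design documents under review, and an empty gaps list is the exit criterion for the design review.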
  42. Verification: Code Review
     • Review software artifacts "at rest"
     • Can be both automated and manual
     • Reach and frequency
       - How much of your software is subject to review?
       - How thorough is the analysis?
       - How often is it performed?

  43. Static Analysis
     • Source code scanning
     • Manual code reviews
     • Advantages
       - Identifies flaws during integration, when it is easier to address issues
       - Developers can identify flaws in their own code before checking it in
       - Many projects already have a code review process in place
     • Disadvantages
       - Freeware tools often do not address security well (specifically dataflow analysis)
       - Licensed tools are a significant investment
       - Manual review can be unstructured and time-consuming without licensed tools
       - Not ideal for discovering logical vulnerabilities

  44. Static Analysis Tools
     • Commercial tools
       - Fortify (now HP)
       - Ounce (now IBM Rational)
       - Checkmarx
       - Veracode (SaaS)
     • Freeware tools
       - RATS (C/C++, PHP, Perl, Python) and Flawfinder (C/C++)
       - FindBugs – Java
       - PMD – Java
       - FxCop – .NET
       - Brakeman – Ruby on Rails

  45. FindBugs – Overview
     • Freely-available static analysis tool for Java; analyzes compiled bytecode rather than source
     • Main site: http://findbugs.sourceforge.net/

  46. FxCop – Overview
     • Free static analysis tool from Microsoft
     • Integrated into Visual Studio
     • Similar capabilities to FindBugs (but for .NET assemblies)
     • Blog: http://blogs.msdn.com/b/codeanalysis/

  47. CAT.NET – Overview
     • Free static analysis tool from Microsoft
     • Does dataflow analysis (rare among the free tools)
     • Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968
     • Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
     • Dinis Cruz has done some interesting work with CAT.NET and O2: https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
     • Plans for future development are not clear

  48. Brakeman – Overview
     • Security scanner for Ruby on Rails applications
     • Static analysis
     • Finds things like SQL injection and XSS
     • Also checks for certain CVE-type vulnerabilities (known-vulnerable Rails and gem versions)
     • Main site: http://brakemanscanner.org/

  49. Agnitio – Overview
     • Tool for supporting manual code reviews
     • Set of checklists to verify security controls
     • Some grep-like search capabilities
     • Main site: http://sourceforge.net/projects/agnitiotool/

  50. DependencyCheck – Overview
     • Checks project dependencies (JAR libraries) for publicly disclosed vulnerabilities (CVEs) from the NVD
     • Identifies libraries from their evidence (names, versions, manifests) rather than by JAR hash alone
     • We used it to find a vulnerable library used by ThreadFix
       - Apache POI library
       - http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
     • Main site: https://github.com/jeremylong/DependencyCheck

  51. Verification: Security Testing
     • Runtime testing for security vulnerabilities
     • Web applications: automated scanners, web proxies
     • Other applications: fuzzing, protocol analysis

  52. Dynamic Analysis
     • Integrate abuse cases into unit and automated testing
     • Use application scanning tools
     • Perform a dedicated penetration test by security staff or a third party
     • Advantages
       - Generally more time-efficient than manual code review
       - Good for discovering logical vulnerabilities
     • Disadvantages
       - Requires fully functional features to test
       - Security staff may not have application security training or experience
       - Scanning tools may have difficulty with unusual applications

  53. Dynamic Analysis Tools
     • Automated tools
       - IBM Rational AppScan
       - HP WebInspect
       - Acunetix Vulnerability Scanner
       - Netsparker
     • Manual testing
       - Zed Attack Proxy
       - Burp
       - Google RatProxy
       - Browser plugins
     • Testing scripts – Watir
     • Load and performance testing tools – JMeter, Grinder

  54. Arachni – Overview
     • Open source automated web application scanner
     • Written in Ruby
     • Can be deployed in a "grid" format for faster scanning
     • Uses several different types of analysis to identify vulnerabilities
       - Fuzzing
       - Taint analysis
       - Timing analysis
     • Main site: http://arachni-scanner.com/

  55. w3af – Overview
     • Open source automated web application scanner
     • Written in Python
     • Main site: http://w3af.sourceforge.net/

  56. OWASP ZAProxy – Overview
     • Open source web proxy and web application scanner
     • Supports both manual and automated assessment
     • Fork of Paros Proxy
     • Exposes a RESTful API
     • Main site: http://code.google.com/p/zaproxy/

  57. Skipfish – Overview
     • Fast web application scanner written in C
     • Maintained by Google
     • Does a lot of file/directory guessing by default
     • Main site: https://code.google.com/p/skipfish/

  58. OpenSAMM: Deployment
     • Vulnerability Management
     • Environment Hardening
     • Operational Enablement

  59. Deployment: Vulnerability Management
     • Process for managing vulnerabilities in both internal and external software
     • Goal is consistency
     • Use data from vulnerability handling to improve processes
       - Decrease the number and severity of future vulnerabilities
       - Decrease time-to-fix

  60. Turning Vulnerabilities Into Software Defects
     • Security teams talk about "vulnerabilities"
     • Software developers talk about "defects"
     • Developers Don't Speak PDF: http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
     • Why should developers manage 90% of their workload in defect trackers and the magic, special "security" part of their workload … some other way?
     • ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
       - And track their remediation status over time to schedule re-scans

  61. ThreadFix: Defect Tracker Integration
     • Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
     • Bundle multiple vulnerabilities into a single defect
     • How to organize?
       - By severity
       - By type
       - By location in the application
       - Some combination
     • When the defect status changes you can schedule re-scans
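Added example, not ThreadFix code: the merge-then-bundle step that slides 60 and 61 describe, applied to constructed findings that several scanners might report against one application. Two scanners flagging the same parameter for the same issue is one bug to a developer, so findings are first collapsed on (type, path, parameter), then grouped into defects by severity, type, location, or a combination, with large groups split so a ticket stays small enough to fix and verify. Scanner names, paths, parameters and severities are illustrative.

```python
"""Turn scanner findings into defect-tracker tickets.

Added example for this page, not ThreadFix code. Findings, scanner names,
paths and parameters below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass
class Finding:
    """One raw result exactly as a scanner reported it."""
    scanner: str
    vuln_type: str
    severity: str
    path: str
    parameter: str = ""  # empty when the issue is not tied to a parameter


@dataclass
class Vulnerability:
    """One real issue, possibly reported by several scanners."""
    vuln_type: str
    severity: str
    path: str
    parameter: str
    scanners: set = field(default_factory=set)

    @property
    def location(self):
        """First path segment, used for bundling by area of the application."""
        return self.path.strip("/").split("/")[0] or "/"


def merge_findings(findings):
    """Collapse findings into one Vulnerability per (type, path, parameter).
    When scanners disagree on severity, keep the highest."""
    merged = {}
    for f in findings:
        key = (f.vuln_type, f.path, f.parameter)
        vuln = merged.get(key)
        if vuln is None:
            vuln = merged[key] = Vulnerability(f.vuln_type, f.severity, f.path, f.parameter)
        elif SEVERITY_RANK[f.severity] > SEVERITY_RANK[vuln.severity]:
            vuln.severity = f.severity
        vuln.scanners.add(f.scanner)
    return list(merged.values())


# Bundling strategies from the slide; each maps a vulnerability to the key of
# the defect it belongs in.
GROUPING = {
    "severity": lambda v: (v.severity,),
    "type": lambda v: (v.vuln_type,),
    "location": lambda v: (v.location,),
    "severity+type": lambda v: (v.severity, v.vuln_type),
}


def bundle(vulns, strategy, max_per_defect=10):
    """Group vulnerabilities into defects; split groups larger than max_per_defect."""
    groups = defaultdict(list)
    for v in vulns:
        groups[GROUPING[strategy](v)].append(v)
    defects = []
    for key, members in sorted(groups.items()):
        members.sort(key=lambda v: (-SEVERITY_RANK[v.severity], v.path, v.parameter))
        for start in range(0, len(members), max_per_defect):
            chunk = members[start:start + max_per_defect]
            defects.append({
                "title": f"[Security] {' / '.join(key)}: {len(chunk)} issue(s)",
                "vulnerabilities": chunk,
                # scanners to re-run once the tracker marks this defect fixed
                "rescan_with": sorted(set().union(*(v.scanners for v in chunk))),
            })
    return defects


# Constructed findings from three scanners against one application.
SAMPLE_FINDINGS = [
    Finding("ZAP", "Cross-Site Scripting", "High", "/account/profile", "name"),
    Finding("Arachni", "Cross-Site Scripting", "High", "/account/profile", "name"),
    Finding("ZAP", "SQL Injection", "Critical", "/search", "q"),
    Finding("Brakeman", "SQL Injection", "High", "/search", "q"),
    Finding("ZAP", "Cross-Site Scripting", "Medium", "/help/faq", "topic"),
    Finding("Arachni", "Cross-Site Scripting", "Medium", "/help/search", "term"),
    Finding("Arachni", "Missing CSRF Token", "Medium", "/account/password"),
    Finding("ZAP", "Information Leakage", "Medium", "/admin/debug"),
]

if __name__ == "__main__":
    vulns = merge_findings(SAMPLE_FINDINGS)
    print(f"{len(SAMPLE_FINDINGS)} findings -> {len(vulns)} distinct vulnerabilities")
    for defect in bundle(vulns, "severity+type"):
        print(defect["title"], "| rescan with", ", ".join(defect["rescan_with"]))
        for v in defect["vulnerabilities"]:
            print(f"   {v.path} [{v.parameter or '-'}] via {', '.join(sorted(v.scanners))}")
```

The "rescan_with" field is what makes the last bullet on slide 61 workable: when the tracker reports the defect closed, only the scanners that originally found the members need to be re-run against the listed paths.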
  62. Deployment: Environment Hardening
     • Attackers do not care whether they get in through the application or its infrastructure; attacking the infrastructure might be just as effective and valuable for them
     • Controls for operating environments:
       - Reduce vulnerabilities in the infrastructure
       - Enable logging and tracking

  63. Microsoft Baseline Security Analyzer (MBSA) – Overview
     • Runs standard checks on Windows workstations and servers
       - Internet Explorer
       - IIS
       - SQL Server
     • Checks registry and file settings
     • 2.2 downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558

  64. Deployment: Operational Enablement
     • How do you install, configure and run your applications?
       - Also updates and upgrades
     • Runtime checks and logging for intrusion detection and incident response
     • John Dickson has done some work in this area: http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications

  65. Continuous Integration and Security Testing
     • Reduce the time between introducing security defects and knowing about them
     • Free tools mean that any project can be instrumented
       - No licensing fees
     • ThreadFix has a REST-based API and command-line client for scripting
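Added example, not ThreadFix or Brakeman code: a CI gate that compares the current commit's static-analysis report with the last accepted baseline and fails the build only on newly introduced warnings, which is the shortest possible loop between introducing a defect and knowing about it. The two reports are constructed; their fields are modeled on Brakeman's JSON output (warning_type, confidence, file, line, fingerprint) with short stand-in fingerprints, so check the field names against the scanner version you run. Uploading the report to ThreadFix through its REST API would be a separate step and is not shown.

```python
"""Fail a CI build when a commit introduces new static-analysis warnings.

Added example for this page, not ThreadFix or Brakeman code. The reports below
are constructed; field names follow Brakeman's JSON output and the fingerprints
are shortened stand-ins for the hashes a real report carries.
"""
import json
import sys

CONFIDENCE_RANK = {"High": 2, "Medium": 1, "Weak": 0}


def by_fingerprint(report):
    """Index warnings by fingerprint rather than file:line, so an unrelated edit
    that shifts a line number does not look like a new finding."""
    return {w["fingerprint"]: w for w in report.get("warnings", [])}


def new_warnings(baseline, current, min_confidence="Medium"):
    """Warnings in `current` but not in `baseline`, at or above the confidence
    threshold: what this commit introduced."""
    known = by_fingerprint(baseline)
    threshold = CONFIDENCE_RANK[min_confidence]
    return [w for fp, w in by_fingerprint(current).items()
            if fp not in known and CONFIDENCE_RANK[w["confidence"]] >= threshold]


def fixed_warnings(baseline, current):
    """Baseline warnings no longer reported: input for closing the matching
    defect and scheduling the confirming re-scan."""
    still_open = by_fingerprint(current)
    return [w for fp, w in by_fingerprint(baseline).items() if fp not in still_open]


def gate(baseline, current, min_confidence="Medium"):
    """Exit status for the CI step: 1 when the commit adds findings, else 0."""
    return 1 if new_warnings(baseline, current, min_confidence) else 0


# Constructed reports: BASELINE is the last accepted scan of the main branch,
# CURRENT the scan of the commit under test.
BASELINE = {"warnings": [
    {"warning_type": "SQL Injection", "confidence": "High",
     "file": "app/models/order.rb", "line": 42, "fingerprint": "fp-a1"},
    {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
     "file": "app/views/help/faq.html.erb", "line": 7, "fingerprint": "fp-b2"},
]}
CURRENT = {"warnings": [
    # same XSS warning as before, moved two lines down by an unrelated edit
    {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
     "file": "app/views/help/faq.html.erb", "line": 9, "fingerprint": "fp-b2"},
    # newly introduced and above the threshold: this fails the build
    {"warning_type": "Mass Assignment", "confidence": "Medium",
     "file": "app/controllers/users_controller.rb", "line": 15, "fingerprint": "fp-c3"},
    # newly introduced but Weak: reported, does not fail the build
    {"warning_type": "Redirect", "confidence": "Weak",
     "file": "app/controllers/sessions_controller.rb", "line": 30, "fingerprint": "fp-d4"},
]}


def load(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # usage: gate.py baseline.json current.json   (falls back to the samples)
    baseline, current = (map(load, sys.argv[1:3]) if len(sys.argv) == 3
                         else (BASELINE, CURRENT))
    for w in new_warnings(baseline, current, "Weak"):
        print(f"NEW   {w['confidence']:6} {w['warning_type']} {w['file']}:{w['line']}")
    for w in fixed_warnings(baseline, current):
        print(f"FIXED {w['confidence']:6} {w['warning_type']} {w['file']}:{w['line']}")
    sys.exit(gate(baseline, current))
```

Gating on the delta rather than on the absolute count is what lets a team switch the check on against a legacy code base without first fixing every existing warning; the baseline is then ratcheted down as defects are closed.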
  66. mod_security – Overview
     • Open source web application firewall engine
     • Also has a Core Rule Set (CRS)
     • Traditionally has been Apache-only
       - Runs as an Apache module (mod_security)
     • Recently announced both IIS and Nginx support
     • Main site: http://www.modsecurity.org/
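Added example configuration, not from the slides and not from the ModSecurity, CRS or ThreadFix projects: a minimal Apache-side setup that loads the Core Rule Set and adds one virtual patch of the kind ThreadFix can generate (slide 20), shown next to the detection-only setting a rollout usually starts with. The include paths, the rule id and the /orders "id" parameter are assumptions; CRS file names vary by CRS version.

```apache
# Added example, not ModSecurity, CRS or ThreadFix configuration. Paths, the
# rule id and the /orders "id" parameter are hypothetical.

# Weak setting: matches are logged but nothing is blocked. Acceptable for the
# first weeks of a rollout while false positives are tuned out of the audit
# log; it is not a control once you rely on the WAF.
# SecRuleEngine DetectionOnly

# Corrected setting for production: enforce the rules.
SecRuleEngine On
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Core Rule Set (file names depend on the CRS version you deploy)
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# Virtual patch for a confirmed SQL injection in the "id" parameter of /orders:
# a positive-security rule that blocks anything but a short numeric id until
# the parameterized-query fix reaches production. The two rules are chained,
# so both must match before the request is denied.
SecRule REQUEST_URI "@beginsWith /orders" \
    "id:900100,phase:2,deny,status:403,log,chain,\
    msg:'Virtual patch: non-numeric id parameter on /orders'"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$"
```

A virtual patch like this belongs in the same defect as the code fix: it is removed when the re-scan confirms the vulnerability is gone, otherwise the rule base accumulates patches nobody can map back to an issue.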
  67. Recap
     • A software security program is more than a tool or set of tools
       - But tools help provide automation and facilitate scale
     • OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
     • Open source tools exist to support many key activities in a software security program
     • Build and maintain relationships with the open source projects you use

  68. Conclusions / Questions
     Dan Cornell
     dan@denimgroup.com
     Twitter: @danielcornell
     www.denimgroup.com
     www.denimgroup.com/threadfix
     code.google.com/p/threadfix
     (210) 572-4400
