BUSTED! How to Find Security Bugs Fast!

Parasoft Copyright © 2015 1
2015-06-24
Busting Software Bugs to Boost
Application Security
Arthur “Code Curmudgeon” Hicken
May 2015

Open and hide your control panel
Join audio:
• Choose “Mic & Speakers” to use
VoIP
• Choose “Telephone” and dial
using the information provided
Submit questions and comments via
the Questions panel
Note: Today’s presentation is being
recorded and will be provided within
48 hours.
Your Participation
GoToWebinar Housekeeping

Your Presenter
Arthur Hicken has been involved in automating
various practices at Parasoft for over 20 years.
He has worked on projects including database
development, the software development lifecycle,
web publishing and monitoring, and integration
with legacy systems.
Arthur has worked with IT departments in
companies such as Cisco, Vanguard, and
Motorola to help improve their software
development practices.

Agenda
 How security processes are like quality
processes
 How software bugs are security vulnerabilities
 How static analysis can prevent defects and
improve security

Internet of Things Vulnerabilities

One weak spot is all it takes

Poll 1
 Is software security the same as application
security?
 Yes
 No
 That’s a silly question

Software Security Defined
 Software security is the idea of engineering
software so that it continues to function
correctly under malicious attack.
 Software security is about building secure
software: designing software to be secure,
making sure that software is secure, and
educating software developers, architects and
users about how to build secure things.
(Gary McGraw, Cigital)
https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security

Application Security Defined
 Put succinctly, application security is based
primarily on finding and fixing known security
problems after they’ve been exploited in
fielded systems. Software security… identifies
and expunges problems in the software itself.
 Although the notion of protecting software is
an important one, it’s just plain easier to
protect something that is defect-free than
something riddled with vulnerabilities.
(Gary McGraw, Cigital)

SEI Research
 Predicting Software Assurance Using Quality
and Reliability Measures
 Security and Reliability are go hand-in-hand
 You can predict security based on defects
 Static Analysis is integral to improvement
 Most critical defects are coding mistakes
http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=428589

Security problems
 ½ are design flaws
 Missing authorization
 Improper encryption
 Improper password handling
 Allowing data to be tainted
 …
 ½ are code defects
 Buffer overflow
 Data leakage
 …

Security Belongs to Quality
 If you have a quality problem,
you have a security problem.
 Modern systems are complex and defects
don’t always manifest when systems are used
the same as they are tested
 Number of possible conditions my be infinite
 Security and reliability have to be designed
and engineered in. You can’t test them in.

Poll 2
 Our security group:
 Is part of DevOps
 Is part of QA
 Stands on it’s own
 Our what now?
Copyright XKCD http://xkcd.com/538/

Quality Processes
Policy Management & Enforcement
Peer Code Review
Unit Testing / Continuous Regression
Runtime Error Detection
Hybrid Analysis
Static Code Analysis
Prevention over reaction
Reporting / Analytics

Software Security Best Practices
Software Security, Gary McGraw, Copyright 2003 © Cigital
Reprinted from the March/April 2004 issue of IEEE Security & Privacy.

Important Steps
 Train developers in secure development so
that they can prevent – or at least find and fix
– security problems
 Design and build your system with a
deliberate focus on quality and security
 Collect/measure defect data (quality AND
security) and use it to assess and improve
your development practices

Poll 3
 Do bugs in open-source code represent
security vulnerabilities?
 Yes
 I’m not sure
 No
 I never thought about it
Copyright XKCD http://imgs.xkcd.com/comics/golden_hammer.png

Bugs are vulnerabilities
 Heartbleed example

HEARTBLEED BUSTED
MISRA C 2004 20.3
• “The validity of values passed to library functions shall be checked”
CWE-20
• “Improper input validation”
CWE-114
• “Process control”
CWE-125
• “Out-of-bounds read”
CWE-130
• “Improper handling of length parameter inconsistency”

One “simple” quality problem
 Buffer Security Issues in CWE
 CWE 119 Improper Restriction of Operations
within the Bounds of a Memory Buffer
 CWE 120 Buffer Copy w/o Checking Size of Input
 CWE 121 Stack-based Buffer Overflow
 CWE 122 Heap-based Buffer Overflow
 CWE 125 Out-of-bounds Read
 CWE 131 Incorrect Calculation of Buffer Size
 CWE 680 Integer Overflow to Buffer Overflow

Buffer Impact
 CWE Technical Impacts:
 Read memory;
 Modify memory;
 DoS:
 crash / exit / restart;
 resource consumption (CPU);
 resource consumption (memory)
 Execute unauthorized code or commands

Are there more
 Run the same coding standard on the rest of
the file

Risk management – OWASP style
• Likelihood of an Application Having
that VulnerabilityPrevalence
• Likelihood of an Attacker Discovering
that VulnerabilityDetectability
• Likelihood of An Attacker Successfully
Exploiting that VulnerabilityExploitability
• Typical Technical Impact if that
Vulnerability is Successfully ExploitedImpact

Key Points
 Static code analysis eases the burden on QA
allowing for development work to continue in
parallel with manual testing efforts.
 Root cause analysis of defects can influence the
development policy in order to prevent making
the same mistake again.

Prevention

Flavor of the month
 The only way to find the Heartbleed bug with
today’s leading tools is to write custom rules
or overrides, which means that you have to
anticipate that this code is bad in the
first place. You’d be better off spending your
time reviewing or testing the code more
carefully instead.
Jim Bird – Building Real Software Blog

Purpose of Coding Standards
 “Proven programming practices leading to safe,
reliable, testable, and maintainable code”
 “Address potentially unsafe C language features,
and provide programming rules to avoid those
pitfalls”
 “By providing “safer” alternatives to “unsafe”
facilities, known problems … are avoided. In
essence, programs are written in a “safer” subset
of a superset.”

Standard Standards
Misra
ISO 26262
FDA
HIPPA
Section 508
OWASP Top 10
JSF
DISA STIG
CWE

Simple Prevention Process – an example
Detect the error
•Load testing shows leaking connections to the database
Find the cause
•Open connections aren’t being closed, causing resource leaks
Locate the point in production that caused the error
•Developer has forgotten to close db connections upon client termination
Implement preventative process
•Use a coding standard to ensure each open connection is closed before
exit
Monitor the process
•Use static analysis to enforce the standard
Add regression test
•Add a test to see the problem was fixed and doesn’t return

Preventative standards examples
Object-Oriented
•Avoid "public"/"protected"/package-private instance fields
•Do not override an instance "private" method
•Do not hide inherited fields
•…
Best Practices
•Avoid returning "handles" to internal data from const member functions.
•Declare at least one constructor to prevent the compiler from doing so.
•Declare reference parameters as const references whenever possible
•…
Unused Code
•Avoid unused local variables
•Avoid unused "private" fields
•…
Class Metrics
•Follow the limit for Cyclomatic Complexity (default<30)
•Follow the limit for number of “<type>" fields (private,etc.)
•Follow the limit on class hierarchy depth
•…
…

Pattern-Based Static Analysis
What:
• Identify specific patterns in the code
Why:
• Find dangerous practices
• Prevents defects
• Ensure inclusion of required items
• Security
• Authentication
• Encryption

Data Flow Analysis
What:
• Simulate execution to find patterns
• Analyze paths
• Analyze data usage
Why:
• Find real bugs
• Find security vulnerabilities

Penetration Testing
 Verify that security policy is working
 Tests from the outside in
 Variety of scenarios such as
 Parameter fuzzing
 SQL and Xpath injection
 Cross Site Scripting
 XML Bombs
 …

IAST Defined
 IAST – Interactive Application Security Testing
 SAST – Static Application Security Testing
 DAST – Dynamic Application Security Testing
 IAST combines SAST and DAST techniques
 IAST Improves accuracy
 IAST determines which code is related to a
vulnerability found in testing

Hybrid Security Analysis - IAST
 Penetration testing to automatically generate
and run penetration attack scenarios
 Runtime error detection to monitor the back-
end during test execution to determine
whether security is actually compromised
 Correlates each runtime error with the
functional test being run—allowing you to
trace each reported error to the specific use
case

Conclusion
 Standards and static analysis applied properly
prevent errors
 Integrated results provides control,
measurement, and traceability
 Cost of solid prevention methodology is less
than the cost of dealing with bad software

Coming up
June 2-4
•Device Developer
Conference
June
10-12
•QCon Conference
June
10-11
•Better Software
Conference West
http://www.parasoft.com/media/events

Security Resources
CWE – Common Weakness Enumeration
• http://cwe.mitre.org
OWASP - Open Web Application Security Project
• http://www.owasp.org
PCI – Payment Card Industry Security Standards
• https://www.pcisecuritystandards.org
Hack.me – Community based security learning project
• https://hack.me
Build Security In – Collaborative security effort
• https://buildsecurityin.us-cert.gov

 Web
 http://www.parasoft.com/jsp/resources
 Blog
 http://alm.parasoft.com
Social
 Facebook: https://www.facebook.com/parasoftcorporation
 Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon
 LinkedIn: http://www.linkedin.com/company/parasoft
 Google+ Community: Static Analysis for Fun and Profit

BUSTED! How to Find Security Bugs Fast!

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to BUSTED! How to Find Security Bugs Fast!

Similar to BUSTED! How to Find Security Bugs Fast! (20)

More from Parasoft

More from Parasoft (19)

Recently uploaded

Recently uploaded (20)

BUSTED! How to Find Security Bugs Fast!