Ensure Software Security already during development

Ensure Software Security
already during development
Lucas v. Stockhausen
Software Security Consultant
lvonstockhausen@hp.com
+49-1520 1898430
HP Enterprise Security
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Some Explanations


Definition Hacker (Wikipedia)
Hacker:
A person who enjoys exploring the details of
(programmable) systems and stretching their
capabilities, as opposed to most users, who
prefer to learn only the minimum necessary.

3 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Heise Newsletter 25.1.2012

3 % of the public available IP adresses
~5000 open Video Systems.
Continous exploit from there.

http://www.h-online.com/security/news/item/Video-conferencing-systems-as-spying-tools-1421346.html
4

No “Defence in Depth” means….


Heise Newsletter 26.1.2012

Attack from 3 IP Adresses to US railway.
No big damage – just 15 min delay.

http://www.h-online.com/security/news/item/Hackers-may-have-disrupted-railway-computers-and-schedules-1422666.html
6

How can HP Fortify help?
By 2016 40% of enterprises will make proof of
independent security testing a precondition
for using any type of cloud services


Today’s approach > expensive, reactive

IT deploys the
insecure
2
1 3
software
We are breached or
Somebody builds pay to have someone
insecure software tell us our code is

4
insecure

We convince &
pay the developer
to fix it


Software Development Today

Small coding errors can have a
big effect on security
Typical software development
practices don’t address the
problem
As a group, developers tend to
make the same security
mistakes over and over

Why it doesn’t work
30x more costly to secure in production
30X

15X
Cost

10X

5X
2X

Requirements Coding Integration/ System Production
component testing testing

After an application is released into Production, it costs 30x more than during design.
Source: NIST


The right approach > systematic, proactive

Embed security into SDLC
development process
1 2
Leverage Security Gate to validate
resiliency of internal or external
In-house Outsourced Commercial Open source code before Production

3
Monitor and protect software
Improve SDLC policies running in Production

This is application security

Software must be Fortify'd
Fortify Source Code Fortify Security Fortify RTA
Analysis Scope
HP WebInspect
Source Code Security Audits Run-Time Protection

PLAN DESIGN CODE FUNCTIONAL ACCEPTANCE DEPLOY
TEST TEST

Software Inventory Collaboration Module

Governance Module

Fortify SSC Server
Software Security Metrics and Reporting

Static Analysis


Example Process
Development Teams Security

2. Audit
AWB Monitor CM
Defect Tracking System

Project Security CISO
Lead Source Code Repository(s)

3. Assign 5. Validate
Central Build Server(s)
CM AWB
AWB
Build Tool Fortify SCA
Development Security Auditor
Manager 1. Identify

Fortify CM
4. Fix
Fortify SSC Server
IDE

Developer

Auditing – Different Possibilities

Auditworkbench Collaboration Module
IDE - VS , Eclipse (Web-base Auditworkbench)

Clicking on the issue and being guided through
the source code is VERY important for
understanding and fixing a vulnerability


Auditing (AWB and IDE) - Overview Functions and
Rulewriting wizard (only
Filtering in AWB)
Priorization Categorization

Overview

Issue -
Groups


Auditing (AWB and IDE) – Trace the issue

Sourcecode
Diagram
Analysis Trace


Auditing (AWB and IDE) – Training on the job

Detailed description of the issue


Auditing (AWB and IDE) – Training on the job

Detailed recommendation to fix the issue


Auditing (AWB and IDE) - Result

Store Analysis See other comments and make
comments yourself

File a bug


Dynamic Analysis


23
INTRODUCTION TO WEBINSPECT
WebInspect is a comprehensive Dynamic
Application Security Testing (DAST) solution used
by IT Security auditors and penetration testers to
detect, classify and report discrete application
vulnerabilities.
WebInspect dynamically interacts with your
application enumerating application parameters
and server configuration characteristics which can
be exploited by a malicious attacker.
WebInspect employs “ethical” attack methods
which discover and confirm vulnerabilities without
actually exploiting them.

Monthly WebInspect Technical Demonstration:
http://www.hp.com/go/techdemos


Live scan visualization Live Scan
Start remediation of vuln’s immediately
Dashboard

Live Scan
Statistics
Site tree

Detailed Attack
Excluded and Table
Allowed Hosts
Section
Vulnerabilities
24 found in application

Grey Box Testing


Integrated Analysis

Application

Real-time link

• Find More
• Fix Faster

Real Time Analysis


Fortify RTA : Components

RTA
Console


SSC
Software Security Center


Fortify SSC Server – Risk Management
Track, measure and understand software security risk
Flexible reporting
Dashboards to details - Metrics that matter
Snapshots and trends - Easy to customize


Fortify SSC Server – Risk Management II
Centralized management of software security
Software security policy - Multiple projects
Real-time alerts - Enterprise Security Rules management


Fortify Server – Risk Management III
Collaborative Auditing and Remediation
Web Base Auditworkbench like interface
User Assignment


How can HP Fortify help?


Software must be Fortify'd
Fortify Source Code Fortify Security Fortify RTA
Analysis Scope
HP WebInspect
Source Code Security Audits Run-Time Protection

PLAN DESIGN CODE FUNCTIONAL ACCEPTANCE DEPLOY
TEST TEST

Software Inventory Collaboration Module

Governance Module

Fortify SSC Server
Software Security Metrics and Reporting

And the knowledge?


526 Categories to Date
SRG updates the Fortify Secure Coding Rulepacks to identify the latest categories of software vulnerabilities on
a quarterly basis
Growth in Vulnerability Categories
2005 – 2012 Examples of Categories
600 •Command Injection
•Cross-Build Injection
500 •Cross-Site Request Forgery
•Cross-Site Scripting
400 •HTTP Response Splitting
•JavaScript Hijacking
300 •LDAP Injection
•Privacy Violation
•Session Fixation
200
•SQL Injection
•System Information Leak
100
•Unhandled Exception
For a complete list, go to
0 http://www.hpenterprisesecurity.com/vulncat/e
n/vulncat/index.html
1

3

1

3

1

3

1

3

1

3

1

3

1

3

1
Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q
05

05

06

06

07

07

08

08

09

09

10

10

11

11

12

21 Languages to Date
SRG leads the industry in support for the broadest array of programming languages

Growth in Language Support
2005 – 2012 Language Support
25
•ABAB •XML/HTML
•Actionscript •Classic ASP
20
•ASP.NET •JSP
•Java •PHP
15 •C •Python
•C++ •VB.NET
10 •C# •VBScript
•COBOL •VB6
5 •Cold Fusion
•T-SQL
0 •Objective C
•PL/SQL
1

3

1

3

1

3

1

3

1

3

1

3

1

3

1
Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q
05

05

06

06

07

07

08

08

09

09

10

10

11

11

12
•JavaScript
/AJAX

710,000+ APIs to Date
SRG builds extensive support for the packages and frameworks used today, resulting in support for over
710,000 APIs over 526 vulnerability categories and 21 languages
Growth in API Support
2005 – 2012 Sample Packages
800.000
•JDK 1.4, 1.5, 1.6
700.000
•Apache Struts 1.x, 2.x
600.000 •Hibernate 2.x, 3.x
500.000 •Spring 1.x, 2.x

400.000 •JSF 1.x
•.NET 1.1, 2.0, 3.0, 3.5
300.000
•Microsoft Practices Enterprise
200.000 Library
100.000 •NHibernate 1.x
0 •Spring MVC
•Google GWT
1

3

1

3

1

3

1

3

1

3

1

3

1

3

1
Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q

Q
05

05

06

06

07

07

08

08

09

09

10

10

11

11

12
•Java Webservices

How to use?


Security in the Development Lifecycle


Maturity Models


Four high-level Disciplines

All security-related activities mapped under 4 Disciplines, each
representing a group of related business functions

Alignment & Requirements & Verification & Deployment &
Governance Design Assessment Operations

Activities related to Activities related to the Activities related to Activities related to
security program product conception and reviewing, testing, and knowledge transfer
management and cross- software design validating software and maintenance of
cutting organizational processes running software
concerns


What’s under each Discipline?
The 4 Disciplines are high-level categories for activities
Three security Functions under each Discipline are the specific silos for improvement within an
organization
Alignment & Requirements & Verification & Deployment &
Governance Design Assessment Operations
Disciplines

Functions


Security Research – Fortify SSA Maturity Model
Initiate Define Design Develop Test Implement Operate
Education & Guidance
Alignment &
Governance Standards & Compliance
Strategic Planning
Threat Modeling
Requirements &
Design Security Requirements
Defensive Design
Architecture Review
Verification &
Code Review
Assessment
Security Testing
Vulnerability
Management
Deployment & Infrastructure
Operations Hardening
Operational Enablement
SCA

WebInspect
Fortify SSC
RTA
47 Fortify SSC Server

SSA Scorecard
Blank Industry Enterprise Prioritized
Scorecard Best Practices Scoring Roadmap
Objective 3

Objective 2 8 4
7 6 2
Objective 1 5
1 3
Objective 0
Education Standard Planning Threat Md Sec Req Def Design Arch Rev Code Rev Sec Testing Vul Mgmt Infr Harden Ops Enable
Governance Requirements Verification Deployment
& Alignment & Design & Assessment & Operations

SSA Best Practice Approach

Key Principles
Rapid identification and remediation of critical vulnerabilities
• Don‟t “forget to fix” or “boil the ocean”
Prevent introduction of new vulnerabilities
• Integrate into existing SDLC with minimal process changes
• Provide flexibility to integrate with new SDL as it rolls-out
Provide support for the developers
• Training in the context of their own code base
• Mentoring as required
Monitor and control
• Automate gathering of vulnerability statistics and publish
• Enforcement via security gate
Continuous Improvement


49

Goals and benefits for Software Security
Assurance SSA

A successful software security initiative leads to:
Measurably reduced risk from existing applications
A controlled process for preventing vulnerabilities in new releases
Reduced costs, delays, and wasted effort from emergency bug fixes and
incident clean-up


Success is foreseeing failure.
58
– Henry Petroski

Thank you
Lucas v. Stockhausen
lvonstockhausen@hp.com
+49-1520 1898430


Backup Slides


RAST is the key to correlation

URL: www.
sales.company.com

File: NewClass.java File: NewClass.java
Line: 27 Line: 27

ID: 234 ID: 234

Source Code: <java.sql.
Connection.xxx>


ROI


The Breach

The biggest ROI is no breach
No regulatory costs
No brand reputation
…

Hard to measure if it never happened to you before.


Fixing Bugs Earlier in the Lifecycle

Cost of Fixing One Vulnerability
Based On The Stage It Was Identified

$15.000
$14,102

$12.000

$9.000
$7,136
$6.000

$3.000

$455 $977
$139
$0
Requirements Design Coding Testing Maintenance

Example: Cost of Fixing Critical Defects

The following case study provides an example of the savings generated by using
source code analysis to find vulnerabilities earlier in the SDLC

• Sample Application Size: 2 Million LOC
Application

• Defects Identified during SCA: 1,600
Vulnerabilities
Identified Using SCA
• Defects Deemed Critical 200


Example: Cost of Fixing Critical Defects
Cost of Fixing Vulnerabilities Early Cost of Fixing Vulnerabilities Later

Critical Bugs Cost of Fixing 1 Cost of Fixing Critical Bugs Cost of Fixing Cost of Fixing
Stage Stage
Identified Bug All Bugs Identified 1 Bug All Bugs

Requirements $139 Requirements $139

Design $455 Design $455

Coding 200 $977 $195,400 Coding $977

Testing $7,136 Testing 50 $7,136 $356,800

Maintenance $14,102 Maintenance 150 $14,102 $2,115,300

Total 200 $195,400 Total 200 $2,472,100

66
Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3MM

Quiz


Quiz

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
+ userName + "' AND itemname = „”
+ itemName + “„”;
ResultSet rs = stmt.execute(query);

Username = lucas
Itemname = x’ or 1=1; --


68

Quiz - Solution

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
+ lucas + "' AND itemname = „”
+ x’ or 1=1; -- + “„”;
ResultSet rs = stmt.execute(query);

Username = lucas


69

Quiz - Solution

SELECT * FROM items WHERE owner = „lucas' AND itemname = „x’ or
1=1; -- „”;

Username = lucas


70

Ensure Software Security already during development

More Related Content

What's hot

Viewers also liked

Similar to Ensure Software Security already during development

More from IT Weekend

Recently uploaded

Ensure Software Security already during development

Editor's Notes