© 2015 Denim Group – All Rights Reserved
Running a Software Security Program on Open Source Tools
Dan Cornell
CTO, Denim Group
@danielcornell

My Background
•  Dan Cornell, founder and CTO of Denim Group
•  Software developer by background (Java, .NET, etc)
•  OWASP San Antonio

Denim Group Background
•  Secure software services and products company
  •  Builds secure software
  •  Helps organizations assess and mitigate risk of in-house developed and third party software
  •  Provides classroom training and e-Learning so clients can build software securely
•  Software-centric view of application security
  •  Application security experts are practicing developers
  •  Development pedigree translates to rapport with development managers
  •  Business impact: shorter time-to-fix application vulnerabilities
•  Culture of application security innovation and contribution
  •  Develops open source tools to help clients mature their software security programs
  •  Remediation Resource Center, ThreadFix
  •  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
•  World class alliance partners accelerate innovation to solve client problems

Agenda
•  So You Want To Roll Out a Software Security Program?
•  Software Assurance Maturity Model (OpenSAMM)
•  Components Of Your Software Security Program
  •  Governance
  •  Construction
  •  Verification
  •  Deployment
•  Conclusions / Questions

So You Want To Roll Out a Software Security Program?
•  Great!
•  What a software security program ISN’T
  •  Question: “What are you doing to address software security concerns?”
  •  Answer: “We bought scanner XYZ”
•  What a software security program IS
  •  People, process, tools (naturally)
  •  Set of activities intended to repeatedly produce appropriately-secure software

Challenges Rolling Out Software Security Programs
•  Resources
  •  Raw budget and cost issues
  •  Level of effort issues
•  Resistance: requires organizational change
  •  Apparently people hate this
•  Open source tools
  •  Can help with raw budget issues
  •  May exacerbate problems with level of effort
•  View the rollout as a multi-stage process
  •  Not one magical effort
  •  Use short-term successes and gains to fuel further change

Software Assurance Maturity Model (OpenSAMM)
•  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
•  Useful for:
  •  Evaluating an organization’s existing software security practices
  •  Building a balanced software security program in well-defined iterations
  •  Demonstrating concrete improvements to a security assurance program
  •  Defining and measuring security-related activities within an organization
•  Main website: http://www.opensamm.org/

Using OpenSAMM You Can…
•  Evaluate an organization’s existing software security practices
•  Build a balanced software security assurance program in well-defined iterations
•  Demonstrate concrete improvements to a security assurance program
•  Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]

Drivers for a Maturity Model
•  An organization’s behavior changes slowly over time
•  Changes must be iterative while working toward long-term goals
•  There is no single recipe that works for all organizations
•  A solution must enable risk-based choices tailored to the organization
•  Guidance related to security activities must be prescriptive
•  A solution must provide enough details for non-security-people
•  Overall, must be simple, well-defined, and measurable
[This slide content © Pravir Chandra]

Therefore, a Viable Model Must...
•  Define building blocks for an assurance program
  •  Delineate all functions within an organization that could be improved over time
•  Define how building blocks should be combined
  •  Make creating change in iterations a no-brainer
•  Define details for each building block clearly
  •  Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
[This slide content © Pravir Chandra]

Understanding the Model
[This slide content © Pravir Chandra]

SAMM Business Functions
•  Start with the core activities tied to any organization performing software development
•  Named generically, but should resonate with any developer or manager
[This slide content © Pravir Chandra]

SAMM Security Practices
•  From each of the Business Functions, 3 Security Practices are defined
•  The Security Practices cover all areas relevant to software security assurance
•  Each one is a silo for improvement
[This slide content © Pravir Chandra]

Discussion: Tools
•  Commercial tools in use?
•  Free / open source tools in use?
•  What tool implementations have been successful?
•  What tool implementations have been less successful?
  •  Why?
•  What is your interest in using open source tools for software security?

Why Use Free / Open Source Tools?
•  They’re FREE!
  •  No per-user license fees
•  Can be customized
  •  Don’t like the way a feature works – improve it!

As a Project Maintainer…

Potential Disadvantages of Free Tools
•  Often less mature than commercial analogs
  •  Application and software security are new when compared to other disciplines
  •  Open source tools lag in a number of areas
•  Task-focused rather than program-focused
  •  Geared toward testing a single application rather than a portfolio of applications

Discussion: Organizational Concerns
•  Does your organization allow the use of open source tools?
•  What restrictions are placed on the use of free / open source tools?
  •  Only certain licenses allowed
  •  Each tool / library must have a sponsor

Open Source Tool Usage – Best Practices
•  Maintain a relationship with the project lead / development community
  •  How responsive are they?
  •  Good to have a relationship for escalating issues
•  Consider commercial support
  •  If available
  •  When it makes sense
•  Give back
  •  Installation instructions for your platform(s)
  •  Other documentation opportunities
  •  Code updates – if possible / desirable

ThreadFix - Overview
•  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
•  Freely available under the Mozilla Public License (MPL)
•  Hosted at GitHub: https://github.com/denimgroup/threadfix

OpenSAMM: Governance
•  Strategy and Metrics
•  Policy and Compliance
•  Education and Guidance

Governance: Strategy and Metrics
•  Overall strategic direction of the assurance program
•  How are processes instrumented?
•  How are measurements taken?

ThreadFix: Reporting
•  Can be done at multiple levels:
  •  Enterprise-wide
  •  Team
  •  Individual application
•  Reports for:
  •  Vulnerability count trending
  •  Progress – vulnerability resolution and timelines
  •  Scanner effectiveness
  •  Frequency of scanning across the portfolio
•  Will revisit ThreadFix reporting later in the course for examples

Governance: Policy and Compliance
•  What compliance regimes are your organizations and applications subject to?
  •  PCI
  •  HIPAA
  •  SOX
•  What policies will you put in place to meet these obligations?

SimpleRisk
•  Governance Risk and Compliance (GRC)
•  http://www.simplerisk.org/
•  Created by Josh Sokol

Governance: Education and Guidance
•  Software security requires the input of a variety of stakeholders
•  Software security is a relatively new area of study
  •  Many of the involved parties (e.g. software developers) have never been exposed to it
•  You cannot hold people responsible if they have not been properly trained

Governance: Education and Guidance
•  Variety of potential consumers
  •  Executives / Management
  •  Developers
  •  Quality Assurance (QA)
  •  Security Testers
•  Need for information at several levels
  •  Introduction / overview
  •  Topic-specific
  •  Technology-specific
•  Several ways to deliver guidance and training
  •  Self-serve portal
  •  Instructor-led training
  •  E-Learning

OWASP Development Guide
•  Provides guidance to developers on how to build secure applications
•  Attempts to cover broad topics with some technology-specific examples
•  Several translations: English, Spanish, Japanese
•  Originally released in 2001, revised in 2005
  •  Somewhat dated
  •  Currently undergoing a significant rewrite
•  Main site: https://www.owasp.org/index.php/OWASP_Guide_Project

OWASP Cheat Sheets
•  Provide targeted, consumable guidance on specific topics or technologies
  •  Authentication
  •  Transport layer protection
  •  Input validation
  •  Session management
  •  And so on…
•  Tend to be “fresher” than the related sections in the Development Guide
  •  Also easier to provide to developers for use
•  Main site: https://www.owasp.org/index.php/Cheat_Sheets

OWASP Secure Coding Practices Quick Reference Guide
•  Technology agnostic set of general software security coding practices
•  Consumable
  •  ~17 pages long
  •  Checklist format
•  Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

OWASP WebGoat - Overview
•  Deliberately insecure JEE web application
•  Presented as a series of lessons
  •  SQL injection
  •  Cross-site Scripting (XSS)
  •  Cross-site Request Forgery (CSRF)
  •  Hidden form manipulation
  •  And so on…
•  Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

OpenSAMM: Construction
•  Threat Assessment
•  Security Requirements
•  Secure Architecture

Construction: Threat Assessment
•  Identify and characterize potential attacks
  •  These will determine investment level and required countermeasures
•  WHO do you need to be worried about?
  •  Nation-states
  •  Chaotic actors
  •  Organized crime
  •  And so on…

Construction: Security Requirements
•  Up-front determination of required security properties of the system
•  Drive future activities

Construction: Secure Architecture
•  Use the design process to:
  •  Build in security controls
  •  Avoid injecting security issues
•  Threat modeling
•  Architectural risk analysis

ESAPI - Overview
•  Enterprise Security API (ESAPI)
•  Open source web application security control library
•  Several languages available: JavaEE, .NET, PHP, Classic ASP, etc
  •  WIDE variation in maturity and support
  •  Stick to Java unless you are very brave (and even then)
•  Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Microsoft Web Protection Library - Overview
•  Set of .NET assemblies which help protect web applications
•  AntiXSS encoding library
  •  Encoding functions for HTML, HTML attributes, XML, etc
  •  HTML sanitization routines (for “safely” accepting rich content)
•  Security Runtime Engine (SRE)
  •  Provides runtime protection against SQL injection and Cross-Site Scripting (XSS)
•  Sites:
  •  http://wpl.codeplex.com/
  •  https://www.microsoft.com/en-us/download/details.aspx?id=28589

OpenSAMM: Verification
•  Design Review
•  Code Review
•  Security Testing

Verification: Design Review
•  Incorporate security into review of architecture/design materials
•  Were the previous assurance activities successful?

Microsoft Threat Analysis and Modeling Tool - Overview
•  Create threat models for your applications
  •  Identify potential issues
  •  Plan for mitigations
•  Requires Visio 2007 or 2010
•  Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

Mapping Threats to Data Flow Asset Types

Threat Type                  External Interactor   Process   Data Flow   Data Store
S – Spoofing                 Yes                   Yes       –           –
T – Tampering                –                     Yes       Yes         Yes
R – Repudiation              Yes                   Yes       –           Yes
I – Information Disclosure   –                     Yes       Yes         Yes
D – Denial of Service        –                     Yes       Yes         Yes
E – Elevation of Privilege   –                     Yes       –           –

Verification: Code Review
•  Review software artifacts “at-rest”
•  Can be both automated and manual
•  Reach and frequency
  •  How much of your software is subject to review?
  •  How thorough is the analysis?
  •  How often is it performed?

Static Analysis
•  Source Code Scanning
•  Manual Code Reviews
•  Advantages
  •  Identifies flaws during integration, when it is easier to address issues
  •  Developers can identify flaws in their own code before checking it in
  •  Many projects already have a code review process in-place
•  Disadvantages
  •  Freeware tools often do not address security well (specifically dataflow analysis)
  •  Licensed tools are a significant investment
  •  Manual review can be unstructured and time-consuming without licensed tools
  •  Not ideal for discovering logical vulnerabilities
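
The "dataflow analysis" this slide singles out as the weak spot of free static analysis tools is taint tracking: follow data from an untrusted source, through assignments and string building, to a dangerous sink, and stop following it when a sanitizer intervenes. The following is an added example written for this page, not code from the slides or from any tool listed on them; it runs that analysis over a constructed Python snippet with the standard `ast` module, using hypothetical source, sanitizer and sink rules that mirror what a commercial tool ships as a rule pack.

```python
import ast
from typing import List, Optional, Set, Tuple

# Constructed sample program (not from the slides): a request parameter flows
# into a string-built SQL query on one path, is bound as a parameter on another,
# and is passed through an HTML sanitizer before being rendered.
SAMPLE = '''
user = request.args.get("user")
safe_user = escape(user)
query = "SELECT * FROM users WHERE name = '" + user + "'"
cursor.execute(query)
cursor.execute("SELECT * FROM users WHERE name = %s", (user,))
page = "<h1>" + safe_user + "</h1>"
render(page)
'''

# Hypothetical rule set: where untrusted data enters, which calls neutralise it,
# and which calls are sinks (with the index of the argument that must be clean).
SOURCES = {"request.args.get"}
SANITIZERS = {"escape"}
SINKS = {"cursor.execute": 0, "render": 0}


def dotted_name(node: ast.AST) -> Optional[str]:
    """Render a call target such as `a.b.c` as a string; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr: ast.AST, tainted: Set[str]) -> bool:
    """Does this expression carry data derived from an untrusted source?"""
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):           # string concatenation propagates taint
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, (ast.Tuple, ast.List)):
        return any(is_tainted(e, tainted) for e in expr.elts)
    if isinstance(expr, ast.JoinedStr):       # f-strings
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False  # constants and unmodelled expressions are treated as clean


def analyze(source: str) -> List[Tuple[int, str]]:
    """Return (line, sink) pairs where tainted data reaches a sink argument."""
    tainted: Set[str] = set()
    findings: List[Tuple[int, str]] = []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if is_tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)  # clean reassignment clears taint
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            name = dotted_name(stmt.value.func)
            if name in SINKS:
                idx, args = SINKS[name], stmt.value.args
                if idx < len(args) and is_tainted(args[idx], tainted):
                    findings.append((stmt.lineno, name))
    return findings


if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```

Only the concatenated query is reported: the parameterised call passes the tainted value in argument 1, which the driver treats as data, and the rendered page went through the sanitizer. What this toy leaves out is exactly where the free tools fall short: flow across function calls and branches, sanitizers scoped to a sink type (the `escape` above neutralises an HTML sink but would not make the value safe for SQL), and aliasing through containers and object fields.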

Static Analysis Tools
•  Commercial Tools
  •  Fortify (now HP)
  •  Ounce (now IBM Rational)
  •  Checkmarx
  •  Veracode (SaaS)
•  Freeware Tools
  •  RATS/Flawfinder – C/C++, Python, PHP
  •  FindBugs – Java
  •  PMD – Java
  •  FxCop – .NET
  •  Brakeman – Ruby on Rails

FindBugs - Overview
•  Freely-available binary static analysis tool for Java
•  Main site: http://findbugs.sourceforge.net/

FxCop - Overview
•  Free static analysis tool from Microsoft
•  Integrated into Visual Studio
•  Similar capabilities to FindBugs (but for .NET)
•  Blog: http://blogs.msdn.com/b/codeanalysis/

CAT.NET - Overview
•  Free static analysis tool from Microsoft
•  Does dataflow analysis (rare among the free tools)
•  Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968
•  Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
•  Dinis Cruz has done some interesting work with CAT.NET and O2
  •  https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
•  Plans for future development are not clear

Brakeman - Overview
•  Security scanner for Ruby on Rails applications
•  Static analysis
•  Finds things like SQL injection and XSS
•  Also checks for certain CVE-type vulnerabilities
•  Main site: http://brakemanscanner.org/

Agnitio - Overview
•  Tool for supporting manual code reviews
•  Set of checklists to verify security controls
•  Some grep-like search capabilities
•  Main site: http://sourceforge.net/projects/agnitiotool/

DependencyCheck – Overview
•  Checks for out-of-date JAR libraries with known CVE issues
•  Looks beyond JAR hashes
•  We used it to find a vulnerable library used by ThreadFix
  •  Apache POI library
  •  http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
•  Main site: https://github.com/jeremylong/DependencyCheck

Verification: Security Testing
•  Runtime testing for security vulnerabilities
  •  Web applications: automated scanners, web proxies
  •  Other applications: fuzzing, protocol analysis

Dynamic Analysis
•  Integrate abuse cases into unit and automated testing
•  Use application scanning tools
•  Perform a dedicated penetration test by security staff or a 3rd party
•  Advantages
  •  Generally more time-efficient than manual code review
  •  Good for discovering logical vulnerabilities
•  Disadvantages
  •  Requires fully functional features to test
  •  Security staff may not have application security training or experience
  •  Scanning tools may have difficulty with unusual applications
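
An abuse case in a unit test is a test whose input is what an attacker would send rather than what a user would, with an assertion on the behaviour that must hold regardless. The following is an added example written for this page, not code from the slides or any tool listed on them: two handlers each in a string-building form and a hardened form, abuse inputs kept as data, and `unittest` cases that fail the build the moment output encoding or parameter binding is removed. The in-memory SQLite table and all inputs are constructed for the example.

```python
import html
import sqlite3
import unittest
from typing import Callable, List


def greet_unsafe(name: str) -> str:
    """String building: whatever the caller sends becomes markup."""
    return "<p>Hello, " + name + "</p>"


def greet(name: str) -> str:
    """Output encoding: user-controlled text is HTML-encoded before it lands in markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the lookup handlers."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def find_user_unsafe(con: sqlite3.Connection, name: str) -> List[str]:
    """String building: the value can change the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def find_user(con: sqlite3.Connection, name: str) -> List[str]:
    """Parameter binding: the driver keeps data and SQL structure separate."""
    return [row[0] for row in
            con.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Abuse cases as data, so a new one is a one-line addition.
# Each XSS case pairs an input with a fragment that must not survive encoding.
XSS_CASES = [
    ("<script>alert(1)</script>", "<script>"),
    ('" onmouseover="alert(1)', '"'),
    ("' onfocus='alert(1)", "'"),
]
# A tautology that turns "find one user" into "find every user".
SQLI_CASE = "' OR '1'='1"


def xss_violations(render: Callable[[str], str]) -> List[str]:
    """Inputs whose dangerous fragment reaches the rendered output unencoded."""
    return [inp for inp, fragment in XSS_CASES if fragment in render(inp)]


def sqli_row_count(lookup: Callable[[sqlite3.Connection, str], List[str]]) -> int:
    """Rows returned for the abuse input; a correct lookup returns none."""
    return len(lookup(make_db(), SQLI_CASE))


class AbuseCaseTests(unittest.TestCase):
    def test_output_is_encoded(self):
        self.assertEqual(xss_violations(greet), [])

    def test_query_is_parameterised(self):
        self.assertEqual(sqli_row_count(find_user), 0)

    def test_abuse_cases_actually_bite(self):
        # Guards against a suite that passes only because its cases are inert.
        self.assertEqual(len(xss_violations(greet_unsafe)), len(XSS_CASES))
        self.assertEqual(sqli_row_count(find_user_unsafe), 2)


if __name__ == "__main__":
    unittest.main()
```

The third test is the one teams usually forget: it proves the abuse inputs really break the unhardened code path, so the suite cannot drift into asserting nothing. Because these run with the rest of the unit tests, the "requires fully functional features" disadvantage on the slide is avoided for the controls that can be exercised in isolation.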

Dynamic Analysis Tools
•  Automated Tools
  •  IBM Rational AppScan
  •  HP WebInspect
  •  Acunetix Vulnerability Scanner
  •  Netsparker
•  Manual Testing
  •  Zed Attack Proxy
  •  Burp
  •  Google RatProxy
  •  Browser plugins
•  Testing Scripts – Watir
•  Load and Performance testing tools – JMeter, Grinder

Arachni - Overview
•  Open source automated web application scanner
•  Written in Ruby
•  Can be deployed in a “grid” format for faster scanning
•  Uses several different types of analysis to identify vulnerabilities
  •  Fuzzing
  •  Taint analysis
  •  Time analysis
•  Main site: http://arachni-scanner.com/

w3af - Overview
•  Open source automated web application scanner
•  Written in Python
•  Main site: http://w3af.sourceforge.net/

OWASP ZAProxy - Overview
•  Open source web proxy and web application scanner
•  Supports both manual and automated assessment
•  Fork of Paros Proxy
•  Exposes RESTful API
•  Main site: http://code.google.com/p/zaproxy/

Skipfish - Overview
•  Fast web application scanner written in C
•  Maintained by Google
•  Does a lot of file/directory guessing by default
•  Main site: https://code.google.com/p/skipfish/

OpenSAMM: Deployment
•  Vulnerability Management
•  Environment Hardening
•  Operational Enablement

Deployment: Vulnerability Management
•  Process for managing vulnerabilities in both internal and external software
  •  Goal is consistency
•  Use data from vulnerability handling to improve processes
  •  Decrease number and severity of future vulnerabilities
  •  Decrease time-to-fix

Turning Vulnerabilities Into Software Defects
•  Security teams talk about “vulnerabilities”
•  Software developers talk about “defects”
•  Developers Don’t Speak PDF
  •  http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
•  Why should developers manage 90% of their workload in defect trackers
  •  And the magic, special “security” part of their workload … some other way?
•  ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
  •  And track their remediation status over time to schedule re-scans

ThreadFix: Defect Tracker Integration
•  Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
•  Bundle multiple vulnerabilities into a single defect
•  How to organize?
  •  By severity
  •  By type
  •  By location in the application
  •  Some combination
•  When the defect status changes you can schedule re-scans

Deployment: Environment Hardening
•  Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
•  Controls for operating environments:
  •  Reduce vulnerabilities in the infrastructure
  •  Enable logging and tracking

Microsoft Baseline Security Analyzer (MBSA) - Overview
•  Runs standard checks on Windows Workstations and Servers
  •  Internet Explorer
  •  IIS
  •  SQL Server
•  Checks registry and file settings
•  2.2 Downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558

Deployment: Operational Enablement
•  How do you install, configure and run your applications?
  •  Also updates and upgrades
•  Runtime checks and logging for intrusion detection and incident response
•  John Dickson has done some work in this area
  •  http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications

Continuous Integration and Security Testing
•  Reduce the time between introducing security defects and knowing about them
•  Free tools mean that any project can be instrumented
  •  No licensing fees
•  ThreadFix has a REST-based API and command-line client for scripting

mod_security - Overview
•  Open source web application firewall engine
•  Also has a Core RuleSet (CRS)
•  Traditionally has been Apache-only
  •  Runs as an Apache module (mod_security)
•  Recently announced both IIS and Nginx support
•  Main site: http://www.modsecurity.org/

Recap
•  A software security program is more than a tool or set of tools
  •  But tools help provide automation and facilitate scale
•  OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
•  Open source tools exist to support many key activities in a software security program
•  Build and maintain relationships with the open source projects you use

Conclusions / Questions
Dan Cornell
dan@denimgroup.com
Twitter: @danielcornell
www.denimgroup.com
www.denimgroup.com/threadfix
code.google.com/p/threadfix
(210) 572-4400

Running a Software Security Program with Open Source Tools

  • 1.
    © 2015 DenimGroup – All Rights Reserved Running a Software Security Program on Open Source Tools! Dan Cornell CTO, Denim Group @danielcornell
  • 2.
    © 2015 DenimGroup – All Rights Reserved 2   My Background! •  Dan Cornell, founder and CTO of Denim Group •  Software developer by background (Java, .NET, etc) •  OWASP San Antonio
  • 3.
    © 2015 DenimGroup – All Rights Reserved Denim Group Background! •  Secure software services and products company •  Builds secure software •  Helps organizations assess and mitigate risk of in-house developed and third party software •  Provides classroom training and e-Learning so clients can build software securely •  Software-centric view of application security •  Application security experts are practicing developers •  Development pedigree translates to rapport with development managers •  Business impact: shorter time-to-fix application vulnerabilities •  Culture of application security innovation and contribution •  Develops open source tools to help clients mature their software security programs •  Remediation Resource Center, ThreadFix •  OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI •  World class alliance partners accelerate innovation to solve client problems 3  
  • 4.
    © 2015 DenimGroup – All Rights Reserved Agenda! •  So You Want To Roll Out a Software Security Program? •  Software Assurance Maturity Model (OpenSAMM) •  Components Of Your Software Security Program •  Governance •  Construction •  Verification •  Deployment •  Conclusions / Questions 4  
  • 5.
    © 2015 DenimGroup – All Rights Reserved So You Want To Roll Out a Software Security Program?! •  Great! •  What a software security program ISN’T •  Question: “What are you doing to address software security concerns?” •  Answer: “We bought scanner XYZ” •  What a software security program IS •  People, process, tools (naturally) •  Set of activities intended to repeatedly produce appropriately-secure software 5  
  • 6.
    © 2015 DenimGroup – All Rights Reserved Challenges Rolling Out Software Security Programs! •  Resources •  Raw budget and cost issues •  Level of effort issues •  Resistance: requires organizational change •  Apparently people hate this •  Open source tools •  Can help with raw budget issues •  May exacerbate problems with level of effort •  View the rollout as a multi-stage process •  Not one magical effort •  Use short-term successes and gains to fuel further change 6  
  • 7.
    © 2015 DenimGroup – All Rights Reserved Software Assurance Maturity Model (OpenSAMM)! •  Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks racing the organization •  Useful for: •  Evaluating an organization’s existing software security practices •  Building a balanced software security program in well-defined iterations •  Demonstrating concrete improvements to a security assurance program •  Defining and measuring security-related activities within an organization •  Main website: •  http://www.opensamm.org/ 7  
  • 8.
    © 2015 DenimGroup – All Rights Reserved Using OpenSAMMYou Can… •  Evaluate an organization s existing software security practices •  Build a balanced software security assurance program in well- defined iterations •  Demonstrate concrete improvements to a security assurance program •  Define and measure security-related activities throughout an organization [This slide content © Pravir Chandra]
  • 9.
    © 2015 DenimGroup – All Rights Reserved Drivers for a Maturity Model •  An organization s behavior changes slowly over time •  Changes must be iterative while working toward long-term goals •  There is no single recipe that works for all organizations •  A solution must enable risk-based choices tailor to the organization •  Guidance related to security activities must be prescriptive •  A solution must provide enough details for non-security-people •  Overall, must be simple, well-defined, and measurable [This slide content © Pravir Chandra]
  • 10.
    © 2015 DenimGroup – All Rights Reserved Therefore, aViable Model Must... •  Define building blocks for an assurance program •  Delineate all functions within an organization that could be improved over time •  Define how building blocks should be combined •  Make creating change in iterations a no-brainer •  Define details for each building block clearly •  Clarify the security-relevant parts in a widely applicable way (for any org doing software dev) [This slide content © Pravir Chandra]
  • 11.
    © 2015 DenimGroup – All Rights Reserved Understanding the Model [This slide content © Pravir Chandra]
  • 12.
    © 2015 DenimGroup – All Rights Reserved SAMM Business Functions • Start with the core activities tied to any organization performing software development • Named generically, but should resonate with any developer or manager [This slide content © Pravir Chandra]
  • 13.
    © 2015 DenimGroup – All Rights Reserved SAMM Security Practices •  From each of the Business Functions, 3 Security Practices are defined •  The Security Practices cover all areas relevant to software security assurance •  Each one is a silo for improvement [This slide content © Pravir Chandra]
  • 14.
    © 2015 DenimGroup – All Rights Reserved Discussion: Tools! •  Commercial tools in use? •  Free / open source tools in use? •  What tool implementations have been successful? •  What tool implementations have been less successful? •  Why? •  What is your interest in using open source tools for software security? 14  
  • 15.
    © 2015 DenimGroup – All Rights Reserved Why Use Free / Open Source Tools?! •  They’re FREE! •  No per-user license fees •  Can be customized •  Don’t like the way a feature works – improve it! 15  
  • 16.
    © 2015 DenimGroup – All Rights Reserved As a Project Maintainer…!
  • 17.
    © 2015 DenimGroup – All Rights Reserved Potential Disadvantages of Free Tools! •  Often less mature than commercial analogs •  Application and software security are new when compared to other disciplines •  Open source tools lag in a number of areas •  Task-focused rather than program-focused •  Geared toward testing a single application rather than a portfolio of applications 17  
  • 18.
    © 2015 DenimGroup – All Rights Reserved Discussion: Organizational Concerns! •  Does your organization allow the use of open source tools? •  What restrictions are placed on the use of free / open source tools? •  Only certain licenses allowed •  Each tool / library must have a sponsor 18  
  • 19.
    © 2015 DenimGroup – All Rights Reserved Open Source Tool Usage – Best Practices! •  Maintain a relationship with the project lead / development community •  How responsive are they? •  Good to have a relationship for escalating issues •  Consider commercial support •  If available •  When it makes sense •  Give back •  Installation instructions for your platform(s) •  Other documentation opportunities •  Code updates – if possible / desirable 19  
  • 20.
    © 2015 DenimGroup – All Rights Reserved ThreadFix - Overview! •  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. •  Freely available under the Mozilla Public License (MPL) •  Hosted at GItHub: https://github.com/denimgroup/threadfix 20  
  • 21.
    © 2015 DenimGroup – All Rights Reserved OpenSAMM: Governance! •  Strategy and Metrics •  Policy and Compliance •  Education and Guidance 21  
  • 22.
    © 2015 DenimGroup – All Rights Reserved Governance: Strategy and Metrics! •  Overall strategic direction of the assurance program •  How are processes instrumented? •  How are measurements taken? 22  
  • 23.
    © 2015 DenimGroup – All Rights Reserved ThreadFix: Reporting! •  Can be done at multiple levels: •  Enterprise-wide •  Team •  Individual application •  Reports for: •  Vulnerability count trending •  Progress – vulnerability resolution and timelines •  Scanner effectiveness •  Frequency of scanning across the portfolio •  Will revisit ThreadFix reporting later in the course for examples 23  
  • 24.
    © 2015 DenimGroup – All Rights Reserved Governance: Policy and Compliance! •  What compliance regimes are your organizations and applications subject to? •  PCI •  HIPAA •  SOX •  What policies will you put in place to meet these obligations? 24  
  • 25.
    © 2015 DenimGroup – All Rights Reserved SimpleRisk! •  Governance Risk and Compliance (GRC) •  http://www.simplerisk.org/ •  Created by Josh Sokol 25  
  • 26.
Governance: Education and Guidance!
•  Software security requires the input of a variety of stakeholders
•  Software security is a relatively new area of study
•  Many of the involved parties (e.g. software developers) have never been exposed to it
•  You cannot hold people responsible if they have not been properly trained

Governance: Education and Guidance!
•  Variety of potential consumers
   •  Executives / Management
   •  Developers
   •  Quality Assurance (QA)
   •  Security Testers
•  Need for information at several levels
   •  Introduction / overview
   •  Topic-specific
   •  Technology-specific
•  Several ways to deliver guidance and training
   •  Self-serve portal
   •  Instructor-led training
   •  E-Learning

OWASP Development Guide!
•  Provides guidance to developers on how to build secure applications
•  Attempts to cover broad topics with some technology-specific examples
•  Several translations: English, Spanish, Japanese
•  Originally released in 2001, revised in 2005
   •  Somewhat dated
   •  Currently undergoing a significant rewrite
•  Main site: https://www.owasp.org/index.php/OWASP_Guide_Project

OWASP Cheat Sheets!
•  Provide targeted, consumable guidance on specific topics or technologies
   •  Authentication
   •  Transport layer protection
   •  Input validation
   •  Session management
   •  And so on…
•  Tend to be “fresher” than the related sections in the Development Guide
•  Also easier to provide to developers for use
•  Main site: https://www.owasp.org/index.php/Cheat_Sheets

OWASP Secure Coding Practices Quick Reference Guide!
•  Technology-agnostic set of general software security coding practices
•  Consumable
   •  ~17 pages long
   •  Checklist format
•  Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

OWASP WebGoat - Overview!
•  Deliberately insecure JEE web application
•  Presented as a series of lessons
   •  SQL injection
   •  Cross-site Scripting (XSS)
   •  Cross-site Request Forgery (CSRF)
   •  Hidden form manipulation
   •  And so on…
•  Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

OpenSAMM: Construction!
•  Threat Assessment
•  Security Requirements
•  Secure Architecture

Construction: Threat Assessment!
•  Identify and characterize potential attacks
•  These will determine investment level and required countermeasures
•  WHO do you need to be worried about?
   •  Nation-states
   •  Chaotic actors
   •  Organized crime
   •  And so on…

Construction: Security Requirements!
•  Up-front determination of required security properties of the system
•  Drive future activities

Construction: Secure Architecture!
•  Use the design process to:
   •  Build in security controls
   •  Avoid injecting security issues
•  Threat modeling
•  Architectural risk analysis

ESAPI - Overview!
•  Enterprise Security API (ESAPI)
•  Open source web application security control library
•  Several languages available: JavaEE, .NET, PHP, Classic ASP, etc
   •  WIDE variation in maturity and support
   •  Stick to Java unless you are very brave (and even then)
•  Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Microsoft Web Protection Library - Overview!
•  Set of .NET assemblies which help protect web applications
•  AntiXSS encoding library
   •  Encoding functions for HTML, HTML attributes, XML, etc
   •  HTML sanitization routines (for “safely” accepting rich content)
•  Security Runtime Engine (SRE)
   •  Provides runtime protection against SQL injection and Cross-Site Scripting (XSS)
•  Sites:
   •  http://wpl.codeplex.com/
   •  https://www.microsoft.com/en-us/download/details.aspx?id=28589

OpenSAMM: Verification!
•  Design Review
•  Code Review
•  Security Testing

Verification: Design Review!
•  Incorporate security into review of architecture/design materials
•  Were the previous assurance activities successful?

Microsoft Threat Analysis and Modeling Tool - Overview!
•  Create threat models for your applications
   •  Identify potential issues
   •  Plan for mitigations
•  Requires Visio 2007 or 2010
•  Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

Mapping Threats to Data Flow Asset Types

Threat Type                | External Interactor | Process | Data Flow | Data Store
S – Spoofing               | Yes                 | Yes     |           |
T – Tampering              |                     | Yes     | Yes       | Yes
R – Repudiation            | Yes                 | Yes     |           | Yes
I – Information Disclosure |                     | Yes     | Yes       | Yes
D – Denial of Service      |                     | Yes     | Yes       | Yes
E – Elevation of Privilege |                     | Yes     |           |

Verification: Code Review!
•  Review software artifacts “at rest”
•  Can be both automated and manual
•  Reach and frequency
   •  How much of your software is subject to review?
   •  How thorough is the analysis?
   •  How often is it performed?

Static Analysis
•  Source Code Scanning
•  Manual Code Reviews
•  Advantages
   •  Identifies flaws during integration, when it is easier to address issues
   •  Developers can identify flaws in their own code before checking it in
   •  Many projects already have a code review process in place
•  Disadvantages
   •  Freeware tools often do not address security well (specifically dataflow analysis)
   •  Licensed tools are a significant investment
   •  Manual review can be unstructured and time-consuming without licensed tools
   •  Not ideal for discovering logical vulnerabilities

Static Analysis Tools
•  Commercial Tools
   •  Fortify (now HP)
   •  Ounce (now IBM Rational)
   •  Checkmarx
   •  Veracode (SaaS)
•  Freeware Tools
   •  RATS/Flawfinder – C/C++, Python, PHP
   •  FindBugs – Java
   •  PMD – Java
   •  FxCop – .NET
   •  Brakeman – Ruby on Rails

FindBugs - Overview!
•  Freely-available binary static analysis tool for Java
•  Main site: http://findbugs.sourceforge.net/

FxCop - Overview!
•  Free static analysis tool from Microsoft
•  Integrated into Visual Studio
•  Similar capabilities to FindBugs (but for .NET)
•  Blog: http://blogs.msdn.com/b/codeanalysis/

CAT.NET - Overview!
•  Free static analysis tool from Microsoft
•  Does dataflow analysis (rare among the free tools)
•  Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968
•  Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
•  Dinis Cruz has done some interesting work with CAT.NET and O2
   •  https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
•  Plans for future development are not clear

Brakeman - Overview!
•  Security scanner for Ruby on Rails applications
•  Static analysis
•  Finds things like SQL injection and XSS
•  Also checks for certain CVE-type vulnerabilities
•  Main site: http://brakemanscanner.org/

Agnitio - Overview!
•  Tool for supporting manual code reviews
•  Set of checklists to verify security controls
•  Some grep-like search capabilities
•  Main site: http://sourceforge.net/projects/agnitiotool/

DependencyCheck – Overview!
•  Checks for out-of-date JAR libraries with known CWE issues
•  Looks beyond JAR hashes
•  We used it to find a vulnerable library used by ThreadFix
   •  Apache POI library
   •  http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
•  Main site: https://github.com/jeremylong/DependencyCheck

Verification: Security Testing!
•  Runtime testing for security vulnerabilities
•  Web applications: automated scanners, web proxies
•  Other applications: fuzzing, protocol analysis

Dynamic Analysis
•  Integrate abuse cases into unit and automated testing
•  Use application scanning tools
•  Perform a dedicated penetration test by security staff or a 3rd party
•  Advantages
   •  Generally more time-efficient than manual code review
   •  Good for discovering logical vulnerabilities
•  Disadvantages
   •  Requires fully functional features to test
   •  Security staff may not have application security training or experience
   •  Scanning tools may have difficulty with unusual applications

Dynamic Analysis Tools
•  Automated Tools
   •  IBM Rational AppScan
   •  HP WebInspect
   •  Acunetix Vulnerability Scanner
   •  Netsparker
•  Manual Testing
   •  Zed Attack Proxy
   •  Burp
   •  Google RatProxy
   •  Browser plugins
•  Testing Scripts – Watir
•  Load and Performance testing tools – JMeter, Grinder

Arachni - Overview!
•  Open source automated web application scanner
•  Written in Ruby
•  Can be deployed in a “grid” format for faster scanning
•  Uses several different types of analysis to identify vulnerabilities
   •  Fuzzing
   •  Taint analysis
   •  Time analysis
•  Main site: http://arachni-scanner.com/

w3af - Overview!
•  Open source automated web application scanner
•  Written in Python
•  Main site: http://w3af.sourceforge.net/

OWASP ZAProxy - Overview!
•  Open source web proxy and web application scanner
•  Supports both manual and automated assessment
•  Fork of Paros Proxy
•  Exposes RESTful API
•  Main site: http://code.google.com/p/zaproxy/

Skipfish - Overview!
•  Fast web application scanner written in C
•  Maintained by Google
•  Does a lot of file/directory guessing by default
•  Main site: https://code.google.com/p/skipfish/

OpenSAMM: Deployment!
•  Vulnerability Management
•  Environment Hardening
•  Operational Enablement

Deployment: Vulnerability Management!
•  Process for managing vulnerabilities in both internal and external software
•  Goal is consistency
•  Use data from vulnerability handling to improve processes
   •  Decrease number and severity of future vulnerabilities
   •  Decrease time-to-fix

Turning Vulnerabilities Into Software Defects!
•  Security teams talk about “vulnerabilities”
•  Software developers talk about “defects”
•  Developers Don’t Speak PDF
   •  http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
•  Why should developers manage 90% of their workload in defect trackers
   •  And the magic, special “security” part of their workload … some other way?
•  ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
   •  And track their remediation status over time to schedule re-scans

ThreadFix: Defect Tracker Integration!
•  Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
•  Bundle multiple vulnerabilities into a single defect
   •  How to organize?
   •  By severity
   •  By type
   •  By location in the application
   •  Some combination
•  When the defect status changes you can schedule re-scans

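As an added illustration (not ThreadFix code and not part of the original deck), the following Python sketch shows the two steps the last two slides describe: aggregating findings from several scanners into one vulnerability per type and location, then bundling vulnerabilities into defect-tracker tickets by severity, type or location. The scanner names, severity scale and findings are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Severity scale used to roll a bundle up to its worst member (constructed)
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}
@dataclass(frozen=True)
class Finding:  # one raw result from a single scanner (constructed schema)
    scanner: str
    vuln_type: str   # vulnerability class, assumed already normalised across scanners
    path: str        # location in the application
    parameter: str
    severity: str
@dataclass
class Vulnerability:  # one aggregated vulnerability, possibly seen by several scanners
    vuln_type: str
    path: str
    parameter: str
    severity: str
    scanners: set = field(default_factory=set)

def aggregate(findings):
    """Merge findings: same type + path + parameter from any scanner => one vulnerability."""
    vulns = {}
    for f in findings:
        key = (f.vuln_type, f.path, f.parameter)
        v = vulns.setdefault(key, Vulnerability(f.vuln_type, f.path, f.parameter, f.severity))
        v.scanners.add(f.scanner)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[v.severity]:
            v.severity = f.severity  # keep the highest severity any scanner assigned
    return list(vulns.values())

def bundle(vulns, by="type"):
    """Group vulnerabilities into defects (one ticket per group) by severity, type or location."""
    keyfn = {"severity": lambda v: v.severity, "type": lambda v: v.vuln_type,
             "location": lambda v: v.path}[by]
    groups = defaultdict(list)
    for v in vulns:
        groups[keyfn(v)].append(v)
    defects = []
    for key, members in groups.items():
        worst = max(members, key=lambda v: SEVERITY_RANK[v.severity]).severity
        defects.append({"title": f"[{worst}] {by}: {key} ({len(members)} vulns)", "vulns": members})
    return defects

# Constructed sample data: two scanners, one overlapping result with differing severity
SAMPLE = [Finding("ScannerA", "SQL Injection", "/login", "user", "High"),
          Finding("ScannerB", "SQL Injection", "/login", "user", "Critical"),
          Finding("ScannerA", "XSS", "/search", "q", "Medium"),
          Finding("ScannerB", "XSS", "/profile", "name", "Medium"),
          Finding("ScannerB", "Missing HttpOnly flag", "/", "session", "Low")]
```

Running `aggregate(SAMPLE)` collapses the five findings to four vulnerabilities, and `bundle(..., by="type")` then yields three tickets while `by="location"` yields four, which is the trade-off the slide's "How to organize?" question is about.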
Deployment: Environment Hardening!
•  Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
•  Controls for operating environments:
   •  Reduce vulnerabilities in the infrastructure
   •  Enable logging and tracking

Microsoft Baseline Security Analyzer (MBSA) - Overview!
•  Runs standard checks on Windows Workstations and Servers
   •  Internet Explorer
   •  IIS
   •  SQL Server
•  Checks registry and file settings
•  2.2 Downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558

Deployment: Operational Enablement!
•  How do you install, configure and run your applications?
   •  Also updates and upgrades
•  Runtime checks and logging for intrusion detection and incident response
•  John Dickson has done some work in this area
   •  http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications

Continuous Integration and Security Testing!
•  Reduce the time between introducing security defects and knowing about them
•  Free tools mean that any project can be instrumented
   •  No licensing fees
•  ThreadFix has a REST-based API and command-line client for scripting

mod_security - Overview!
•  Open source web application firewall engine
•  Also has a Core RuleSet (CRS)
•  Traditionally has been Apache-only
   •  Runs as an Apache module (mod_security)
•  Recently announced both IIS and Nginx support
•  Main site: http://www.modsecurity.org/

Recap!
•  A software security program is more than a tool or set of tools
   •  But tools help provide automation and facilitate scale
•  OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
•  Open source tools exist to support many key activities in a software security program
•  Build and maintain relationships with the open source projects you use

Conclusions / Questions!
Dan Cornell
dan@denimgroup.com
Twitter: @danielcornell
www.denimgroup.com
www.denimgroup.com/threadfix
code.google.com/p/threadfix
(210) 572-4400