Secure SDLC for Software

Session E2 Secure SDLC for Software Assurance Date: Monday, 19 April 2010 Time: 1:30pm - 3pm Shreeraj Shah Founder and Director, Blueinfy; Author, Web 2.0 Security and Web Hacking: Attacks and Defense

Who Am I? Founder & Director Blueinfy Solutions Pvt. Ltd. (Brief) SecurityExposure.com Past experience Net Square, Chase, IBM & Foundstone Interest Web security research Published research Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc. Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc. Advisories - .Net, Java servers etc. Books (Author) Web 2.0 Security – Defending Ajax, RIA and SOA Hacking Web Services Web Hacking http://shreeraj.blogspot.com [email_address] http://www.blueinfy.com

SOFTWARE/APPLICATION SECURITY (STATE)

Root cause of Vulnerabilities CSI Security Survey : Vulnerability Distribution misconfiguration, other problems 36% programming errors 64% misconfiguration, other problems programming errors

Source Code Issues 1 Security defect per 10,000 lines Reported 30,000+ at CVE 6000+ at IBM X-Force 70% developers are working on application coding 4 in top 5 vulnerabilities are on application layer Expensive to fix them.

Vulnerable State Expected State Exception Handler Decision Integer/ Number Special Characters A-Z Characters Input Potential Exploitation Enterprise level bugs

Threats and Controls Source – Web Application Security Consortium

CVE/CWE - Errors Insecure Interaction Between Components These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems. CWE-20 : Improper Input Validation CWE-116 : Improper Encoding or Escaping of Output CWE-89 : Failure to Preserve SQL Query Structure (aka 'SQL Injection') CWE-79 : Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') CWE-78 : Failure to Preserve OS Command Structure (aka 'OS Command Injection') CWE-319 : Cleartext Transmission of Sensitive Information CWE-352 : Cross-Site Request Forgery (CSRF) CWE-362 : Race Condition CWE-209 : Error Message Information Leak Source – CWE/CVE - http://cwe.mitre.org/top25/index.html

CVE/CWE - Errors Risky Resource Management The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources. CWE-119 : Failure to Constrain Operations within the Bounds of a Memory Buffer CWE-642 : External Control of Critical State Data CWE-73 : External Control of File Name or Path CWE-426 : Untrusted Search Path CWE-94 : Failure to Control Generation of Code (aka 'Code Injection') CWE-494 : Download of Code Without Integrity Check CWE-404 : Improper Resource Shutdown or Release CWE-665 : Improper Initialization CWE-682 : Incorrect Calculation Source – CWE/CVE - http://cwe.mitre.org/top25/index.html

CVE/CWE - Errors Porous Defenses The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored. CWE-285 : Improper Access Control (Authorization) CWE-327 : Use of a Broken or Risky Cryptographic Algorithm CWE-259 : Hard-Coded Password CWE-732 : Insecure Permission Assignment for Critical Resource CWE-330 : Use of Insufficiently Random Values CWE-250 : Execution with Unnecessary Privileges CWE-602 : Client-Side Enforcement of Server-Side Security Source – CWE/CVE - http://cwe.mitre.org/top25/index.html

Enterprise SDLC 1. Analysis and Assessment 2. Design Specification 3. Software Development 4. Implementation 5. Support 6. Performance Monitoring

Missing in SDLC SDLC is independent of security concerns Analysis without security perspective Vulnerabilities discovered after deployment and development Hard and difficult to fix Very costly to fix bugs Industry is moving towards security aware SDLC

Application Security Cycle Architecture Blackbox Whitebox Defense Architecture Review Design Review Technology Review Threat modeling Assessment Audit controls Penetration tests Deployment tests Configuration review Deployment review Code review Threat correlation Secure coding Configuration lockdown Content filtering Threat mitigation

SAMM Software Assurance Maturity model (SAMM) OWASP is running with new project Defining maturity of security in the organization Specific domain based and activity driven It is new approach Need to see industry’s adaptation to it http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model

SAMM in nutshell Governance Strategy and Metrics Policy and Compliance Education and Guidance Construction Threat Assessment Security Requirement Secure Architecture Verification Design Review Code Review Security Testing Deployment Vulnerability Management Environment Hardening Operational Enablement

Methodology, Scan and Attacks Footprinting & Discovery Enumeration & Crawling Attacks and Scanning Config Scanning Web Firewall Secure Coding Assets Secure Assets Black White Defense Code Scanning

Black vs. White Architecture Review Scoping Footprinting Discovery Enumeration & Profiling Security Controls & Cases Vulnerability Assessment Threat Modeling Mitigation strategies Reporting Sample Security Control Categories – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Services, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing. Architecture Review Scoping Threat Modeling Code Enumeration Security Controls & Cases Entry Point Discoveries Class, Function & Variable Tracing Code Mapping and Functionality Vulnerability Detection Mitigation Controls Reporting Black White

White vs. Black Scope of coverage Blackbox method uses crawling and spidering to determine all possible resources Application assets are residing in JavaScript and various other tags in HTML, it makes asset detection very difficult and blackbox approach fails in many cases. If one is using whitebox approach then not a single line of code will get missed and scope can be covered at 100%. Whitebox can do much better job when comes to covering the scope of the source.

White vs. Black Discovery and Detection Blackbox testing uses signature analysis for vulnerability detection. Example, it looks for ODBC error for SQL injection and so on. If errrors are missing … Blackbox fails in those cases Whitebox good to go

White vs. Black Accuracy of Vulnerability Accuracy of vulnerability is very important as well. Blackbox is inaccurate in some cases Came up false +/-

White vs. Black Cause Identification One of the major challenges is to identify actual cause of the vulnerability. Blackbox shows symptoms Whitebox can pin point the cause

Limitations Blackbox Vulnerabilities get missed Not full coverage Vuln found? But where is the source of it? Developer’s question – where should I go and fix? – Location WAF – easy to bypass Missing rules Too much to put on WAF, may not work …

Domain centric approach - MUSTs Authentication Authorization Error Handling Input Validations Data Validation Crypto and Secret Handling Business Logic Handling Session and Identity Handling Client Side Controls Auditing and Logging

Two components SDLC should have two important components from software security perspective Threat modeling Source code analysis

QueryString POST name and value pairs XML/JSON etc. HTTP variables Cookie etc. File attachments uploads etc. Feeds and other party information Open APIs and integrated streams HTTP Response variables JSON/XML streams API - steams Entry Point Review

Mapping Key Parameters Steps Input Output Identify Application objectives Business Requirements List of Key Objectives Overview of the Application Architecture Architecture diagrams Functional specifications List of Key Technologies End to End Architecture implementation details In - depth Application Analysis: Data Flow diagrams Technical specifications Trust boundaries Entry points Exit points Data flows Identify threats & vulnerabilities Well Known Threats/ Knowledge of the same from the Internet Threat Trees Threat & Vulnerabilities list

Static Code Analysis Static code analysis is very old technique to determine code quality. Analyzing compiled and object code All analysis we can do without actually executing the application can be called static code analysis. Static application code analysis with security perspective is one of the most powerful tools for whitebox analysis. In this case there is no object code available but applications are in clear text in source only.

Traditional checks void temp( char *pszIn ) { char szBuff[10]; strcpy(szBuff, pszIn); . . . }

Application challenges Application entry points are scattered and multiple, number of entry points are coming over HTTP traffic and some times tricky to detect. Web 2.0 applications are running with Web Services using protocols like SOAP, XML-RPC or REST. Application layer tracing is also difficult and challenging since it is across multiple pages along with some intermediate framework code. Source code analysis has different technologies and modules involved in the process and it makes very difficult. One important aspect is client side coding and modules like Ajax, JavaScript, Flash and Silverlight. Static code analysis needs some expertise in doing binary and object code analysis as well over application code.

Simple presentation ASP.NET <%@ Page Language="C#" AutoEventWireup="true" CodeFile=" Cmdexec.aspx.cs " Inherits="Cmdexec" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head runat="server"> <title>Untitled Page</title> </head> <body style="font-size: 12pt"> <form id="form1" runat="server"> <div> Enter the filename to view your contract: <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox> <asp:Button ID="Button1" runat="server" OnClick="Button1_Click1" Text="Submit" /><br /> <br /> <asp:Label ID="Label1" runat="server" Height="355px" Text="Label" Width="544px"></asp:Label></div> </form> </body> </html>

Code behind calls using System; … … using System.IO; public partial class Cmdexec : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { Label1.Visible = false; } protected void Calendar1_SelectionChanged(object sender, EventArgs e) { } protected void Button1_Click1(object sender, EventArgs e) { Label1.Visible = true; Label1.Text = ""; System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics.ProcessStartInfo(); psi.FileName = @"C:\WINDOWS\system32\cmd.exe"; psi.Arguments = @"/c type c:\\contracts\\" + TextBox1.Text + @" > c:\\contracts\\contract.txt"; psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; System.Diagnostics.Process.Start(psi); System.Threading.Thread.Sleep(3000); TextReader textRead = new StreamReader("c:\\contracts\\contract.txt"); Label1.Text = textRead.ReadToEnd(); textRead.Close(); } }

Running on Object Code D:\cmddeploy>dir /S Volume in drive D has no label. Volume Serial Number is 0859-A6D9 Directory of D:\cmddeploy 12/09/2008 01:58 PM <DIR> . 12/09/2008 01:58 PM <DIR> .. 12/09/2008 01:58 PM <DIR> bin 12/09/2008 01:58 PM 86 Cmdexec.aspx 12/09/2008 01:58 PM 50 PrecompiledApp.config 2 File(s) 136 bytes Directory of D:\cmddeploy\bin 12/09/2008 01:58 PM <DIR> . 12/09/2008 01:58 PM <DIR> .. 12/09/2008 01:58 PM 7,680 App_Web_t_pyp492.dll 12/09/2008 01:58 PM 341 cmdexec.aspx.cdcab7d2.compiled 2 File(s) 8,021 bytes Total Files Listed: 4 File(s) 8,157 bytes 5 Dir(s) 282,451,968 bytes free

Running on reverse engineering D:\cmddeploy\bin>ildasm /TEXT App_Web_t_pyp492.dll | grep System.Diagnostics.Pro cess .locals init (class [System]System.Diagnostics.ProcessStartInfo V_0, IL_001c: newobj instance void [System]System.Diagnostics.ProcessStartIn fo::.ctor() IL_0028: callvirt instance void [System]System.Diagnostics.ProcessStartIn fo::set_FileName(string) IL_0048: callvirt instance void [System]System.Diagnostics.ProcessStartIn fo::set_Arguments(string) IL_004f: callvirt instance void [System]System.Diagnostics.ProcessStartIn fo::set_WindowStyle(valuetype [System]System.Diagnostics.ProcessWindowStyle) IL_0055: call class [System]System.Diagnostics.Process [System]System .Diagnostics.Process::Start(class [System]System.Diagnostics.ProcessStartInfo)

Object vs. Source Source code is in natural languages like C#, Java or PHP, while object code is lowered and optimized in intermediate or machine understandable languages. Source code is easier to grasp and can help in identifying developer’s intent, logic and approach. Object code just is not enough for security analysis, say for example we know there is simple vulnerability but we need to link to the actual source code line number. Object code is easier to analyze as far as resolving perspective is concern. Source code analysis needs powerful parser and it is very dependent on language to language. Source code is actual code written by developers and full information is in it like comment or other intentions. Also, for some one to share it is easier to ship object code compared to source code. (IP issues)

Techniques Data flow analysis Tainted flow analysis Signature analysis Code Mapping and Layering

Attack Surface Source Code is having probable attack surface Attack surface is defined by entry points Entry points are exploited by attackers Attacker passes payload from these points and try to exploit the system Attack surface determination and entry point identification are very critical

GET/POST GET /login.aspx? username=shah HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive POST http://example.com/cgi-bin/search.cgi HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10 Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5 Keep-Alive: 300 Referer: http://example.com/ Content-Type: application/x-www-form-urlencoded Content-Length: 17 search=searchtext

XML-RPC POST /trade-rpc/getquote.rem HTTP/1.0 TE: deflate,gzip;q=0.3 Connection: TE, close Host: xmlrpc.example.com Content-Type: text/xml Content-Length: 161 <?xml version="1.0"?> <methodCall> <methodName>stocks.getquote</methodName> <params> <param><value><string> MSFT </string></value></param> </params> </methodCall>

SOAP <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <getQuotes xmlns="http://tempuri.org/"> <compid>MSFT</compid> </getQuotes> </soap:Body> </soap:Envelope>

REST <?xml version="1.0"?> <p:Laptops xmlns:p="http://laptops.example.com" xmlns:xl="http://www.w3.org/1999/xlink"> <Laptop id="0123" xl:href="http://www.parts-depot.com/laptops/0123"/> < Laptop id="0348" xl:href=" http://www.parts-depot.com laptops /0348 "/> < Laptop id="0321" xl:href="http://www.parts-depot.com/ laptops /0321"/> … … </p:Laptops>

JSON message = { from : "john@example.com", to : "jerry@example.com", subject : "I am fine", body : "Long message here", showsubject : function(){document.write(this.subject)} };

File calls <form name="Form1" method="post" action="ContractUpload.aspx" id="Form1" enctype="multipart/form-data"> It is taking input as file as below, <input name="uplTheFile" type="file" id="uplTheFile" />

RSS - Feed <rss version="2.0"> <channel> <title>Example News</title> <link>http://example.com/</link> <description>News feed</description> <language>en-us</language> <pubDate>Tue, 10 Jun 2006 04:00:00 GMT</pubDate> <lastBuildDate>Tue, 10 Jun 2006 09:41:01 GMT</lastBuildDate> <docs>http://example.com/rss</docs> <generator>Weblog Editor 2.0</generator> <item> <title>Today's title</title> <link>http://example.com/10thjune.asp</link> <description>News goes here</description> <pubDate>Tue, 03 Jun 2006 09:39:21 GMT</pubDate> <guid>http://example.com/news.html#item300</guid> </item> ... </item>

Entry Points – Client Side HTTP response – All headers as well as HTML content JavaScripts coming from server Ajax/RIA calls consuming different structures which we have discussed like JSON, XML, JS-Object etc. Callbacks – Modern days applications are using callback mechanism so data coming from browser can be injected into DOM using script functions. Browser making API calls across domains

HTTP to Source http://192.168.1.50/Searchresult.aspx?ReferenceId=microsoft GET /Searchresult.aspx?ReferenceId=microsoft HTTP/1.1 Host: 192.168.1.50 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cache-Control: max-age=0 protected void Page_Load(object sender, EventArgs e) { if (!Page.IsPostBack) { bindresult(Request.QueryString["ReferenceId"].ToString()); } }

Interesting… Request.Cookie – To access cookie values Request.Form – Form parameters Request.File – File parameter Request.ServerVariables – Access to server variables

In compiled code IL_0007: callvirt instance class [System]System.Collections.Specialized.NameValueCollection [System.Web]System.Web.HttpRequest::get_QueryString() IL_000c: ldstr "id"

Simple scan… import sys import os import re def scan4request(file): infile = open(file,"r") s = infile.readlines() linenum = 0 print 'Request Object Entry:' for line in s: linenum += 1 p = re.compile(".*.[Rr]equest.*[^\n]\n") m = p.match(line) if m: print linenum,":",m.group() file = sys.argv[1] scan4request(file)

Rules… # Rules file for AppCodeScan # This file is specific for ASP/ASP.NET applications (Just a sample rules) - all regex patterns #Scanning for Request Object Entry Points .*.Request.* #Scanning for ASP.NET app entry points .*.<asp:FileUpload.*?> .*.<asp:TextBox.*?> .*.<asp:HiddenField.*?> .*.<asp:Login.*?> .*.<asp:PasswordRecovery.*?> .*.<asp:ChangePassword.*?>

Java <% if ( request.getParameter("username") != null ) {%> HttpServletRequest doGet doPost Request Struts public class NameAction extends Action {

PHP/Coldfusion PHP $_GET[“var”] $_POST[“var”] $_REQUEST[“var”] Coldfusion #URL.name# - Getting from querystring “name” Similarly we can identify entry points for other aspects like POST or such by following list of key words FORM/form SERVER/server CLIENT/client SESSION/session

Web 2.0 Web Services and SOA entry points

Making POST POST /ws/dvds4less.asmx HTTP/1.0 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433) Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/getProductInfo" Host: 192.168.1.50 Content-Length: 317 Expect: 100-continue Connection: Keep-Alive <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getProductInfo xmlns="http://tempuri.org/"><id>1</id></getProductInfo></soap:Body></soap:Envelope>

Code for Web Services <%@ WebService Language="c#" Class="dvds4less" %> <%@ Assembly name="Microsoft.Data.SqlXml" %> using Microsoft.Data.SqlXml; using System.Xml; using System; using System.Web.Services; using System.Data.SqlClient; using System.IO; public class dvds4less { [WebMethod] public string Intro() { return "DVDs4LESS - Information APIs for web application usage and other business usage"; } [WebMethod] public string getProductInfo(string id) { … . Code for this function }

JSON-RPC <%@ WebHandler Class="JayrockWeb.DemoService" Language="C#" %> namespace JayrockWeb { using System; using System.Configuration; using System.Data; using System.Data.SqlClient; using System.Collections; using System.Collections.Specialized; using System.Web; using System.Web.SessionState; using System.Web.UI; using System.Web.UI.WebControls; using System.Drawing; using Jayrock.Json; using Jayrock.JsonRpc; using Jayrock.JsonRpc.Web; [ JsonRpcHelp("This is a JSON-RPC service that demonstrates the basic features of the Jayrock library.") ] public class DemoService : JsonRpcHandler, IRequiresSessionState { [JsonRpcMethod("getProduct", Idempotent = true)] [ JsonRpcHelp("Returns Product Info") ] public DataSet GetProductSet(string id) { … . Code goes here… }

Java based import org.apache.axis.AxisFault; import org.apache.axis.MessageContext; import org.apache.axis.transport.http.HTTPConstants; public class echo { public String echowebservices(String echo) { return echo; } }

PHP <?php require_once('nusoap/nusoap.php'); // ------ Implemention of method // ---- getLang(langTo) ------------------------------------------------------ function getLang($langTo) { $trText = array( "bonjour" => "french", "ciao" => "italian", "hallo" => "german", "namaste" => "hindi" ); $greeting = ""; $key = array_search($langTo, $trText); $greeting = array_keys($trText[$langTo]); return $greeting; }

Tainted variables If variable or entry point is injected with payload then it can have significant impact Impact analysis needs to be done Impact is dependent on the hit points across application Interesting for vulnerability scanning perspective

Types - Impact Three important aspects of entry points and process towards end point, Data point – entry points are bringing simple new data to the application and based on that it is going to database or file system. Logic point – It has information which get consumed in the business logic and it makes business decisions Event points – Certain information coming from user can trigger an event inside the application. These are event points, like calling LDAP server or such.

Simple tracing… import sys import os import re def scan4trace(file,var): infile = open(file,"r") s = infile.readlines() print 'Tracing variable:'+var linenum=0 for line in s: linenum += 1 p = re.compile(".*."+var+".*") m = p.match(line) if m: print "[",linenum,"]",line file = sys.argv[1] var = sys.argv[2] scan4trace(file,var)

Running… D:\sca-rb>trace.py d:\cmd\Cmdexec.aspx.cs TextBox1 Tracing variable:TextBox1 [ 33 ] psi.Arguments = @"/c type c:\\contracts\\" + TextBox1.Text + @" > c:\\contracts\\contract.txt"; D:\sca-rb>trace.py d:\cmd\Cmdexec.aspx.cs psi Tracing variable:psi [ 31 ] System.Diagnostics.ProcessStartInfo psi = new System.Diagnostics. ProcessStartInfo(); [ 32 ] psi.FileName = @"C:\WINDOWS\system32\cmd.exe"; [ 33 ] psi.Arguments = @"/c type c:\\contracts\\" + TextBox1.Text + @" > c:\\contracts\\contract.txt"; [ 34 ] psi.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; [ 35 ] System.Diagnostics.Process.Start(psi);

Information Leaks .*.StackTrace.*? .*.printStackTrace.*? .*.response.write.*?

CONCLUSION – QUESTIONS! [email_address] http://www.blueinfy.com

Secure SDLC for Software

More Related Content

What's hot

Similar to Secure SDLC for Software

More from Shreeraj Shah

Secure SDLC for Software