
Secure by design and secure software development


Page 1: Secure by design and secure software development

INFOSECFORCE

Application Security

Bill Ross

15 Sept 2008

“Balancing security controls to business requirements”

Page 2: Secure by design and secure software development

Security and Project Lifecycles

Security and Lifecycle Management Process (SLCMP), said “slickum”

A “practitioner’s” view…

Bill Ross

Page 3: Secure by design and secure software development

Slickum brief objectives

Purpose:

- Discuss application security issues

- Describe web application information security

- Describe a process by which software is securely developed

Expected outcome:

- An increased awareness of how to prevent web application attacks

- How to implement the SLCMP process into the SDLC

- More securely built applications and infrastructure

Page 4: Secure by design and secure software development

What You Need to Know

Source: Symantec Internet Security Threat Report, Volume XIV

Page 5: Secure by design and secure software development

Operational report

Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project.

Web and business applications are increasingly compromised around the world, causing businesses to lose millions of dollars through data compromise.

Hacking is no longer for fun; it is for profit. Internal or external hackers exploit weaknesses in application code to achieve their objectives.

Symantec’s 2008 cyber report indicates there are 1,656,227 new threats in the wild.

Page 6: Secure by design and secure software development

Common attack tools

1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the website look like they belong to a bank the user does business with.

2. Malicious code. Software (e.g., a Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. Malware: a generic term for a number of different types of malicious code.

3. Spam. Electronic junk mail or junk newsgroup postings.

4. Worms. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.

5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of the system entity that invokes the program.

6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

8. Keystroke logger. The practice of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

9. Denial of service. The prevention of authorized access to a system resource or the delaying of system operations and functions.

10. Web application attacks.

Page 7: Secure by design and secure software development

“The Cyber Battle Field”

Computer attacks on Google that the search giant said originated in China were part of a concerted political and corporate espionage effort that exploited security flaws in e-mail attachments to sneak into the networks of major financial, defense and technology companies and research institutions in the United States, security experts said. (New York Times)

Google China cyber attack part of vast espionage campaign, experts say

Washington (DC) - Yesterday, the FBI announced it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). JAN 2009

Page 8: Secure by design and secure software development

Malicious code is installed

• In 2008, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month.

• Over 60% of Symantec’s malicious code signatures were created in 2008.

• Over 90% of threats discovered in 2008 are threats to confidential information.

Source: Symantec Internet Security Threat Report

Page 9: Secure by design and secure software development

Key trends

Cyber criminals want YOUR information

• Focus on exploits targeting end-users for financial gain

Web-based malicious activity has accelerated

• Primary vector for malicious activity

• Target reputable, high-traffic websites

Increased sophistication of the Underground Economy

• Well-established infrastructure for monetizing stolen information

Rapid adaptation to security measures

• Relocating operations to new geographic areas

• Evade traditional security protection

Source: Symantec Internet Security Threat Report

“The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response. The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity. It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.

Page 10: Secure by design and secure software development

Key Trends – Global Activity

• Data breaches can lead to identity theft

• Theft and loss top cause of data leakage for overall data breaches and identities exposed

• Threat activity increases with growth in Internet/Broadband usage

• Documented vulnerabilities up 19% (5491)

• Top attacked vulnerability: Exploits by Downadup

• 95% vulnerabilities attacked were client-side

• Trojans made up 68 percent of the volume of the top 50 malicious code

• 66% of potential malicious code infections propagated as shared executable files

• 76% phishing lures target Financial services (up 24%)

• Detected 55,389 phishing website hosts (up 66%)

• Detected 192% increase in spam across the Internet with 349.6 billion messages

• 90% spam email distributed by Bot networks

Source: Internet Security Threat Report

Page 11: Secure by design and secure software development

Website compromise

• Attackers locate and compromise a high-traffic site through a vulnerability specific to the site or in a Web application it hosts

• Once the site is compromised, attackers modify pages so malicious content is served to visitors

Web application vulnerabilities

Site-specific vulnerabilities

Source: Internet Security Threat Report

Page 12: Secure by design and secure software development

Impact of Security Defects

Bad Business

• On average, there are 5 to 15 defects in every 1,000 lines of code

US Dept. of Defense and the Software Engineering Institute

Slow Business

• It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each

5 Year Pentagon Study

• Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours

Intel White paper, CERT, ICSA Labs

Loss of Business

• A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week

Gartner Group

Page 13: Secure by design and secure software development

The SDL Reduces the Total Cost of Development

The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 30 times the cost of fixes performed during the design phase.

Page 14: Secure by design and secure software development

Top 10 Web Security Threats

Unvalidated input

Broken access control

Broken authentication

Cross-site scripting (XSS)

Buffer overflows

Injection flaws

Improper error handling

Insecure storage

Application denial-of-service

Insecure configuration management

Source: SUN

Page 15: Secure by design and secure software development

Web Application Security Threats

1. Unvalidated input (mother of all Web-tier attacks)

An attacker can tamper with any part of the HTTP request (URL, cookies, form fields, hidden fields, headers). This is the entry point for SQL injection, cross-site scripting and buffer overflows.

2. Broken Access Control

Insecure IDs, poor file permissions, service account exploits, path traversal

3. Broken Authentication and Session Management

The focus is on user authentication and active user sessions. For example, if cookies are not properly protected, an attacker can assume the identity of the user.

4. Cross-site scripting

Malicious script is sent to a server and then served to other users of the same server (e.g., a chat server). The user believes the script came from a trusted source. It can come in any form of active scripting (Java, ActiveX, Shockwave, Flash, etc.).

Page 16: Secure by design and secure software development

Web Application Security Threats 2

5. Buffer Overflow Errors

Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause it to execute arbitrary code. Present in the web server or application server products, or in the web application itself.

6. Injection Flaws

Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into that information.

7. Improper Error Handling

The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker. These messages reveal implementation details that should never be revealed.

8. Application DoS

Application-level resources that can be exhausted: bandwidth, database connections, disk storage, CPU, memory, threads, or application-specific resources.
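Added example (not from the slides): threats 1, 4, 6 and 7 above in one small Python lookup handler, with the vulnerable query beside its hardened form. The in-memory sqlite3 table, the sample users and every function name are assumptions made for the example.

```python
import html
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("appsec")

# Constructed sample data standing in for the application's user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, name):
    """Threats 1 and 6: the request value is pasted into the SQL text, so
    meta-characters in it change the query's structure (SQL injection)."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# Allowlist for a username taken from the request: a lowercase letter, then
# up to 31 letters, digits or underscores. Anything else is rejected.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def lookup_user_hardened(conn, name):
    """Threat 1: validate the input; threat 6: bind it as a parameter so it
    can never become part of the SQL statement."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username fails allowlist")
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """Threat 4: escape request data before reflecting it into HTML."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def handle_request(conn, name):
    """Threat 7: the client only ever sees a generic message and an incident
    id; the stack trace goes to the server log, keyed by that id."""
    try:
        rows = lookup_user_hardened(conn, name)
        if not rows:
            return 404, "No such user"
        return 200, render_greeting(rows[0][0])
    except ValueError:
        return 400, "Invalid request"
    except Exception:  # any other failure: log the details, reveal none
        incident = uuid.uuid4().hex
        log.exception("request failed, incident=%s", incident)
        return 500, "Internal error (incident %s)" % incident
```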

Page 17: Secure by design and secure software development

Hacker targets

• From observed hacker malicious activity statistics, we know that hackers are now seldom interested in defeating the network or the low-level infrastructure defenses. The adversaries today are well aware of the fact that applications are typically less defended than the rest of the IT infrastructure.

Source: IBM

Attack vector analyses

A Gartner report states “that over 75% of attacks against websites and web-based applications come at the application layer and not lower infrastructure and network layers.”

Page 18: Secure by design and secure software development

Application security paradox

Source: SPI Dynamics

Diagram: Internet → DMZ → Trusted Inside → Corporate Inside. Protocols shown: HTTP(S), IMAP, FTP, SSH, Telnet, POP3, XML.

Firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server (rule: Any → Web Server: 80).

Firewall only allows applications on the web server to talk to the application server.

Firewall only allows the application server to talk to the database server.

Web server tier: IIS, SunOne, Apache. Application server tier: ASP.NET, WebSphere/Java. Database tier: SQL, Oracle, DB2.

Applications, data and business processes are vulnerable even when a robust network and infrastructure security program is in place.

Page 19: Secure by design and secure software development

Hacking the Super Bowl

Is nothing sacred anymore????

Super Bowl exploits

“At last week's RSA Conference in San Francisco, just days after the Super Bowl attack, I sat down with Thompson. On his laptop, he showed me the simple line of Javascript code that pointed Super Bowl site visitors to a known criminal hacker exploit server. Apparently, there was a cross-site scripting error on the official Super Bowl Web site that allowed some criminal hackers to inject a poisoned iFrame command. And it wasn't just the Super Bowl site--it turns out there were several others, mostly healthcare related, including the U.S. Centers for Disease Control”

Source: Robert Vamosi, Senior Editor, CNET Reviews

Page 20: Secure by design and secure software development

How did this happen?

Business engines fueled by multiple and powerful applications

Page 21: Secure by design and secure software development

Expanding “e-com” perimeter

Microsoft’s vision for secure and easy “anywhere access”

Bill Gates, 2007 RSA

Page 22: Secure by design and secure software development

Expanding “e-com” perimeter (continued)

Social networks, iPod, iPad as a network, “peripheral-geddon” and “THE CLOUD”

Page 23: Secure by design and secure software development

Security coding errors

Page 24: Secure by design and secure software development

Prevent & fortify

Page 25: Secure by design and secure software development

This… IBM believes

Application Security Strategies

Engineering security into application systems is a critical discipline and should be a key component in multi-disciplinary, concurrent or distributed development teams. This applies to the development, integration, operation, administration, maintenance and evolution of e-Business application systems as well as to the development, delivery, and evolution of software-based products.

Source: IBM

Page 26: Secure by design and secure software development

Security Business Case

Security Defects Matter

Frequent

• 3 out of 4 business websites are vulnerable to attack (Gartner)

Pervasive

• Majority of hacks occur at the Application level (Gartner)

Undetected

• QA testing tools not designed to detect security defects in applications

Expensive

• Bugs and software defects cost the national economy $60 billion annually … delivering quality applications to the market has become a mandatory requirement … the cost of fixing defects after deployment is almost 100 times greater than detecting and eliminating them during development.

1000 application sample ‘Healthchecks’ with AppScan – 98% vulnerable: all had firewalls and encryption solutions in place…

Source: Seagate Technology

Page 27: Secure by design and secure software development

Best practice solutions

Application security requirements define the high-level specifications for securely developing and deploying applications.

Application Planning

Data Classification – Classify data according to the sensitivity of the data.

Risk Assessment – Conduct a preliminary risk assessment before development begins and after planning is complete.

Security Requirements – Identify and document the security requirements of the application early in the development lifecycle.

Security Design – Use the Data Classification process to determine the specific security services needed by the application.

SDLC – Address security within all stages of the SDLC.

Application Development – minimal set of coding practices

Input Validation – Validate input from all sources.

Default Deny – Access control should be based on specific permission rather than exclusion. By default all access should be denied.

Principle of Least Privilege – Perform all processes with the least set of required privileges.

Quality Assurance – Quality assurance identifies and eliminates software vulnerabilities.

Perform Internal Testing – Use source code auditing, pen testing, manual code review, or automated source code review.

Production and Maintenance

Applications shall be hosted on servers compliant with the corporate security requirements for IT system hardening.

Applications classified as sensitive shall at a minimum have annual vulnerability assessments, when a significant change to the application has occurred, or depending on the data sensitivity and risk.

Page 28: Secure by design and secure software development

Principles of Secure Programming

TARGET THESE AREAS

Minimize attack surface area

Secure defaults

Principle of least privilege

Principle of defense in depth

Fail securely

External systems are insecure

Separation of duties

Do not trust security through obscurity

Simplicity

Fix security issues correctly

Source: SUN
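Added example (not from the slides) for the default-deny coding practice on the previous slide and the least-privilege, fail-securely and separation-of-duties principles above: the exclusion-style check the slides warn against beside a policy that allows only what an explicit grant covers. The ledger roles, the blocklist and all names are constructed for the example.

```python
# Constructed sample blocklist, as used by an exclusion-based check.
DENIED = {("guest", "ledger", "write")}


def allowed_by_exclusion(role, resource, action):
    """Exclusion: anything not explicitly denied is allowed, so an action the
    blocklist author never thought of (say, 'export') goes straight through."""
    return (role, resource, action) not in DENIED


class DefaultDenyPolicy:
    """Specific permission: a request is allowed only when an explicit grant
    matches it. Unknown roles, resources, actions and unauthenticated callers
    are all denied without needing a special case (fail securely)."""

    # Separation of duties: action pairs one role may not hold on a resource.
    CONFLICTING = {frozenset({"submit", "approve"})}

    def __init__(self):
        self._grants = {}  # role -> {(resource, action), ...}

    def grant(self, role, resource, action):
        held = self._grants.setdefault(role, set())
        for res, act in held:
            if res == resource and frozenset({act, action}) in self.CONFLICTING:
                raise ValueError(
                    f"separation of duties: {role} cannot hold both "
                    f"{act} and {action} on {resource}"
                )
        held.add((resource, action))

    def is_allowed(self, roles, resource, action):
        if not roles:  # no authenticated role resolved: deny
            return False
        return any(
            (resource, action) in self._grants.get(r, ()) for r in roles
        )

    def minimal_role(self, needed):
        """Least privilege: among roles whose grants cover every needed
        (resource, action) pair, pick the one carrying the fewest grants."""
        needed = set(needed)
        candidates = [r for r, g in self._grants.items() if needed <= g]
        if not candidates:
            return None
        return min(candidates, key=lambda r: len(self._grants[r]))


def sample_policy():
    """Constructed ledger policy used to exercise the checks above."""
    p = DefaultDenyPolicy()
    p.grant("clerk", "ledger", "read")
    p.grant("clerk", "ledger", "submit")
    p.grant("auditor", "ledger", "read")
    p.grant("manager", "ledger", "read")
    p.grant("manager", "ledger", "approve")
    return p
```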

Page 29: Secure by design and secure software development

Application security risk analyses

Risk – Multiple avenues of attack on organizational vital information assets

Threat – Numerous threats such as SQL injection, cross-site scripting, buffer overflow

Vulnerability – Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls

Relevant controls – Hardened infrastructure (will not block port 80 attacks)

Likelihood rating – High

Risk impact rating – High

Overall risk rating – High

Risk summary – High

Risk mitigation – Follow application security planning, development and production best practices. Build security into all SDLC phases.

Page 30: Secure by design and secure software development

SLCMP

Embed information security in the SDLC and PLCMP by applying the practices and procedures defined in SLCMP

Page 31: Secure by design and secure software development

An art form

“Building highly secure software is nothing less than an eloquently choreographed dance that calls upon the talent and skills of the developer, project manager and information security teaming to ensure that an application securely glides with grace across the technical stage”

Page 32: Secure by design and secure software development

SLCMP and the SDLC … “The Dance”

Phases: Initiate → Design/Develop → Implement → Pre prod → Prod → Post Prod

SDLC track:

- Statement of need for new business process, application or technology

- Functional requirements document designed

- Design and technical architecture developed

- Code development

- 1st phase prod testing

- QA

- Production

- Server cert

- 2nd phase prod testing

SLCMP (INFOSEC) track:

- INFOSEC participation in feasibility analyses, no documentation required

- Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done. Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted.

- INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments

- Integrate controls and create detailed application security test plan defining testing tools, timelines, remedial action processes and testers. Gain approval from project manager.

- First phase application security testing. Once code begins solidifying, use soft tools such as AppScan or SPI Dynamics for high-level testing. Feed findings back to developers for code correction.

- Second phase app security testing using a formalized process to decompile code as much as possible to determine if the code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide them to developers to fix or define mitigating controls. Aspect Security has expertise in this area.

- Third phase app security test, which follows the phase one testing process. Used as final verification that code is stable from an INFOSEC perspective.

- Create final risk acceptance document

- Application and infrastructure penetration testing

- Ongoing pen tests, vulnerability assessments, risk management

** Security certification and accreditation should be finalized

Page 33: Secure by design and secure software development

SLCMP Deliverables

Initiate:

- Data security categorization

- Preliminary risk assessment

Develop:

- Security plan

- Risk assessment

- Functional requirements analyses

- Assurance requirements

- Control selection

- Security architecture

- Functional and vulnerability test plan

- First phase testing

- Additional planning assignments

Implement:

- Security control integration

- Second phase app security testing

- Third phase app security testing

- Security certification

- Security accreditation

Production:

- Threat management

- Configuration management and control

- Continuous monitoring

- Incident response plan

Page 34: Secure by design and secure software development

SLCMP and the PLCMP

Flow: INPUT → SECURITY PLAN → FEEDBACK

Initiate

PLCMP: Demand manager reviews the request and categorizes project type as a small, medium, or larger project.

• Architecture Standards and Convergence • Project Review • Scoping • Solution Design • Cost Estimation

SLCMP:

• Define security requirements • Preliminary risk assessment

• Design security controls • Begin organizing security plan development

Design/Develop

PLCMP: Control selection begins. Defines high-level technical and security architecture. Detailed technical and security design.

• Security architecture • Design and technical architecture developed • Architecture Review • Detailed Design • Level 4 Support design

SLCMP:

• Data and infrastructure categorization • Risk assessment • Functional requirements analyses • Assurance requirements analyses • Control selection and standard integration

• Security architecture • Security test plan design • Control selection and standard integration

Implement

PLCMP: Validate designs, validate cost estimates, and implement final solutions and designs.

• Implementation • Change Management • Capacity Monitoring • Day to Day Operations planning

SLCMP:

• Security control integration • Security penetration and vulnerability testing • Security certification • Security accreditation • Final risk assessment

Production

PLCMP: Operations provide operational support for all final solutions and designs implemented as part of the infrastructure.

• Patch management • Monitoring • Incident response • Security administration • KPI reporting on security metrics

SLCMP:

• Threat management • Ongoing pen and vulnerability testing • Determines validity of security architecture • Determines security process shortfalls • Determines product successful functionality and shortfalls • Security administration • Security monitoring

Page 35: Secure by design and secure software development

SLCMP adopted guidelines

SLCMP INPUTS (Source: NIST)

Starting Point

Security Categorization – FIPS 199 / SP 800-60 – Defines category of information system according to potential impact of loss

Security Control Selection – FIPS 200 / SP 800-53 – Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system

Security Control Refinement – SP 800-53 / FIPS 200 / SP 800-30 – Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements

Security Control Documentation – SP 800-18 – In the system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place

Security Control Implementation – SP 800-70 – Implements security controls in new or legacy information systems; implements security configuration checklists

Security Control Assessment – SP 800-53A / SP 800-26 / SP 800-37 – Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements

System Authorization – SP 800-37 – Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing

Security Control Monitoring – SP 800-37 – Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness

Page 36: Secure by design and secure software development

SLCMP Benefits

Fortified applications or infrastructure projects

Hardened against internal and external attack

Meets regulatory compliance mandates

Enhances IS staff knowledge and capability

Reduces long term costs

SLCMP ROI

Page 37: Secure by design and secure software development

Conclusions

• 80% of all attacks on Information Security are directed to the web application layer

• 2/3 of all web applications are vulnerable

• Infrastructure security doesn’t directly protect code

• The cost of fixing defects after deployment is almost one hundred times greater than detecting and eliminating them during design

• One of the most significant risk mitigations an organization can implement is to create a consistent end-to-end process such as the SLCMP to embed security and security testing and certification in infrastructure and software development projects

Page 38: Secure by design and secure software development


QUESTIONS

Page 39: Secure by design and secure software development


BACK UP SLIDES

Page 40: Secure by design and secure software development

Initiate deliverables

Data security categorization – Rate application importance as a low, medium, or high impact application. This is a business impact analysis which defines the impact on an organization if security controls are breached. Leads to proper selection of the security controls required.

Preliminary risk assessment – Measures application/project requirements against policy and provides functional adjustments. Security requirements are stated based on preliminary risk and vulnerability assessments. If necessary, the requirements document is adjusted. Focuses on early assessment of the application's requirements for confidentiality, integrity and availability (CIA).

Page 41: Secure by design and secure software development

Develop and design

Risk assessment – Conducted before the approval of the design specifications. Builds on the initial risk assessment but is more specific. Identifies possible threats/vulnerabilities. Determines impact on the organization if a threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development team.

Security plan – Foundation for the entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented.

Functional requirements analyses – Ensure that enterprise security policy and standards are followed. Determine which laws must be followed by the application.

Assurance requirements analyses – Determine what level of certification the application requires. For example, government applications might require a FISMA C&A.

Page 42: Secure by design and secure software development

Develop… continued

Control selection – Can refer to security control standards or use a NIST-like Information Security Requirements List to define the security environment that an application, service, or project should meet.

Security architecture – Multi-faceted security product linking all controls, standards, policies, governance, platform hooks, database management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely a section of the Security plan.

Functional and vulnerability test plan – Multi-phase technical plan designed to ensure security controls work and that business logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models.

First phase testing – Provides developers an early high-level look at code stability.

Additional planning components – RFPs, SOW, funding, test lab, software requirements, staff increases, etc.

Page 43: Secure by design and secure software development

Implement deliverables

Security control integration – Security control settings and switches enabled in accordance with the Security plan and architecture.

Second phase app security testing – Formalized process to decompile code as much as possible to determine if the code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide them to developers to fix or define mitigating controls. Aspect Security has expertise in this area.

Third phase app security testing – Verifies second phase corrections. Uses the application security test tool following the phase one testing process. Used as final verification that code is stable from an INFOSEC perspective.

Security certification – Pen testing, third-party evaluation, test plan results approved, servers hardened and certified, control effectiveness, governance attestation.

RMP/Security accreditation – End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed.

Page 44: Secure by design and secure software development

Production deliverables

Threat management – TM preventive guidance is found in the security plan. Ongoing oversight of the environment entailing constant environmental and risk management vigilance surrounding the operational environment.

Configuration management and control – Operational process and plan to ensure the environment receives current security patches and other software preventive updates, ensuring application or environment integrity is maintained.

Continuous monitoring – Implement a vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work.

Incident response plan – The local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.

Page 45: Secure by design and secure software development

SDLC/PLCMP Deliverables

Initiate

- Data security categorization

- Security Plan

- Preliminary risk assessment

Design and develop

- Risk assessment

- Functional requirements analyses

- Assurance requirements

- Control selection

- Security architecture

- Functional and vulnerability test plan

- First phase testing

- Additional planning assignments

Implement

- Security control integration

- Second phase app security testing

- Third phase app security testing

- Security certification

- Security accreditation

- Final risk acceptance document

Production

- Threat management

- Configuration management and control

- Continuous monitoring

- Incident response plan

REF: NIST 800-53