
Software Security

The Bigger Picture

Rudolph Araujo
Senior Principal, Foundstone Professional Services
rudolph@foundstone.com
www.codesecurely.org

6th OWASP AppSec Conference, Milan - May 2007

Copyright 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the
terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this
license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation
http://www.owasp.org/
Who am I?

Developer for over 10 years
  Foundstone / McAfee
  Morgan Stanley
  BindView
Microsoft Visual Developer Security - MVP
Masters from Carnegie Mellon University
  Computer Science / Information Security
Areas of expertise: C / C++ / C#, Windows / Unix

6th OWASP AppSec Conference Milan May 2007


Agenda

State of Software Security
Defining a Security Frame
Security Requirements Engineering
Security Acceptance Testing
Security Knowledge Management
Parting Thoughts
Q&A

STATE OF SOFTWARE SECURITY
The Stages of Software Security

Innocence

No formal security requirements
Security flaws are identified through:
  Penetration Testing
  Security Incidents


Application Security Awareness

Penetrate & Patch
  Bug fixing late in the lifecycle is extremely expensive and time consuming
  Reactive approach
Application Security
  Identifies and corrects instances of security issues in applications
  Tactical, near-term approach to securing an application


Application Security Enlightenment

Push security earlier in the lifecycle
Threat Model the Application
  Structured approach for identifying, evaluating and mitigating risks to system security
  Models the system as an attacker would see it, with the advantage of knowing the internals
Code Review the Application


Software Security Awareness

Application Security is expensive and time consuming
Vulnerabilities are still found year after year
Application Security Enlightenment is false enlightenment
  Addressing the symptoms and not the disease


Software Security Awareness

Root cause analysis determines the sources of insecure software
  People: lack of security knowledge and motivation
  Process: reactive approach to security issues
  Technology: lack of appropriate tools


Software Security Enlightenment

Create a holistic Software Security program
  Integrate security into all phases of the SDLC
  High-ROI activities first
Not all software security programs are identical
  Build a program to meet your needs


State of Software Security

DEFINING A SECURITY FRAME

Defining a Security Frame


Foundstone Software Security Frame

Configuration Management
Data Protection in Storage & Transit
Authentication
Authorization
User & Session Management
Data Validation
Error Handling & Exception Management
Logging & Auditing

SECURITY REQUIREMENTS ENGINEERING

Security Requirements Engineering

Lack of / bad software requirements leads to bad software
Lack of security requirements leads to insecure software
  No benchmarks for QA to perform testing
  No traceability!
Problem: Requirements are often written by business analysts or product management who may not be technical
  AES-256-CBC WTF is that?


Organizational Drivers

Regulatory compliance
  SOX 404
  HIPAA
  PCI
  GLBA
  CA SB1386 / State Notification Laws
  BASEL II
  FISMA
  ISO 17799
  EU Data Protection Directive
Industry regulations and standards
  FFIEC
  OWASP Top 10 / Guides
  SCADA Security
  OASIS

Organizational Drivers

Company policies / documents
  Privacy policy
  Coding standards
  Patching policy
  Data classification policy
  Infosec policies
  Acceptable use policies
  Export control
  Results from previous security audits
Security features
  Authentication
  Authorization
  Administrative interfaces
  User management

Requirements Pre Process

1. Work with legal / internal audit to identify drivers
   Define an organizational superset
2. Convert each driver to a superset of technical requirements
   Use your security frame as a guide
   Eliminate duplicates

Build application vs. driver matrix

Requirements Process

1. Based on features / data elements determine which drivers apply
   Leverage data classification / privacy policy
2. Copy-paste requirement(s) from superset defined earlier
Consider building a thin requirements application
  Perhaps an Excel template?
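
The two-step process above as a thin "requirements application", written here as an added example (not the presenter's or Foundstone's tooling): the data classification policy maps data elements to drivers, and the matching requirements are copied from the organizational superset with duplicates merged so each requirement stays traceable to the drivers behind it. Driver names come from the slides; the requirement texts and data elements are constructed samples.

```python
from typing import Dict, List, Set

# Security-frame categories from the deck used to group requirements.
DATA_PROTECTION = "Data Protection in Storage & Transit"
LOGGING = "Logging & Auditing"

# Organizational superset (constructed): driver -> (frame category, requirement).
# The same requirement text appears under several drivers so duplicates can be merged.
SUPERSET: Dict[str, List[tuple]] = {
    "PCI": [
        (DATA_PROTECTION, "Sensitive data encrypted at rest"),
        (LOGGING, "Access to sensitive data is logged"),
    ],
    "HIPAA": [
        (DATA_PROTECTION, "Sensitive data encrypted at rest"),
        (DATA_PROTECTION, "Sensitive data encrypted in transit"),
        (LOGGING, "Access to sensitive data is logged"),
    ],
    "SOX 404": [(LOGGING, "Changes to financial records are auditable")],
}

# Data classification policy (constructed): data element -> drivers it triggers.
CLASSIFICATION: Dict[str, Set[str]] = {
    "credit_card_number": {"PCI"},
    "patient_record": {"HIPAA"},
    "general_ledger": {"SOX 404"},
}

def applicable_drivers(data_elements: List[str]) -> Set[str]:
    """Step 1: from the data elements an application handles, find which drivers apply."""
    drivers: Set[str] = set()
    for element in data_elements:
        drivers |= CLASSIFICATION.get(element, set())
    return drivers

def derive_requirements(data_elements: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Step 2: copy the matching requirements from the superset, merging duplicates.
    Result: frame category -> requirement -> drivers that demand it (the traceability link)."""
    reqs: Dict[str, Dict[str, Set[str]]] = {}
    for driver in sorted(applicable_drivers(data_elements)):
        for category, text in SUPERSET[driver]:
            reqs.setdefault(category, {}).setdefault(text, set()).add(driver)
    return reqs
```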


SECURITY ACCEPTANCE TESTING

Security Acceptance Testing

QA folks test software!
  How many test for security?
  Plus unit tests, build verification tests, test driven development
Penetration testing can often be too late
But...


Security Acceptance Testing

The Mindset
  Training and exposure
  Consider Foundstone Hacme* / WebGoat
Testers need to help define the threat model
  Use threat model to prioritize and scope effort
Define attack libraries of test cases
  Based on vulnerabilities and the security frame
  Based on phase of testing
  Choose which ones to apply to this rev


Unit Testing

Data validation
  Fuzzing
  SQL injection
  Buffer overflows
  Cross site scripting
Authorization
  Method level permissions
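
An attack library of the kind the two preceding slides describe, as an added example that is not from the presentation: each test case is tagged with its security-frame category and test phase, a subset is selected for the current phase, and the cases run against a hypothetical allow-list input validator to catch data validation bugs at unit-test time. The validator, the payload set and the phase names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class AttackCase:
    name: str
    category: str   # security-frame category from the deck
    phase: str      # phase of testing: "unit" or "qa"
    payload: str

# Attack library (constructed): textbook payload shapes tagged by frame category and phase.
ATTACK_LIBRARY: List[AttackCase] = [
    AttackCase("sqli_tautology", "Data Validation", "unit", "' OR '1'='1"),
    AttackCase("xss_script_tag", "Data Validation", "unit", "<script>alert(1)</script>"),
    AttackCase("overlong_input", "Data Validation", "unit", "A" * 4096),
    AttackCase("path_traversal", "Data Validation", "qa", "../../etc/passwd"),
]

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def validate_username(value: str) -> bool:
    """Hypothetical allow-list validator under test: only safe characters and a
    bounded length; anything else is rejected rather than sanitized."""
    return USERNAME_RE.fullmatch(value) is not None

def select_cases(phase: str, category: Optional[str] = None) -> List[AttackCase]:
    """'Choose which ones to apply to this rev': filter by phase and, optionally, frame category."""
    return [c for c in ATTACK_LIBRARY
            if c.phase == phase and (category is None or c.category == category)]

def run_cases(validator: Callable[[str], bool], cases: List[AttackCase]) -> List[str]:
    """Apply each case; return the names of payloads the validator wrongly accepted."""
    return [c.name for c in cases if validator(c.payload)]

def run_unit_phase() -> List[str]:
    """Unit-phase security test for the validator: an empty list means it passed."""
    return run_cases(validate_username, select_cases("unit"))
```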


Build Verification Testing

Integrate source code analysis
  Simple regular expression based scans
  Commercial tools
  Build custom rule sets
Define exit criteria for build acceptance
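
A simple regular-expression scan with a custom rule set and an exit criterion for build acceptance, added here as an example and not taken from the presentation: each rule carries a security-frame category and severity, findings are counted per severity, and the build is rejected when the counts exceed the agreed limits. The rules, the limits and the sample source lines are constructed for the example and are illustrative, not an exhaustive rule set.

```python
import re
from typing import Dict, List, Tuple

# Custom rule set (constructed): (rule id, security-frame category, severity, pattern).
RULES = [
    ("BV001", "Data Validation", "high",
     re.compile(r'"\s*SELECT\b.*\+')),            # SQL built by string concatenation
    ("BV002", "Data Protection in Storage & Transit", "high",
     re.compile(r"\b(MD5|DES)\b")),               # weak algorithm names
    ("BV003", "Error Handling & Exception Management", "medium",
     re.compile(r"catch\s*\([^)]*\)\s*\{\s*\}")), # swallowed exception
]

# Exit criteria for build acceptance (constructed): no high findings, at most two medium.
EXIT_CRITERIA: Dict[str, int] = {"high": 0, "medium": 2}

# Constructed sample source, one finding per line.
SAMPLE_SOURCE = '''\
String q = "SELECT * FROM users WHERE name = '" + name + "'";
MessageDigest md = MessageDigest.getInstance("MD5");
try { io(); } catch (IOException e) { }
'''

Finding = Tuple[str, str, int]  # (rule id, severity, line number)

def scan(source: str) -> List[Finding]:
    """Run every rule over every line of the source and collect the findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, _category, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((rule_id, severity, lineno))
    return findings

def build_accepted(findings: List[Finding]) -> bool:
    """Apply the exit criteria: True only if every severity stays within its limit."""
    counts: Dict[str, int] = {}
    for _rule_id, severity, _lineno in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return all(counts.get(sev, 0) <= limit for sev, limit in EXIT_CRITERIA.items())
```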


QA Testing

Integrate with existing bug tracking systems
  No high / medium / low!
  Go with Severity / Priority ratings
Follow the existing process
  Treat security bugs no differently than other bugs
  Well, maybe a little different ;)


QA Testing

Tag security bugs
  May be used to ensure the developer assigned to fix is security conscious
Classify by security frame
  Allows root cause and other statistical analyses
Classify by nature
  Bugs
  Flaws
  Commendations
  Informational
Mark for regression testing

SECURITY KNOWLEDGE MANAGEMENT

Why Knowledge Management?

Well, learn from others' mistakes!
  Within your team / organization / community
Guidance on an ongoing basis


Software Security Portal

Document repository
Threat modeling artifact repository
Leverage commonality across similar applications
Metrics reporting


Software Security Wiki

Security architectures and infrastructure components
Reviewed and tested code snippets for commonly used tasks
Links to additional information about software security on the Internet
Lessons learned from previous security issues identified in applications


Security Knowledge Management

Benefits
  Wide distribution of best practices
  Prevention of repetition of similar issues
  Improved productivity
  Overall better software quality
  Tweaking the SSDLC
Gotchas!
  Don't disclose too soon, even if it is internal only!
  Anonymize the examples and code if necessary
  Share not only the issue but how the issue was discovered and fixed
  Root cause analysis
  Make sure the fix is bug free!

Special Case: Third Party Components

Open Source / COTS
  OpenSSL
  zlib
Who is tracking updates / patches?
  The average developer???
Which of our applications are affected?
What's the plan to rollout patches?
  Back again to matrices!
Role: Software Security Architect
  Subscribe to mailing lists
  Patch reliability
  Notify application owners
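
The application-vs-component matrix the slide points back to, as an added example that is not part of the presentation: when a mailing-list notice says a component is fixed in a given version, the matrix answers which applications pin an older version and which owners to notify. Applications, pinned versions and owner names are constructed sample data; no particular advisory is implied.

```python
from typing import Dict, List, Tuple

def parse_version(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically, not as strings ("0.9.8" < "0.9.10")."""
    return tuple(int(part) for part in version.split("."))

# Matrix (constructed): application -> {third-party component: pinned version}.
APP_COMPONENTS: Dict[str, Dict[str, str]] = {
    "billing-web":   {"OpenSSL": "0.9.8", "zlib": "1.2.3"},
    "report-batch":  {"zlib": "1.2.2"},
    "intranet-wiki": {"OpenSSL": "0.9.9"},
}
# Application owners (constructed), the people the security architect notifies.
APP_OWNERS: Dict[str, str] = {
    "billing-web": "alice", "report-batch": "bob", "intranet-wiki": "carol",
}

def affected_apps(component: str, fixed_in: str) -> List[str]:
    """Applications whose pinned version of the component is older than the fixed version."""
    fixed = parse_version(fixed_in)
    return sorted(app for app, comps in APP_COMPONENTS.items()
                  if component in comps and parse_version(comps[component]) < fixed)

def notification_list(component: str, fixed_in: str) -> Dict[str, List[str]]:
    """Owner -> applications that owner must plan a patch rollout for."""
    plan: Dict[str, List[str]] = {}
    for app in affected_apps(component, fixed_in):
        plan.setdefault(APP_OWNERS[app], []).append(app)
    return plan
```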


PARTING THOUGHTS



It takes a village to raise software security!
