Promoting Application Security Within Federal Government

Promoting Application Security within Federal Government
AppSec DC
Dr. Sarbari Gupta, CISSP, t-inc.com
703-437-9451 ext 12
November 13, 2009
The OWASP Foundation
http://www.owasp.org

Application Security is NOT A JOKE!
(Image courtesy of http://www.securitywizardry.com)

Problem Statement

Federal government takes information system security and assurance very seriously.

Focus areas for Federal security efforts include:
- Platform Security
- Network Security
- Perimeter Security
- Personnel Security
- Physical Security
- Acquisition Security, and so on

HOWEVER, APPLICATION SECURITY HAS RECEIVED MEAGER ATTENTION!!

Agenda
- Application Security Best Practices
- Federal IT Security Landscape
- Mapping AppSec Best Practices to FISMA
- Observations
- Wrap-Up

Application Security Best Practices
- Application Security Training for Developers/Managers
- Documented Secure Coding Standards
- Formalized SDLC Processes
- Application Threat Modeling
- Documented Security Design/Architecture
- Automated Security Testing
- Manual Code Review
- Vulnerability and Penetration Analyses
- Continuous Monitoring for New Vulnerabilities
  - OWASP Top Ten Vulnerabilities
  - SANS Top 25 Coding Vulnerabilities
  - NVD, other lists

Information Security – Federal Landscape

Federal practice in information security is driven by REGULATORY COMPLIANCE.

Compliance with what?
- Title III of the E-Government Act of 2002: Federal Information Security Management Act (FISMA)
- Privacy Act of 1974
- OMB Circular A-130, Appendix III
- Homeland Security Presidential Directives: HSPD-7, HSPD-12, etc.
- OMB Memos: FISMA Reporting, Privacy, Data Encryption, FDCC, etc.

FISMA Documentation

NIST Standards and Guidelines:
- FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems
- SP 800-37 Rev 1 – DRAFT Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach
- SP 800-53 Rev 3 – Recommended Security Controls for Federal Information Systems and Organizations
- SP 800-53A – Guide for Assessing the Security Controls in Federal Information Systems

NIST Special Pub 800-53 Revision 3

Title: Recommended Security Controls for Federal Information Systems and Organizations
Published: August 2009
Approach: Risk Management Framework
- Categorize Information System
- Select Security Controls
- Implement Security Controls
- Assess Security Controls
- Authorize Information System
- Monitor Security Controls

18 families of Security Controls:

ID | Family                                | Class
AC | Access Control                        | Technical
AT | Awareness and Training                | Operational
AU | Audit and Accountability              | Technical
CA | Security Assessment and Authorization | Management
CM | Configuration Management              | Operational
CP | Contingency Planning                  | Operational
IA | Identification and Authentication     | Technical
IR | Incident Response                     | Operational
MA | Maintenance                           | Operational
MP | Media Protection                      | Operational
PE | Physical and Environmental Security   | Operational
RA | Risk Assessment                       | Management
SA | System and Services Acquisition       | Management
SC | System and Communications Protection  | Technical
SI | System and Information Integrity      | Operational
PM | Program Management                    | Management

AppSec Best Practices – Map to FISMA Controls

Application Security Best Practice                    | NIST 800-53 Rev3 Controls
Application Security Training for Developers/Managers | AT-3: Security Training; SA-8: Security Engineering Principles
Documented Secure Coding Standards                    | SI-3: Malicious Code Protection
Formalized SDLC Processes                             | SA-3: Life Cycle Support; SA-8: Security Engineering Principles; SA-13: Trustworthiness
Application Threat Modeling                           | RA-3: Risk Assessment
Documented Security Architecture                      | SA-5: Information System Documentation
Automated Testing                                     | SA-11: Developer Security Testing; CA-2: Security Assessments
Source Code Review                                    | RA-5: Vulnerability Scanning; SA-5: Information System Documentation
Vulnerability and Penetration Analyses                | CA-2: Security Assessments; RA-5: Vulnerability Scanning
Continuous Monitoring                                 | CA-7: Continuous Monitoring

OWASP Top Ten Vulnerabilities (2007) – Map to FISMA Controls

OWASP Top Ten Vulnerabilities                           | NIST 800-53 Rev3 Controls
A1 - Cross Site Scripting (XSS)                         | SI-10: Information Input Validation
A2 - Injection Flaws                                    | SI-10: Information Input Validation
A3 - Malicious File Execution                           | Not specified
A4 - Insecure Direct Object Reference                   | AC-3: Access Enforcement
A5 - Cross Site Request Forgery (CSRF)                  | Not specified
A6 - Information Leakage & Improper Error Handling      | SI-11: Error Handling
A7 - Broken Authentication and Session Mgmt             | SC-23: Session Authenticity
A8 - Insecure Cryptographic Storage                     | SC-13: Use of Cryptography
A9 - Insecure Communications                            | SC-9: Transmission Confidentiality
A10 - Failure to Restrict URL Access                    | AC-3: Access Enforcement

SANS Top 25 (1 of 3) – Insecure Interaction Between Components – Map to FISMA Controls

Top 25 Coding Vulnerabilities                                 | NIST 800-53 Rev3 Controls
CWE-20: Improper Input Validation                             | SI-10: Information Input Validation
CWE-116: Improper Encoding or Escaping of Output              | Not specified
CWE-89: SQL Injection                                         | SI-10: Information Input Validation
CWE-79: Cross-site Scripting                                  | SI-10: Information Input Validation
CWE-78: OS Command Injection                                  | SI-10: Information Input Validation
CWE-319: Clear-text Transmission of Sensitive Information     | SC-9: Transmission Confidentiality
CWE-352: Cross-Site Request Forgery (CSRF)                    | Not specified
CWE-362: Race Condition                                       | Not specified
CWE-209: Error Message Information Leak                       | SI-11: Error Handling

SANS Top 25 (2 of 3) – Porous Defenses – Map to FISMA Controls

Top 25 Coding Vulnerabilities                              | NIST 800-53 Rev3 Controls
CWE-285: Improper Access Control (Authorization)           | AC-3: Access Enforcement
CWE-327: Use of a Broken or Risky Cryptographic Algorithm  | SC-13: Use of Cryptography
CWE-259: Hard-Coded Password                               | IA-5: Authenticator Management
CWE-732: Insecure Permission Assignment for Critical Resource | AC-3: Access Enforcement
CWE-330: Use of Insufficiently Random Values               | Not specified
CWE-250: Execution with Unnecessary Privileges             | AC-6: Least Privilege
CWE-602: Client-Side Enforcement of Server Side Security   | Not specified

SANS Top 25 (3 of 3) – Risky Resource Management – Map to FISMA Controls

Top 25 Coding Vulnerabilities                        | NIST 800-53 Rev3 Controls
CWE-119: Memory Buffer Overrun                       | SA-8: Security Engineering Principles [1]
CWE-642: External Control of Critical State Data     | SA-8: Security Engineering Principles [1]
CWE-73: External Control of File Name or Path        | SA-8: Security Engineering Principles [1]
CWE-426: Un-trusted Search Path                      | SA-8: Security Engineering Principles [1]
CWE-94: Code Injection                               | SA-8: Security Engineering Principles [1]
CWE-494: Download of Code Without Integrity Check    | SI-7: Software and Information Integrity
CWE-404: Improper Resource Shutdown or Release       | SA-8: Security Engineering Principles [1]
CWE-665: Improper Initialization                     | SA-8: Security Engineering Principles [1]
CWE-682: Incorrect Calculation                       | SA-8: Security Engineering Principles [1]

[1] – Weak mapping

OWASP Application Security Verification Std 2009 – Map to FISMA Controls

ASVS Security Requirement Area            | NIST 800-53 Rev 3 Controls                                                                 | Coverage
V1 - Security Architecture Documentation  | RA-3                                                                                        | 1 of 6
V2 - Authentication Verification          | AC-2, AC-3, AC-5, AC-7, AC-11, AC-14, AU-2, IA-2, IA-5, IA-6, IA-8, SC-24, SI-3              | 12 of 15
V3 - Session Management Verification      | AC-11, SC-10, SC-23, SI-3                                                                   | 9 of 13
V4 - Access Control Verification          | AC-2, AC-3, AC-6, SI-3, AU-2                                                                | 10 of 15
V5 - Input Validation Verification        | SA-8, SI-3, SI-10, AU-2                                                                     | 7 of 9

- NIST SP 800-53 Rev 2 had little or no support for Application Security practices.
- HOWEVER, NIST SP 800-53 Rev 3 has built a solid level of support for Application Security.
- Application Security requirements are s
