Ryan Berg Practical Guide To Securing SDLC
A Practical Guide toSecuring the SDLCRyan BergSr. Architect SecurityResearch, Rationalryan.berg@us.ibm.comASC-1340AThe premiere software and product delivery event.June 6–10 Orlando, Florida
Why are we here ? I had some time to fill and this topic looked interesting Application security is the latest insert newest internet relatedbuzzword here Heard there was free food I thought this was a different session but am too embarrassed toleave The “monster at the end of the book”
Application security is more visible Combating Data TheftSecuring OutsourcingSupporting ComplianceSecuring the SDLCManagers & Developers Are Being Asked Difficult Questions What regulations and standards are required? PCI, HIPAA, FISMA What confidential data is at risk? What risk threshold is tolerable?Copyright 2009 Ounce Labs, Inc. All rights reserved.
Web App Vulnerabilities Continue to Dominate 49% of all vulnerabilities are Web applicationvulnerabilities SQL injection and Cross-Site Scripting areneck-and-neck in a race for the top spot 90% of injection attacks are attributed to SQLrelated attacks Automated toolkits continue to flourish in 2009 SQL injection attacks continue to grow up 50%in Q1 2009 vs. Q4 2008 and nearly doubling inQ2 vs. Q1
Is this really necessary? What’s being done isn’t working Security isn’t always included Software Engineer vs. Software Security Engineer Coding guidelines vs. secure coding guidelines “Build Security In” – sounds deceptively simple Starts with training. This class is a good place to start. Requires a commitment to change. If we agree that what we are doing isn’t working than it should beobvious that we need to change what we are doing. Policy is not a four letter word Requirements, Requirements, Requirements Developers need security requirements, if not given don’t assume, demand. Have a plan before you need oneCopyright 2009 Ounce Labs, Inc. All rights reserved.
Follow the path to secure codingLarge-scale design flawstypically trump individualcoding errorsProvide thewhole pictureConsistencyDevelopers mustidentify allvulnerabilities in thecode, then remediatethe greatest risks firstPrioritizeremediationCreate consistentprocesses, policies,and a culture ofimproved securityCopyright 2009 Ounce Labs, Inc. All rights reserved.
Sometimes the answers can only be found in the source code Does the application enforce or evenuse appropriate access controls? In what ways and in what placesdoes the application attempt toconnect to the network? Is there malicious code or backdoors in your applications? Can user inputs or outputs cancorrupt your system ? Is customer credit card informationencrypted? Is sensitive data being storedoutside of your database?
Where to look for vulnerabilities Buffer overflows,result frommismanagementof memory Race conditions,result from calltiming mismatches Authentication Encryption Use of insecure external codetypes Validation of data input andapplication outputCopyright 2009 Ounce Labs, Inc. All rights reserved.
How to look for vulnerabilities Manual Code Review Time-consuming, expensive, errorprone Penetration Testing Useful but can only discern a smallsub-set possible errors Automated Testing Tools“The most effective approach is tointegrate source code vulnerabilityscanners into the applicationdevelopment, integration and testprocess.” (Gartner)Copyright 2009 Ounce Labs, Inc. All rights reserved.
An Interesting AsideFrom Microsoft’s SDL sp “However, one finding will come as no surprise to long-timesecurity researchers: penetration testing is not the way toachieve security. Penetration testing is an element of theFinal Security Review (FSR) for a major software release, butproduct team activities throughout the entire lifecycle focuson threat modeling, code reviews, the use of automatedtools, and fuzz testing rather than penetration testing. Thelatter measures are much more thorough in preventing orremoving security bugs than the classic ad hoc penetrationtesting.”
That wasn’t really helpful It is much more effective to look at the places in the SDLC that you can reduce risk. Requirements Design Implementation Test Deployment
Requirements Identifying security requirements are an integral part of the software design process, and themost neglected Just as good project requirements requires use cases, good security requirements requireabuse cases Must be able to identify all potential assets at risk and outline the required and acceptablemitigation requirements.: Example of a bad requirement: All sensitive data needs to be encrypted; Example of a better requirement: All sensitive data needs to be encrypted both in transit and at rest using no less than 256 bit AES encryption,see addendum A for the list of items that are considered sensitive for this application.
Design: Policy Definition It is important that organizations begin to formalize secure coding guidelines. Avoid the temptation to “grade” an organization, development manager, orindividual contributor’s, ability to deliver secure code without letting them knowwhat is on the test. Policy, in the case of security requirements, is to remove ambiguity as much aspossible. Examples New development projects using C/C must avoid the use of all following api’s: gets(),strcpy(),unbouded use the printf and sprintf family of calls etc. All data transferred from web clients that contain customer specific information must betransported using SSL, and if any personal information is stored using cookies the entireapplication needs to be SSL enabled.
What Details: Threat Modeling Threat modeling is an important aspect in developing good security requirements as well as designinggood mitigation strategies Aspects of threat modeling should occur in several phases of the SDLC During Requirements Phase 1: Identifying assets at risk and business objectives Phase 2: Generate use and abuse cases During Design Phase 3: Identify components responsible for controlling access to and from assets identified in Phase1. Phase 4: Identify the threats posed by Phase 2 against the components outlined in Phase 3. During Implementation & Test Phase 5: Review application to identify weaknesses against the threats identified in Phase 4 about and reviewmitigation and remediation efforts. Additional resources .aspx http://www.projects.ncassr.org/threatmodeling/
Design: Security Design Review The security design review is a critical step in the SDLC. The primary goal of thisstep is to verify that the policies identified in the requirements and phases 1-4 ofthe threat modeling exercise have the appropriate mitigation strategies identifiedin the application architecture. Identify any gaps, this may include identifying new threats. This should be done as early in the process as possible, for an agile developmentprocess every feature iteration that impacts security as identified by therequirements needs to perform this step.
Application Vulnerability Assessment Think of this as the verification step. This is to verify that all policy requirements andthreats have the appropriate mitigation in the final product. This also enables unintended or new threats to have another chance of being foundprior to deployment. Leverage tools as much as possible to reduce costs.
What To Look For: The ChecklistSecurity-related functionsInput/Output validation and encodingerrorsError handling and loggingvulnerabilitiesInsecure ComponentsCoding errors“Detecting and correcting securityvulnerabilities early in theapplication development life cycle,prior to deployment andoperations, results in significantrisk and cost reduction.”Gartner
Security-related FunctionsWeak or Nonstandard CryptographyNon-Secure NetworkCommunicationsAccess Control Vulnerabilities9 MD5 is no longer considered secure for highly sensitive and business criticalapplications, SHA1 is also considered broken though no practical attacks have beenidentified.“Microsoft is banning certain cryptographic functions from new computer code, citing increasinglysophisticated attack”, p9 The following example was from a content management systems password resetfunction.The biggest failure in encryption is not/**often the algorithm used but more often* Generates a random 10 characters password.than not it is the failure to properly*identify what data needs to be* @return the generated password.encrypted and making sure that the*/appropriate encryption is alwaysutilized.public static synchronized String generate(){return Long.toString(Math.abs(random.nextLong()) % MAX RAN D O M LEN GTH, Character.MAX RADIX);}
Input/Output Validation and Encoding ErrorsSQL Injection VulnerabilitiesCross-Site Scripting VulnerabilitiesOS Injection VulnerabilitiesCustom Cookie/Hidden FieldManipulationHave we not learned to NEVER trust the user, all input needs to be validated?What is the problem with the code below?public void doGet( HttpServletRequestreq, HttpServletResponse res )throws IOException, ServletException{String pageNa me getParameter(“pageNa me”) ! null ? “”:getParameter(“pageNa me”);log.info("Requestfor page: " pageNa me);String forward "/" pageNa me "?“ req.getQueryString();RequestDispatcher disp req.getRequestDispatcher(forward);disp.forward( req, res );}It is not all about SQL Injectionand XSS (though those are still ahuge problem).
Error Handling & Logging VulnerabilitiesInsecure Error HandlingInsecure or Inadequate LoggingConsider the following code example:public void doPost( HttpServletRequestreq, HttpServletResponse res )throws IOException, ServletException{RequestDispatcher disp null;String user getParameter(“user”)! null ? “”: getParameter(“user”);String pwd getParameter(“pwd”) ! null ? “”: getParameter(“pwd”);if(!validUser(user,pwd)) {log.warn(“Invalidlogin received from: “ user “ password:” pwd);disp ��);} else {log.info(“Successfullogin attempt from: “ user);disp );}disp.forward( req, res );}There really are two majorissues with logging:1.2.Lacking a consistentlogging framework.Logging the wrong data orbreaking company policyand regulations (think: PCI)
Insecure ComponentsUnsafe Native MethodsUnsupported APIImproper Use of 3rd Party ApplicationFrameworksDevelopers need to understand where the utilities provided by the framework begin and end whenrelated to security. Consider the following code from a .NET web application. head title Registration Form Please Sign-In /title /head % String loader Request.Params[“loader”]; % body onload “ % loader% ” /body Even if you have Microsoft’s page validation enabled (the default) you are still vulnerable.As we focus our efforts to fix the low hanging fruit, the attacks are moving to the application layer.There are many undocumented APIs that exist as public interfaces in the JDK or the .NETframeworkMany of these interfaces may bypass internal member data validation that if used directly couldcrash the JVM (or lead to more serious vulnerabilities -win-03-schoenfeld.pdf
Coding ErrorsBuffer OverflowVulnerabilitiesFormat StringVulnerabilitiesDenial of Service ErrorsRace ConditionsUse of native libraries (System.loadLibrary, [DllImport]) can alsoexpose your web application to this more traditional style of attack.What’s wrong with this code?protected void e response) {InputStreamReaderinStr new InputStream Reader(request.getInputStream());BufferedReaderin new BufferedReader(inStr);while(in.readline()! null){//process the request }}http://documents.iss.net/whitepapers/IBM X-Force WP final.pdfMost modern day webapplications are immune tothe more traditional“overflow” style of attacks,but anytime the user is ableto control data that reachesan internal system thepossibility exists.
Follow The Path: The Checklist Security-related functions Insecure Components Weak or Nonstandard Cryptography Unsafe Native Methods Non-Secure Network Communications Unsupported Methods Application Configuration Vulnerabilities Improper use of 3rd Party Access Control Vulnerabilities Input/Output validation and encodingerrorsApplication Frameworks Coding errors Buffer Overflow Vulnerabilities SQL Injection Vulnerabilities Format String Vulnerabilities Cross-Site Scripting Vulnerabilities Denial of Service Errors OS Injection Vulnerabilities Race Conditions Custom Cookie/Hidden FieldManipulation Error handling and loggingvulnerabilities Insecure Error Handling Insecure or Inadequate Logging
Where? Baking security into requirements: gathering securityrequirements/needs, abuse cases, and threat modeling Baking security into design: security design patterns, securityreviews and threat modeling Baking security into development: secure coding guidelines, tools,and audit Baking security into testing: negative testing, thinking like the badguy and “red teams” Baking security into deployment: secure deployment guidelines,secure update mechanisms (patching) and much, much more!
When? As often as is practical–––Prioritize the most criticalapplicationsSeparate legacy from newdevelopmentCustomer facing vs. internal
How: Objectives for Practical Security Improve existing development process, not create new one Maximize security impact of personnel and technologies Use models as initial framework and tailor to individualorganization Select model with consideration for future requirements
IBM Secure Engineering InitiativeProvides structure,execution and accountabilityfor software and solutiondevelopment projectsGuidelines and bestpractices for securesoftware in design,development ringFrameworkContinuousSecurityImprovementSupply Chain SecurityLink to Security Engineering stracts/redp4641.html?Open27Continually improve thesecurity characteristics ofsoftware offerings throughKey Performance IndicatorsBuilds and Maintains trustedrelationships with suppliers,distribution channels,import/export and customersupport
Sample Secure Development Framework
Core ResponsibilitiesSet security requirements: A manager or security expert definesvulnerabilities and how to judge criticalityConfigure analysis: The source code analysis tool is customized toaddress internal policies.Scan source code: The analysis tool is run against the targetapplication to pinpoint vulnerabilities.Triage results:Security-minded staff study results to prioritizeremediation workflow.Remediate flaws: Vulnerabilities are eliminated by rewriting code,removing flaws, or adding security functions.Verify fixes:The code is rescanned to assure vulnerabilities areeliminated.
Model I: IndependentBenefits Developer-onlyimplementation Low initial investmentChallenges Scalability Redundancy of work Reporting/tracking progress Enforcing policy Expertise requirementshttp://xkcd.com/303/
Model I: IndependentBenefits Developer-onlyimplementation Low initial investmentChallenges Scalability Redundancy of work Reporting/tracking progress Enforcing policy Expertise requirementsBest Practices Establish centralized securityrequirements Conduct security reviews amongdevelopers Establish a security-capabledeveloper as a mentor
Model II: DistributedQA/Release Engineer TeamManagers Refine securityrequirements Track developmentprogress and reviewassessment dataQA/Release Engineer Team Configure scanner forbuild integration Sync code at eachmilestone Scan entire app with newmilestone components Provide raw data todevelopmentDevelopers Triage analysis results Perform necessaryremediation Verify fixes beforechecking code back in
Model II: DistributedQA/Release Engineer TeamBenefits Deployment flexibility Integration with buildenvironment Policy enforcement Central reportingChallenges Scalability Redundancy of work Expertise requirements
Model II: DistributedBenefits Deployment flexibility Integration with buildenvironment Policy enforcement Central reportingChallenges Scalability Redundancy of work Expertise requirementsBest Practices Scan early in life cycle Assign developers specificcomponents to review Establish a security-capabledeveloper as a mentor
Model III: CentralizedSecurity Analysis Team Configure scanner forbuild integration Retrieve code foranalysis Scan entire application Triage results Assign vulnerabilities todevelopersManagers Refine securityrequirements Track developmentprogress, reviewvulnerability data,and monitorremediation resultsDevelopers Perform necessaryremediation Check in code
Model III: CentralizedBenefits Deployment flexibility Separation of duties Central management Long-term valueChallenges Resource requirements High-level commitment
Model III: CentralizedBenefits Deployment flexibility Separation of duties Central management Long-term valueChallenges Resource requirements High-level commitmentBest Practices Plan process with development and security Focus on training and guidance for security team Integrate with existing technologies
99 Centralized managementand remediation strategy99 Centralized analysisconfiguration99Cross-enterprisereporting of results andprogress99 99BenefitsEffectively reducessecurity vulnerabilitiesSupports distributeddevelopment teams9-Supports smalldevelopment and auditprojects9 Prioritized remediationassigned to developersLow level of managementcommitementScales to largeapplications anddevelopment teams9999
For More Information To learn more about using IBM’s secure dpieces/abstracts/redp4641.html?Open
40
41Daily iPod touch giveawaySPONSORED BY Complete your session surveys online each dayat a conference kiosk or on your Innovate 2010 Portal! Each day that you complete all of that day’s sessionsurveys, your name will be entered to win the dailyIPOD touch! On Wednesday be sure to complete your full conference evaluationto receive your free conference t-shirt!
42www.ibm.com/software/rational Copyright IBM Corporation 2010. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall havethe effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBMsoftware. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilitiesreferenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to futureproduct or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and servicesare trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product,or service names may be trademarks or service marks of others.
Baking security into requirements: gathering security requirements/needs, abuse cases, and threat modeling Baking security into design: security design patterns, security reviews and threat modeling Baking security into development: secure coding guidelines, tools, and audit Baking security into testing: negative testing, thinking like the bad
BERG XL X-ITE BFR-3 07.20.17.00 EAN-CODE: 8715839072785 Inspiring Active Play BERG has designed the BERG XL X-ite especially for lovers of cool go-karts. The graphics are inspired by off-road motorcycles and give the go-kart its cool appearance. Details, such as the extra cool sticker on the frame, make the go-kart complete. The BERG XL X-ite has a
BERG trampolines. Instructions for use BERG trampolines use springs to propel the user to unaccustomed heights, allowing a variety of body movements. The spring resistance of the BERG trampoline, touching the springs, the frame, or landing incorrectly on the BERG trampoline, can cause serious injury. In order to avoid this, it is
Marlies van Bemmel, Jan Berends, Jaap Berends, Alf Berendse, Daan Berg, Weik van den Berg, Richard van de Berg, Ronald van den Berg, prof Tracy Bergemann (biostatistiek Univ. Minnesota), prof Martijn P.F. Berger (statistiek in de sociale wet.), Paul van den Bergh, E.G. Berink, Qurie de Berk sr (namens de f
BERG trampolines. Instructions for use BERG trampolines use springs to propel the user to unaccustomed heights, allowing a variety of body movements. The spring resistance of the BERG trampoline, touching the springs, the frame, or landing incorrectly on the BERG trampoline, can cause serious injury. In order to avoid this, it is
Lesco Renovator 20 Lesco ride on spreader; Misc. blower parts; Pump, motor, tank, 2 reels; Ryan LA28; Ryan LA IV; Ryan LawnAire 28; Ryan Lawn Aire V; Ryan Mataway Overseeder; Check back often. Updates are made frequently up until auction day. All items subject to prior sale. Selling many more items than listed. Brouwer Sod Cutter on Ford Tractor 1989 Jacobsen Turfcat C420G with sweeper .
o Productivity of all staff time charged to Ryan White must be for carrying out specific activities approved in the competitive Request for Grant Application, contrac t, and Implementation Plan. Staff time can only be charged to Ryan White for serving Ryan White eligible clients. o Time and effort of staff working on Ryan White must be documented.
Solution-Focused Brief Therapy group treatment is based on over twenty years of theoretical development, clinical practice, and empirical research (e.g., de Shazer et al.,1986; Berg & Miller, 1992; Berg, 1994; De Jong & Berg (2008); de Shazer, Dolan et al., 2006). Solution-Focused Brief Therapy is different in many ways from traditional approaches to treatment. It is a competency-based model .
Bard Music Festival 2010: Berg and His World Bard College Annandale-on-Hudson, New York August 13–15 and August 20–22, 2010 Music 71 A NEW LOOK AT PIVOTAL MODERNIST COMPOSER ALBAN BERG SEPTEMBER Paper 29.95S 978-0-691-14856-4 Cloth 75.00S 978-0-691-14855-7 392 pages. 6 x 9. MUSIC Alban Berg and His World Edited by Christopher Hailey
