integrating security into the application development process

Integrating Security into the Application Development Process

Jerod Brennen, CISSPCTO & Principal Security Consultant, Jacadis

Agenda

• Seek First to Understand• Source Code Security• AppSec and SQA• Analyzing Deployed Applications• Other Considerations• Resources

How to Write Good Code

From http://xkcd.com/844/

SEEK FIRST TO UNDERSTAND

Development Methodologies

• Agile with Scrum• Capability Maturity Mode Integrated

– 1 (Waterfall)– 3 (Iterative)– 5 (Spiral)

• Extreme Programming (XP)• Object-Oriented Development• Pair Programming With Iterative• Proofs of Correctness with Waterfall• Rational Unified Process (RUP)• Team Software Process (TSP)

List from http://www.infoq.com/articles/evaluating-agile-software-methodologies

Programming Languages

• ASP.NET• C / C++ / C# / Objective-C• HTML5• Java• PHP• Python• Ruby• What else?

Risk/Security Frameworks

• COBIT (ISACA)• COSO (SOX)• HITRUST CSF (HIPAA)• ISO/IEC 27002:2005• NIST• OCTAVE (CERT)• STRIDE/DREAD

– Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege

– Damage, Reproducibility, Exploitability, Affected users, Discoverability

Project Phase-Gate Model

• Scoping• Build Business Case• Development• Testing and Validation• Launch

The OWASP Top Ten (Web)

• A1 – Injection• A2 – Broken Authentication and Session Management• A3 – Cross-Site Scripting (XSS)• A4 – Insecure Direct Object References• A5 – Security Misconfiguration• A6 – Sensitive Data Exposure• A7 – Missing Function Level Access Control• A8 – Cross-Site Request Forgery (CSRF)• A9 – Using Components with Known Vulnerabilities• A10 – Unvalidated Redirects and Forwards

The OWASP Top Ten (Mobile)

• M1 – Insecure Data Storage• M2 – Weak Server Side Controls• M3 – Insufficient Transport Layer Protection• M4 – Client Side Injection• M5 – Poor Authorization and Authentication• M6 – Improper Session Handling• M7 – Security Decisions Via Untrusted Inputs• M8 – Side Channel Data Leakage• M9 – Broken Cryptography• M10 – Sensitive Information Disclosure

Prep Checklist

• What development methodologies do we follow?• What programming languages do we use?• What risk/security frameworks do we follow?• What third-party libraries do we use?• What stages in the development process require

approval from the security team?

SOURCE CODE SECURITY

Code Reviews

• Benefits– Find flaws– Reduce fraud

• Peer Reviews in Software, by Karl Wiegers– Ad hoc review– Passaround– Pair programming– Walkthrough– Team Review– Inspection

OWASP Code Review Project

• Methodology (v1.1, current)– Preparation– Security Code Review in the SDLC– Security Code Review Coverage– Application Threat Modeling– Code Review Metrics

• Methodology (v2.0, due in January 2014)– Preparation– Application Threat Modeling– Understanding Code Layout/Design/Architecture– Reviewing by Technical Control– Reviewing by Vulnerability– Security Code Review for Agile Development

Code Review Tools

• NIST SAMATE– Software Assurance Metrics and Tool

Evaluation

• Tools– Source Code Security Analyzers– Byte Code Scanners– Binary Code Scanners

Code Review Tools (cont’d)

• Checkmarx ($; multiple languages)• DevInpsect ($; Java, .NET)• FindBugs / FindSecurityBugs (free; Java)• FxCop (free; .NET)• IDA Pro ($; Windows/Linux executables)• LAPSE (free; Java)• PMD (free; Java)• Rational AppScan ($; multiple languages)• RATS (free; C, C++, Perl, PHP, Python)

APPSEC AND SQA

The SQA Process

• Initiation• Planning• Tracking• Training• Reviews• Issue Resolution• Testing• Audit• Process Improvement

List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx

Positive and Negative Testing

• Positive Test Cases– Does the app do what it’s supposed to

do?

• Negative Test Cases– Does the app do anything it’s not

supposed to do?

Top 10 Negative Test Cases

• Embedded Single Quote• Required Data Entry• Field Type Test• Field Size Test• Numeric Bounds Test• Numeric Limits Test• Date Bounds Test• Date Validity• Web Session Testing• Performance Changes

List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm

SQA Security Tools

• QAInspect• OWASP Zed Attack Proxy (ZAP)• OWASP Mantra

ANALYZING DEPLOYED APPLICATIONS

Application Scanning

• Automated scanners interact with an app like an actual user

• Production vs. Non-Production• Authenticated vs. Non-Authenticated• Don’t forget the app infrastructure

– Host Systems– Web Servers– Backend Databases

Manual App Analysis

• OWASP Testing Guide (v3)– Information Gathering– Configuration Management Testing– Authentication Testing– Session Management Testing– Authorization Testing– Business Logic Testing– Data Validation Testing– Testing for Denial of Service– Web Services Testing– AJAX Testing

• Version 4 in development (some material available)

Scanning vs. Pen Testing

• Scanning– Automated– Look for signature-based flaws– Some heuristics

• Web App Pen Testing– Unconventional thinking– Test application logic

Web App Security Scanners

• Acunetix Web Vulnerability Scanner (WVS)• AppScan• Arachni• Burp Suite• Grendel-Scan• QualysGuard Web Application Scanner (WAS)• SamuraiWTF• Veracode Web Application Security (WAS)• W3AF• WebInspect• WebSecurify

OTHER CONSIDERATIONS

SQA Metrics

• ISO 9126-1 (Software Quality)– Functionality

• Security (unauthorized access)– Reliability– Usability– Efficiency– Maintainability– Portability

• Security – CIA Triad– Confidentiality– Integrity– Availability

SQA Metrics (cont’d)

• OWASP– Cross-site scripting tests run– SQL injection tests run– User input tests run– Cookie or credentials manipulation testing has been performed– Denial of Service scenarios have been checked

• Vulnerabilities detected vs. vulnerabilities remediated

List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics

Developer Training

• OWASP Resources– Top 10 Application Security Risks– Top 10 Mobile Security Risks– WebGoat Project (Java)– Mutillidae (PHP)– Bricks (PHP and MySQL)

• SANS Courses– SEC542: Web App Penetration Testing and Ethical Hacking– DEV522: Defending Web Applications Security Essentials– DEV541: Secure Coding in Java/JEE– DEV544: Secure Coding in .NET

• Web Application Security Consortium

Professional Organizations

• OWASP• ISSA• (ISC)2• InfraGard• ISACA• W3C Web Application Security

Working Group

RESOURCES

Resources• Codecademy

– http://www.codecademy.com/learn

• OWASP Top Ten (2013)– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project– https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_-

_English.pptx• OWASP Code Review Project

– https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project

• NIST SAMATE– http://samate.nist.gov/

• Web App Scanner List– http://projects.webappsec.org/w/page/13246988/Web%20Application

%20Security%20Scanner%20List• SecTools

– http://sectools.org/

More Resources• Project Phase Gate Model

– http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model

• ISO 9126 Software Quality Characteristics– http://www.sqa.net/iso9126.html

• Top 10 Negative Test Cases– http://www.sqatester.com/methodology/Top10NegativeTestCases.htm

• OWASP – Software Quality Assurance– https://www.owasp.org/index.php/Software_Quality_Assurance

• OWASP Testing Project– https://www.owasp.org/index.php/OWASP_Testing_Project

• “952” Metrics for Software Quality Assurance (SQA)– http://davidfrico.com/sqa-metrics.pdf

• Web Application Security Working Group– http://www.w3.org/2011/webappsec/

Even More Resources• SQL Injection Tutorial

– http://www.youtube.com/watch?v=qELByGfNJSE

• OWASP Mobile Security Project– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project– http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks

• OWASP WebGoat– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

• OWASP Mutillidae– https://www.owasp.org/index.php/Category:OWASP_Mutillidae

• OWASP Bricks– https://www.owasp.org/index.php/OWASP_Bricks

Contact Info

Jerod Brennen, CISSPCTO & Principal Security Consultant, Jacadis

LinkedIn: http://www.linkedin/com/in/slandail

Twitter: https://twitter.com/slandail

http://www.jacadis.com/

contact@jacadis.com