integrating security into the application development process
Post on 07-Dec-2014
493 Views
Preview:
DESCRIPTION
TRANSCRIPT
Integrating Security into the Application Development Process
Jerod Brennen, CISSPCTO & Principal Security Consultant, Jacadis
Agenda
• Seek First to Understand• Source Code Security• AppSec and SQA• Analyzing Deployed Applications• Other Considerations• Resources
How to Write Good Code
From http://xkcd.com/844/
SEEK FIRST TO UNDERSTAND
Development Methodologies
• Agile with Scrum• Capability Maturity Mode Integrated
– 1 (Waterfall)– 3 (Iterative)– 5 (Spiral)
• Extreme Programming (XP)• Object-Oriented Development• Pair Programming With Iterative• Proofs of Correctness with Waterfall• Rational Unified Process (RUP)• Team Software Process (TSP)
List from http://www.infoq.com/articles/evaluating-agile-software-methodologies
Programming Languages
• ASP.NET• C / C++ / C# / Objective-C• HTML5• Java• PHP• Python• Ruby• What else?
Risk/Security Frameworks
• COBIT (ISACA)• COSO (SOX)• HITRUST CSF (HIPAA)• ISO/IEC 27002:2005• NIST• OCTAVE (CERT)• STRIDE/DREAD
– Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
– Damage, Reproducibility, Exploitability, Affected users, Discoverability
Project Phase-Gate Model
• Scoping• Build Business Case• Development• Testing and Validation• Launch
The OWASP Top Ten (Web)
• A1 – Injection• A2 – Broken Authentication and Session Management• A3 – Cross-Site Scripting (XSS)• A4 – Insecure Direct Object References• A5 – Security Misconfiguration• A6 – Sensitive Data Exposure• A7 – Missing Function Level Access Control• A8 – Cross-Site Request Forgery (CSRF)• A9 – Using Components with Known Vulnerabilities• A10 – Unvalidated Redirects and Forwards
The OWASP Top Ten (Mobile)
• M1 – Insecure Data Storage• M2 – Weak Server Side Controls• M3 – Insufficient Transport Layer Protection• M4 – Client Side Injection• M5 – Poor Authorization and Authentication• M6 – Improper Session Handling• M7 – Security Decisions Via Untrusted Inputs• M8 – Side Channel Data Leakage• M9 – Broken Cryptography• M10 – Sensitive Information Disclosure
Prep Checklist
• What development methodologies do we follow?• What programming languages do we use?• What risk/security frameworks do we follow?• What third-party libraries do we use?• What stages in the development process require
approval from the security team?
SOURCE CODE SECURITY
Code Reviews
• Benefits– Find flaws– Reduce fraud
• Peer Reviews in Software, by Karl Wiegers– Ad hoc review– Passaround– Pair programming– Walkthrough– Team Review– Inspection
OWASP Code Review Project
• Methodology (v1.1, current)– Preparation– Security Code Review in the SDLC– Security Code Review Coverage– Application Threat Modeling– Code Review Metrics
• Methodology (v2.0, due in January 2014)– Preparation– Application Threat Modeling– Understanding Code Layout/Design/Architecture– Reviewing by Technical Control– Reviewing by Vulnerability– Security Code Review for Agile Development
Code Review Tools
• NIST SAMATE– Software Assurance Metrics and Tool
Evaluation
• Tools– Source Code Security Analyzers– Byte Code Scanners– Binary Code Scanners
Code Review Tools (cont’d)
• Checkmarx ($; multiple languages)• DevInpsect ($; Java, .NET)• FindBugs / FindSecurityBugs (free; Java)• FxCop (free; .NET)• IDA Pro ($; Windows/Linux executables)• LAPSE (free; Java)• PMD (free; Java)• Rational AppScan ($; multiple languages)• RATS (free; C, C++, Perl, PHP, Python)
APPSEC AND SQA
The SQA Process
• Initiation• Planning• Tracking• Training• Reviews• Issue Resolution• Testing• Audit• Process Improvement
List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
Positive and Negative Testing
• Positive Test Cases– Does the app do what it’s supposed to
do?
• Negative Test Cases– Does the app do anything it’s not
supposed to do?
Top 10 Negative Test Cases
• Embedded Single Quote• Required Data Entry• Field Type Test• Field Size Test• Numeric Bounds Test• Numeric Limits Test• Date Bounds Test• Date Validity• Web Session Testing• Performance Changes
List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
SQA Security Tools
• QAInspect• OWASP Zed Attack Proxy (ZAP)• OWASP Mantra
ANALYZING DEPLOYED APPLICATIONS
Application Scanning
• Automated scanners interact with an app like an actual user
• Production vs. Non-Production• Authenticated vs. Non-Authenticated• Don’t forget the app infrastructure
– Host Systems– Web Servers– Backend Databases
Manual App Analysis
• OWASP Testing Guide (v3)– Information Gathering– Configuration Management Testing– Authentication Testing– Session Management Testing– Authorization Testing– Business Logic Testing– Data Validation Testing– Testing for Denial of Service– Web Services Testing– AJAX Testing
• Version 4 in development (some material available)
Scanning vs. Pen Testing
• Scanning– Automated– Look for signature-based flaws– Some heuristics
• Web App Pen Testing– Unconventional thinking– Test application logic
Web App Security Scanners
• Acunetix Web Vulnerability Scanner (WVS)• AppScan• Arachni• Burp Suite• Grendel-Scan• QualysGuard Web Application Scanner (WAS)• SamuraiWTF• Veracode Web Application Security (WAS)• W3AF• WebInspect• WebSecurify
OTHER CONSIDERATIONS
SQA Metrics
• ISO 9126-1 (Software Quality)– Functionality
• Security (unauthorized access)– Reliability– Usability– Efficiency– Maintainability– Portability
• Security – CIA Triad– Confidentiality– Integrity– Availability
SQA Metrics (cont’d)
• OWASP– Cross-site scripting tests run– SQL injection tests run– User input tests run– Cookie or credentials manipulation testing has been performed– Denial of Service scenarios have been checked
• Vulnerabilities detected vs. vulnerabilities remediated
List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics
Developer Training
• OWASP Resources– Top 10 Application Security Risks– Top 10 Mobile Security Risks– WebGoat Project (Java)– Mutillidae (PHP)– Bricks (PHP and MySQL)
• SANS Courses– SEC542: Web App Penetration Testing and Ethical Hacking– DEV522: Defending Web Applications Security Essentials– DEV541: Secure Coding in Java/JEE– DEV544: Secure Coding in .NET
• Web Application Security Consortium
Professional Organizations
• OWASP• ISSA• (ISC)2• InfraGard• ISACA• W3C Web Application Security
Working Group
RESOURCES
Resources• Codecademy
– http://www.codecademy.com/learn
• OWASP Top Ten (2013)– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project– https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_-
_English.pptx• OWASP Code Review Project
– https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
• NIST SAMATE– http://samate.nist.gov/
• Web App Scanner List– http://projects.webappsec.org/w/page/13246988/Web%20Application
%20Security%20Scanner%20List• SecTools
– http://sectools.org/
More Resources• Project Phase Gate Model
– http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model
• ISO 9126 Software Quality Characteristics– http://www.sqa.net/iso9126.html
• Top 10 Negative Test Cases– http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
• OWASP – Software Quality Assurance– https://www.owasp.org/index.php/Software_Quality_Assurance
• OWASP Testing Project– https://www.owasp.org/index.php/OWASP_Testing_Project
• “952” Metrics for Software Quality Assurance (SQA)– http://davidfrico.com/sqa-metrics.pdf
• Web Application Security Working Group– http://www.w3.org/2011/webappsec/
Even More Resources• SQL Injection Tutorial
– http://www.youtube.com/watch?v=qELByGfNJSE
• OWASP Mobile Security Project– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project– http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• OWASP WebGoat– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• OWASP Mutillidae– https://www.owasp.org/index.php/Category:OWASP_Mutillidae
• OWASP Bricks– https://www.owasp.org/index.php/OWASP_Bricks
Contact Info
Jerod Brennen, CISSPCTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin/com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/
contact@jacadis.com
top related