
Page 1: Deloitte & Touche LLP The Future of the System Development Life Cycle (SDLC) March 10, 2010 Andrew Murren

Deloitte & Touche LLP

The Future of the System Development Life Cycle (SDLC)

March 10, 2010

Andrew Murren

Page 2

What is the Systems Development Life Cycle (SDLC)?

Page 3

SDLC Defined

SDLC is the process of developing information systems through investigation, analysis, design, implementation and maintenance. SDLC is also known as information systems development or application development. SDLC is a systems approach to problem solving and is made up of several phases, each comprised of multiple steps:

• The software concept: Identifies and defines a need for the new system

• A requirements analysis: Analyzes the information needs of the end users

• The architectural design: Creates a blueprint for the design with the necessary specifications for the hardware, software, people and data resources

• Coding and debugging: Creates and programs the final system

• System testing: Evaluates the system's actual functionality in relation to expected or intended functionality.

[1] http://www.webopedia.com/TERM/S/SDLC.html

Page 4

The NIST Systems Development Life Cycle (SDLC)

A version from the National Institute of Standards and Technology (NIST) [1] defines the phases as:

• Initiation: During the initiation phase, the need for a system is expressed and the purpose of the system is documented.

• Development/Acquisition: During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.

• Implementation/Assessment: After system acceptance testing, the system is installed or fielded.

• Operations & Maintenance: During this phase, the system performs its work. The system is almost always modified by the addition of hardware and software and by numerous other events.

• Disposal: Activities conducted during this phase ensure the orderly termination of the system, safeguarding vital system information, and migrating data processed by the system to a new system, or preserving it in accordance with applicable records management regulations and policies.

[1] NIST Special Publication 800-64 Revision 2: Security Considerations in the System Development Life Cycle


Page 5

Quiz Time!

Test your knowledge of how vulnerable systems are!

Page 6

Question 1

1. About how many new malware signatures were added by Symantec in 4Q2009?

a. Over 1.5 million

b. Between 1 million and 1.5 million

c. Between 500,000 and 1 million

d. Less than 500,000

Page 7

Question 2

2. According to McAfee in 2009 about how many new zombie computers were created per day in 3Q2009?

a. Over 250,000

b. Between 150,000 and 250,000

c. Between 100,000 and 150,000

d. Less than 100,000

Page 8

Question 3

3. (ISC)2 estimated what percentage of security breaches are application related?

a. 80%

b. 70%

c. 60%

d. 50%

Page 9

Question 4

4. In February 2010, Security Labs collected and tested more than 30,000 live malicious URL samples against the typical tools of third-party URL lists and anti-virus scanners. How many malicious URLs pass unnoticed through anti-virus scanners and URL filtering, even when these two approaches are used together?

a. Between 50% and 70%

b. Between 30% and 50%

c. Between 10% and 30%

d. Less than 10%

Page 10

Quiz Solutions

Page 11

Question 1

1. About how many new malicious code signatures were added by Symantec in 4Q2009?

a. Over 1.5 million

b. Between 1 million and 1.5 million

c. Between 500,000 and 1 million

d. Less than 500,000

Symantec added 921,143 new malicious code signatures in 4Q2009.

Page 12

Question 2

2. According to McAfee in 2009 about how many new zombie computers were created per day in 3Q2009?

a. Over 250,000

b. Between 150,000 and 250,000

c. Between 100,000 and 150,000

d. Less than 100,000

McAfee estimates that 148,000 new zombie computers were created per day, and 40 million in the first three quarters of 2009.

Page 13

Question 3

3. (ISC)2 estimated what percentage of security breaches are application related?

a. 80%

b. 70%

c. 60%

d. 50%

(ISC)2 estimates that 80% of security breaches are due to applications. As operating systems become more secure, attacks are moving to less secure applications, and specifically to web applications.

Page 14

Question 4

4. In February 2010, Security Labs collected and tested more than 30,000 live malicious URL samples against the typical tools of third-party URL lists and anti-virus scanners. How many malicious URLs pass unnoticed through anti-virus scanners and URL filtering, even when these two approaches are used together?

a. Between 50% and 70%

b. Between 30% and 50%

c. Between 10% and 30%

d. Less than 10%

Security Labs found that, in the best case scenario, 60% passed through filters and scanning.

Page 15

Quiz Time

How did you do?

Page 16

Key Components to Secure SDLC

Security Architecture and Code Review

Security Architecture review focuses on identifying weaknesses in the design, implementation and security controls of the application, including:

Authentication & Authorization

Session management

Secure communications

Sensitive data management (Privacy of information)

Parameter validation

Configuration management

Database access management

Exception management

Audit Log management

Page 17

Key Components to Secure SDLC (cont.)

Security Architecture and Code Review (cont.)

Code quality

Cache Management, Pooling, and Reuse

System Calls

Automated line by line review of source code along with manual code reviews

Detection of vulnerabilities in security design and/or flaws of the application

Identification of security vulnerabilities in the Source code of the application

Evaluation of secured application development processes

Page 18

Key Components to Secure SDLC (cont.)

Application Vulnerability Testing

Consists of a controlled security test of the application environment to identify potential external exposures. Application testing includes the following:

Black-box (un-credentialed) and grey-box (credentialed) testing

Insecure configuration Testing (e.g., missing patches, improper file or directory permissions, default accounts, excessive services, unnecessary coding files)

Manipulation testing (e.g., Injection flaws, privilege escalation, insecure direct object reference, cross-site scripting, forceful browsing)

Aggregation Testing (e.g., error messages, support data, legacy code, Developer comments)

Iteration Testing (e.g., “brute force” techniques can be used for timing attacks or to bypass session/state management)

Page 19

Source Code Analysis Tools

Ounce 6 - automatically delivers confirmed vulnerabilities directly to the developer's IDE as part of the SDLC build process.

Fortify 360 - integrates source code analysis, program trace analysis and real-time analysis to identify the most comprehensive and accurate list of vulnerabilities

Veracode - provides code analysis and web application security testing through a software-as-a-service delivery model

Coverity - offers integrated static and dynamic code analysis, build analysis and architecture analysis

Page 20

Web Application Assessment Tools

IBM AppScan - automates Web application security assessments. Automatically validates and provides fix advisories for both Common Web Vulnerabilities (CWVs) and application-specific vulnerabilities, such as cross-site scripting and SQL injection

Nikto - Web server scanner that performs comprehensive tests, including more than 3,550 potentially dangerous files/CGIs, versions on more than 115 products/CGIs, and reports details on more than 180 products/CGIs.

Whisker - CGI scanner.

Web Sphinx - A fully customizable web crawler that browses and processes Web pages automatically.

NGS OraScan - A security tool designed to automate the process of assessing an Oracle web front end and its online applications.

Page 21

What Changes are Happening?

Virtualization

Pervasive, Always On Connectivity

Cloud Computing

Breakdown of the Traditional Perimeter

Social Networking / Web 2.0

New Laws and Regulations

• Privacy

• Due Diligence

Increased Sophistication and Capability of Attackers

• Criminal Organizations

• Government Agencies

• Non-Nation/State Political Actors

Page 22

Current SDLC Issues / Trends

"The most obvious issue is that security defects come in two flavors - implementation bugs found at the code level and architectural flaws found at the design level. Each of these accounts for roughly half of the defects in practice." - Gary McGraw, CTO, Cigital

Application breaches today are primarily the result of poor coding, yet security embedded in SDLC processes continues to be an afterthought

Simply maintaining patches on COTS can address a number of vulnerabilities; however, few organizations stay ahead of the curve

Most security groups state that security resources are not involved early and often enough in the SDLC process, yet when asked to participate, security groups do not always dedicate the time/resources required

To address the above, organizations are moving towards:

• More formalized security integration into SDLC

• Code scanning during SDLC process

Page 23

Emerging Security Considerations

Virtualization

• Multiple Virtual Machines (VM) on One Physical Host

• Security Zones

• Inter-VM communications

Cloud Computing

• Trusted Connections

• Legal & regulatory compliance of actual hosting location

• Shared physical hosts

Embedded & Mobile Applications

• Multiple methods of connecting (Bluetooth, IR, Wireless)

• Always on

Data Protection

• Backup

• Data Loss Protection

Page 24

Microsoft's Security Development Lifecycle (SDL)

Stage 0: Education and Awareness

Stage 1: Project Inception

Stage 2: Define and Follow Design Best Practices

Stage 3: Product Risk Assessment

Stage 4: Risk Analysis

Stage 5: Creating Security Documents, Tools, and Best Practices for Customers

Stage 6: Secure Coding Policies

Stage 7: Secure Testing Policies

Stage 8: The Security Push

Stage 9: The Final Security Review

Stage 10: Security Response Planning

Stage 11: Product Release

Stage 12: Security Response Execution

The Trustworthy Computing Security Development Lifecycle (or SDL) is the process that Bill Gates announced in January 2002 and that Microsoft adopted for the development of software after a number of high profile security attacks that embarrassed the company.

It was added on top of Microsoft's existing SDLC. It is designed for Microsoft's SDLC and is considered by many smaller organizations too complex and heavy. In February 2010 Microsoft released a simpler version for organizations that don't have the same resources as Microsoft.

Page 25

Microsoft's Trustworthy Computing effort has four major benefits: 1) risk reduction, 2) cost reduction, 3) improved time-to-market, 4) enhanced functionality

Microsoft reduced the number of security incidents by half using their Security Development Lifecycle (SDL)

On average, a critical vulnerability costs Microsoft $100k

The cost of any defect increases exponentially throughout the SDLC

Unsecured applications raise operational cost by forcing constant reaction to operational security issues

[Chart: security incidents, Pre-SDL vs. Post-SDL]

Source: Microsoft Research Faculty Summit 2005: The Trustworthy Computing Security Development Lifecycle, by Steve Lipner

Microsoft's Changes to their SDLC

Security review costs are reduced significantly using SDL

Time to market improves after the initial investment

Componentized software security with clearly defined interfaces and guidelines encourages reuse which results in cost savings and faster time to market

Page 26

Quiz Time Again!

Test your knowledge of some system vulnerabilities!

Page 27

Question 1

1. According to Symantec what application was the top target of web attacks in 2009?

a. Microsoft Internet Explorer

b. Adobe Acrobat

c. Microsoft Movie Maker

d. Mozilla's Firefox

Page 28

Question 2

2. What percentage of applications evaluated by Veracode got a passing score for security the first time tested?

a. Between 50% and 70%

b. Between 30% and 50%

c. Between 10% and 30%

d. Less than 10%

Page 29

Question 3

3. What is the Number 1 programming error on The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list?

a. SQL Injection

b. Buffer Overflow

c. OS Command Injection

d. Cross-site Scripting

Page 30

Question 4

4. How much was stolen by cybercriminals from small to medium sized businesses in 3Q2009?

a. Over $20 million

b. Between $10 and $20 million

c. Between $5 and $10 million

d. Less than $5 million

Page 31

Quiz Solutions

Page 32

Question 1

1. According to Symantec what application was the top target of web attacks in 2009?

a. Microsoft Internet Explorer

b. Adobe Acrobat

c. Microsoft Movie Maker

d. Mozilla's Firefox

The Acrobat PDF file download vulnerability accounted for 47% of all web attacks. When the various attacks against Microsoft IE were combined, they accounted for 37% of attacks.

Page 33

Question 2

2. What percentage of applications evaluated by Veracode got a passing score for security the first time tested?

a. Between 50% and 70%

b. Between 30% and 50%

c. Between 10% and 30%

d. Less than 10%

Open Source applications passed 39%

Commercial applications passed 38%

Internally Developed applications passed 31%

Applications were evaluated against the CWE/SANS Top 25 Most Dangerous Programming Errors.

Page 34

Question 3

3. What is the Number 1 programming error on The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list?

a. SQL Injection

b. Buffer Overflow

c. OS Command Injection

d. Cross-site Scripting

CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')

"Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications." XSS is an easy to detect and fix design flaw.

The top 5 were:

1. Cross-site Scripting

2. SQL Injection

3. Classic Buffer Overflow

4. Cross-Site Request Forgery (CSRF)

5. Improper Access Control (Authorization)
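The "easy to detect and fix" point about XSS, and the automated line-by-line source review described on the Security Architecture and Code Review slide, as an added illustration that is not from the slides or from any of the vendor tools named: a constructed rendering function that concatenates untrusted input into HTML next to its output-encoded fix, plus a small AST check of the kind a source code analysis tool automates at build time. All function names and the sample source are constructed for this example.

```python
import ast
import html

# Constructed "before" of a CWE-79 defect: untrusted input is concatenated
# straight into the HTML body, so markup in `name` is rendered as markup.
def render_greeting_vulnerable(name: str) -> str:
    return "<p>Hello, " + name + "!</p>"

# Constructed "after": output encoding for the HTML body context turns
# '<', '>', '&' and quotes into entities, so the page structure is preserved.
def render_greeting_fixed(name: str) -> str:
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"

# Minimal static check (hypothetical; real SCA tools do full taint tracking):
# flag any '+' chain that mixes an HTML-looking string literal with an
# operand that is neither a literal nor wrapped in an escape() call.
def _operands(node):
    """Flatten a left-associative a + b + c chain into its operands."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _operands(node.left) + _operands(node.right)
    return [node]

def _is_html_literal(node):
    return (isinstance(node, ast.Constant)
            and isinstance(node.value, str) and "<" in node.value)

def _is_escaped(node):
    """True for html.escape(...) or a bare escape(...) call."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
    return name == "escape"

def find_unescaped_html_concat(source: str):
    """Return sorted line numbers where an HTML literal is concatenated
    with data that has not passed through an escape() call."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            ops = _operands(node)
            has_html = any(_is_html_literal(o) for o in ops)
            has_raw = any(not isinstance(o, ast.Constant) and not _is_escaped(o)
                          for o in ops)
            if has_html and has_raw:
                findings.add(node.lineno)
    return sorted(findings)

# Constructed sample source to scan: line 3 is the defect, line 6 is the fix.
SAMPLE_SOURCE = '''
def page(user):
    return "<h1>" + user + "</h1>"

def safe_page(user):
    return "<h1>" + html.escape(user) + "</h1>"
'''

if __name__ == "__main__":
    print(render_greeting_vulnerable("<b>x</b>"))   # markup survives
    print(render_greeting_fixed("<b>x</b>"))        # markup neutralised
    print(find_unescaped_html_concat(SAMPLE_SOURCE))  # [3]
```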

Page 35

Question 4

4. How much was stolen by cybercriminals from small to medium sized businesses in 3Q2009?

a. Over $20 million

b. Between $10 and $20 million

c. Between $5 and $10 million

d. Less than $5 million

According to FBI statistics, cybercriminals stole over $25 million in 3Q2009. During the same period, traditional bank robberies took less than $9.5 million.

Page 36

Quiz Time Again

How did you do?

Page 37

Models for Securing SDLC

Microsoft's Security Development Lifecycle

• Adds activities on top of existing SDLC

• Used by many large software developers

• Can be expensive

Cigital's Touch Points

• Seven activities that can be added into existing SDLC

• Designed to be phased in with minimal impact

• Adopted by DHS and DoD

The Open Web Application Security Project (OWASP) Comprehensive, Lightweight Application Security Process (CLASP)

• Set of process pieces that can be integrated into any software development process

• Designed to be easy to adopt and effective

• Freely available for organizations to obtain and adopt

Page 38

Trends in SDLC

Adopting all or parts of the Secure Development models

Use of Source Code Analysis (SCA) tools such as Fortify and Ounce

Increased Risk Analysis throughout the SDLC

Adding Threat Modeling, Abuse Cases and Security Requirements to the initial design requirements

External reviews

Incorporating Web Application Firewalls and other application layer security devices to the network

Vulnerability Assessments and Penetration Testing as part of the application testing and acceptance

Adding checklists of do's and don'ts to development policies

Movement to add security assurances to software acquisition contracts

Page 39

Takeaways

SDLC is the process to develop and maintain software

Applications are now the prime targets of attackers as the OS layer gets more secure

The diffusion of the client environment makes securing applications more critical

Virtualization and Cloud Computing will make designers and developers adapt due to less certainty of the hosting environment

Current network and host based defenses are not enough

Legal issues are becoming increasingly important, with increased visibility by lawyers

Rewards for cyber theft are significantly higher than for traditional theft

Page 40

Questions?