Digital Armour: Adding Security to Software Development
Terry Labach, IST Information Security Services
#watitis2012
"Amateurs produce amateur security, which costs more in dollars, time, liberty, and dignity while giving us less -- or even no -- security."
- Bruce Schneier
Introduction
• Secure Application Development
  – what is it?
  – why should you care?
  – rules of thumb
• Examples
• Questions
Goals of Secure Application Development
• first, that the actual development process is secure: it aims to prevent unsafe code from being created, inserted, misused, or deployed
• second, that the application created is secure: it does not expose user data or allow unauthorized access to computer systems
Features of Secure Application Development
– combines fundamental good development practices with security knowledge
– principles applicable across development methodologies, technologies, languages, platforms
Why care about secure development?
We have duties outlined by the University and the government
• Policy 8
  – Information Security Policy for University of Waterloo
• FIPPA
  – Freedom of Information and Protection of Privacy Act
Why care about secure development?
• professional responsibility
  – our code should work as intended
  – robust enough to deal with unforeseen situations
Why isn’t secure development practised?
• developers don’t realize its importance
• not sure what is required
  – no training
  – no mentorship
• “shoot from the hip” approach to coding
  – experienced coders and co-ops alike
• no mandate from management
What causes security flaws in applications?
• Development
  – coding errors
  – process errors
• incomplete testing
  – failure to account for known threats
  – failure to build robustness to account for unknown threats
What causes security flaws in applications?
• Deployment
  – process errors
  – configuration errors
What are typical security flaws?
• many enumerations of flaws exist
• researchers at Fortify have suggested a taxonomy of software security errors
Taxonomy
1. Input Validation and Representation
2. API Abuse
3. Security Features
4. Time and State
5. Errors
6. Code Quality
7. Encapsulation
8. Environment
Secure Development Process
• no magic bullet to prevent security flaws…

"The 'code' which he suggests is however very contrary to the line of development here, and much more in the American tradition of solving one's difficulties by means of much equipment rather than by thought."
- Alan Turing, criticizing a proposed computer design.
Secure Development Process
• …but following simple rules of thumb can be quite effective at preventing errors, including security errors.
Development basics
• maintain separate environments for
  – development
  – testing
  – production
  – repositories
Development basics
• review code
• test code
Testing

“The system's security must, of course, be tested for invulnerability from frontal attack - but must also be tested for invulnerability from flank or rear attack.”
- Boris Beizer
Testing
• automatic testing
  – unit testing
  – regression testing
  – edge cases (boundaries)
  – fuzz testing
• vulnerability testing (IST)
Coding basics
• validate input
• validate output
• validate on the server, not the client
• permission, not exclusion (allow what is known to be good rather than trying to block what is known to be bad)
• limit the error messages sent to the client
• check return values
• handle anomalous behaviour (exceptions)
Design basics
• protect data
  – in transit (network, HTTP, email)
  – in place (files, database)
• limit user access
  – passwords
  – CAS
• layer defenses
Infrastructure basics
• use APIs and libraries rather than rolling your own
• know your software and deployment environments
Examples
• code and configuration snippets
• demonstrate techniques to improve security
• although they use particular languages, most techniques are applicable to many different languages
Examples: .NET and SQL
• programs often create SQL queries by concatenating text, including user input

```csharp
string query = "SELECT * FROM items WHERE itemname = '" + ItemName.Text + "'";
```

• a user may be able to craft an entry that includes SQL code and allows access to the database
Examples: .NET and SQL
• for the input "name' OR 'a'='a", the generated SQL is

```sql
SELECT * FROM items WHERE itemname = 'name' OR 'a'='a';
```

• this has the result of returning the entire items table
Examples: .NET and SQL
• to avoid this, pass the value as a parameter to the SQL statement

```csharp
using (SqlConnection conn = new SqlConnection(connString))
{
    string query = "SELECT * FROM items WHERE itemname = @Iname";
    SqlCommand cmd = new SqlCommand(query, conn);
    cmd.Parameters.AddWithValue("@Iname", Request.QueryString["Iname"]);
    conn.Open();
    ...
}
```
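The two query styles from these slides, run end to end as an added example that is not part of the talk: Python's standard sqlite3 module stands in for ADO.NET (its `?` placeholder plays the role of `@Iname`), the items table and its rows are constructed here, and the function names (`lookup_concatenated`, `lookup_parameterized`, `compare`) are mine.

```python
"""Added example (not from the talk): the slide's concatenated query beside its
parameterized form, run against an in-memory SQLite table (sqlite3 stands in
for ADO.NET; '?' is SQLite's positional placeholder, like @Iname in .NET)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory items table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, itemname TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO items (itemname, price) VALUES (?, ?)",
        [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.50)],  # constructed data
    )
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, item_name: str) -> list:
    """The flawed pattern from the slide: user text is pasted into the SQL string,
    so a quote character in the input changes the structure of the statement."""
    query = "SELECT * FROM items WHERE itemname = '" + item_name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, item_name: str) -> list:
    """The fix: the driver binds the value separately from the statement text,
    so the input is only ever compared as data and never parsed as SQL."""
    query = "SELECT * FROM items WHERE itemname = ?"
    return conn.execute(query, (item_name,)).fetchall()


def compare(item_name: str) -> tuple:
    """Return (row count from the concatenated query, row count from the bound query)."""
    conn = make_db()
    try:
        return (len(lookup_concatenated(conn, item_name)),
                len(lookup_parameterized(conn, item_name)))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("widget"))           # (1, 1): both return the one matching row
    print(compare("name' OR 'a'='a"))  # (3, 0): injection dumps the table; binding matches nothing
```

The bound version does not need any quoting or escaping of the input, which is the point: the statement text is fixed before the value is attached, so there is nothing for a crafted value to rewrite.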
Examples: Java
• random number generation
• Random
  – sequence determined by the initial seed
• SecureRandom
  – cryptographically strong random number generator
Examples: Java

```java
SecureRandom random = new SecureRandom();
byte[] bytes = new byte[20];
random.nextBytes(bytes);
```

• don’t bypass internal seeding with a non-random value (e.g. the time)
• occasionally create a new instance
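The same contrast in Python, as an added example that is not from the talk: the `random` module is a seeded PRNG like `java.util.Random`, and the `secrets` module draws from the OS CSPRNG like `java.security.SecureRandom`. The helper names (`token_from_seeded_prng`, `token_from_clock_seed`, `secure_token`) are mine, and the clock-seeded helper exists only to show the pitfall the slide warns about.

```python
"""Added example (not from the talk): Python's random module (seeded PRNG, the
counterpart of java.util.Random) beside the secrets module (OS-backed CSPRNG,
the counterpart of java.security.SecureRandom)."""
import random
import secrets
import time


def token_from_seeded_prng(seed: int, length: int = 20) -> bytes:
    """A token drawn from a PRNG seeded with a caller-chosen value. The whole
    output sequence is fixed by the seed: anyone who knows or can guess the
    seed can regenerate every token."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def token_from_clock_seed(length: int = 20) -> bytes:
    """The pitfall the slide warns about: seeding from the clock. Every caller
    in the same second gets the same token, and the seed space is tiny."""
    return token_from_seeded_prng(int(time.time()), length)


def secure_token(length: int = 20) -> bytes:
    """The equivalent of SecureRandom.nextBytes(bytes): bytes from the OS
    CSPRNG, with no seed for the caller to get wrong."""
    return secrets.token_bytes(length)


def seeded_tokens_repeat(seed: int) -> bool:
    """True: the same seed always yields the same token."""
    return token_from_seeded_prng(seed) == token_from_seeded_prng(seed)


def secure_tokens_distinct(trials: int = 8) -> bool:
    """True: independent secure tokens do not collide."""
    return len({secure_token() for _ in range(trials)}) == trials


if __name__ == "__main__":
    print(seeded_tokens_repeat(12345))     # True
    print(token_from_clock_seed().hex())   # identical for every call within the same second
    print(secure_tokens_distinct())        # True
```

Anything that must be unguessable (session identifiers, password-reset tokens, nonces) belongs on the `secrets` side; the seeded generator is fine for simulations and tests, where reproducibility is a feature.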
Examples: PHP
• securing cookies used for session management
  – session.cookie_lifetime
    • lifetime of the cookie in seconds
  – session.cookie_secure
    • whether the cookie is sent only over secure (HTTPS) connections
  – session.cookie_httponly
    • limit the cookie to the HTTP protocol, so client-side script cannot read it
Examples: PHP
• set the configuration in php.ini

```ini
session.cookie_lifetime = 7200
session.cookie_secure = 1
session.cookie_httponly = 1
```
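A small check for the three directives above, added here and not part of the talk: it reads php.ini-style text with a minimal parser written for this example (not PHP's own parser) and reports settings that leave the session cookie exposed. The two sample configurations are constructed, and the 7200-second bound is taken from the slide's own value.

```python
"""Added check (not from the talk): a linter for the three session cookie
directives the slides recommend. parse_ini is a minimal php.ini reader written
here; the sample ini text is constructed."""
import re

RECOMMENDED_MAX_LIFETIME = 7200  # the value the slide sets, used as the upper bound
_TRUE_VALUES = {"1", "on", "true", "yes"}  # spellings PHP accepts as true for ini booleans


def parse_ini(text: str) -> dict:
    """Minimal php.ini parser: 'key = value' lines, ';' comments, [sections] skipped.
    Assumption: values do not themselves contain ';'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings


def audit_session_cookies(ini_text: str, max_lifetime: int = RECOMMENDED_MAX_LIFETIME) -> list:
    """Return a list of findings; an empty list means the directives match the slide's advice."""
    s = parse_ini(ini_text)
    findings = []
    for directive in ("session.cookie_secure", "session.cookie_httponly"):
        value = s.get(directive)
        if value is None:
            findings.append(f"{directive} is not set (PHP's default is off)")
        elif value.lower() not in _TRUE_VALUES:
            findings.append(f"{directive} = {value!r}: flag is off")
    lifetime = s.get("session.cookie_lifetime")
    if lifetime is not None:
        if not lifetime.isdigit():
            findings.append(f"session.cookie_lifetime = {lifetime!r}: not a number of seconds")
        elif int(lifetime) > max_lifetime:
            findings.append(f"session.cookie_lifetime = {lifetime}: longer than {max_lifetime} seconds")
    return findings


# Constructed sample configurations (not taken from any real deployment).
WEAK_INI = """
[Session]
session.cookie_lifetime = 86400   ; one day
session.cookie_secure = Off
; session.cookie_httponly is left at its default
"""

RECOMMENDED_INI = """
session.cookie_lifetime = 7200
session.cookie_secure = 1
session.cookie_httponly = 1
"""

if __name__ == "__main__":
    for finding in audit_session_cookies(WEAK_INI):
        print("weak:", finding)
    print("recommended:", audit_session_cookies(RECOMMENDED_INI))  # []
```

Run it over the php.ini actually loaded on the server (the path `php --ini` reports), not the one in the source repository, since the deployment slide's "configuration errors" are precisely the cases where the two differ.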
Examples: PHP
• PHP can read HTTP GET values using the $_GET variable
  – could allow malicious input
  – removing dangerous input is not trivial
Examples: PHP
• filter_input (from PHP 5.2)
  – provides many filtering types
• to apply a filter to $_GET['my_string']

```php
<?php
$my_string = filter_input(INPUT_GET, 'my_string', FILTER_SANITIZE_STRING);
?>
```

• FILTER_SANITIZE_STRING was deprecated in PHP 8.1; prefer a validating filter (for example FILTER_VALIDATE_INT, or FILTER_VALIDATE_REGEXP with an allow-list pattern), which rejects input that does not match rather than trying to strip the dangerous parts
Examples: HTTP
• GET and POST are used to transfer user requests
• GET
  – query passed as part of the URL
  – can be cached, stored in browser history
• GET should not be used to transmit sensitive data
Examples: HTTP
• POST
  – data passed in the body of the HTTP request
  – encrypted in transit when using SSL/TLS connections, and, unlike a GET query string, not recorded in URLs, server logs, or browser history
Examples: Ruby
• filename validation with a regular expression
  – /^[\w\.\-\+]+$/
  – meant to allow only alphanumeric characters, ., +, -
  – ^ and $ match the beginning and end of a line
Examples: Ruby
• flaw
  – however, the above will allow the filename file.txt%0A<script>alert('hello')</script>
  – $ matches at %0A (a URL-encoded line break)
  – should use \A and \z to match the entire string
  – /\A[\w\.\-\+]+\z/
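The anchor bug from these two slides reproduced in Python, as an added example that is not from the talk. Ruby's `^` and `$` always match at line boundaries, which is Python's `re.MULTILINE` behaviour; without that flag Python's `$` still matches just before a trailing newline, so a weaker form of the same bug remains. The function names and the `ALLOWED` constant are mine; the payload is the slide's, with `%0A` decoded to a newline.

```python
"""Added example (not from the talk): the slide's Ruby anchor bug reproduced in
Python. ^ and $ are line anchors (always in Ruby, under re.MULTILINE in Python);
\\A and \\Z (Ruby: \\A and \\z) anchor the whole string."""
import re

ALLOWED = r"[\w\.\-\+]+"  # the slide's character class: word characters, '.', '-', '+'


def flawed_line_anchors(name: str) -> bool:
    """^...$ with Ruby-like semantics (re.MULTILINE): accepts anything after a newline."""
    return re.search(r"^" + ALLOWED + r"$", name, re.MULTILINE) is not None


def flawed_default_anchors(name: str) -> bool:
    """Python's default ^...$: rejects the full payload, but still accepts a
    trailing newline because $ also matches just before a final newline."""
    return re.search(r"^" + ALLOWED + r"$", name) is not None


def safe_filename(name: str) -> bool:
    """\\A...\\Z anchor the entire string; re.fullmatch(ALLOWED, name) is equivalent."""
    return re.search(r"\A" + ALLOWED + r"\Z", name) is not None


# The slide's payload with %0A decoded (constructed test input, not a real file name).
PAYLOAD = "file.txt\n<script>alert('hello')</script>"

if __name__ == "__main__":
    for candidate in ("file.txt", "file.txt\n", PAYLOAD, "../etc/passwd"):
        print(repr(candidate),
              flawed_line_anchors(candidate),
              flawed_default_anchors(candidate),
              safe_filename(candidate))
```

The check is an allow-list (the "permission, not exclusion" rule from the coding basics): it names the characters a filename may contain and rejects everything else, which is why the fix is to anchor the pattern rather than to add `<` or newline to a list of forbidden characters.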
Conclusions

“Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.”
- Bruce Schneier
Conclusions
• secure software development is not necessarily an onerous thing
• it does require awareness and discipline
• common sense development practices and a concern with correct operation of the program will prevent many security problems
Resources
• HP Fortify Taxonomy: Software Security Errors
• Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
• CSIS: 20 Critical Security Controls Version 4.0
Resources
• OWASP Top Ten Project
• OWASP Prevention Cheat Sheet Series
• 2011 CWE/SANS Top 25 Most Dangerous Software Errors
• IST Information Security Services