ensure software security already during development

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Ensure Software Security already during development Lucas v. Stockhausen Software Security Consultant [email protected] +49-1520 1898430 HP Enterprise Security

Upload: it-weekend

Post on 19-May-2015


DESCRIPTION

"How to Code Security into Software? Software Security Assurance with HP Fortify." Nowadays it becomes more and more obvious that security should not only be applied as an afterthought, but already during development. I will show possibilities on how you can integrate Software Security assurance in your Development Lifecycle, and what technologies and processes can help you with that." Lucas v. Stockhausen Software Security Consultant

TRANSCRIPT

Page 1: Ensure Software Security already during development


Ensure Software Security already during development

Lucas v. Stockhausen
Software Security Consultant
[email protected]
+49-1520 1898430
HP Enterprise Security

Page 2: Ensure Software Security already during development


Some Explanations

Page 3: Ensure Software Security already during development


Hacker: A person who enjoys exploring the details of (programmable) systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.

Definition Hacker (Wikipedia)

Page 4: Ensure Software Security already during development


Heise Newsletter 25.1.2012

http://www.h-online.com/security/news/item/Video-conferencing-systems-as-spying-tools-1421346.html

3 % of the publicly available IP addresses: ~5000 open video systems. Continuous exploit from there.

Page 5: Ensure Software Security already during development


No “Defence in Depth” means….

Page 6: Ensure Software Security already during development


Heise Newsletter 26.1.2012

http://www.h-online.com/security/news/item/Hackers-may-have-disrupted-railway-computers-and-schedules-1422666.html

Attack from 3 IP addresses on a US railway. No big damage – just 15 min delay.

Page 7: Ensure Software Security already during development


Page 8: Ensure Software Security already during development


How can HP Fortify help?

By 2016 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud services

Page 9: Ensure Software Security already during development


Today’s approach > expensive, reactive

1. Somebody builds insecure software

2. IT deploys the insecure software

3. We are breached or pay to have someone tell us our code is insecure

4. We convince & pay the developer to fix it

Page 10: Ensure Software Security already during development


Software Development Today

Small coding errors can have a big effect on security

Typical software development practices don’t address the problem

As a group, developers tend to make the same security mistakes over and over


Page 11: Ensure Software Security already during development


Why it doesn’t work

30x more costly to secure in production: after an application is released into Production, it costs 30x more than during design.

[Chart: relative cost to fix by phase (Requirements, Coding, Integration/component testing, System testing, Production) on a scale of 2X, 5X, 10X, 15X, 30X. Source: NIST]

Page 12: Ensure Software Security already during development


The right approach > systematic, proactive

1. Embed security into the SDLC development process (in-house, outsourced, commercial, open source)

2. Leverage a Security Gate to validate resiliency of internal or external code before Production

3. Monitor and protect software running in Production

Improve SDLC policies

This is application security

Page 13: Ensure Software Security already during development


Software must be Fortify'd

[Diagram: HP Fortify products mapped onto the SDLC phases PLAN, DESIGN, CODE, FUNCTIONAL TEST, ACCEPTANCE TEST, DEPLOY]

Products: Fortify Source Code Analysis, Fortify Security Scope, HP WebInspect, Fortify RTA, Fortify SSC Server

Labels: Source Code Security Audits; Run-Time Protection; Software Security Metrics and Reporting; Governance Module; Collaboration Module; Software Inventory

Page 14: Ensure Software Security already during development


Static Analysis

Page 15: Ensure Software Security already during development


Example Process

[Diagram: Security and Development Teams, tools and workflow steps]

Roles: CISO, Project Security Lead, Security Auditor, Development Manager, Developer

Tools: Fortify SSC Server, AWB (Auditworkbench), IDE, Fortify SCA, Fortify CM, Build Tool, Source Code Repository(s), Central Build Server(s), Defect Tracking System

Workflow: 1. Identify – 2. Audit – 3. Assign – 4. Fix – 5. Validate; Monitor

Page 16: Ensure Software Security already during development


Auditing – Different Possibilities

Auditworkbench

Collaboration Module (web-based Auditworkbench)

IDE - VS, Eclipse

Clicking on the issue and being guided through the source code is VERY important for understanding and fixing a vulnerability.

Page 17: Ensure Software Security already during development


Auditing (AWB and IDE) - Overview


Overview

Issue Groups

Filtering, Prioritization, Categorization

Functions and Rule-writing wizard (only in AWB)

Page 18: Ensure Software Security already during development


Auditing (AWB and IDE) – Trace the issue

[Screenshot: Diagram, Analysis Trace and Source Code panels]

Page 19: Ensure Software Security already during development


Detailed description of the issue

Auditing (AWB and IDE) – Training on the job

Page 20: Ensure Software Security already during development


Detailed recommendation to fix the issue

Auditing (AWB and IDE) – Training on the job

Page 21: Ensure Software Security already during development


Store Analysis

Auditing (AWB and IDE) - Result

See other comments and make comments yourself

File a bug

Page 22: Ensure Software Security already during development


Dynamic Analysis

Page 23: Ensure Software Security already during development


Introduction to WebInspect

WebInspect is a comprehensive Dynamic Application Security Testing (DAST) solution used by IT Security auditors and penetration testers to detect, classify and report discrete application vulnerabilities.

WebInspect dynamically interacts with your application, enumerating application parameters and server configuration characteristics that can be exploited by a malicious attacker.

WebInspect employs “ethical” attack methods which discover and confirm vulnerabilities without actually exploiting them.

Monthly WebInspect Technical Demonstration: http://www.hp.com/go/techdemos


Page 24: Ensure Software Security already during development


Live Scan

Start remediation of vulnerabilities immediately: live scan visualization.

[Screenshot: Dashboard; Site tree; Vulnerabilities found in application; Excluded and Allowed Hosts section; Detailed Attack Table; Live Scan Statistics]

Page 25: Ensure Software Security already during development


Grey Box Testing

Page 26: Ensure Software Security already during development


Page 27: Ensure Software Security already during development


Integrated Analysis

[Diagram: Dynamic Analysis – Application – SecurityScope, connected by a real-time link]

• Find More

• Fix Faster

Page 28: Ensure Software Security already during development


Real Time Analysis

Page 29: Ensure Software Security already during development


Fortify RTA : Components

Console

RTA

Page 30: Ensure Software Security already during development


SSC – Software Security Center

Page 31: Ensure Software Security already during development


Fortify SSC Server – Risk Management

Track, measure and understand software security risk

Flexible reporting

• Dashboards to details - Metrics that matter

• Snapshots and trends - Easy to customize

Page 32: Ensure Software Security already during development


Fortify SSC Server – Risk Management II

Track, measure and understand software security risk

Centralized management of software security

• Software security policy - Multiple projects

• Real-time alerts - Enterprise Security Rules management

Page 33: Ensure Software Security already during development


Fortify Server – Risk Management III

Track, measure and understand software security risk

Collaborative Auditing and Remediation

• Web-based Auditworkbench-like interface

• User Assignment

Page 34: Ensure Software Security already during development


How can HP Fortify help?


Page 36: Ensure Software Security already during development


And the knowledge?

Page 37: Ensure Software Security already during development


526 Categories to Date

[Chart: Growth in Vulnerability Categories, 2005 – 2012]

Examples of Categories

• Command Injection

• Cross-Build Injection

• Cross-Site Request Forgery

• Cross-Site Scripting

• HTTP Response Splitting

• JavaScript Hijacking

• LDAP Injection

• Privacy Violation

• Session Fixation

• SQL Injection

• System Information Leak

• Unhandled Exception

For a complete list, go to http://www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html

SRG updates the Fortify Secure Coding Rulepacks to identify the latest categories of software vulnerabilities on a quarterly basis.

Page 38: Ensure Software Security already during development


21 Languages to Date

[Chart: Growth in Language Support, 2005 – 2012]

Language Support

• ABAP

• ActionScript

• ASP.NET

• Java

• C

• C++

• C#

• COBOL

• ColdFusion

• T-SQL

• Objective-C

• PL/SQL

• JavaScript / AJAX

• XML/HTML

• Classic ASP

• JSP

• PHP

• Python

• VB.NET

• VBScript

• VB6

SRG leads the industry in support for the broadest array of programming languages.

Page 39: Ensure Software Security already during development


710,000+ APIs to Date

SRG builds extensive support for the packages and frameworks used today, resulting in support for over 710,000 APIs over 526 vulnerability categories and 21 languages.

[Chart: Growth in API Support, 2005 – 2012]

Sample Packages

• JDK 1.4, 1.5, 1.6

• Apache Struts 1.x, 2.x

• Hibernate 2.x, 3.x

• Spring 1.x, 2.x

• JSF 1.x

• .NET 1.1, 2.0, 3.0, 3.5

• Microsoft Practices Enterprise Library

• NHibernate 1.x

• Spring MVC

• Google GWT

• Java Webservices

Page 40: Ensure Software Security already during development


How to use?

Page 41: Ensure Software Security already during development


Security in the Development Lifecycle

Page 42: Ensure Software Security already during development


Maturity Models

Page 43: Ensure Software Security already during development


Four high-level Disciplines

All security-related activities are mapped under 4 Disciplines, each representing a group of related business functions:

Alignment & Governance – activities related to security program management and cross-cutting organizational concerns

Requirements & Design – activities related to the product conception and software design processes

Verification & Assessment – activities related to reviewing, testing, and validating software

Deployment & Operations – activities related to knowledge transfer and maintenance of running software

Page 44: Ensure Software Security already during development


What’s under each Discipline?

Disciplines: Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations

The 4 Disciplines are high-level categories for activities. Three security Functions under each Discipline are the specific silos for improvement within an organization.

Page 45: Ensure Software Security already during development


Security Research – Fortify SSA Maturity Model

[Diagram: Disciplines and Functions laid over Initiate / Define / Implement and Design / Develop / Test / Operate, with Fortify SSC, SCA, WebInspect, RTA and Fortify SSC Server placed on the model]

Alignment & Governance: Strategic Planning, Standards & Compliance, Education & Guidance

Requirements & Design: Threat Modeling, Security Requirements, Defensive Design

Verification & Assessment: Architecture Review, Code Review, Security Testing

Deployment & Operations: Vulnerability Management, Infrastructure Hardening, Operational Enablement

Page 46: Ensure Software Security already during development


SSA Scorecard

[Diagram: Blank Scorecard → Industry Best Practices → Enterprise Scoring → Prioritized Roadmap; columns Objective 0, Objective 1, Objective 2, Objective 3]

Functions scored per Discipline: Governance & Alignment (Education, Standards, Planning); Requirements & Design (Threat Modeling, Security Requirements, Defensive Design); Verification & Assessment (Architecture Review, Code Review, Security Testing); Deployment & Operations (Vulnerability Management, Infrastructure Hardening, Operational Enablement)

Page 47: Ensure Software Security already during development


SSA Best Practice Approach – Key Principles

Rapid identification and remediation of critical vulnerabilities

• Don’t “forget to fix” or “boil the ocean”

Prevent introduction of new vulnerabilities

• Integrate into existing SDLC with minimal process changes

• Provide flexibility to integrate with new SDL as it rolls out

Provide support for the developers

• Training in the context of their own code base

• Mentoring as required

Monitor and control

• Automate gathering of vulnerability statistics and publish

• Enforcement via security gate

Continuous Improvement

Page 48: Ensure Software Security already during development


Goals and benefits for Software Security Assurance (SSA)

A successful software security initiative leads to:

• Measurably reduced risk from existing applications

• A controlled process for preventing vulnerabilities in new releases

• Reduced costs, delays, and wasted effort from emergency bug fixes and incident clean-up

Page 49: Ensure Software Security already during development


Success is foreseeing failure. – Henry Petroski

Page 50: Ensure Software Security already during development


Thank you

Lucas v. Stockhausen
[email protected]
+49-1520 1898430

Page 51: Ensure Software Security already during development


Backup Slides

Page 52: Ensure Software Security already during development


RAST is the key to correlation

[Diagram: WebInspect – SecurityScope – SCA]

ID: 234 – File: NewClass.java, Line: 27

ID: 234 – File: NewClass.java, Line: 27

URL: www.sales.company.com

Source Code: <java.sql.Connection.xxx>

Page 53: Ensure Software Security already during development


ROI

Page 54: Ensure Software Security already during development


The Breach

The biggest ROI is no breach:

No regulatory costs

No brand reputation damage

Hard to measure if it never happened to you before.

Page 55: Ensure Software Security already during development


Fixing Bugs Earlier in the Lifecycle

Cost of Fixing One Vulnerability, Based On The Stage It Was Identified:

Requirements $139, Design $455, Coding $977, Testing $7,136, Maintenance $14,102

Page 56: Ensure Software Security already during development


Example: Cost of Fixing Critical Defects

The following case study provides an example of the savings generated by using source code analysis to find vulnerabilities earlier in the SDLC.

Application

• Sample Application Size: 2 Million LOC

Vulnerabilities Identified Using SCA

• Defects Identified during SCA: 1,600

• Defects Deemed Critical: 200

Page 57: Ensure Software Security already during development


Example: Cost of Fixing Critical Defects

Cost of Fixing Vulnerabilities Later

Stage          Critical Bugs Identified   Cost of Fixing 1 Bug   Cost of Fixing All Bugs
Requirements   -                          $139                   -
Design         -                          $455                   -
Coding         -                          $977                   -
Testing        50                         $7,136                 $356,800
Maintenance    150                        $14,102                $2,115,300
Total          200                                               $2,472,100

Cost of Fixing Vulnerabilities Early

Stage          Critical Bugs Identified   Cost of Fixing 1 Bug   Cost of Fixing All Bugs
Requirements   -                          $139                   -
Design         -                          $455                   -
Coding         200                        $977                   $195,400
Testing        -                          $7,136                 -
Maintenance    -                          $14,102                -
Total          200                                               $195,400

Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3MM.

Page 58: Ensure Software Security already during development


Quiz

Page 59: Ensure Software Security already during development


Quiz

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + itemName + "'";
ResultSet rs = stmt.executeQuery(query);

Username = lucas
Itemname = x' or 1=1; --

Page 60: Ensure Software Security already during development


Quiz - Solution

With the two inputs substituted into the concatenation:

String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + lucas + "' AND itemname = '"
    + x' or 1=1; -- + "'";
ResultSet rs = stmt.executeQuery(query);

Username = lucas
Itemname = x' or 1=1; --

Page 61: Ensure Software Security already during development


Quiz - Solution

The resulting query:

SELECT * FROM items WHERE owner = 'lucas' AND itemname = 'x' or 1=1; -- '

Username = lucas
Itemname = x' or 1=1; --
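The quiz re-created in Python against an in-memory SQLite table, as an added example that is not part of the slide deck: the concatenated query from the slide is rebuilt character for character and run next to a parameterized version of the same lookup, so the two behaviours can be compared on real rows. The items table and its rows are constructed sample data, and SQLite stands in for the JDBC connection of the original.

```python
import sqlite3

# Constructed sample rows standing in for the "items" table the quiz queries.
# (owner, itemname): only two of them belong to user "lucas".
ROWS = [
    ("lucas", "x"),
    ("lucas", "notebook"),
    ("alice", "ledger"),
    ("bob", "wallet"),
]

# The two inputs from the quiz slide: the authenticated user and the
# attacker-controlled request parameter "itemName".
QUIZ_USER = "lucas"
QUIZ_ITEM = "x' or 1=1; --"


def make_db():
    """Fresh in-memory database holding the constructed items table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return con


def build_query_like_quiz(user_name, item_name):
    """String concatenation exactly as on the quiz slide (the vulnerable pattern)."""
    return ("SELECT * FROM items WHERE owner = '"
            + user_name + "' AND itemname = '"
            + item_name + "'")


def lookup_concatenated(con, user_name, item_name):
    """Vulnerable lookup: itemName becomes part of the SQL grammar.

    With the quiz input the WHERE clause turns into
    (owner = 'lucas' AND itemname = 'x') OR 1=1, which matches every row,
    and the trailing -- comments out the closing quote the code appends.
    """
    return con.execute(build_query_like_quiz(user_name, item_name)).fetchall()


def lookup_parameterized(con, user_name, item_name):
    """Fixed lookup: the query text is constant, the values are bound by the driver.

    The JDBC equivalent of the slide's code is a PreparedStatement with
    setString(1, userName) and setString(2, itemName); the same input is then
    only an item name, and one that matches nothing.
    """
    return con.execute(
        "SELECT * FROM items WHERE owner = ? AND itemname = ?",
        (user_name, item_name),
    ).fetchall()


def run_quiz():
    """Run both variants with the quiz inputs and return the evidence."""
    con = make_db()
    return {
        "query": build_query_like_quiz(QUIZ_USER, QUIZ_ITEM),
        "concatenated": lookup_concatenated(con, QUIZ_USER, QUIZ_ITEM),
        "parameterized": lookup_parameterized(con, QUIZ_USER, QUIZ_ITEM),
    }


if __name__ == "__main__":
    result = run_quiz()
    print(result["query"])
    print("concatenated  ->", len(result["concatenated"]), "rows (every owner's items)")
    print("parameterized ->", len(result["parameterized"]), "rows")
```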