Ensure Software Security already during development
DESCRIPTION
"How to Code Security into Software? Software Security Assurance with HP Fortify." Nowadays it becomes more and more obvious that security should not only be applied as an afterthought, but already during development. I will show possibilities on how you can integrate Software Security Assurance in your Development Lifecycle, and what technologies and processes can help you with that. – Lucas v. Stockhausen, Software Security Consultant
TRANSCRIPT
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Ensure Software Security already during development
Lucas v. Stockhausen, Software Security Consultant
[email protected]
+49-1520 1898430
HP Enterprise Security
Some Explanations
Hacker: A person who enjoys exploring the details of (programmable) systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
Definition of "Hacker" (Wikipedia)
Heise Newsletter 25.1.2012
http://www.h-online.com/security/news/item/Video-conferencing-systems-as-spying-tools-1421346.html
3% of the publicly available IP addresses: ~5000 open video systems. Continuous exploitation from there.
No “Defence in Depth” means….
Heise Newsletter 26.1.2012
http://www.h-online.com/security/news/item/Hackers-may-have-disrupted-railway-computers-and-schedules-1422666.html
Attack from 3 IP addresses on a US railway. No big damage – just a 15 min delay.
How can HP Fortify help?
By 2016 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud services
Today’s approach > expensive, reactive
1. Somebody builds insecure software
2. IT deploys the insecure software
3. We are breached or pay to have someone tell us our code is insecure
4. We convince & pay the developer to fix it
Software Development Today
Small coding errors can have a big effect on security
Typical software development practices don’t address the problem
As a group, developers tend to make the same security mistakes over and over
Why it doesn’t work
Chart (Source: NIST): relative cost of fixing a defect by the stage in which it is found, across Requirements, Coding, Integration/component testing, System testing and Production, with marks at 2x, 5x, 10x, 15x and 30x.
After an application is released into Production, fixing a defect costs 30x more than during design.
The right approach > systematic, proactive
This is application security
1. Embed security into the SDLC development process (in-house, outsourced, commercial and open source code)
2. Leverage a Security Gate to validate the resiliency of internal or external code before Production
3. Monitor and protect software running in Production
Improve SDLC policies
Diagram: Fortify products mapped to the lifecycle phases Plan, Design, Code, Functional Test, Acceptance Test and Deploy: Fortify Source Code Analysis, Fortify Security Scope, HP WebInspect, Source Code Security Audits, and Run-Time Protection with Fortify RTA. Fortify SSC Server provides the Governance Module, Collaboration Module, Software Inventory, and Software Security Metrics and Reporting.
Software must be Fortify'd
Static Analysis
Example Process
Diagram: the Security team (CISO, Project Security Lead and Security Auditor, each working in AWB) and the Development teams (Development Manager in AWB, Developer in the IDE) work around the Fortify SSC Server, the Source Code Repository(s), the Central Build Server(s) running Fortify SCA and Fortify CM from the Build Tool, and the Defect Tracking System.
Steps: 1. Identify, 2. Audit, 3. Assign, 4. Fix, 5. Validate, plus continuous Monitor.
Auditing – Different Possibilities
Auditworkbench (AWB)
Collaboration Module (web-based Auditworkbench)
IDE – Visual Studio, Eclipse
Clicking on the issue and being guided through the source code is VERY important for understanding and fixing a vulnerability.
Auditing (AWB and IDE) – Overview
Screenshot: Issue Groups, Filtering, Prioritization, Categorization, Overview, and the Functions and Rule-writing wizard (only in AWB).
Auditing (AWB and IDE) – Trace the issue
Screenshot: Diagram, Analysis Trace and Source code views of an issue.
Auditing (AWB and IDE) – Training on the job
Detailed description of the issue
Detailed recommendation to fix the issue
Auditing (AWB and IDE) – Result
Store the analysis
See other comments and make comments yourself
File a bug
Dynamic Analysis
Introduction to WebInspect
WebInspect is a comprehensive Dynamic Application Security Testing (DAST) solution used by IT security auditors and penetration testers to detect, classify and report discrete application vulnerabilities.
WebInspect dynamically interacts with your application enumerating application parameters and server configuration characteristics which can be exploited by a malicious attacker.
WebInspect employs “ethical” attack methods which discover and confirm vulnerabilities without actually exploiting them.
Monthly WebInspect Technical Demonstration: http://www.hp.com/go/techdemos
Live Scan
Start remediation of vulnerabilities immediately with live scan visualization.
Screenshot: Dashboard, Site tree, Vulnerabilities found in the application, Excluded and Allowed Hosts section, Detailed Attack Table, Live Scan Statistics.
Grey Box Testing
Integrated Analysis
Diagram: Dynamic Analysis of the running Application is linked in real time through SecurityScope.
• Find More
• Fix Faster
Real Time Analysis
Fortify RTA : Components
Console
RTA
SSC – Software Security Center
Fortify SSC Server – Risk Management
Track, measure and understand software security risk
Flexible reporting: dashboards to details, metrics that matter, snapshots and trends, easy to customize
Fortify SSC Server – Risk Management II
Track, measure and understand software security risk
Centralized management of software security: software security policy, multiple projects, real-time alerts, enterprise security rules management
Fortify Server – Risk Management III
Track, measure and understand software security risk
Collaborative auditing and remediation: web-based Auditworkbench-like interface, user assignment
And the knowledge?
526 Categories to Date
Chart: growth in vulnerability categories 2005 – 2012.
Examples of categories:
• Command Injection
• Cross-Build Injection
• Cross-Site Request Forgery
• Cross-Site Scripting
• HTTP Response Splitting
• JavaScript Hijacking
• LDAP Injection
• Privacy Violation
• Session Fixation
• SQL Injection
• System Information Leak
• Unhandled Exception
For a complete list, go to http://www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html
SRG updates the Fortify Secure Coding Rulepacks on a quarterly basis to identify the latest categories of software vulnerabilities.
21 Languages to Date
• ABAP
• ActionScript
• ASP.NET
• Java
• C
• C++
• C#
• COBOL
• ColdFusion
• T-SQL
• Objective-C
• PL/SQL
• JavaScript / AJAX
• XML/HTML
• Classic ASP
• JSP
• PHP
• Python
• VB.NET
• VBScript
• VB6
SRG leads the industry in support for the broadest array of programming languages.
Chart: growth in language support 2005 – 2012.
710,000+ APIs to Date
SRG builds extensive support for the packages and frameworks used today, resulting in support for over 710,000 APIs across 526 vulnerability categories and 21 languages.
Sample packages:
• JDK 1.4, 1.5, 1.6
• Apache Struts 1.x, 2.x
• Hibernate 2.x, 3.x
• Spring 1.x, 2.x
• JSF 1.x
• .NET 1.1, 2.0, 3.0, 3.5
• Microsoft Practices Enterprise Library
• NHibernate 1.x
• Spring MVC
• Google GWT
• Java Web Services
Chart: growth in API support 2005 – 2012.
How to use?
Security in the Development Lifecycle
Maturity Models
Four high-level Disciplines
All security-related activities are mapped under 4 Disciplines, each representing a group of related business functions:
Alignment & Governance – activities related to security program management and cross-cutting organizational concerns
Requirements & Design – activities related to the product conception and software design processes
Verification & Assessment – activities related to reviewing, testing, and validating software
Deployment & Operations – activities related to knowledge transfer and maintenance of running software
What’s under each Discipline?
The 4 Disciplines (Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations) are high-level categories for activities. Three security Functions under each Discipline are the specific silos for improvement within an organization.
Security Research – Fortify SSA Maturity Model
Diagram: maturity levels Initiate, Define and Implement across the lifecycle phases Design, Develop, Test and Operate, with Fortify SSC, SCA, WebInspect, RTA and Fortify SSC Server mapped to the functions they support.
Functions by Discipline:
Alignment & Governance – Strategic Planning, Standards & Compliance, Education & Guidance
Requirements & Design – Security Requirements, Defensive Design, Threat Modeling
Verification & Assessment – Architecture Review, Code Review, Security Testing
Deployment & Operations – Operational Enablement, Infrastructure Hardening, Vulnerability Management
SSA Scorecard
Diagram: each of the twelve Functions (Threat Modeling, Security Requirements, Defensive Design, Education, Standards, Planning, Architecture Review, Code Review, Security Testing, Vulnerability Management, Infrastructure Hardening, Operational Enablement), grouped under Governance & Alignment, Requirements & Design, Verification & Assessment and Deployment & Operations, is scored against Objective 0 to Objective 3.
The scorecard is applied in four steps: Blank Scorecard, Industry Best Practices, Enterprise Scoring, Prioritized Roadmap.
SSA Best Practice Approach
Key Principles
Rapid identification and remediation of critical vulnerabilities
• Don’t “forget to fix” or “boil the ocean”
Prevent introduction of new vulnerabilities
• Integrate into existing SDLC with minimal process changes
• Provide flexibility to integrate with the new SDL as it rolls out
Provide support for the developers
• Training in the context of their own code base
• Mentoring as required
Monitor and control
• Automate gathering of vulnerability statistics and publish
• Enforcement via security gate
Continuous Improvement
Goals and benefits for Software Security Assurance (SSA)
A successful software security initiative leads to:
• Measurably reduced risk from existing applications
• A controlled process for preventing vulnerabilities in new releases
• Reduced costs, delays, and wasted effort from emergency bug fixes and incident clean-up
Success is foreseeing failure. – Henry Petroski
Thank you
Lucas v. Stockhausen
[email protected]
+49-1520 1898430
Backup Slides
RAST is the key to correlation
Diagram: SecurityScope correlates a WebInspect finding (URL: www.sales.company.com, Source Code: <java.sql.Connection.xxx>) with the matching SCA finding (ID: 234, File: NewClass.java, Line: 27), so both tools report the same issue ID, file and line.
ROI
The Breach
The biggest ROI is no breach:
• No regulatory costs
• No damage to brand reputation
• …
Hard to measure if it never happened to you before.
Fixing Bugs Earlier in the Lifecycle
Chart: Cost of Fixing One Vulnerability Based On The Stage It Was Identified – Requirements $139, Design $455, Coding $977, Testing $7,136, Maintenance $14,102.
Example: Cost of Fixing Critical Defects
The following case study provides an example of the savings generated by using source code analysis to find vulnerabilities earlier in the SDLC.
Application
• Sample application size: 2 million LOC
Vulnerabilities identified using SCA
• Defects identified during SCA: 1,600
• Defects deemed critical: 200
Example: Cost of Fixing Critical Defects

Cost of Fixing Vulnerabilities Later
Stage          Critical Bugs Identified   Cost of Fixing 1 Bug   Cost of Fixing All Bugs
Requirements   –                          $139                   –
Design         –                          $455                   –
Coding         –                          $977                   –
Testing        50                         $7,136                 $356,800
Maintenance    150                        $14,102                $2,115,300
Total          200                                               $2,472,100

Cost of Fixing Vulnerabilities Early
Stage          Critical Bugs Identified   Cost of Fixing 1 Bug   Cost of Fixing All Bugs
Requirements   –                          $139                   –
Design         –                          $455                   –
Coding         200                        $977                   $195,400
Testing        –                          $7,136                 –
Maintenance    –                          $14,102                –
Total          200                                               $195,400

Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3MM.
Quiz
Quiz
String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
// The request parameter is concatenated straight into the SQL text (deliberately vulnerable, as on the slide)
String query = "SELECT * FROM items WHERE owner = '"
    + userName + "' AND itemname = '"
    + itemName + "'";
ResultSet rs = stmt.executeQuery(query);

Username = lucas
Itemname = x' or 1=1; --
Quiz - Solution
With the two values substituted, the concatenation becomes:
String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
    + "lucas" + "' AND itemname = '"
    + "x' or 1=1; --" + "'";
ResultSet rs = stmt.executeQuery(query);

Username = lucas
Itemname = x' or 1=1; --
Quiz - Solution
The SQL statement that reaches the database is:
SELECT * FROM items WHERE owner = 'lucas' AND itemname = 'x' or 1=1; -- '
The closing quote appended by the code is swallowed by the "--" comment, and "or 1=1" is true for every row, so the owner check no longer restricts the result.
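The quiz's concatenated query, rebuilt in Python against an in-memory SQLite table so that both the injection and its fix can be run. This is an added example, not code from the slides; the slides' Java code would use a JDBC PreparedStatement for the safe variant, and the table rows below are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the slides): an items table with rows owned by two users.
SAMPLE_ROWS = [("lucas", "laptop"), ("lucas", "phone"), ("alice", "secret")]

# The attacker-controlled item name from the quiz slide.
INJECTED_ITEM = "x' or 1=1; --"


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_query(user_name, item_name):
    """Same string concatenation as the quiz slide: user input becomes part of the SQL text."""
    return ("SELECT * FROM items WHERE owner = '" + user_name
            + "' AND itemname = '" + item_name + "'")


def query_vulnerable(conn, user_name, item_name):
    """Execute the concatenated query. With the injected item name the WHERE clause
    reads (owner = 'lucas' AND itemname = 'x') OR 1=1 and the trailing quote is
    commented out, so every row is returned, including other owners' rows."""
    return conn.execute(build_vulnerable_query(user_name, item_name)).fetchall()


def query_safe(conn, user_name, item_name):
    """The fix: keep the SQL text constant and bind the values as parameters
    (the equivalent of a JDBC PreparedStatement with setString). The injected
    string is then compared literally against itemname and matches nothing."""
    query = "SELECT * FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(query, (user_name, item_name)).fetchall()


def run_quiz():
    """Return the effective SQL and the rows each variant yields for the quiz input."""
    conn = make_db()
    return {
        "effective_sql": build_vulnerable_query("lucas", INJECTED_ITEM),
        "vulnerable": query_vulnerable(conn, "lucas", INJECTED_ITEM),
        "safe": query_safe(conn, "lucas", INJECTED_ITEM),
        "normal": query_vulnerable(conn, "lucas", "laptop"),
    }


if __name__ == "__main__":
    for key, value in run_quiz().items():
        print(key, "->", value)
```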