Software security engineering

Editor's Notes

• #3: I plan to start at 2.30 and finish at 3 PM Parlero degli scenari di incidenti delle risposte a tali incidenti e delle strategie per remdiare nel long term. Parlero anche di come creare “consapevolezza” e della Software security initiative.
• #5: There are bad guys and good guys and some they just looking for work, be careful of responsible disclosure going public with a zero day can go against you. On the other hand also ignoring the vulnerabilities you are suppose to fix is not a very responsbile approach
• #6: The most common approach to finding vulnerabilities is to analyze the running application. The two techniques are “vulnerability scanning” (using tools and signature databases) and “penetration testing” (custom testing by experts). However, for many types of problems, analyzing the running application is very time-consuming and inaccurate. SQL injection, for example, is very difficult to find and diagnose in a running application, but can be quickly found by analyzing the source code. The other approach is to analyze the source code. Like pentesting, this can be done manually (source code review) or with tools (static analysis). Code-based approaches have a reputation for being expensive and time-consuming, but this reputation is unfounded. For many types of issues, using the code is many times faster and more accurate than penetration testing. The most cost-effective approach to application security is a “combined” or “integrated” approach. The assessor should be encouraged to use the most appropriate tool to find problems in the most cost-effective manner. For example, an assessor may notice a potential vulnerability during a penetration test, automatically scan the code for possible instances of the problem, and then confirm using code review. Note that the purely automated approaches (scanning and static analysis) are especially ineffective for application security (most experts put the effectiveness of pure scanning or static analysis at less than 20%). This is largely due to the custom nature of applications. Because each one is different, there is no database of signatures the automated tools can use.
• #7: Ultimately a mature software security process blends both information risk management and software engineering processes in a software security framework. For example, threat modeling will identify threats and technical impacts during design that are used as a factor along with business impact in the calculation of the overall risk. Ideally, such mature software security process should integrate software security activities in each phase of the SDLC. This also included activities that are performed as part of the operation life-cycle such as patch and incident management as well foundational activities such as metrics and measurements and security training and awareness. Ideally, for a software security framework to be useful in practice, it needs to apply to the different software development methodologies used by your organization. This might include evolutionary-interactive software life-cycles such as spiral, RUP, XP and Agile besides the traditional waterfall model but also. In case of RUP and Agile for example this means that such software security best practices need to be iterated as the software evolves and reviewed at each interaction depending on the available artifacts.
• #8: Another pre-condition is focusing on software security awareness that is communicating to the project stakeholders what software security entitles to that is when and how security needs to be applied to the application, in better terms explaining the difference between application and software security.Applications vs. software are best described as the Chinese philosophy “yin” and “yang” concepts: opposing and, at the same time, complementary (completing) aspects of any one software development process when seen from different perspectives. For example, from the “when” perspective is applying security after application is already build vs. while the application is being build, from the problem solution perspective is looking at the sympthoms instead of the root causes, from the approach perspective is catch and patch vs. building security throughout the software life cycle and from the risk perspective is reactive response to security incidents via implementation of “band-aid” solutions vs. proactive threat analysis, risk assessment and implementation of countermeasures as necessary.
• #10: So you need a road map, start with assessing the maturity of the PPT in place, then definition of the processes to build security into the SDLC and the security activities. Then you cannot manage if you do not measure and risk menagement expecially needs vulnerability metrics for example. Finally you can make the case with your data and set objectives moving forward.
• #11: Essential elements: Verification check points, developer’s training and tools. The aim of the Software Development Lifecycle SDL is to integrate tasks and checkpoints in the software development organization’s processes so that software security can be improved with well defined security reviews and security deliverables. Critical to the effectiveness of the SDL implementation is the ongoing education and training for software developers and the techniques and technologies required for secure development. Figure 2 depicts at high level the phases of the SDL and the software security activities: Figure 2: MS SDL The SDL software security activities (the yellow blocks) map to the SDLC (the big arrows) such as: Definition of security feature requirements during the requirements phase Security architecture design, best practices and threat modeling during design Static analysis via automation tools during implementation Application of coding and testing standards during implementation Code reviews during implementation Security focused testing, pen and fuzz testing, during the verification phase Security servicing and response during operations (post release) Pro and Cons: Con: Threat analysis as is done in the MS SDL is very product oriented and static because is build around the Microsoft risk model STRIDE/DREAD. This risk model might work well for a software development shop and for shrink wrapped software development but it will not be suitable for applications developed for organizations that use proprietary risk management models such as financial and banking institutions for example. Pro: Microsoft products that have adopted the SDL such as SQL Server 2003, Vista and IE6 had significant less security issues then products that did not use it. This is data validated by comparing with the number of vulnerabilities in software versions developed prior to the introduction of the SDL: software developed under the SDL have exhibited over a 50% reduction in vulnerabilities Pro: The SDL methodology is adequately supported by tools such as threat modeling and source code analysis tools. Some of these tools (e.g. Prefix and Prefast) are part of Microsoft Integrated Development Environment for which a license is needed while others are free (e.g. ACE Torpedo TM). So far SDL is the only security-enhanced lifecycle process model that support threat analysis with a tool. Pro: MS SDL is very well documented, easily accessible via MSDN web site and very extensive including secure software handbooks for developers, threat and countermeasures guidelines and checklists etc.
• #13: Security will need to be baked into each of the development steps as well, but that will not be the primary focus on that particular step. Particularly for the acceptance tests and QA steps.
• #15: OWASP believes that clearly articulating an application security requirements guide detailing both high-level and specific requirements is the best way to ensure that a strong, robust yet workable guide can become default in all aspects of application security.
• #16: Take LMCO standard and tailor it Refine: “You will do access control” Into: This is the access control matrix & this is how it will be enforced. - we will use netegrity to implement this policy
• #17: Adaptation of a proven object-oriented modeling technique, use cases, to capture and analyze security requirements in a simple way. We define a use case as a specification of a type of complete interaction between a system and one or more actors. We define an abuse case as a specification of a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system. The graphical example in Figure TBD depicts the derivation of security requirements via use and and misuse cases. The functional scenario consists on the user action: entering username and password and for the application actions: authenticate the user and provide for an error message if validation fails. The misuse case consists on the actions: hacker trying to break authentication by brute forcing the password via a dictionary attack and by guessing the valid username from the error messages. By graphically representing the threats to the user actions (misuses) it is possible to derive the countermeasures as the application actions that mitigate such threats.
• #20: Threat modeling implies a view of the architecture in terms of users accessing assets (web servers, data) through protocols crossing trust boundaries. It is a king of end to end data flow schematic. The notation is not important, rather to be comprehensive enough to identify gaps in controls and countermesures.
• #21: Threat is un-authorized access to data, the vulnerability can be leaving the computer un-attended via shared terminal, a SQL injection attack, elevation of privileged from a logged session or simply access to data from the browser that allows you to get to the data. All the orange ones are vulnerabilities while the green ones are the countermeasures
• #22: Data flows diagrams and attack trees (threat definition) and secure requirements (Scope definition) all feed the threat model. The result is the identification of threats, the risk of such threats and the countermeasures that mitigate such threats. The threat model is also used for secure code reviews as a why to determine along with secure coding standards that threats are mitigated.
• #24: Not trying to reinvent the whole SDLC, just trying to insert a few key activities that will help generate more secure code.
• #26: Once you have decided the categorization, that is STRIDE, ASF, MITRE CVE etc you need to document the vulnerability and the type By describing the security threat you help the developer to understand how an attacker can exploit the vulnerability (real example in plain english) The software root cause is the an example of offending security defect, the how to should cover both white box and black box depending if the code is already integrated as part of the application, the countermeasure is the code fix, configuration change, design change and the risk rating is the assigned value to the risk of the vulnerability
• #28: Find issues Validate standards Act as a gateway There is not such a thing like a fully automated process, false positives need to be validated. A manually focused source code analysis can find more issues than automated validation only
• #29: Validation of false positives, tools provide knowledge to the developers and point to root causes. The validation is in terms of relevance, some issues are quality issues
• #31: Security testing as part of the testing workflow is still in his infancy If the requirements (Security) are written down the normal testing process should work.
• #32: General testing procedures can be adapted for security tests. Some can be conducted manually some need the help of tools
• #37: Discussion? Security flaws are often sensitive. Should they be treated differently
• #42: Combine looking for quick wins while setting out a roadmap