glissondcs.gla.ac.uk - PowerPoint PPT Presentation

1
Web Development Evolution: The Business
Perspective on Security
  • William Bradley Glisson
  • L. Milton Glisson
  • Ray Welland

2
Why?
  • Data, Information, Knowledge
  • One man's data can be another man's knowledge,
    and vice versa, depending on context
  • (Stewart, T. A., The Wealth of Knowledge.)
  • "Information is the world's new currency;
    information has value." (Secret Service Director
    Ralph Basham)
  • Knowledge is what we buy, sell, and do
  • (Stewart, T. A., The Wealth of Knowledge.)

3
Business Incentive
  • The 2004 (FBI) Computer Crime and Security Survey
    estimates that losses from internet security
    breaches, in the US, exceeded $141 million within
    the last year.
  • PricewaterhouseCoopers 2004 Survey indicates that
    security problems are on the rise in the United
    Kingdom and that malicious attacks are the
    primary culprits.
  • The Department of Trade and Industry's (2004)
    survey estimates security breaches continue to
    cost UK businesses several billions of pounds.
  • The Deloitte 2005 Global Survey estimates that
    identity theft cost the UK almost a billion
    dollars in 2003.

4
Application Security
One dollar required to resolve an issue during
the design phase grows into 60 to 100 dollars to
resolve the same issue after the application has
shipped. (Secure Business Quarterly 2001)
Gartner estimates the cost to fix a security
vulnerability during testing to be less than
2 percent of the cost of removing it from a
production system.
5
Truth
  • Companies do not want to admit that their systems
    have been compromised
  • They do not want to incur the expense necessary
    to rectify the problem
  • They do not know how to fix the problem
  • They are not even aware that their systems have
    been compromised.

6
Soft and Hard Cost
  • Telang and Wattal's research indicates that a
    software vendor loses, on average, approximately
    0.6% of their stock price per vulnerability
    announcement.
  • Minimize the chance of copy cat attacks on their
    systems until the issue has been resolved and
    patched.

7
Legislative Pressure
  • Economic Espionage Act of 1996 (EEA)
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA)
  • Gramm-Leach-Bliley Act of 1999
  • Sarbanes-Oxley Act of 2002 (SOX)
  • Recently a ninety-one page bill was introduced in
    the Senate by Senator Patrick Leahy and Senator
    Arlen Specter containing new rules for corporate
    data security and stiff penalties for information
    burglars

8
What is Security?
  • Encryption, Secure Socket Layer (SSL), firewalls,
    creating and maintaining secure networks, the use
    of digital certificates, the different
    technologies used for authentication and
    authorization or intrusion detection systems
  • A secure system to one organization may not meet
    another organization's definition of security

9
Security
  • Confidentiality - Proper access is restricted to
    the appropriate individuals.
  • Integrity - Modification of assets by appropriate
    personnel within guidelines.
  • Availability - Access is available to the
    appropriate parties at designated times.
  • (Commonly known as the CIA Triad)

10
Security
  • How much risk is the organization willing to
    accept and at what financial cost?
  • Policy, procedures, standards, and technical
    controls (developed and implemented) will define
    the systems in terms of the CIA.
  • Collaborative approach defines overall security
    of the system within a business.
  • As Alan Zeichick, Conference Chairman of the
    Software Security Summit, phrased it, "Software
    is vulnerable! Enterprises have spent millions of
    dollars installing network firewalls and Virtual
    Private Networks, but the real danger is in
    poorly written applications."

11
Business Strategy
  • Encompasses all of the information about the
    overall business, ranging over:
      • defining the scope of the business
      • establishing the business models
      • broad marketing strategies
      • establishment of processes and policies
      • acquisition and distribution of information
      • overall approach to technology within the
        organization.

12
Business Strategy Perspectives
  • Corporate - high-level strategy that details the
    organization's purpose and scope
  • Business - deals with the competition in
    individual markets including market segmentation,
    market positioning, industry analysis, and brand
    value
  • Operational - concerns the implementation aspect
    of the business which would include optimising
    web site design, hardware requirements and
    utilization and software requirements

13
Corporate Level
  • Chief Executive Officers and Chief Financial
    Officers are potentially being held accountable
    for the security of their applications (SOX)
  • Champions - high level champions within the
    organization are more likely to succeed in
    changing and sustaining changes to corporate
    cultures
  • Security needs to be viewed as a collective
    organizational problem

14
Business Level
  • Businesses need to understand that their web site
    is their front door to the world.
  • Businesses need to outline the performance
    standards that they are going to provide and
    follow through with an effective, efficient and
    secure value chain while providing appropriate
    customer service capabilities.
  • If customers perceive that their data is not safe
    and secure, this can result in lost customers,
    lost future revenue, lost market advantage and
    possibly monetary compensation.

15
Operational Level
  • There appears to be a lack of understanding on
    how to protect application code as it is
    developed.
  • BZ Survey: 55.9 percent blamed poor programming
    practices for the number of vulnerabilities in
    software applications.
  • How does a business protect itself and capitalize
    on software application development in order to
    gain a competitive advantage for their business?

16
WES Solution
  • My PhD research has produced a possible solution,
    A Web Engineering Security (WES) Methodology.
  • An independent flexible Web Engineering
    development methodology that is specific to
    security.
  • The process needs to be compatible with existing
    application development processes so that they
    are complementary, hence:
      • Deliverables between phases will vary with the
        size of the organization and the methodology
        they are implementing, and
      • Flexible enough to be tailored to individual
        companies of varying size.

17
Web Engineering Security (WES)
  • Methodology Principles
  • Good Communication
      • Within the development team
      • With the end user (Requirements / Feedback
        perspective)
  • Employee Education
      • Importance of security and potential
        organizational impact
      • Technical attacks and social engineering attacks
  • Cultural Support
      • Needs to originate from upper management
      • Needs to continually be fostered by upper
        management

18
Web Engineering Security (WES) Process
19
Project Development Risk Assessment
  • This step provides an opportunity for the
    organization's development team to understand the
    application from a risk point of view and helps
    to generate applicable questions to address the
    application security requirements phase
  • Formal (Document / Board Approval)
      • Advantage for management is that it presents a
        clear understanding of the risks before a
        substantial investment is made in the development
        of the web application
      • Disadvantage of a highly formalized process is
        that it can slow down the development process.
  • Informal (Expert Opinion)
      • Advantage - faster in nature
      • Disadvantage - introduces more risk

20
Web Engineering Security (WES) Process
21
Organizational Compatibility
  • Security Policy Compatibility
      • Policies, standards, baselines, procedures, and
        guidelines can help large organizations provide
        cohesiveness within the organization.
      • The goal of an information security policy is to
        maintain the integrity, confidentiality and
        availability of information resources. (Hare,
        C., Policy Development)
      • In smaller organizations, policies can be
        implicit to the organization.

22
Organizational Compatibility
  • Corporate Culture Compatibility
      • Employee security awareness programs, employee
        education on social engineering attacks,
        recognition of organizational norms.
      • Remind employees periodically about security
        policies, standards, baselines, procedures, and
        guidelines (Integrating security into their
        annual evaluation)
      • Technological acceptance of corporate norms is
        when a solution has been implemented in the
        environment, becomes accepted and then becomes
        expected.

23
Organizational Compatibility
  • Technological Compatibility
  • Infrastructure compatibility
      • Does the technical expertise to create new
        applications exist in the company?
      • Is the current code repository compatible with
        the proposed development?
      • Does the hardware infrastructure support the new
        applications?
  • Value Added
      • Value configuration(s) - one of the goals of the
        organization should be to provide added value
        regardless of the product or service that is
        being offered. Technology is a major contributor
        to this goal in today's market place.
      • How will this help add value to their
        organization?

24
Web Engineering Security (WES) Process
25
Security Design / Coding
  • Previously generated information allows the
    technical architect to pick the most appropriate
    technical controls from a design, risk and cost
    perspective.
  • Encouraging programmers to adhere to coding
    standards, pursue good coding practices and
    participate in code reviews will increase code
    readability, which will inherently improve
    software enhancement maintenance and patch
    maintenance.
  • Better software engineering development leads to
    more maintenance, not less
  • (Glass, R. L., Facts and Fallacies of Software
    Engineering)

26
Web Engineering Security (WES) Process
27
Controlled Environment Implementation
  • Implement in an environment that mirrors
    production - testing compatibility
      • Operating System
      • Software Configurations
      • Interfacing Programs
  • Goal - Minimise Surprises!

28
Web Engineering Security (WES) Process
29
Testing
  • Programmers should be running their own battery
    of tests when the code is conceived
  • Allotment of Appropriate time
  • Augment the testing process
  • Automated Tools
  • Test Script (Developers, Testers, End-users)
  • Outside Auditors Conducting Penetration Tests
  • White Box / Black Box

30
Evidence
  • The National Institute of Standards and
    Technology (NIST) estimates that 93% of reported
    vulnerabilities are software vulnerabilities.
  • Organization for Internet Safety (OIS) publishes
    Guidelines for Security Vulnerabilities Reporting
    and Response
  • A flaw within a software system that can cause
    it to work contrary to its documented design and
    could be exploited to cause the system to violate
    its documented security policy.

31
Web Engineering Security (WES) Process
32
Web Engineering Security (WES) Process
33
End User Evaluation
  • All systems must be evaluated with a sample of
    end-users, not surrogates!
  • Critical to the success of the solution
  • End user avoidance by working around security
  • Compromised due to a flaw in the design / code
  • Possibility that the application will be abused,
    corporate credibility lost, and financial
    consequences incurred.

34
Conclusions
  • Technical solutions alone will not solve current
    security issues in the global web environment.
  • Increasing business, legislative and societal
    pressures will force organizations to
    strategically address application security from a
    development perspective.
  • The most effective way to handle security, in the
    application design, is to incorporate security
    upfront into the development methodology.
  • Not following a web application development
    methodology that specifically addresses security
    is an expensive and dangerous strategy for any
    business.

35
Further Work
  • Fortune 500 Financial Organization Case Study
  • Industry Survey (ICWE)
  • Process Observation
  • Recommendations
  • Recommendation Implementation
  • Data Gathering

36
Contact Details
Brad Glisson, Department of Computing
Science, University of Glasgow. E-mail:
glisson_at_dcs.gla.ac.uk. Web: www.dcs.gla.ac.uk/glisson/
Prof. Milton Glisson, School of Business and
Economics, North Carolina A&T State
University. E-mail: glissonm_at_ncat.edu
Prof. Ray Welland, Department of Computing
Science, University of Glasgow. E-mail:
ray_at_dcs.gla.ac.uk. Web: www.dcs.gla.ac.uk/ray/
37
Extra Slides

38
Common Application Security Problems
  • Un-validated parameters
  • Cross-site scripting
  • Buffer overflows
  • Command injection flaws
  • Error-handling problems
  • Insecure use of cryptography
  • Broken Access Controls

39
Project Development Risk Assessment
  • NIST - National Institute of Standards and
    Technology - agency of the U.S. Commerce
    Department's Technology Administration.
  • COBRA - Security risk analysis application
  • OCTAVE - Operationally Critical Threat, Asset,
    and Vulnerability Evaluation - Focuses on
    organizational risk and strategic,
    practice-related issues, balancing operational
    risk, security practices, and technology.
  • FRAP - Facilitated Risk Analysis Process

40
Agile Web Engineering (AWE)
41
AWE WES Comparison
42
Secure Value Chain
  • Overall, the business environment continues to
    become more interconnected, hence, traditional
    boundaries between organizations are eroding.
  • From a security viewpoint, this tight integration
    opens the door to a multitude of problems if an
    attack succeeds in compromising one of the
    linked systems.

43
Definitions
  • Unvalidated Input - Information from web requests
    is not validated before being used by a web
    application. Attackers can use these flaws to
    attack backend components through a web
    application.
  • Broken Access Control - Restrictions on what
    authenticated users are allowed to do are not
    properly enforced. Attackers can exploit these
    flaws to access other users' accounts, view
    sensitive files, or use unauthorized functions.
  • Broken Authentication and Session Management -
    Account credentials and session tokens are not
    properly protected. Attackers that can compromise
    passwords, keys, session cookies, or other tokens
    can defeat authentication restrictions and assume
    other users' identities.
  • Cross Site Scripting (XSS) Flaws - The web
    application can be used as a mechanism to
    transport an attack to an end user's browser. A
    successful attack can disclose the end user's
    session token, attack the local machine, or spoof
    content to fool the user.
  • Buffer Overflows - Web application components in
    some languages that do not properly validate
    input can be crashed and, in some cases, used to
    take control of a process. These components can
    include CGI, libraries, drivers, and web
    application server components.
  • Injection Flaws - Web applications pass parameters
    when they access external systems or the local
    operating system. If an attacker can embed
    malicious commands in these parameters, the
    external system may execute those commands on
    behalf of the web application.
  • Improper Error Handling - Error conditions that
    occur during normal operation are not handled
    properly. If an attacker can cause errors to
    occur that the web application does not handle,
    they can gain detailed system information, deny
    service, cause security mechanisms to fail, or
    crash the server.
  • Insecure Storage - Web applications frequently use
    cryptographic functions to protect information
    and credentials. These functions and the code to
    integrate them have proven difficult to code
    properly, frequently resulting in weak
    protection.
  • Denial of Service - Attackers can consume web
    application resources to a point where other
    legitimate users can no longer access or use the
    application. Attackers can also lock users out of
    their accounts or even cause the entire
    application to fail.
  • Insecure Configuration Management - Having a strong
    server configuration standard is critical to a
    secure web application. These servers have many
    configuration options that affect security and
    are not secure out of the box.
  • Source: The Open Web Application Security Project
    (OWASP), The Ten Most Critical Web Application
    Security Vulnerabilities, c2004,
    http://www.owasp.org/index.jsp
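
As an added example (not part of the original slides), the Python sketch below ties together three of the definitions above, Unvalidated Input, Injection Flaws and Improper Error Handling, by showing a lookup that pastes a request parameter into a query beside a hardened version. The in-memory SQLite table, the function names and the owner-name allow-list are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: a small in-memory accounts table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 120), ("bob", 75), ("carol", 300)])
    return db

def lookup_vulnerable(db, owner):
    # Injection flaw: the request parameter is pasted into the SQL text,
    # so the database parses caller-supplied characters as SQL.
    query = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(query).fetchall()

# Assumed allow-list for owner names: lowercase letter, then up to 31
# lowercase letters, digits or underscores.
OWNER_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

class BadRequest(Exception):
    """Carries a generic message that is safe to return to the client."""

def lookup_hardened(db, owner):
    # 1. Unvalidated input: check the parameter before it is used at all.
    if not isinstance(owner, str) or not OWNER_RE.fullmatch(owner):
        raise BadRequest("invalid owner parameter")
    try:
        # 2. Injection: bind the value as a parameter; it is never parsed as SQL.
        return db.execute(
            "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
        ).fetchall()
    except sqlite3.Error:
        # 3. Error handling: keep driver and schema details out of the response.
        raise BadRequest("request could not be processed") from None

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed hostile parameter value
    leaked = lookup_vulnerable(db, crafted)   # every row comes back
    try:
        lookup_hardened(db, crafted)
        rejected = False
    except BadRequest:
        rejected = True
    return leaked, rejected, lookup_hardened(db, "bob")

if __name__ == "__main__":
    print(demo())
```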