Be the Agent of Change: Lead Your Organization to Secure Software


1
Be the Agent of Change: Lead Your Organization to Secure Software
2
Secure Software Forum (SSF)
  • Annual education series dedicated to secure software
  • Leading security experts collaborate on education initiatives
  • Yearly programs include:
    • February kick-off event in San Jose
    • Free workshop series
    • Executive dinner series
    • Webcast series
  • Workshops sponsored by Microsoft & SPI Dynamics

3
SPI Dynamics Overview
  • Founded January 2000 by Web application and security experts
  • The leader in Web application security assessment throughout the lifecycle
  • Eight patents pending or issued
  • 700 customers in the Global 2000
  • Strong in the F500, all industries and government
  • Over 100% customer and revenue growth year-to-year since inception

4
The History of Application Security
5
History of Web Applications
Simple, single-server solutions
  • Browser
  • Web Server
  • HTML
6
Web Application Architecture
[Diagram: tiers of a Web application]
  • Browser and Wireless clients
  • Web Servers: Presentation Layer, Media Store
  • Application Server: Business Logic, Content Services
  • Web Services
  • Database Server: Customer Identification, Access Controls, Transaction Information, Core Business Data
7
Web Applications Breach the Perimeter
[Diagram: Internet, DMZ and Corporate Inside ("Trusted Inside"), connected over HTTP(S)]
  • Web servers: IIS, SunOne, Apache
  • Application servers: ASP.NET, WebSphere, Java
  • Database servers: SQL, Oracle, DB2
  • The firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server; other services such as IMAP, FTP, SSH, TELNET and POP3 are not allowed through.
  • The firewall only allows applications on the web server to talk to the application server.
  • The firewall only allows the application server to talk to the database server.
8
The State of Application Security
[Timeline: 2000 to 2006]
  • Certain industries make automated application assessments standard practice
  • Networks secured, applications vulnerable
  • Early adopters begin manual application testing
  • These early adopter industries establish application security programs
  • Web application security programs:
    • Enabled across the software development lifecycle (SDLC)
    • Leverage automated assessment software
    • Involve cross-functional teaming
    • Require executive sponsorship

9
The State of Application Security
"Over 70 percent of security vulnerabilities exist at the application layer, not the network layer." (Gartner)
"The battle between hackers and security professionals has moved from the network layer to the Web applications themselves." (Network World)
"64 percent of developers are not confident in their ability to write secure applications." (Microsoft Developer Research)
"Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money." (Counterpane Internet Security)
10
The State of Application Security
12
Elements that Drive Change
  • People: Providing guidance on secure application development
  • Process: Security cannot be an afterthought
  • Tools: Providing the most innovative tools
13
People Education As a Driver
  • Patterns & Practices: Dedicated team focused on security guidance
  • MSDN and TechNet: Sharing whitepapers and how-tos
  • Education: Train every Developer and IT Professional on security
14
Process Security Development Lifecycle (SDL)
  • A PROCESS by which Microsoft develops software and defines security requirements and milestones to:
    • Reduce the number of security errors
    • Reduce the severity of any security errors not found
    • Reduce the attack surface

15
Utilizing Innovative Tools
Tools facilitate creating secure applications:
  • Secure by Default
  • Static Analysis
  • Create non-admin apps
  • Scan your code for security vulnerabilities
  • Use features like the /GS switch and SafeCRT libraries to create secure apps
  • Seamlessly create applications for a custom zone
  • Nurturing the Partner Ecosystem
16
Engineering Excellence: Focus Yielding Results
17
Application Vulnerability Overview
18
Web Application Vulnerabilities
Web application vulnerabilities occur in three major areas:
19
Web Application Vulnerabilities
  • Platform
    • Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
    • Most easily defendable of all web vulnerabilities
    • Must have streamlined patching procedures
    • Must have an inventory process
    • Examples: IIS UNICODE, Apache chunked encoding

20
Web Application Vulnerabilities
  • Administration
    • More difficult to correct than known issues
    • Require increased awareness
    • More than just configuration: must be aware of security flaws in actual content
    • Remnant files can reveal applications and versions in use
    • Backup files can reveal source code and database connection strings
    • Examples: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing

21
Web Application Vulnerabilities
  • Application
    • Coding techniques do not include security
    • Input is assumed to be valid, but not tested
    • Inappropriate file calls reveal source code and system files
    • Unexamined input from a browser can inject scripts into a page for replay against later visitors
    • Unhandled error messages reveal application and database structures
    • Unchecked database calls can be piggybacked with a hacker's own database call, giving direct access to business data through a web browser
    • Examples: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, SQL Injection, Hidden Web Paths, Forceful Browsing

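The "unchecked database call" from the Application bullets, shown as an added example rather than code from the presentation or from SPI Dynamics: the vulnerable query pastes the user's input into the SQL text, the fixed one passes it as a parameter. The users table, its sample rows and the function names are constructed for this example; sqlite3 stands in for the SQL Server the slides' ASP.NET demos would use.

```python
import sqlite3

# Constructed sample data (not from the original presentation).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The slide's 'unchecked database call': the input becomes part of the
    SQL text, so a quote character in it rewrites the WHERE clause."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value travels separately from the SQL text and
    can only ever be compared as a literal string, never parsed as SQL."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_email_vulnerable(db, probe))  # every row
    print("safe:      ", lookup_email_safe(db, probe))        # no rows
```

The same separation is what parameterized commands give an ASP.NET page: the database driver receives the query shape and the values as distinct items, so a development standard that says "database access goes through parameterized queries only" closes this whole class of defect rather than chasing individual quote characters.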
22
Application Security Assurance Program: Maturity Model and Best Practices
23
Application Security Assurance Program (ASAP)
  • The ASAP Maturity Model is about defining a roadmap and execution of the SDL
  • Organizations should implement their own Trustworthy Computing Initiative tailored to their own needs
  • Describes the programs needed to integrate security throughout the software development lifecycle and throughout the production lifespan of the application
  • A holistic program providing end-to-end lifecycle coverage while spanning People, Process and Technology

[Diagram: maturity levels across Technology, Process and People]
  • Reactive Tactical: Security Department Testing Tools; Organizational Silos
  • Cross-Functional Teams; Integrated Development QA Tools; Developer Awareness
  • Proactive Strategic: Executive Buy-in, Integrated Organization; Technical & Management Curriculum; Policy-driven Secure SDL; Management
24
ASAP Maturity Model
  • Characterized by:
    • Security team finds application vulnerabilities from initial scanning efforts
    • Most vulnerabilities require development fixes
    • Vulnerability reports sent to development
    • Development pushes back due to short timelines and the business impact of security rework
    • Due to a lack of application security training, issue acceptance and resolution is difficult

Level 1: Reactive Tactical
[Diagram: Level 1 highlighted on the Technology / Process / People model: Security Department Testing Tools; Organizational Silos]
25
ASAP Maturity Model
  • Characterized by:
    • Security team conducts assessment
    • Developers trained on security
    • Vulnerabilities still require development fixes
    • Vulnerability reports sent to development

Level 2: Planned Purposeful
[Diagram: Level 2 highlighted on the Technology / Process / People model: Cross-Functional Teams; Integrated Development QA Tools; Developer Awareness, above Level 1's Security Department Testing Tools and Organizational Silos]
  • Now, developers understand the issues
  • The development process still doesn't include proactive secure development.
26
ASAP Maturity Model
  • Characterized by:
    • Vulnerability management software used across the SDL
    • Security processes in place across the SDL
    • Security integrated into the entire development lifecycle
    • All levels of the organization committed to security
    • Complete security curriculum is standard practice

Level 3: Proactive Strategic
[Diagram: Level 3 highlighted on the Technology / Process / People model: Executive Buy-in, Integrated Organization; Technical & Management Curriculum; Policy-driven Secure SDL; Management, above the Level 2 and Level 1 items]
27
ASAP Best Practices

Regulatory Compliance


28
Effective ASAP Implementations
  • Executive Sponsorship
    • Must obtain senior-level management sponsorship
    • Must assess potential impacts to application development efforts
    • Must clearly communicate the criticality of ASAP
    • Management must understand that ASAP is not a project; it will be integrated into the existing processes in the SDL

29
Security Kickoff
[SDL phase bar: Requirements, Development, QA, Test, Design, Release, Support Services]
  • Establish the ASAP team:
    • Development
    • Quality
    • Security
    • Audit, Risk, etc.
  • Identify checkpoints in the SDL where security will be reviewed
  • Establish rapport
    • Processes are made up of people
    • This is a team with common goals, not a boxing match

30
Security Training
  • Identify the development and quality teams
  • Define appropriate training levels for team members
  • Provide general secure coding training
  • Provide company- and department-specific training:
    • Company / department standards
    • Proper use of libraries and objects

31
Demonstration
  • SQL Injection (AvailableServices.aspx)

32
Create Development Standards
  • Standards should define how critical activities are done:
    • Database access
    • Authentication / Authorization
    • Encryption
    • Etc.
  • Standards should be:
    • Clear, and include specific examples
    • Concise: people will not read, much less follow, a long-winded policy

33
Demonstration
  • Session Hijacking (PayBill.aspx)

34
Threat Modeling
  • The process of identifying the critical components of a system, where and how an attack is most likely to occur, and where such an attack would be the most effective
  • Taking this information and using it to ensure that high-risk scenarios are protected against
  • Advantages:
    • Practical attacker's view of the system
    • Flexible
    • Early in the SDL
  • Disadvantage:
    • Good threat models don't automatically mean good software

35
Infrastructure Design
  • Infrastructure considerations:
    • Network design
    • Firewalls
    • IDS
    • SSL use
    • Data Encryption
    • Authentication Infrastructure
    • Single sign-on
  • Understanding what each security measure does and does not do is critical

36
What is a Web-Based Application?
  • What is the data path (Network) for web applications?
  • How does a web-based application work (HTTP)?
  • How does your application work?

[Diagram: three layers, Web Application over HTTP over Network]
37
How Do Web Applications Communicate?
[Diagram: the Network layer highlighted beneath HTTP and Web Application]
38
How Do Web Applications Communicate?
  • Network Layer
    • Client connects to the server
    • Client sends a request to the server
    • Server responds to the client
    • Connection is disconnected
    • HTTP is stateless

[Diagram: Client PC (10.1.0.123) sends a Request to Server www.mybank.com (64.58.76.230) on Port 80 and receives a Response]
39
Securing the Network Layer
  • SSL (Secure Sockets Layer)
    • Provides encryption of data between a client and server
    • Typically guarantees to the client that the server is who it asserts itself to be

[Diagram: SSL Tunnel between Client PC (10.1.0.123) and Server www.mybank.com (64.58.76.230) on Port 443]
40
Securing the Network Layer
  • SSL
  • Firewalls
    • Allow or disallow traffic to pass from the external network to the internal network
    • Act as a traffic cop
    • Port 80 (HTTP) and port 443 (HTTPS) travel freely through the firewall

[Diagram: SSL Tunnel between Client PC (10.1.0.123) and Server www.mybank.com (64.58.76.230) on Port 443]
41
Securing the Network Layer
  • SSL
  • Firewalls
  • IDS (Intrusion Detection System)
    • Monitors the network for malicious activities
    • Typically signature-based detection (similar to virus protection)
    • Blind to encrypted (SSL) traffic

[Diagram: IDS watching the SSL Tunnel between Client PC (10.1.0.123) and Server www.mybank.com (64.58.76.230) on Port 443]
42
What is HTTP?
[Diagram: the HTTP layer highlighted between Web Application and Network]
43
Tools Localhost proxies
[Diagram: Browser <-> Proxy <-> Web Server]
44
Demonstration
  • Local Host Proxies and HTTP Editors

45
Infrastructure Design (slide 35 repeated)

46
Secure Coding Libraries
  • Libraries should provide a consistent method of:
    • Validating user input
    • Not limiting developer functionality by changing the development process
    • Detecting ongoing attacks and protecting the application from these attacks
  • Libraries can be either commercial or custom built

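A small custom-built library of the kind this slide describes, as an added example that is not code from the presentation or from SPI Dynamics. It gives the three things the bullets ask for in one place: allowlist validation of user input, output encoding so that a script in submitted input cannot be replayed against later visitors (the Application bullet on unexamined input, and the ContactUs.aspx demonstration), and a record of attack indicators that an operator can log. The contact-form field names and their patterns are assumptions for the example.

```python
import html
import re
from dataclasses import dataclass, field

# Allowlist per field (assumed contact-form fields). Anything that does not
# match is rejected outright; the library never tries to "clean" bad input.
FIELD_RULES = {
    "name": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,59}$"),
    "email": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "message": re.compile(r"^[\w\s.,!?'()-]{1,1000}$"),
}

# Markers that have no legitimate place in these fields. A hit is reported as
# a probable attack so it can be logged, not silently stripped.
ATTACK_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


@dataclass
class ValidationResult:
    ok: bool
    errors: dict = field(default_factory=dict)          # field -> reason
    attack_indicators: list = field(default_factory=list)  # (field, marker)


def validate_form(fields: dict) -> ValidationResult:
    """Check every known field against its allowlist and note attack markers."""
    result = ValidationResult(ok=True)
    for name, pattern in FIELD_RULES.items():
        value = fields.get(name, "")
        lowered = value.lower()
        for marker in ATTACK_MARKERS:
            if marker in lowered:
                result.attack_indicators.append((name, marker))
        if not pattern.fullmatch(value):
            result.ok = False
            result.errors[name] = "value does not match the allowed format"
    return result


def encode_for_html(value: str) -> str:
    """Output encoding, applied at render time regardless of validation."""
    return html.escape(value, quote=True)


def render_contact_echo(fields: dict) -> str:
    """Echo the submitted form back as an HTML fragment, encoded per value."""
    return "<p>Thanks, {}. We received: {}</p>".format(
        encode_for_html(fields.get("name", "")),
        encode_for_html(fields.get("message", "")),
    )


if __name__ == "__main__":
    submitted = {"name": "<script>alert(1)</script>", "email": "x@example.test",
                 "message": "hi"}
    verdict = validate_form(submitted)
    print("accepted:", verdict.ok, "indicators:", verdict.attack_indicators)
    print(render_contact_echo(submitted))
```

Validation and encoding are deliberately separate functions: validation decides whether the request is accepted, encoding protects the page even when a value reaches the renderer by some path the validator never saw. Keeping both behind one library call is what lets a development standard say "use the library" instead of describing regular expressions.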
47
Demonstration
  • Cross Site Scripting (ContactUs.aspx)

48
Source Code Review
  • Source code review is the process of manually checking a Web application's source code for security issues
  • Advantages:
    • Many bugs or backdoors can only be found via source code review
    • Can provide a very detailed review of application functionality
  • Disadvantages:
    • Requires highly skilled security developers
    • Can miss issues in calls to compiled libraries
    • Cannot detect run-time errors easily
    • Time consuming and tedious

49
Microsoft ASP.NET 2.0 coding
  • Emphasize efficient, clean, maintainable code
    • Avoid hacks, messy tricks, and stupid optimizations
    • Code we ship lives a minimum of 10 years (guaranteed support)
  • All code check-ins must be code-reviewed by another developer
    • Prior to code check-in
    • Applies to ALL developers
  • All developers are trained on secure coding techniques

50
Microsoft ASP.NET 2.0 Testing
  • Automated testing is key to success
  • Test team staffed by developers who are responsible for designing test plans, writing automated tests, and building the test infrastructure
  • Focus on driving up quality, preventing regressions, and enabling rapid analysis of different builds, variations, and language releases
  • Current Whidbey test status:
    • 102,000 functional test cases
    • 505,000 functional test scenarios
    • 71 stress mix variations
    • 1000 servers in the test lab to run all of this in an automated way

51
Development Assessment Tools
  • The process of testing a running application
  • Typically involves exercising the application in its normal operating mode, taking note of pages, parameters, cookies, and other data being passed to and from the application, then sending malformed versions of the information to the application to see what errors are generated
  • Advantages:
    • Tools can be integrated directly into existing development environments
    • Can be done during development, test and pre-production
    • Will show many as-built security vulnerabilities that were a result of bugs or un-designed features
    • Can be done rapidly with the addition of appropriate tools
  • Disadvantages:
    • Can miss some types of security issues that can be discovered by other means (e.g., source code review)
    • When done manually, the process can be very time consuming

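The procedure in the first two bullets, reduced to its core as an added example (not a tool or code from the presentation or from SPI Dynamics): take the parameters a page normally receives, send malformed versions of each, and flag any response that leaks an error message. The page under test here is a constructed stand-in for a billing-history handler that takes an `account` parameter; it is called as a Python function rather than over HTTP so the example runs offline. The disclosure signatures are the kind of thing the Application bullets warn about (unhandled error messages revealing application and database structure); a real tool would carry many more.

```python
import re

# Response patterns that mean the application is revealing its internals.
# The last one is a .NET-style stack frame ("at Ns.Type.Method() in X.cs:line N").
DISCLOSURE_SIGNATURES = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r"\bSQL\b.*\bsyntax\b", re.IGNORECASE),
    re.compile(r"invalid literal for int\(\)"),
    re.compile(r"\bat [\w.]+\(.*?\) in .*\.cs:line \d+"),
]

# Malformed variants of a parameter value: empty, a quote, boundary numbers,
# wrong type, and oversized input.
MALFORMED_VALUES = ["", "'", "-1", "0", "abc", "9" * 40, "A" * 5000]


def toy_billing_history(params: dict) -> tuple:
    """Constructed stand-in for a billing-history page. It returns the raw
    exception text to the client, which is the defect the harness should find."""
    try:
        account = int(params.get("account", ""))
    except ValueError as exc:
        return 500, "Unhandled exception: " + str(exc)
    return 200, "<html>account %d history</html>" % account


def toy_billing_history_fixed(params: dict) -> tuple:
    """The same page after the fix: the client only ever sees a generic error."""
    try:
        account = int(params.get("account", ""))
    except ValueError:
        return 400, "<html>Invalid request.</html>"
    return 200, "<html>account %d history</html>" % account


def fuzz_parameters(handler, baseline: dict) -> list:
    """Replace each parameter in turn with each malformed value and report
    every response that matches a disclosure signature."""
    findings = []
    for name in baseline:
        for value in MALFORMED_VALUES:
            mutated = dict(baseline)
            mutated[name] = value
            status, body = handler(mutated)
            for sig in DISCLOSURE_SIGNATURES:
                if sig.search(body):
                    findings.append({"parameter": name, "value": value,
                                     "status": status, "signature": sig.pattern})
                    break
    return findings


if __name__ == "__main__":
    baseline = {"account": "1001"}   # values observed in normal use
    for finding in fuzz_parameters(toy_billing_history, baseline):
        print("LEAK  param=%(parameter)s value=%(value).12r status=%(status)d" % finding)
    print("fixed handler findings:", fuzz_parameters(toy_billing_history_fixed, baseline))
```

The harness only reports what the response text gives away, which is exactly the limitation the Disadvantages bullet names: a query that fails silently, or a flaw in logic that produces a valid-looking page, is invisible to it and needs source review or a manual tester to find.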
52
Demonstration
  • SQL Injection (BillingHistory.aspx)

53
QA Automated Assessment Tools
  • Tools should be able to leverage existing QA assets for the purposes of security testing:
    • Login scripts
    • Functional test scripts
    • Defect tracking system
  • Tools should integrate directly into the existing QA testing suite and complement the existing process
    • Should not overly burden the QA team with additional tests
    • Should not require extensive application knowledge

54
Penetration Testing
  • Penetration testing is the practice of utilizing a specialist in the area of application security to attempt to breach an application's security measures
  • The goal is to gain confidence that a hacker could not breach the security measures that have been put into place
  • Penetration testing provides a real-world view of the application and its associated risks

55
Demonstration
  • Session hijacking (Login process)

56
Automated Assessment Tools
  • Provide automated, ongoing assessment of web-based applications to ensure that new attack methodologies will not make existing applications vulnerable
  • Ensure that applications are secure prior to going live; this is the last line of defense and a place to double-check the process
  • These tools should scale to handle the demand an enterprise will put on its web application assessment assets

57
Demonstration
  • Administrative vulnerabilities

58
Infrastructure Assessment
  • Network scanning
  • IDS
  • Database scanning
  • SSL
  • SSL accelerators
  • Password crackers
  • Etc.

59
Regulatory Compliance
  • Compliance will affect all aspects of the SDL
  • Policy requirements: HIPAA, GLBA, SOX, CA1386
  • Disclosure: CA1386
  • Policy enforcement: Federal Trade Commission (FTC)

60
Workshop Summary
  • Effectively dealing with application security
    issues is a process level issue, not simply a
    code issue
  • Integrating security into the SDL (ASAP Programs)
    allows companies to integrate security into their
    processes and gain a mature level of security
    without undue effect on the overall process
  • ASAP must be a management level initiative due to
    the effect it will have on the entire SDL

61
  • Closing and Q&A
  • Free 15-day trial of WebInspect at http://www.spidynamics.com
  • Contact (insert email here)

62
Resources
  • E-Learning Clinic 2806/2807: Microsoft Security Guidance Training for Developers
    • https://www.microsoftelearning.com/
    • Identify common types of attacks
    • Identify threat scenarios
    • Describe .NET Framework security features
  • SDL Whitepaper
    • http://msdn.microsoft.com/security/sdl
  • Patterns & Practices
    • http://www.microsoft.com/practices
  • MSDN Security Developer Center
    • http://msdn.microsoft.com/security