Integrating Security into the
Application Development Process
Jerod Brennen, CISSP
Agenda
• Seek First to Understand
• Source Code Security
• AppSec and SQA
• Analyzing Deployed Applications
• Other Considerations
How to Write Good Code
Development Methodologies
• Agile with Scrum
• Capability Maturity Model Integrated
– 1 (Waterfall)
– 3 (Iterative)
– 5 (Spiral)
• Extreme Programming (XP)
• Object-Oriented Development
• Pair Programming With Iterative
• Proofs of Correctness with Waterfall
• Rational Unified Process (RUP)
• Team Software Process (TSP)
Programming Languages
• ASP.NET
• C / C++ / C# / Objective-C
• HTML5
• Java
• PHP
• Python
• Ruby
• What else?
Risk/Security Frameworks
• COBIT (ISACA)
• COSO (SOX)
• HITRUST CSF (HIPAA)
• ISO/IEC 27002:2005
• NIST
• OCTAVE (CERT)
• STRIDE/DREAD
– Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
– Damage, Reproducibility, Exploitability, Affected users, Discoverability
Project Phase-Gate Model
• Scoping
• Build Business Case
• Development
• Testing and Validation
• Launch
The OWASP Top Ten (Web)
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards
The OWASP Top Ten (Mobile)
• M1 – Insecure Data Storage
• M2 – Weak Server Side Controls
• M3 – Insufficient Transport Layer Protection
• M4 – Client Side Injection
• M5 – Poor Authorization and Authentication
• M6 – Improper Session Handling
• M7 – Security Decisions Via Untrusted Inputs
• M8 – Side Channel Data Leakage
• M9 – Broken Cryptography
Prep Checklist
• What development methodologies do we follow?
• What programming languages do we use?
• What risk/security frameworks do we follow?
• What third-party libraries do we use?
• What stages in the development process require approval from the security team?
Code Reviews
• Benefits
– Find flaws
– Reduce fraud
• Peer Reviews in Software, by Karl Wiegers
– Ad hoc review
– Passaround
– Pair programming
– Walkthrough
– Team Review
– Inspection
OWASP Code Review Project
• Methodology (v1.1, current)
– Preparation
– Security Code Review in the SDLC
– Security Code Review Coverage
– Application Threat Modeling
– Code Review Metrics
• Methodology (v2.0, due in January 2014)
– Preparation
– Application Threat Modeling
– Understanding Code Layout/Design/Architecture
– Reviewing by Technical Control
– Reviewing by Vulnerability
Code Review Tools
• NIST SAMATE
– Software Assurance Metrics and Tool Evaluation
• Tools
– Source Code Security Analyzers
– Byte Code Scanners
Code Review Tools (cont’d)
• Checkmarx ($; multiple languages)
• DevInspect ($; Java, .NET)
• FindBugs / FindSecurityBugs (free; Java)
• FxCop (free; .NET)
• IDA Pro ($; Windows/Linux executables)
• LAPSE (free; Java)
• PMD (free; Java)
• Rational AppScan ($; multiple languages)
• RATS (free; C, C++, Perl, PHP, Python)
The SQA Process
• Initiation
• Planning
• Tracking
• Training
• Reviews
• Issue Resolution
• Testing
• Audit
• Process Improvement
Positive and Negative Testing
• Positive Test Cases
– Does the app do what it’s supposed to do?
• Negative Test Cases
– Does the app do anything it’s not supposed to do?
Top 10 Negative Test Cases
• Embedded Single Quote
• Required Data Entry
• Field Type Test
• Field Size Test
• Numeric Bounds Test
• Numeric Limits Test
• Date Bounds Test
• Date Validity
• Web Session Testing
• Performance Changes
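The negative test cases above, as an added example that is not part of the original deck: a constructed sign-up form validator (assumed fields name, age, dob; assumed limits of 50 characters, ages 0 to 130, birth dates from 1900) run against one constructed input per testable item. The embedded single quote case is the one the validator must accept, because a quote is legitimate data to be handled by parameterised queries and output encoding, not by turning the user away.

```python
from datetime import date

MAX_NAME_LEN = 50                 # field size limit (assumed for this example)
AGE_MIN, AGE_MAX = 0, 130         # numeric bounds (assumed)
EARLIEST_DOB = date(1900, 1, 1)   # date lower bound (assumed)


def validate_signup(form: dict) -> list:
    """Return validation errors for a constructed sign-up form; empty means accepted."""
    errors = []
    name = form.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("name: required")                # Required Data Entry
    elif len(name) > MAX_NAME_LEN:
        errors.append("name: exceeds field size")      # Field Size Test
    # No check for a single quote: "O'Brien" is data, not an error (Embedded Single Quote)
    age = form.get("age")
    if isinstance(age, bool) or not isinstance(age, int):
        errors.append("age: must be an integer")       # Field Type Test
    elif not AGE_MIN <= age <= AGE_MAX:
        errors.append("age: outside bounds")           # Numeric Bounds / Numeric Limits
    try:
        dob = date.fromisoformat(form.get("dob", ""))
    except (TypeError, ValueError):
        errors.append("dob: not a valid date")         # Date Validity
    else:
        if not EARLIEST_DOB <= dob <= date.today():
            errors.append("dob: outside bounds")       # Date Bounds Test
    return errors


# Constructed negative cases, one per slide item that can be exercised at the validator.
NEGATIVE_CASES = {
    "embedded_single_quote": {"name": "O'Brien", "age": 30, "dob": "1990-05-01"},
    "required_data_entry":   {"name": "   ", "age": 30, "dob": "1990-05-01"},
    "field_type":            {"name": "Ann", "age": "thirty", "dob": "1990-05-01"},
    "field_size":            {"name": "A" * 51, "age": 30, "dob": "1990-05-01"},
    "numeric_bounds":        {"name": "Ann", "age": -1, "dob": "1990-05-01"},
    "numeric_limits":        {"name": "Ann", "age": 2**31, "dob": "1990-05-01"},
    "date_bounds":           {"name": "Ann", "age": 30, "dob": "1899-12-31"},
    "date_validity":         {"name": "Ann", "age": 30, "dob": "2013-02-30"},
}


def run_negative_tests() -> dict:
    """Map each case to its error list; every case except the quote must be rejected."""
    return {case: validate_signup(form) for case, form in NEGATIVE_CASES.items()}
```

Web session testing and performance changes are not validator-level checks and are left to the scanners and proxies listed on the following slides.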
SQA Security Tools
• QAInspect
• OWASP Zed Attack Proxy (ZAP)
• OWASP Mantra
Analyzing Deployed Applications
Application Scanning
• Automated scanners interact with an app like an actual user
• Production vs. Non-Production
• Authenticated vs. Non-Authenticated
• Don’t forget the app infrastructure
– Host Systems
– Web Servers
Manual App Analysis
• OWASP Testing Guide (v3)
– Information Gathering
– Configuration Management Testing
– Authentication Testing
– Session Management Testing
– Authorization Testing
– Business Logic Testing
– Data Validation Testing
– Testing for Denial of Service
– Web Services Testing
– AJAX Testing
Scanning vs. Pen Testing
• Scanning
– Automated
– Look for signature-based flaws
– Some heuristics
• Web App Pen Testing
– Unconventional thinking
– Test application logic
Web App Security Scanners
• Acunetix Web Vulnerability Scanner (WVS)
• AppScan
• Arachni
• Burp Suite
• Grendel-Scan
• QualysGuard Web Application Scanner (WAS)
• SamuraiWTF
• Veracode Web Application Security (WAS)
• W3AF
• WebInspect
• WebSecurify
SQA Metrics
• ISO 9126-1 (Software Quality)
– Functionality
• Security (unauthorized access)
– Reliability
– Usability
– Efficiency
– Maintainability
– Portability
• Security – CIA Triad
– Confidentiality
– Integrity
SQA Metrics (cont’d)
• OWASP
– Cross-site scripting tests run
– SQL injection tests run
– User input tests run
– Cookie or credentials manipulation testing has been performed
– Denial of Service scenarios have been checked
• Vulnerabilities detected vs. vulnerabilities remediated
Developer Training
• OWASP Resources
– Top 10 Application Security Risks
– Top 10 Mobile Security Risks
– WebGoat Project (Java)
– Mutillidae (PHP)
– Bricks (PHP and MySQL)
• SANS Courses
– SEC542: Web App Penetration Testing and Ethical Hacking
– DEV522: Defending Web Applications Security Essentials
– DEV541: Secure Coding in Java/JEE
– DEV544: Secure Coding in .NET
Professional Organizations
• OWASP
• ISSA
• (ISC)2
• InfraGard
• ISACA
• W3C Web Application Security Working Group
Resources
• Codecademy
– http://www.codecademy.com/learn
• OWASP Top Ten (2013)
– https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
– https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_-_English.pptx
• OWASP Code Review Project
– https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
• NIST SAMATE
– http://samate.nist.gov/
• Web App Scanner List
– http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
• SecTools
More Resources
• Project Phase Gate Model
– http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model
• ISO 9126 Software Quality Characteristics
– http://www.sqa.net/iso9126.html
• Top 10 Negative Test Cases
– http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
• OWASP – Software Quality Assurance
– https://www.owasp.org/index.php/Software_Quality_Assurance
• OWASP Testing Project
– https://www.owasp.org/index.php/OWASP_Testing_Project
• “952” Metrics for Software Quality Assurance (SQA)
– http://davidfrico.com/sqa-metrics.pdf
• Web Application Security Working Group
Even More Resources
• SQL Injection Tutorial
– http://www.youtube.com/watch?v=qELByGfNJSE
• OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
– http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks
• OWASP WebGoat
– https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• OWASP Mutillidae
– https://www.owasp.org/index.php/Category:OWASP_Mutillidae
• OWASP Bricks
– https://www.owasp.org/index.php/OWASP_Bricks
Contact Info
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin/com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/
[email protected]