• No results found

Secure Software Development Lifecycle. Security... Not getting better

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Secure Software Development Lifecycle. Security... Not getting better"

Copied!
9
0
0

Loading.... (view fulltext now)

Download now ( 9 Page )

Full text

(1)

Secure Software Development

Lifecycle

This lecture provides reference material for the book entitled “The Art of Software Security Testing” b W sopal et al © 2007

© 2005 Laurie Williams

Testing” by Wysopal et al. © 2007

This lecture material is copyrighted by Laurie Williams (2007). However, you are encouraged to download, forward, copy, print, or distribute it, provided you do so in its entirety (including this notice) and do not sell or otherwise exploit it for commercial purposes.

For PowerPoint version of the slides, contact Laurie Williams at [email protected].

Security . . . Not getting better

2

(2)

Security Testing: Testing for What

It’s NOT supposed to do

Thompson, Herbert, *, IEEE Security and Privacy, July/Aug 2003, pp. 83-86.

Security vs. Reliability

• Reliability - The ability of a system or component to

perform its required functions under stated conditions for perform its required functions under stated conditions for a specified period of time.

• Security – The ability of a system or component to perform its required functions without confidentiality, integrity, and availability losses for a specified period of time

© 2005 Laurie Williams

(3)

Latent Code Problem Definitions

• Fault - reliability concept: An incorrect step, process, or data definition in a computer program.

• Fault-prone component – reliability concept: A component that will likely contain faults.

• Vulnerability - security concept: an instance of a [fault] in the specification, development, or configuration of software such that its execution can violate an [implicit or

© 2005 Laurie Williams

so t a e suc t at ts e ecut o ca o ate a [ p c t o

explicit] security policy.

• Vulnerability-prone component - security concept: a component that is likely to contain vulnerabilities.

Realized Code Problem Definitions

• Failure - reliability concept: the inability of a software system or component to perform its required functions system or component to perform its required functions within specified performance requirements.

• Failure-prone component – reliability concept: A component that will likely contain failures.

• Attack - security concept: the actions that cause a violation of security

© 2005 Laurie Williams

violation of security.

• Attack-prone component - security concept: a

component with a high probability that the component will be exploited.

(4)

Vulnerability Types

• design vulnerability – a mistake in the design that precludes the program from operating securely, no matter how perfectly it is implemented by the coders • implementation vulnerabilities – a mistake in the actual

coding of the software that causes a security problem [design might be fine, code is the problem]

7

Cost of Change Curve

“penetrate andpenetrate and patch”

8

(5)

Secure Software Development Life Cycle

(SSDL)

The point: think about security early and often during software development

9

http://www.computer.org/portal/cms_docs_security/security/v3n4/j4apv01.gif

SSDL

• Phase 1: Security guidelines, rules, and regulations

– Security policy: A system-wide specification is created that defines overarching security requirements

– Can be based on specific government regulations (e.g. HIPAA, Sarbanes Oxley, etc.)

– Examples: Role-based permission levels, access-level controls, and password standards and controls

(6)

SSDL

• Phase 2: Security requirements

– Misuse case/abuse case/attack use cases can be developed that show behavioral flows that are not allowed or are unauthorized. – Example security requirements [p. 62-63]

• The application stores sensitive user information that must be protected for HIPAA compliance. To that end, strong encryption must be used to protect all sensitive user information wherever it is stored.

• The application must remain available to legitimate users. Resource utilization by remote users must be monitored and limited to prevent or mitigate denial-of-service attacks.

Th li ti t lti l ith diff t l l f i il Th • The application supports multiple users with different levels of privilege. The

application assigns users to multiple privilege levels and defines the actions each privilege level is authorized to perform. Mitigations for authorized bypass attacks need to be defined.

• The application takes user input and uses SQL. SQL injection mitigations are a requirement.

11

SSDL

• Phase 3: Architectural and design reviews/threat

modeling.

– Software practitioners need a solid understanding of the product’s architecture and design so they can devise better and more complete security strategies.

• Phase 4: Secure coding guidelines.

– See Chapter 2 in book. (buffer overflow, input validation, etc.) – Static analysis tools can detect many implementation errors by

scanning the source code or the binary executable scanning the source code or the binary executable.

– Using the secure coding standards as baselines, testers can then develop test cases to verify that the standard is being followed. – There are also services where you can send your code and have

a third party analyze it for defects/vulnerabilities.

(7)

SSDL

• Phase 5: Black/gray/white box testing

– Gray box is hybrid black/white

– Penetration testing – black box testing in which the tester specifically thinks like an attacker

• Phase 6: Determining exploitability

.

– A vulnerablity’s exploitability [attack proneness] is an important factor in gauging the risk it presents. Determining a vulnerablity’s exploitability involves weighing five factors:

Th iti i i d b th tt k t tt t l it ti • The access or positioning required by the attacker to attempt exploitation • The level of access or privilege yielded by successful exploitation • The time or work factor required to exploit the vulnerability • The exploit’s potential reliability

• The repeatability of exploit attempts

13

SSDL

• Also:

Software should be deployed using security

– Software should be deployed using security

defaults

– A software patch management process should

be in place

(8)

Guidelines for Testers [p. 70-71]

• Define security/software development roles and

responsibilities

• Understand the security regulations your system has to abide by, as applicable.

• Request a security policy if none exists.

• Request documented security requirements and/or attack use cases.

• Develop and execute test cases for adherence to • Develop and execute test cases for adherence to

umbrella security regulations if applicable. Develop and execute test cases for the security requirements/attack use cases.

15

Guidelines for Testers

• Request secure coding guidelines and train software developers and testers on them.

• Test for adherence to secure coding practices.

• Participate in threat modeling walkthroughs, and prioritize security tests.

• Understand and practice secure deployment practices. • Maintain a secure system by having a patch

management process in place including evaluating management process in place, including evaluating exploitability.

(9)

Phase 2: Misuse/Abuse Case

17

References

Download now ( PDF - 9 Page - 113.26 KB )

Related documents

GENERAL SERVICES ADMINISTRATION. Federal Acquisition Service Authorized Federal Supply Schedule Price List

May be required to perform in one or more of the following areas: risk assessment methods and procedures; security of system software generation; security of computer

Why self-signed certificates are much costlier and riskier than working with a trusted security vendor

infrastructure and physical security, to the hardware and software required for the PKI SSL system, to the personnel needed to manage the certificate lifecycle, the true costs

Cisco IronPort S-Series Web Security Appliance Security Target

FMT_SMF.1: The TOE is required to perform security management functions to manage functions related to system data collection, analysis and reaction, system configuration, audit

MM74C74 Dual D-Type Flip-Flop

A critical component in any component of a life support device or system whose failure to perform can be rea- sonably expected to cause the failure of the life support device or

ISSECO Syllabus Public Version v1.0

Threat Modeling, STRIDE, Security Principles, Guidelines for Secure Software Development, Security Architecture, Software Attack Surface, Secure Software Development Lifecycle

Nordic Balance Settlement. Reference Group Meeting November 6 th -7 th, 2012 Hilton Hotel (Helsinki Airport)

4:1 DSO report hourly metered data per metering point on production & consumption.

BHEL BLOCK 3 ppt

 ROTOR MACHINING SECTION : Equipped with large size machining tools like Turning Lathe, CNC Lathes, Horizontal Boring Machines, special purpose Fir tree Groove Milling Machine

Self-Dealing: A Concise Guide For Foundation Board and Staff

If a family member has no duties or responsibilities for the operation of the foundation, paying such family member’s travel expenses is a violation of the self- dealing rules –