Cigital. Paco Hope, Technical Manager

Transcription

1 The Foundation for Security Paco Hope, Technical Manager Cigital, Inc. All Rights Reserved. 2 Cigital Consulting firm of recognized software security experts since 1992 Widely published in books, white papers, and articles Industry thought leaders Deep expertise in commercial areas: financial services, wireless communications, gaming Experience in industry standards, best practices, and regulatory compliance 3 Redistribution Prohibited 1

2 Cigital, Inc. All Rights Reserved. 4 What are Requirements? The IEEE Standard 729 defines requirements as: A condition or capability needed by a user to solve a problem or achieve an objective A condition or capability that must be met or possessed by a system to satisfy a contract, standard, specification, or other formally imposed document. Three Types of Requirements Functional (Behavioral) Requirements Functions that the system must perform Non- Functional Requirements Properties system must possess Derived Requirements Functional/non- functional requirements implicit from stated requirements Cigital, Inc. All Rights Reserved. 5 Redistribution Prohibited 2

3 Func5onal Requirements Inputs that are expected by the system Outputs that must be produced Relationships between those inputs and outputs ÜberInventory : If the system is powered off, and the CMD button is pressed for 4 seconds, the system shall be termed Powered On. If the system is powered on, and the CMD button is pressed for 4 seconds, the system shall be termed Powered Off. If the Scan button is pressed, the laser shall activate and scan for a barcode. The laser shall remain active for 30 seconds or until a barcode is recognized. Cigital, Inc. All Rights Reserved. 6 Non- func5onal Requirements Example Non- Functional Requirements The system shall connect to a and b networks. The system shall acquire and recognize barcodes within 15 seconds more than 80% of the time. The system will require less than 11 Mbs network speed to handle 100 concurrent devices. Auditability Extensibility Maintainability Performance Portability Reliability Security Testability Usability etc. Cigital, Inc. All Rights Reserved. 7 Redistribution Prohibited 3

4 A;ributes of Good Requirements Testable Complete Clear Consistent Measurable Unambiguous Cigital, Inc. All Rights Reserved. 8 New and Old Vocabulary Functional security requirement A condition or capability needed in the system to control or limit the fulfillment of requirements Non- functional security requirement A property of the system required to ensure fulfillment of requirements in the face of abuse or misuse Derived security requirements From functional requirements From other security requirements Cigital, Inc. All Rights Reserved. 12 Redistribution Prohibited 4

5 Func5onal Security Requirements Describe positive, functional behavior related to security. Can be directly tested. Often related to security features like role- based access control, data integrity, etc. Back office users must authenticate with userid / password. 5 or more failed attempts to login account lockout Cigital, Inc. All Rights Reserved. 13 Security Non- Func5onal Requirements Audit logs shall be verbose enough to support forensics All price modification events shall be logged. The event log shall contain date, time, user, action, object, prior value, new value Audit logs shall have integrity protection... Application shall achieve 99.7% uptime between 6:00am and 2:00am local time. Multiple database servers Transaction integrity, fall- back, retry, etc. Cigital, Inc. All Rights Reserved. 14 Redistribution Prohibited 5

6 Derived Security Requirements Back office users must authenticate with userid / password. 5 or more failed attempts to login account lockout Implication: Bad guy can deny users access Guess or learn accounts Try every account 3 times All accounts locked Derived requirement: Accounts should unlock after 5 minutes of no attempts Cigital, Inc. All Rights Reserved. 15 Cigital, Inc. All Rights Reserved. 16 Redistribution Prohibited 6

7 Thinking backwards Think of abuse cases and misuse cases as backward use cases Consider grammatical negation Start with use cases Think about what a system does Continue at increasing levels of detail Once you know what a system does, look at it from the adversary's perspective. How can they disrupt the system? How can they profit from the system? 17 Copyright 2007 Cigital Inc. An Automated Teller Machine Scenario: 1. Login 2. Withdraw money 3. Logout What are some example functional requirements? 18 Copyright 2007 Cigital Inc. Redistribution Prohibited 7

8 Login, Withdraw, Logout Card required to login Correct PIN required to login Withdraw even dollar amounts in increments of $20 Can't exceed account balance It's still not good enough What will a bad guy do? 19 Copyright 2007 Cigital Inc. Security Requirements Shoulder- surfing Don't display PIN Steal card Don't allow lots of login attempts Guy behind you uses your forgotten card Audible and visible alerts Session timeout and logout 20 Copyright 2007 Cigital Inc. Redistribution Prohibited 8

9 Cigital, Inc. All Rights Reserved. 21 Four Ways to Create Security Requirements Cigital, Inc. All Rights Reserved. 22 Redistribution Prohibited 9

10 Security Requirements Process Cigital, Inc. All Rights Reserved. 23 Security Requirements Fodder Input Validation Velocity Transactions Visibility Concurrency Cigital, Inc. All Rights Reserved. 24 Redistribution Prohibited 10

11 Input Valida5on: Four Levels Length and Boundaries 4 input fields 1-3 digits, 0-9 inclusive Characters and encoding English characters in ASCII or Unicode, any UTF encoding Syntactic Positive integer percentage Semantic All percentages must total to exactly 100, no more no less Can total to 100 with any combination of 1-4 inputs Cigital, Inc. All Rights Reserved. 25 Velocity Checking How many shots does an attacker get? At what rate? Logins / hour Transactions / minute Kilobytes / day Changes / user Assume attackers do billions of things per hour Does that change your concerns about security? Insiders have higher hit rate Cigital, Inc. All Rights Reserved. 26 Redistribution Prohibited 11

12 Transac5ons Operations can be interrupted Just because you start, doesn't mean you finish Who shares data / resources? Back- office batch processing Help desk Users What do they share? Databases Web servers Session IDs Cigital, Inc. All Rights Reserved. 27 Visibility Versus True Enforcement Don't omit functionality for unauthorized users Prevent use by unauthorized users Specify that it can't be done Then testers must test it Specify what does happen when bad things are attempted Cigital, Inc. All Rights Reserved. 28 Redistribution Prohibited 12

13 Concurrency Can I log in more than once? Can I modify more than one user simultaneously? Can two admins do the same function simultaneously? Can two people view the same file at the same time? How do you resolve conflicts? Cigital, Inc. All Rights Reserved. 29 Four Ways to Create Security Requirements Cigital, Inc. All Rights Reserved. 30 Redistribution Prohibited 13

14 How Do You Do It? Ideal: During initial requirements Next best thing: during test ttrategy Include Security Test Strategy as part of strategy Balance security testing based on risks and impacts Use risk- based security testing to drive security requirements Use some fodder Cigital, Inc. All Rights Reserved. 31 About Security Requirements Cigital, Inc. All Rights Reserved. 32 Redistribution Prohibited 14