Technology Standardization for Security

Transcription

1 IBM Software Group Technology Standardization for Security testing ti across SDLC Security Testing a STeP-IN Theme Conference Dated: 17 th April 2009, Pune By : Randeep S. Chhabra & Satya Shukla IBM Corporation IBM Software Group software Executive Summary Application security continues to be a top security threat Regulatory Compliance (PCI), user demand (Web 2.0) and Enterprise Modernization (SOA) are driving awareness and action for security testing The cost and lack of coverage of reactive security is driving companies towards proactive measures building security into the application development process Traditional approaches make it unlikely that development will support security testing due to schedule risks and potential project failure IBM is focused on evolving new innovative approach for integrating security testing into application development providing the most accurate and easy to use solution for non-security professionals Cost / Complexity Time Security Team Operations / Infrastructure 2

2 IBM Software Group software Business challenges in today s environment Market Share Increase Customer Satisfaction; Lower cost of Customer Acquisition ; Faster Time to Market. Drive value Reduce the costs of operating a secure, resilient business and improve information that maintains the security of your business. Manage business risks Improve the consistent enforcement of corporate security policies and regulatory compliance requirements with fewer resources. Block security threats Anticipate vulnerabilities and risk. Reduce exposure to external and internal threats. 3 IBM Software Group software Current Market Drivers Increase in vulnerabilities / disclosures Application security has become the top threat Regulatory Compliance Requirements such as PCI, HIPAA, GLBA, etc User demand For rich applications is pushing development to advanced code techniques Web 2.0 introducing more risks to threats Enterprise Modernization Driving traditional applications to online world (SOA), increasing corporate risk Cost cutting in current economic climate Demands increased efficiencies Source: IBM ISS Threat Report 4

3 IBM Software Group software What is the cost of a defect? 80% of development costs are spent identifying and correcting defects! During the coding phase $25/defect During the build phase $100/defect During the QA/Testing phase $450/defect Once released as a product $16,000/defect The increasing costs of fixing a defect. 5 IBM Software Group software Typical Customer Adoption To Date QA Testing team Information Security Group Market Maturity Build security testing into the IDE Automate Security / Compliance testing in the Build Process Security / compliance testing incorporated into testing & remediation workflows Security and Compliance Testing, oversight, control, policy, in-depth tests Code Build QA Security 6

4 IBM Software Group software Security Testing Within the Software Lifecycle SDLC Coding Build QA Security Production Developers Developers Developers Application Security Testing Maturity 7 IBM Software Group software Enabling the Operationalization of Security Testing Customers are addressing Web Application Security in three ways: Enable the Security Embed Security Testing Organization Testing in the SDLC Requires web application security subject matter expertise testing solution for select stakeholders Testing Implement environment-specific security Single-step security testing (no additional oversight required as expertise is built-in) Eliminates training requirements for non-security experts Alleviates security testing bottleneck downstream Increases security awareness across the organization (code security improvement, vulnerability awareness) Enables a more efficient process for ontime and on-budget application development Outsource Security Testing Outsource web application security infrastructure or testing Enables immediate identification for sources of online risk without the necessary time and investment for in-house training and resources Express Edition Standard Edition Enterprise Edition Developer Edition Build Edition Tester Edition Standard Edition Reporting Console OnDemand Security Consulting Control, Monitor, Collaborate and Report Web Application Security Testing 8

5 IBM Software Group software Tester Hacker A tester has more in common with a hacker than you think Input mangling Boundary checks, garbage g input, malformed data, brute force Error condition exploitation Exception scenarios, ungraceful failures, misconfiguration, missing/altered/malformed dependencies "Stress" tests Resource starvation, denial of service, spawning multiple instances, tightly looping execution Discovering and exploiting Logic holes; unintended consequences and behaviors; weakest links Circumventing controls Security, application, system, auditing, logging, etc. Checking for leakages Data, logic, system hooks; in logs and traces Creativity Use it in ways it was never design to be used 9 IBM Software Group software Tester - Responsibilities Must work with developers on items that cannot be directly tested No direct or external interface/method suitable for exploitation or verification Get engaged early in the development cycle Before an initial draft of specification/design available Testers can and should provide insight Point out what s not clear, missing, or incomplete Request additional information/depth of details Be willing to dig deep; go beyond what s given Mustn t be afraid to challenge developers Worst case: You re wrong (it happens) and you ve learned something Best case: You re right and you ve prevented a field issue Be professional, courteous, respectful Don t be arrogant 10

6 IBM Software Group software Designer and Developer - Responsibilities Designer/architect, Developer/Coder Must work with testers on adequate code coverage Help identify where code is security sensitive Indicate what can and cannot be directly tested Provide precedence (logic) outline of behavior related to: Authentication, authorization, error handling/recovery, data processing combinations, etc. Clearly document all: Input/output operations, interfaces, dependencies in libraries and external programs, environment variables, valid and invalid configuration states Mustn t be afraid to listen to testers Worst case: A flaw in your code is found (it happens) and re-work is needed Best case: It s not a flaw and a better understanding is established Be professional, courteous, respectful Don t be dismissive 11 IBM Software Group software Tester and Developer - Symbiotic OPEN feed-back is a must A climate of superiority must not be tolerated Don t accept the do your job and I ll do mine attitude 12

7 IBM Software Group software Embedding Security in the Development Lifecycle Primary goals for Web Application Security 1. Manage Online risk with security audits 2. Realize process efficiencies with testing coverage occurring early in the development lifecycle Emerging focus Security Auditors Challenge Accountable for managing organizational risk through on-line activity Limited resources (by budget or skillset) to provide timely security testing coverage The result is a bottleneck that impacts development release cycles The Solution Engage seamlessly more testers earlier in the development lifecycle 13 IBM Software Group software Challenge: Building software securely from the ground up Security Auditors need to enable more testers in the process, but software developers are not trained to be security experts, nor can they meet new development demands Niche security testing teams have been performing audits before code can pass to production These teams cannot keep up with the demand from hundreds of developers pushing new applications frequently > as a result software releases are delayed or risk is introduced Need to engage more testers earlier in the process Need to make it simple for non-security professionals How do we get more resources to provide more security testing for our applications How do we make it easier to identify security vulnerabilities? How can I ensure our developers are implementing our corporate policies? Development does not like us halting releases due to security issues. How can I give them back control? 14

8 IBM Software Group software Solution: Utilize offerings designed for the development environment to identify and fix security issues early in the development process, and turn the security audit into the final check, not the first step Developer Edition & Build Edition provide security and compliance checks Combination of Static Code Analysis and Dynamic Analysis provide non-security professionals in development the ability to accurately check for security defects in code Designed for the developers uses case to seamlessly fit security testing into the development workflow Build Edition embeds automated security testing into the build process Provides remediation advice to simplify ability to fix security issues High accuracy security issue identification that developers can understand and fix Includes embedded security issue training Bite-sized training modules allow developers to quickly understand the security issue and make appropriate fix Facilitates non-disruptive adoption of security testing solutions to improve application IBM Developer Edition IBM Build Edition 15 IBM Software Group software Security Testing Technologies Primer Static Code Analysis <> Whitebox - Looking at the code for issues (codelevel scanning) Dynamic Analysis <> Blackbox - Sending tests to a functioning application Composite Analysis - Blend of all testing techniques for improved accuracy of reporting - Leverage strengths and overcomes weaknesses of each individual technique - Akin to SPI s Hybrid Analysis WhiteBox (WB) vs BlackBox (BB) WB: The ability to see inside the box to see the inner workings of the machine BB: Can t see inside as it s a closed off object, need to test its response to actions String Analysis - IBM patent pending code analysis technique - Code analysis version of Scan Expert for efficient configuration of scan to enable accurate results Runtime Analysis - Monitoring behavior for feedback while application is running at a detailed level to tell where a vulnerability exists in the execution code 16

9 IBM Software Group software Enabling Business and Technology Experts to Collaborate Traceability of Requirements to Security needs to be achieved Rich text Requirements Business Objectives Business Processes Storyboards & Sketches Requirements Definition Requirements Composer Elicit, capture, elaborate, review and discuss requirements Industry & Domain Models Use Cases Prototypes Text to visual transformation Requirements Management RequisitePro Search, filter on attributes Traceability between related artifacts Impact & Coverage analysis 17 IBM Software Group software Quality Manager Tester needs a central hub for business-driven software quality across Security, Functional and Performance Testing Catch quality issues early reducing cost and risk Stakeholder and team coordination Fewer meetings, less rework using a dynamic test plan Automated process workflow Reduce labor-intensive tasks, improve cycle time Upstream and downstream quality Enforce standards at coding and deployment IBM Quality Manager Accelerate time to market & Improve flexibility Make confident decisions with effortless reporting Lab efficiency and asset utilization Save 30-40% testing time overall Test coverage optimization across environments 95% confidence on optimal coverage Industry leading lifecycle coverage System z, System i, SAP and.net Ongoing process improvement and analytics Version history and trending within and across projects Proactive risk management and decision-making Automated, filtered and prioritized reporting Protect existing investments, deliver greater predictability Adopt successful deployment patterns, map to operational KPIs CONTINUOUS test plan participate AUTOMATED context GOVERNANCE use case distributed access dashboards synchronize EASY HANDOFF trace LAB UTILIZATION functional PERFORMANCE security compliance 18

10 IBM Software Group software Quality management offerings summary Test Management and Lab Management Quality Manager Standard Edition Quality Manager Express Edition NEW Test Lab Manager Offerings Domain-specific testing Static analysis: Software Analyzer Security: Tester Edition Performance: Application Performance Analyzer Functional: Functional Tester Performance: Performance Tester SOA: Service Tester for SOA Quality Code quality: Test RealTime Services Measured Capability Improvement Framework Assessments 19 IBM Software Group software 2008: Introducing the first wave of Jazz offerings Team Concert Core team collaboration at o "Think and work" in unison and provide real-time project heath Requirements Composer Business expert collaboration Elicit, capture, elaborate, discuss and review requirements Quality Manager Quality team collaboration Coordinate quality assurance plans, processes and resources Team Concert offering offering Requirements Composer offering Quality Manager Business Partner Jazz Offerings Best Practice Processes Search And Query Security Dashboards Team Awareness Events Notification Collaboration JAZZ TEAM SERVER ClearQuest ClearCase Build Forge Open Lifecycle Service Integrations Powered by RequisitePro Asset Manager Integrations Software Architect Application Developer and tester portfolio enterprise modernization including system z and i support 20

11 IBM Software Group software Centralized test management reduces risk and cost Supporting a wide variety of platforms across the lifecycle IBM Collaborative Application Lifecycle Management Quality Manager Quality Dashboard Requirements Test Management & Execution Defect Tracking Requirements Composer Create Plan Build Tests Manage Test Lab Best Practice Processes Report Results Team Concert Open Platform Software Analyzer SAP Java Functional Tester JAZZ TEAM SERVER Open Lifecycle Service Integrations Services Tester for SOA Performance Tester System z, i.net homegrown 21 IBM Software Group software Developer & Build Editions raise the industry bar Delivering security-focused solutions across the development lifecycle CISO Dashboard provides filtered relevant data for more informed decision-making Tester Seamlessly add security testing alongside functional & performance testing Developer Embed security testing into the development environment and workflow All test assets and results in one repository Quality process enactment Build Manager QA Manager Automated security tests embedded into the build process Full traceability for security issue prioritization 22

12 IBM Software Group software IBM Ecosystem Enterprise / Reporting Console Developer Ed (desktop) Ent. QuickScan (web client) Build Ed (scanning agent) (scanning agent) (QA clients) Tester Ed Enterprise user (web client) Standard Ed (desktop) Application Developer Software Analyzer ClearCase BuildForge Quality Manager Express (desktop) ClearQuest est / Defect Management CODE Build security testing into the IDE* BUILD Automate Security / Compliance testing in the Build Process QA Security / compliance testing incorporated into testing & remediation workflows SECURITY Security & Compliance Testing, oversight, control, policy, audits IBM Web Based Training for 23 IBM Software Group software The New IBM Ecosystem Enterprise / Reporting Console Developer Ed (desktop) Ent. QuickScan (web client) Build Ed (scanning agent) (scanning agent) (QA clients) Tester Ed Enterprise user (web client) Standard Ed (desktop) Application Developer Software Analyzer ClearCase BuildForge Quality Manager Express (desktop) ClearQuest est / Defect Management Code Build security testing into the IDE* Build Automate Security / Compliance testing in the Build Process QA Security / compliance testing incorporated into testing & remediation workflows Security Security & Compliance Testing, oversight, control, policy, audits IBM Web Based Training for 24

13 IBM Software Group software IBM Ecosystem Enterprise / Reporting Console White Box + String Analysis Ent. Developer Ed QuickScan (desktop) (web client) Application Developer Black Box + Runtime Analysis Software Analyzer Composite Analysis White Box + String Analysis ClearCase Build Ed (scanning agent) Black Box + Runtime Analysis BuildForge (scanning agent) Black Box (QA clients) Tester Ed Composite Quality Manager Analysis ClearQuest est / Defect Management Black Box Black Box Enterprise user (web client) Standard Ed (desktop) Black Box Express (desktop) CODE Build security testing into the IDE* BUILD Automate Security / Compliance testing in the Build Process QA Security / compliance testing incorporated into testing & remediation workflows IBM Web Based Training for SECURITY Security & Compliance Testing, oversight, control, policy, audits 25 IBM Software Group software Black Box DE White Box Accuracy Source free Code coverage HTTP awareness only Multi components support Code/path coverage Limited to given code More than HTTP validations Support partial applications Support per language/framework Requires deployed application Few Prerequisites Works as a remote attacker No need to deploy application Over approximation Integration/deployment issues 26

14 String Analysis IBM Software Group software IBM patent-pending technology Potentially ygame-changing g g technology in code-analysis Existing white-box offerings use Taint Analysis Requires configuration, dependent on both knowledge of code & security expertise to be done accurately Inaccurate configuration results in volumes of false positives String Analysis automates configuration Removes largest driver of inaccurate results of static code analysis Simplifies use for developers (for non-security experts) Taint analysis measures whether an input is tainted, string analysis can determine exactly how it is tainted 27 IBM Software Group software What is Developer Edition? Overview A solution created to empower developers with the ability to invoke Web application security testing within their development environment Designed as a complement to the family of security testing solutions, it enables the development organization to address the volumes of security issues that can be introduced in code. Supports existing developer and build environment use cases for efficient and non-disruptive adoption of security testing with IDE & build server integrations What does it do? Provides security and compliance checks using static code analysis for security vulnerabilities, Enables developers (who are not security experts) address security defects early in development process where the cost of fixing issues is least expensive Highlights Comprehensive Security Analysis Next-Generation Accuracy Unparalleled Ease of Use Identification of line-of-code Self-Serve Security Testing for Developers Seamless Integration into the Development Process Complete the End-to-End security solution 28

15 IBM Software Group software What is Build Edition? Overview A solution created to embed automated Web application security into the build process Designed as a complement to the family of security testing solutions, it enables the development organization to address the volumes of security issues that can be introduced in code. Supports existing developer and build environment use cases for efficient and non-disruptive adoption of security testing with IDE & build server integrations What does it do? Allow scans from Standard Edition or Developer Ed to be processed in a non-ui / scriptable mode Provides simple/generic command line support for integration into most build environments, with an additional adaptor for BuildForge Highlights Automated Security Testing in the Development Process Comprehensive Security Analysis Next-Generation Accuracy Code Coverage Identification of line-of-code Seamless Integration into the Development Process Complete the Endto-End security solution 29 IBM Software Group software Security in the Build Process Goal: Merge into the existing process Use Static Analysis when compilation completes Use Dynamic Analysis when app is deployed Log Results into the existing system Adjust to Build System environment Limit scan depth based on allotted time & resources Support Constantly Changing Applications Functionality Overview Run existing scans Evaluate scan results to report problems to stakeholders Collect scan results information in summary reports Integrate with build environments, including, Apache Ant, Build Forge, and command line based builds Export scan report (or report data) to other systems, including ASE Simplify/Support the integration with bug tracking systems 30

16 IBM Software Group software Value Propositions For Security Team For Development Customer Pain: Client has acquired a web application testing desktop point product being run by a security auditor. Limited licenses or resources performing the testing have created a bottleneck by the security team, and it is impeding the deployment of applications. Value for Customer IBM portfolio of web application security testing solutions enables software development stakeholders from development, build management and QA to share in the security testing responsibility and alleviated the resource limitations of the security team. Unique Proposition IBM s investment in security which allows IBM to lead with the broadest and most advanced security testing. Customer Pain: Client needs the development organization to address the process inefficiencies and project delays resulting from security testing bottleneck occurring late in the development process. Value for Customer IBM Developer Ed and Build Ed provide security testing solutions that are designed for development use cases to enable security testing for nonsecurity experts The offerings allow for the identification and remediation of security issues much earlier in the development process, resulting in a more efficient process and projects delivered on time. Unique Proposition Breadth and strength of testing techniques to provide the necessary efficiencies and accuracy for development to be successful with security testing 31 IBM Software Group software Q&A 32