Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Transcription

1 Secure and Resilient Software Development Mark S. Merkow Lakshmikanth Raghavan CRC Press Taylor& Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor St Francis Group, an Informs business AN AUERBACH BOOK

2 Contents Preface xvii How This Book Is Organized xviii About the Authors Acknowledgments xxi xxiii Chapter 1 How Does Software Fail Thee? Let Us Count the Ways Vulnerabilities Abound Security Flaws Are Omnipresent Cars Have Their Share of Computer Problems Too 5 the Roots of Defective Software Tracing 1.3 What Are the True Costs of Insecure Software to Global Enterprises? Addressing Security Questions Addresses Resilience References 11 Chapter 2 Characteristics of Secure and Resilient Software Functional Versus Nonfunctional Requirements Testing Nonfunctional Requirements Families of Nonfunctional Requirements Availability Capacity Efficiency Interoperability Manageability Cohesion Coupling Maintainability 22

3 2.12 Performance Portability Privacy Recoverability Reliability Scalability Security ServiceabiIity/SupportabiIity Characteristics of Good Requirements Eliciting Nonfunctional Requirements Documenting Nonfunctional Requirements References 34 Chapter 3 Security and Resilience in the Software Development Life Cycle Resilience and Security Begin from Within Requirements Gathering and Analysis Systems Design and Detailed Design Functional Decomposition Categorizing Threats Ranking Threats Mitigation Planning Design Reviews Development (Coding) Phase Static Analysis Peer Review UnitTesting Testing Deployment Security Training References 48 Chapter 4 Proven Best Practices for Resilient Applications Critical Concepts The Security Perimeter Attack Surface Mapping the Attack Surface Side Channel Attacks Application Security and Resilience Principles Practice 1: Apply Defense in Depth Practice 2: Use a Positive Security Model 56

4 4.7 Practice 3: Fail Securely Practice 4: Run with Least Privilege Practice 5: Avoid Security by Obscurity Practice 6: Keep Security Simple Practice 7: Detect Intrusions Log All Security-Relevant Information Ensure That the Logs Are Monitored Regularly Respond to Intrusions Practice 8: Don't Trust Infrastructure Practice 9: Don't Trust Services Practice 10: Establish Secure Defaults Mapping Best Practices to Nonfunctional Requirements References 64 Chapter 5 Designing Applications for Security and Resilience Design Phase Recommendations Misuse Case Modeling Security Design and Architecture Review Threat and Risk Modeling Risk Analysis and Modeling Security Requirements and Test Case Generation Design to Meet Nonfunctional Requirements Design Patterns Architecting for the Web Architecture and Design Review Checklist References 84 Chapter 6 Programming Best Practices The Evolution of Software Attacks TheOWASPTop A1: Injection A2: Cross-Site Scripting A3: Broken Authentication and Session Management A4: Insecure Direct Object References A5: Cross-Site Request Forgery A6: Security Misconfiguration A7: Failure to Restrict URL Access 92

5 6.2.8 A8: Invalidated Redirects and Forwards A9: Insecure Cryptographic Storage A10: Insufficient Transport Layer Protection OWASP Enterprise Security API (ESAPI) InputValidation and Handling Client-Side Versus Server-Side Validation Input Sanitization Canonicalization Examples of Attacks due to Improper Input Handling Approaches to Validating Input Data Handling Bad Input ESAPI Interfaces Cross-Site Scripting Same Origin Policy Attacks Through XSS Prevention of Cross-Site Scripting ESAPI Interfaces Injection Attacks SQL Injection Stored Procedures Identifying SQL Injection and Exploitation Defending Against SQL Injection Creating SQL Queries Additional Controls to Prevent SQL Injection Attacks ESAPI Interfaces Authentication and Session Management Attacking Log-in Functionality Attacking Password Resets Attacking Sensitive Transactions Cross-Site Request Forgery CSRF Mitigation Session Management Attacking Log-out Functionality Defenses Against Log-out Attacks Defenses Against Cookie Attacks Session Identifiers ESAPI Interfaces Access Control 124

6 6.9.1 Avoiding Security Through Obscurity Access Control Issues 124 for Broken Access Control Testing Defenses Against Access Control Attacks Administrator Interfaces Protecting Administrator Interfaces ESAPI Interfaces Cryptography Hashing and Password Security Attacking the Hash Precomputed Attacks Message Authentication Code (MAC) Home-Crown Algorithms Randomness and Pseudo-Randomness ESAPI Interfaces Error Handling User Error Messages Log-in Error Messages A Case Study Error Message Differentiation Developer Error Messages Information to Be Kept Private Structured Exception Handling ESAPI Interfaces Ajax and Flash 134 Traffic AJAX Application AJAX Client Requests Server Responses Typical Attacks Against AJAX Applications Security Recommendations for AJAX Applications Adobe Flash Sandbox Security Model Cross-Domain Policy Restrict SWF Files Embedded in HTML Attacking Flash Applications Securing Flash Applications Additional Best Practices for Software Resilience Externalize Variables EncryptedProperties Method Summary Initialize Variables Properly 142

7 Do Not Ignore Values Returned by Functions Avoid Integer Overflows 143 Practices Top 10 Secure Coding 6.16 Fifty Questions to Improve Software Security References 151 Chapter 7 Special Considerations for Embedded Systems, Cloud Computing, and Mobile Computing Devices Embedded Systems Bad Assumptions About Embedded Systems Programming New Mantras The Framework Distributed Applications/Cloud Computing Representational State Transfer (REST) REST Stateless Authentication Attacking Distributed APIs Securing Distributed APIs Mobile Applications BlackBerry Windows Mobile iphone Mobile Application Security References 165 Chapter 8 Security Testing of Custom Software Applications Fixing Early Versus Fixing After Release Testing Phases Unit Testing Manual Source Code Review The Code Review Process Automated Source Code Analysis Automated Reviews Compared with Manual Reviews Commercial and Free Source Code Analyzers Fortify Acquiring Commercial or Open-Source Analysis Tools Deployment Strategy 181

8 8.8.1 IDE Integration for Developers Build Integration for Governance Regulatory Compliance Benefits of Using Source Code Analyzers Penetration (Pen)Testing Penetration Testing Tools Automated Black Box Scanning Deployment Strategy Cray Box Testing Limitations and Constraints of Pen Testing Tools References 189 Chapter 9 Testing Commercial off-the-shelf Systems The Problems with Shrink-Wrapped Software The Common Criteria for Information Technology Security Evaluation Harmonizing Evaluation Criteria Development Evaluation Operation 197 of the Common Criteria Key Concepts Framework The Security The Common Criteria Approach The Security Environment The Common Criteria Portal Criticisms of the CC The Commercial Community Responds The BITS/FSTC Security Assurance Initiative ICSALabs Evaluation Methodology Certification Criteria ICSA Labs Testing and Certification Process Veracode's VerAfied Software Assurance Ratings Methodology Assessing Software for the VerAfied Mark References 216

9 Chapter 10 Implementing Security and Resilience Using CLASP Comprehensive, Lightweight Application Security Process (CLASP) CLASP Concepts ,3 Overview of the CLASP Process CLASP Key Best Practices Best Practice 1: Institute Awareness Programs Best Practice 2: Perform Application Assessments Best Practice 3: Capture Security Requirements Best Practice 4: Implement Secure Development Practices Best Practice 5: Build Vulnerability Remediation Procedures Best Practice 6: Define and Monitor Metrics Best Practice 7: Publish Operational Security Guidelines CLASP Security Activities to Augment Software Development 10.6 Applying CLASP Security 10.7 Re-engineering Processes 227 Activities to Roles 228 Your SDLC for CLASP Business Objectives Process Milestones Process Evaluation Criteria Forming the Process Re-engineering Team Sample CLASP Implementation Roadmaps Green-Field Roadmap Legacy Roadmap References 236 Chapter 11 Metrics and Models for Security and Resilience Maturity Maturity Models for Security and Resilience Software Assurance Maturity Model OpenSAMM Core Practice Areas Levels of Maturity Assurance 243

10 11.3 The Building Security In Maturity Model (BSIMM) BSIMM Software Security Framework BSIMM Activities Governance: Strategy and Metrics Governance: Compliance and Policy Governance: Training 258 Attack Models Intelligence: Intelligence: Security Features and Design Intelligence: Standards and Requirements SSDLTouchpoints: Architecture Analysis SSDLTouchpoints: Code Review SSDLTouchpoints: Security Testing Deployment: Penetration Testing Deployment: Software Environment Deployment: Configuration Management and Vulnerability Management 284 Results with BSIMM Measuring 11.6 Helpful Resources For Implementing BSIMM Applying BSIMM to the Financial Services Domain Working Group Methodology References 289 Chapter 12 Taking It to the Streets Getting Educated DEVELOPER 530: Defending Web Applications DEVELOPER 530: Essential Secure Coding in Java/JEE DEVELOPER 541: Secure Coding in Java/JEE: Developing Defensible Applications DEVELOPER 542: Web App Penetration Testing and Ethical Hacking DEVELOPER 544: Secure Coding in.net: Developing Defensible Applications 294

11 DEVELOPER 545: Secure Coding in PHP: Developing Defensible Applications DEVELOPER 534: Secure Code Review for Java Web Apps DEVELOPER 543: Secure Coding in C/C++: Developing Defensible Applications Aspect Security Inc CERT Software Engineering Institute (SEI) SEI Secure Coding in C and C++ Course Getting Certified Certified Secure Software Lifecycle Professional (CSSLP) Why Obtain the CSSLP? Benefits of Certification to the Professional Benefits of Certification to the Enterprise Getting Involved Web Application Security Consortium Reaching Out for Research DHS Research Program Areas The U.S. Treasury and the FSSCC Last Call Conclusion References 316 Glossary 319 Appendix A 2010 CWE/SANS Top 25 Most Dangerous Programming Errors 335 A.1 Brief Listing of the Top A.1.1 Insecure Interaction Between Components 336 A.1.2 Risky Resource Management 336 A.1.3 Porous Defenses 337 A.2 Detailed CWE Descriptions 338

12 A.2.1 A.2.2 A.2.3 A.2.4 A.2.5 A.2.6 A.2.7 A.2.8 A.2.9 A.2.10 A.2.11 A.2.12 A.2.13 A.2.14 A.2.15 A.2.16 A.2.17 A.2.18 CWE-79: Failure to Preserve Web Page Structure ("Cross-Site Scripting") 338 CWE-89: Improper Sanitization of Special Elements Used in an SQL Command ("SQL Injection") 338 CWE-120: Buffer Copy Without Checking Size of Input ("Classic Buffer Overflow") 339 CWE-352: Cross-Site Request Forgery (CSRF) 339 CWE-285: Improper Access Control (Authorization) 339 CWE-807: Reliance on Un-trusted Inputs in a Security Decision 340 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") 340 CWE-434: Unrestricted Upload of File with Dangerous Type 340 CWE-78: Improper Special Elements Used in an OS Command ("OS Command Injection") 341 Sanitization of CWE-311: Missing Encryption of Sensitive Data 341 CWE-798: Use of Hard-Coded Credentials 341 CWE-805: Buffer Access with Incorrect Length CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ("PHP Value 342 File Inclusion") 342 CWE-129: Improper Validation of Array Index 342 CWE-754: Improper Check for Unusual or Exceptional Conditions 342 CWE-209: Information Exposure Through an Error Message 343 CWE-190: Integer Overflow or Wraparound 343 CWE-131: Incorrect Calculation of Buffer Size 343

13 A.2.19 A.2.20 A.2.21 A.2.22 A.2.23 CWE-306: Missing Authentication for Critical Function 344 CWE-494: Download of Code Without Integrity Check 344 CWE-732: Incorrect Permission for Critical Resource 344 Assignment CWE-770: Allocation of Resources Without Limits or Throttling 344 CWE-601: URL Redirection to Site ("Open Redirect") 345 A.2.24 CWE-327: Use of a Broken or Risky Cryptographic Algorithm 345 A.2.25 CWE-362: Race Condition 345 Appendix B Enterprise Security API 347 B.1 Interface Encoder 348 B.2 Interface User 349 B.3 Interface Authenticator 350 B.4 Interface AccessController 351 B.5 Interface AccessReferenceMap 352 B.6 Interface Encryptor 355 B.7 Interface HTTPUtiIities 355 B.8 Interface Logger 357 Index 361