Practical Applications of Software Security Model
Chris Nagel, Software Security Consultant, Fortify Software

Introductions
About Me: Chris Nagel
- Software Security Consultant
- With Fortify for 2+ years
- Before Fortify: Senior Software Engineer for USAF (12 years)
  - Air Force Wargaming Institute, developing wargames
  - Developed .NET web and Windows apps in C#
  - Extensive experience in all areas of the SDLC
  - Last 2 years with USAF Application Software Assurance Center of Excellence (ASACoE)
- Education: MS and BS in CS

Agenda
- History
- The ASACoE Process
- Challenges
- Lessons Learned
- Q&A
In the Beginning
History
- August 2005: USAF Human Resource System breached
  - 33,000 personnel records stolen
  - Attack vector was software related
  - Impact was felt throughout the USAF

Response
- Software Security Pilot Program, led by Maj. Bruce Jenkins
  - Critical vulnerabilities were found in all pilot applications
- Decision was made to organize a group dedicated to software security
  - Fall 2006: Application Software Assurance Center of Excellence

Response Vehicle
- Contract competition to find the best automated security software
- Focus on 3 areas:
  - Static Analysis (Source Code Analysis)
  - Dynamic Analysis (Penetration Testing)
  - Data Tier Analysis (Database STIG Checking)
- The winners:
  - Fortify Software (SCA and 360 Server)
  - IBM Rational AppScan
  - AppSecInc AppDetective
- Services: Prime Contractor Telos; Subcontractors Fortify and Cigital

Mastering SSA: ASACoE
- Program Management Offices Visited: 96
- Applications Assessed: 600+
- Total Lines of Code Assessed: 93,921,058
Ramstein AB, Germany

ASACoE Benefits
- Significant risk mitigation throughout the SDLC
- Cost and time savings for PMOs
- Certification & Accreditation processing time reduced
- Real-time protection for fielded operational systems
[Chart: Critical/High Vulnerabilities per 1,000 Lines of Code, Initial vs. Follow-On, for App1 through App6; percentage labels shown: 49%, 26%, 9%, 60%, 75%, 69%]
The ASACoE Process
The ASACoE Process
- Train: 3-day training session
- Enable: 5-day on-site triage assessment
- Support: triage assessment report; augment remediation efforts; follow-up scans

The ASACoE Process - Train
- 3-day training session
  - 1 day Defensive Programming: need for software assurance, case studies, vulnerability examples
  - ½ day AppDetective training
  - 1 day Fortify SCA training
  - ½ day Fortify RTA/PTA/360 Server
- Mixed audience: managers, IA, developers
- Hosted at Gunter AFB or other AFBs

The ASACoE Process - On-Site
- Scan codebase with the goal of integrating into the build process
  - Help optimize scans to your codebase
- Mentor developers on secure coding practices
  - Defensive programming techniques
- Triage scan results with developers
  - Triage your FPRs as well as AppDetective and AppScan results
  - Time is limited, so a full triage of the FPRs will be delivered with the final report
- The tools will be left behind and a security assessment report will be delivered to the PMO
  - This will enable you to perform regular scans on your own

The ASACoE Process - On-Site
- ASACoE Assessment Team (4-person team)
  - At least 1 organic and the rest contractors
  - Contractors serve as subject matter experts
  - Organics serve as team chiefs
- All team members trained to use the software suite
  - Product specialization depending on background
  - Periodic rotation of duties

The ASACoE Process - On-Site

The ASACoE Process - Support
- Support: 1st tier support; link to vendors
- Support Remediation: 3rd party resources; verification
- Re-Assess: new training; new assessment
- Follow-Up Scans: further analysis; custom rules
Challenges
Challenges
Challenge #1: No Mandate
- No clear vision for software assurance
- Currently working with proactive groups
- Large focus on new business
  - Can put a damper on remediation
- Could be making a bigger splash

Challenges
Challenge #2: Moderate Adoption
- Many re-assessments reveal moderate adoption of software assurance
- Focus on scanning leaves little time for process development and automation
- Need alternate training methods

Challenges
Challenge #3: Awareness and Education
- Complex problem with a complex solution
- All leadership levels need to be made aware of the risks associated with software vulnerabilities
- Getting the word out:
  - SAF/A6 and AFSPC: provide policy recommendations and best practices
  - AF Institute of Technology, AF Academy, and Cyber Technical Schools
  - Aided the US Navy, Army and Canadian Army in standing up similar centers
Software Assurance Process Lessons Learned
Software Assurance Process Lessons
Lesson #1: Clear Communication Regarding Security
- Before assessment, try to define policies and expectations
- Ensure that policies and expectations are communicated to all stakeholders
- Consistently enforce policies and expectations

Software Assurance Process Lessons
Lesson #2: Don't Bite Off More Than You Can Chew
- Large numbers of issues are typically found during a software assurance assessment
- Don't panic
- Assess the risk of vulnerabilities and prioritize what gets fixed first
- Still worried? Try Fortify RTA!

Software Assurance Process Lessons
Lesson #3: Automate the Process
- If you don't have continuous builds, it's worth looking at
- Integrate Fortify SCA into your build process
- Automate FPR uploads to Fortify 360 Server
- Use email alerts to notify stakeholders
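Lessons #2 and #3 (prioritize by risk; automate scans and alerts) and the Critical/High per 1,000 lines of code metric from the earlier chart can be combined into a single build gate. The following is an added example, not ASACoE or Fortify code; it assumes an FPR is a zip archive containing audit.fvdl with Build/LOC and Vulnerability/InstanceInfo/InstanceSeverity elements under the FVDL namespace, and the severity bands it uses are its own simplification.

```python
# Added example (not ASACoE or Fortify code): build gate on Critical/High per KLOC.
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace and element names follow the FVDL layout as understood here;
# verify them against a real audit.fvdl before relying on this in a build.
NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}

def build_sample_fpr() -> bytes:
    """Constructed stand-in for a real FPR: a zip holding a tiny audit.fvdl."""
    def vuln(vtype, sev):
        return (f"<Vulnerability><ClassInfo><Type>{vtype}</Type></ClassInfo>"
                f"<InstanceInfo><InstanceSeverity>{sev}</InstanceSeverity></InstanceInfo></Vulnerability>")
    fvdl = (f'<FVDL xmlns="{NS["f"]}"><Build><LOC type="Fortify">2500</LOC></Build>'
            "<Vulnerabilities>" + vuln("SQL Injection", 4.0)
            + vuln("Cross-Site Scripting: Reflected", 3.5)
            + vuln("Poor Logging Practice", 1.0) + "</Vulnerabilities></FVDL>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("audit.fvdl", fvdl)
    return buf.getvalue()

def bucket(severity: float) -> str:
    """Assumed severity bands; Fortify's own priority order also weighs likelihood."""
    return "Critical" if severity >= 4.0 else "High" if severity >= 3.0 else "Other"

def summarize_fpr(fpr_bytes: bytes) -> dict:
    """Count findings per band and per type; compute Critical/High per 1,000 LOC."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as z:
        root = ET.fromstring(z.read("audit.fvdl"))
    loc = int(root.findtext("f:Build/f:LOC", "0", NS))
    counts, by_type = {"Critical": 0, "High": 0, "Other": 0}, {}
    for v in root.iterfind("f:Vulnerabilities/f:Vulnerability", NS):
        band = bucket(float(v.findtext("f:InstanceInfo/f:InstanceSeverity", "0", NS)))
        counts[band] += 1
        if band != "Other":  # only Critical/High drive what gets fixed first
            vtype = v.findtext("f:ClassInfo/f:Type", "?", NS)
            by_type[vtype] = by_type.get(vtype, 0) + 1
    crit_high = counts["Critical"] + counts["High"]
    density = crit_high * 1000 / loc if loc else float("inf")  # empty scan never passes
    return {"loc": loc, "counts": counts, "by_type": by_type, "density_per_kloc": round(density, 2)}

def gate(summary: dict, max_per_kloc: float) -> tuple:
    """Pass/fail decision plus the one-line alert text to mail to stakeholders."""
    passed = summary["density_per_kloc"] <= max_per_kloc
    text = (f"{'PASS' if passed else 'FAIL'}: {summary['counts']['Critical']} Critical, "
            f"{summary['counts']['High']} High in {summary['loc']} LOC = "
            f"{summary['density_per_kloc']}/KLOC (limit {max_per_kloc})")
    return passed, text  # caller exits non-zero on failure to break the build
```

Run it as the last step after the SCA scan has written the FPR, and have the build exit non-zero when `gate` returns False so the alert text reaches stakeholders via the build system's own notification.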
Training Lessons Learned
Training Lessons
Lesson #1: The ASACoE Training Is Good for Everyone
- The content is mainly tailored for developers, but it's good for managers, IA, builders, etc.
- Get refresh training from ASACoE
- Incorporate ASACoE training slides into new-hire training

Training Lessons
Lesson #2: The ASACoE Training Is Not Enough
- Designed to scratch the surface
- Software security is very complex and requires continual education
- Develop a required training program for developers
- Because software security is relatively new, getting training information can be difficult
  - Many software security blogs
  - Books
  - Instructor-led training and conferences
- Software security certifications are emerging
  - Certified Software Security Lifecycle Professional (CSSLP)
  - SANS Institute

Training Lessons
Lesson #3: Not Everyone Learns the Same Way
- Not everyone can learn effectively from instructor-led classes
- CBTs can be effective and are available from Fortify
- Some developers prefer self-study
Technology Lessons Learned
Technology Lessons
Lesson #1: Explore Fortify Custom Rules
- The default Fortify rule packs cover most APIs, but not everything
- Custom rules are used to educate SCA about custom APIs or 3rd party APIs that are not covered
- Can also enforce policies in code
- Very detailed topic; Fortify can provide training

Technology Lessons
Lesson #2: Integrate with Bug Tracking
- If you're using a bug tracking system (and you should be), integrate it with Fortify 360
- We support Bugzilla out of the box
- Can also support: Microsoft Team Foundation Server, JIRA, HP Quality Center
- Exposed API for other systems

Technology Lessons
Lesson #3: Explore Custom Reports
- Reporting system is based on BIRT, an open source report engine
- Fortify report templates are available in Fortify 360 Server
- The ASACoE/Fortify can help with custom reports

Closing Remarks
- The ASACoE process was designed to assess the largest number of applications possible; it is not the best fit for everyone
- If you like the ASACoE approach, they will help with implementing their model
- When considering establishing a Center of Excellence, first consult industry standards (SAMM, BSIMM)
Questions?