Cigital. Paco Hope, Technical Manager paco@cigital.com




Transcription:

The Foundation for Security
Paco Hope, Technical Manager
paco@cigital.com
www.cigital.com
info@cigital.com
+1.703.404.9293
Cigital, Inc. All Rights Reserved. Redistribution Prohibited.

Cigital
- Consulting firm of recognized software security experts since 1992
- Widely published in books, white papers, and articles
- Industry thought leaders
- Deep expertise in commercial areas: financial services, wireless communications, gaming
- Experience in industry standards, best practices, and regulatory compliance

What are Requirements?
The IEEE Standard 729 defines requirements as:
- A condition or capability needed by a user to solve a problem or achieve an objective
- A condition or capability that must be met or possessed by a system to satisfy a contract, standard, specification, or other formally imposed document.

Three Types of Requirements
- Functional (Behavioral) Requirements: functions that the system must perform
- Non-Functional Requirements: properties the system must possess
- Derived Requirements: functional/non-functional requirements implicit from stated requirements

Functional Requirements
- Inputs that are expected by the system
- Outputs that must be produced
- Relationships between those inputs and outputs
ÜberInventory example:
- If the system is powered off, and the CMD button is pressed for 4 seconds, the system shall be termed Powered On.
- If the system is powered on, and the CMD button is pressed for 4 seconds, the system shall be termed Powered Off.
- If the Scan button is pressed, the laser shall activate and scan for a barcode. The laser shall remain active for 30 seconds or until a barcode is recognized.

Non-functional Requirements
Example non-functional requirements:
- The system shall connect to 802.11a and 802.11b networks.
- The system shall acquire and recognize barcodes within 15 seconds more than 80% of the time.
- The system will require less than 11 Mbs network speed to handle 100 concurrent devices.
Non-functional properties: auditability, extensibility, maintainability, performance, portability, reliability, security, testability, usability, etc.

Attributes of Good Requirements
- Testable
- Complete
- Clear
- Consistent
- Measurable
- Unambiguous

New and Old Vocabulary
- Functional security requirement: a condition or capability needed in the system to control or limit the fulfillment of requirements
- Non-functional security requirement: a property of the system required to ensure fulfillment of requirements in the face of abuse or misuse
- Derived security requirements: derived from functional requirements, or from other security requirements

Functional Security Requirements
- Describe positive, functional behavior related to security.
- Can be directly tested.
- Often related to security features like role-based access control, data integrity, etc.
Example: Back office users must authenticate with userid / password. 5 or more failed attempts to login: account lockout.

Security Non-Functional Requirements
- Audit logs shall be verbose enough to support forensics
  - All price modification events shall be logged.
  - The event log shall contain date, time, user, action, object, prior value, new value
  - Audit logs shall have integrity protection...
- Application shall achieve 99.7% uptime between 6:00am and 2:00am local time.
  - Multiple database servers
  - Transaction integrity, fall-back, retry, etc.

Derived Security Requirements
Stated requirement: Back office users must authenticate with userid / password. 5 or more failed attempts to login: account lockout.
Implication: a bad guy can deny users access
- Guess or learn accounts
- Try every account 3 times
- All accounts locked
Derived requirement: Accounts should unlock after 5 minutes of no attempts
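The lockout rule above and the derived requirement it implies, as an added Python example that is not part of Cigital's slides; the account names and clock values are constructed. Running the same lockout simulation with and without the derived requirement shows why the stated rule alone is not good enough.

```python
"""Added example (not from Cigital's slides): the rule "5 or more failed logins
lock the account" beside its derived requirement "accounts unlock after 5 minutes
of no attempts". Account names and the clock values are constructed."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5        # failed attempts that lock an account (from the slide)
UNLOCK_AFTER_SECONDS = 300   # derived requirement: 5 quiet minutes unlock it

@dataclass
class AccountState:
    failures: int = 0
    last_attempt: float = 0.0   # seconds on a constructed clock, not wall time

class LoginGuard:
    """permanent=True models the stated requirement alone: a locked account stays
    locked, so failing 5 times against each known account shuts every user out.
    permanent=False adds the derived requirement, which bounds that denial of service."""
    def __init__(self, permanent: bool):
        self.permanent = permanent
        self.state: dict[str, AccountState] = {}

    def is_locked(self, st: AccountState, now: float) -> bool:
        if st.failures < LOCKOUT_THRESHOLD:
            return False
        if self.permanent:
            return True
        return now - st.last_attempt < UNLOCK_AFTER_SECONDS   # still in the quiet period?

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'denied' for one login attempt at time `now`."""
        st = self.state.setdefault(user, AccountState())
        if self.is_locked(st, now):
            st.last_attempt = now      # an attempt while locked restarts the quiet clock
            return "locked"
        if not self.permanent and now - st.last_attempt >= UNLOCK_AFTER_SECONDS:
            st.failures = 0            # 5 quiet minutes elapsed: counter starts fresh
        st.last_attempt = now
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        return "denied"

def owners_locked_out(users: list[str], permanent: bool) -> int:
    """Attacker fails LOCKOUT_THRESHOLD times per account at t=0; the real owners
    then log in with the right password at t=600. Returns how many are shut out."""
    guard = LoginGuard(permanent)
    for u in users:
        for _ in range(LOCKOUT_THRESHOLD):
            guard.attempt(u, False, now=0.0)
    return sum(guard.attempt(u, True, now=600.0) != "ok" for u in users)
```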

Thinking backwards
- Think of abuse cases and misuse cases as backward use cases
- Consider grammatical negation
- Start with use cases
  - Think about what a system does
  - Continue at increasing levels of detail
- Once you know what a system does, look at it from the adversary's perspective.
  - How can they disrupt the system?
  - How can they profit from the system?
Copyright 2007 Cigital Inc.

An Automated Teller Machine
Scenario:
1. Login
2. Withdraw money
3. Logout
What are some example functional requirements?

Login, Withdraw, Logout
- Card required to login
- Correct PIN required to login
- Withdraw even dollar amounts in increments of $20
- Can't exceed account balance
It's still not good enough. What will a bad guy do?

Security Requirements
- Shoulder-surfing: don't display PIN
- Steal card: don't allow lots of login attempts
- Guy behind you uses your forgotten card: audible and visible alerts; session timeout and logout

Four Ways to Create Security Requirements

Security Requirements Process

Security Requirements Fodder
- Input Validation
- Velocity
- Transactions
- Visibility
- Concurrency

Input Validation: Four Levels
- Length and boundaries: 4 input fields, 1-3 digits, 0-9 inclusive
- Characters and encoding: English characters in ASCII or Unicode, any UTF encoding
- Syntactic: positive integer percentage
- Semantic: all percentages must total to exactly 100, no more, no less; can total to 100 with any combination of 1-4 inputs

Velocity Checking
- How many shots does an attacker get? At what rate?
  - Logins / hour
  - Transactions / minute
  - Kilobytes / day
  - Changes / user
- Assume attackers do billions of things per hour. Does that change your concerns about security?
- Insiders have a higher hit rate
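The four levels applied to the slide's own percentage-fields case, as an added Python example that is not from Cigital's slides; the submitted field bytes are constructed and UTF-8 is assumed as the one accepted encoding. It goes one step beyond the slide at level two by rejecting non-ASCII digits that Python's str.isdigit() and int() would otherwise accept.

```python
"""Added example (not from Cigital's slides): the four validation levels applied
to the slide's own case, up to four percentage fields that must total exactly 100.
Field bytes are constructed; UTF-8 is assumed as the one accepted encoding."""
MAX_FIELDS, MAX_DIGITS = 4, 3
ASCII_DIGITS = set("0123456789")

class Rejected(Exception):
    def __init__(self, level: str, reason: str):   # level: which check caught it
        super().__init__(f"{level}: {reason}")
        self.level, self.reason = level, reason

def validate_percentages(fields: list[bytes]) -> list[int]:
    """Returns the accepted percentages, or raises Rejected naming the level."""
    # Level 1: length and boundaries, before the bytes are interpreted at all.
    if not 1 <= len(fields) <= MAX_FIELDS:
        raise Rejected("length", f"expected 1-{MAX_FIELDS} fields, got {len(fields)}")
    present = [f for f in fields if f != b""]       # any 1-4 of the fields may be used
    if not present:
        raise Rejected("length", "no field filled in")
    for f in present:
        if not 1 <= len(f) <= MAX_DIGITS:
            raise Rejected("length", f"field {f!r} is not 1-{MAX_DIGITS} bytes")
    # Level 2: characters and encoding. Decode strictly, then allow ASCII digits only;
    # str.isdigit() and int() would also accept fullwidth or Arabic-Indic digits.
    texts = []
    for f in present:
        try:
            text = f.decode("utf-8")
        except UnicodeDecodeError:
            raise Rejected("encoding", f"field {f!r} is not valid UTF-8") from None
        if not set(text) <= ASCII_DIGITS:
            raise Rejected("encoding", f"field {text!r} has characters other than 0-9")
        texts.append(text)
    # Level 3: syntax. Each field must be a positive integer percentage, 1..100.
    values = [int(t) for t in texts]
    for v in values:
        if not 1 <= v <= 100:
            raise Rejected("syntax", f"{v} is not a positive percentage")
    # Level 4: semantics. The filled-in fields must total exactly 100, no more, no less.
    if sum(values) != 100:
        raise Rejected("semantic", f"percentages total {sum(values)}, not 100")
    return values

def check(fields: list[bytes]) -> str:
    """Returns 'ok' or '<level>: <reason>' for a set of submitted field values."""
    try:
        validate_percentages(fields)
        return "ok"
    except Rejected as e:
        return str(e)
```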

Transactions
- Operations can be interrupted: just because you start doesn't mean you finish
- Who shares data / resources?
  - Back-office batch processing
  - Help desk
  - Users
- What do they share?
  - Databases
  - Web servers
  - Session IDs

Visibility Versus True Enforcement
- Don't merely omit functionality for unauthorized users
- Prevent use by unauthorized users
- Specify that it can't be done; then testers must test it
- Specify what does happen when bad things are attempted

Concurrency
- Can I log in more than once?
- Can I modify more than one user simultaneously?
- Can two admins do the same function simultaneously?
- Can two people view the same file at the same time?
- How do you resolve conflicts?

Four Ways to Create Security Requirements

How Do You Do It?
- Ideal: during initial requirements
- Next best thing: during test strategy
  - Include Security Test Strategy as part of the strategy
  - Balance security testing based on risks and impacts
  - Use risk-based security testing to drive security requirements
  - Use some fodder

About Security Requirements
paco@cigital.com