Secure Software Development Lifecycle. Security... Not getting better



Similar documents
Microsoft STRIDE (six) threat categories

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

The Value of Vulnerability Management*

How To Manage Security On A Networked Computer System

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Network Security Audit. Vulnerability Assessment (VA)

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Security Considerations for the Spiral Development Model

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

HIPAA Compliance Evaluation Report

Columbia University Web Security Standards and Practices. Objective and Scope

SAST, DAST and Vulnerability Assessments, = 4

Audit/Logging Repudiation. Security Testing: Testing for What It s NOT supposed to do

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Software Development: The Next Security Frontier

Security Testing. How security testing is different Types of security attacks Threat modelling

Big Data, Big Risk, Big Rewards. Hussein Syed

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Bomgar Corporation. Bomgar Application Security Assessment Summary January 26, This document is the property of Bomgar Corporation.

Security Controls What Works. Southside Virginia Community College: Security Awareness

Vulnerability Management Policy

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensuring security the way how we do it

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Enterprise Computing Solutions

Securing SharePoint 101. Rob Rachwald Imperva

Taxonomic Modeling of Security Threats in Software Defined Networking

CompTIA Security+ (Exam SY0-410)

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

The Business Case for Security Information Management

Penetration Testing. Presented by

The Security Development Lifecycle

Web application security: automated scanning versus manual penetration testing.

- Table of Contents -

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

SCOPING QUESTIONNAIRE FOR PENETRATION TESTING

Security Controls for the Autodesk 360 Managed Services

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Information Technology Security Review April 16, 2012

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Cyber R &D Research Roundtable

BM482E Introduction to Computer Security

Secure Programming Lecture 9: Secure Development

Effective Software Security Management

In Building Security In, Gary McGraw proposes three pillars to use throughout the lifecycle: I: Applied Risk Management

Columbia University Web Application Security Standards and Practices. Objective and Scope

Chapter 4 Application, Data and Host Security

Fortinet Solutions for Compliance Requirements

Threat Modeling. Deepak Manohar

IBM Connections Cloud Security

A Survey on Requirements and Design Methods for Secure Software Development*

05.0 Application Development

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

Adobe Systems Incorporated

Cisco Advanced Services for Network Security

Cutting Edge Practices for Secure Software Engineering

Patch and Vulnerability Management Program

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

The Protection Mission a constant endeavor

OPEN SOURCE SECURITY

QuickBooks Online: Security & Infrastructure

NERC CIP VERSION 5 COMPLIANCE

Web Application Report

Network and Host-based Vulnerability Assessment

Information Security Policy

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

MySQL Security: Best Practices

Application Security Testing

Seven Practical Steps to Delivering More Secure Software. January 2011

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

THE TOP 4 CONTROLS.

Advanced Systems Security

Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc.

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Transcription:

Secure Software Development Lifecycle This lecture provides reference material for the book entitled The Art of Software Security Testing by Wysopal et al. 2007 This lecture material is copyrighted by Laurie Williams (2007). However, you are encouraged to download, forward, copy, print, or distribute it, provided you do so in its entirety (including this notice) and do not sell or otherwise exploit it for commercial purposes. For PowerPoint version of the slides, contact Laurie Williams at williams@csc.ncsu.edu. 2005 Laurie Williams Security... Not getting better http://www.cert.org/stats/vulnerability_remediation.html 2 1

Security Testing: Testing for What It s NOT supposed to do Thompson, Herbert, *, IEEE Security and Privacy, July/Aug 2003, pp. 83-86. Security vs. Reliability Reliability - The ability of a system or component to perform its required functions under stated conditions for a specified period of time. Security The ability of a system or component to perform its required functions without confidentiality, integrity, and availability losses for a specified period of time. 2005 Laurie Williams 2

Latent Code Problem Definitions Fault - reliability concept: An incorrect step, process, or data definition in a computer program. Fault-prone component reliability concept: A component that will likely contain faults. Vulnerability - security concept: an instance of a [fault] in the specification, development, or configuration of software such that its execution ecut can violate an [implicit or explicit] security policy. Vulnerability-prone component - security concept: a component that is likely to contain vulnerabilities. 2005 Laurie Williams Realized Code Problem Definitions Failure - reliability concept: the inability of a software system or component to perform its required functions within specified performance requirements. Failure-prone component reliability concept: A component that will likely contain failures. Attack - security concept: the actions that cause a violation of security. Attack-prone component - security concept: a component with a high probability that the component will be exploited. 2005 Laurie Williams 3

Vulnerability Types design vulnerability a mistake in the design that precludes the program from operating securely, no matter how perfectly it is implemented by the coders implementation vulnerabilities a mistake in the actual coding of the software that causes a security problem [design might be fine, code is the problem] 7 Cost of Change Curve penetrate and patch 8 http://swc.scipy.org/lec/img/dev01/boehm_curve.png 4

Secure Software Development Life Cycle () The point: think about security early and often during software development 9 http://www.computer.org/portal/cms_docs_security/security/v3n4/j4apv01.gif Phase 1: Security guidelines, rules, and regulations Security policy: A system-wide specification is created that defines overarching security requirements Can be based on specific government regulations (e.g. HIPAA, Sarbanes Oxley, etc.) Examples: Role-based permission levels, access-level controls, and password standards and controls 10 5

Phase 2: Security requirements Misuse case/abuse case/attack use cases can be developed that show behavioral flows that are not allowed or are unauthorized. Example security requirements [p. 62-63] The application stores sensitive user information that must be protected for HIPAA compliance. To that end, strong encryption must be used to protect all sensitive user information wherever it is stored. The application must remain available to legitimate users. Resource utilization by remote users must be monitored and limited to prevent or mitigate denialof-service attacks. The application supports multiple l users with different levels l of privilege. il The application assigns users to multiple privilege levels and defines the actions each privilege level is authorized to perform. Mitigations for authorized bypass attacks need to be defined. The application takes user input and uses SQL. SQL injection mitigations are a requirement. 11 Phase 3: Architectural and design reviews/threat modeling. Software practitioners need a solid understanding of the product s architecture and design so they can devise better and more complete security strategies. Phase 4: Secure coding guidelines. See Chapter 2 in book. (buffer overflow, input validation, etc.) Static analysis tools can detect many implementation errors by scanning the source code or the binary executable. Using the secure coding standards as baselines, testers can then develop test cases to verify that the standard is being followed. There are also services where you can send your code and have a third party analyze it for defects/vulnerabilities. 12 6

Phase 5: Black/gray/white box testing Gray box is hybrid black/white Penetration testing black box testing in which the tester specifically thinks like an attacker Phase 6: Determining exploitability. A vulnerablity s exploitability [attack proneness] is an important factor in gauging the risk it presents. Determining a vulnerablity s exploitability involves weighing five factors: The access or positioning i required by the attacker to attempt t exploitation ti The level of access or privilege yielded by successful exploitation The time or work factor required to exploit the vulnerability The exploit s potential reliability The repeatability of exploit attempts 13 Also: Software should be deployed using security defaults A software patch management process should be in place 14 7

Guidelines for Testers [p. 70-71] Define security/software development roles and responsibilities Understand the security regulations your system has to abide by, as applicable. Request a security policy if none exists. Request documented security requirements and/or attack use cases. Develop and execute test cases for adherence to umbrella security regulations if applicable. Develop and execute test cases for the security requirements/attack use cases. 15 Guidelines for Testers Request secure coding guidelines and train software developers and testers on them. Test for adherence to secure coding practices. Participate in threat modeling walkthroughs, and prioritize security tests. Understand and practice secure deployment practices. Maintain a secure system by having a patch management process in place, including evaluating exploitability. 16 8

Phase 2: Misuse/Abuse Case 17 http://folk.uio.no/nik/2001/21-sindre.pdf 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information