Software Security
Transcription
Software Security
Software Security: Practical application of tools, training and techniques Mr. Rustin Sides Senior Consultant Cigital Federal, Inc. [email protected] +1 (334) 416-2705 The premiere software and product delivery event. The premiere software and product delivery event. The premiere software and product delivery event. The premiere software and product delivery event. The premiere software and product delivery event. The premiere software and product delivery event. The premiere software and product delivery event. The premiere software and product delivery event. The premiere software and product delivery event. The premiere software and product delivery event. Major Software Security Headlines The Problem Area ad r T l a n ti io us c Fo Insider Threat (Trusted Agent) Network Apps S/W Data orized Unauth access orized or Auth ng i s s a Byp r e k on c i t c e t Atta Pro k r o w Net e d e e N us c o F d What is ASACoE? ASACoE History 33,000 + Air Force officer records compromised Sampled AF applications using automated tools Significant risks exist in Air Force applications ASACoE History Compromise of the Air Force Assignment Management System (AMS) led to pilot in 2006 Pilot conducted on 8 systems within ESC Static Analysis using automated tools Found numerous validated vulnerabilities HQ ESC established ASACoE to assist USAF program offices with building Assurance into their Software Development Lifecycle (SDLC) The United States Air Force as a Cigital Client The ASACoE Approach Support Support Enable Enable Train Train re Softwa nce Assura ASACoE Assessment 5 day on-site assessment Broader strategic approach Tool driven aimed at low-hanging fruit Multi-perspective analysis Large scale effort across several different applications and technology stacks The Assessment Process USAF Program Management Office (PMO) requests an assessment of their applications Training is provided to their developers (Cigital / Fortify) A 5 day on-site assessment is conducted by an ASACoE team A week of analysis is conducted at ASACoE HQ A final report summarizing the findings is delivered to the PMO along with the analyzed results Total time of engagement 3 to 4 days of training prior to assessment 5 days on-site assessment including mentoring 5 days of detailed source code analysis auditing On-going support with developers as needed New scans delivered quarterly What ASACoE Does Not Do ARA and Threat Modeling There has been a plan for DRA but to this date no PMO has requested one Manual Code Review We have done some, but given the short time we have with the source code, not in depth. Manual Pen Testing Only for Oracle Forms and a few other technologies unsupported by the tools Pros and Cons of Customer Context All ASACoE Assessment teams include military enlisted developers Pros: Credibility at military installations Guards DoD best interests More familiar with government practices Cons: Less experienced with software security Time of availability limited (deployments, additional duties) High turn-over rate USAF takes action in July 2009 TCNO (Time Compliance Network Order) 2009-188-003 “Multiple Vendor Web Applications Vulnerable to Cross-site Scripting Vulnerabilities” Action: “Correct AF assets with secure encoding.” Good goal, wrong approach This is an application layer problem, and should be fixed at that layer An uphill battle fighting this at the network layer Can be mitigated using secure coding practices The Problem Area ad r T l a n ti io us c Fo Insider Threat (Trusted Agent) Network Apps S/W Data orized Unauth access orized or Auth ng i s s a Byp r e k on c i t c e t Atta Pro k r o w Net e d e e N us c o F d Educational Efforts Provide Program Offices 3-day On-site Training 1-day Crash Course on Threats and Defensive Programming 2-days of Training on Tool Utilization SAF/A6 and AFSPACE Created/Recommended Software Security Policy Guidance Best Practices for Application Accreditations AF Institute of Technology, Academy, and Cyber Technical Schools Joint and International Allied Partners Aided US Navy, Army & Canadian Army Stand Up Similar Centers Panel Member and Presenter at Conferences Air Force IT Conference (AFITC): 2008, 2009, and 2010 Joint Mission Planning System (JMPS) Anti-Tamper Symposium Secure Solutions Conference: 2008, 2009, and 2010 ASACoE Tool Suite Application Defense Source Code Analysis (SCA) Static Analysis Tool Web Application Firewalls & Database Monitoring Monitor, prevent and report on intrusion attempts against Web-based applications Proactive security; analysis tuned for minimal false positives Security Ops Team Developers Management Centralized Scan Repository Security Testers Web Penetration Testing Dynamic Analysis (IBM Rational AppScan) Comprehensive and automated testing of Web applications for vulnerabilities Security Leads / Auditors Database Auditing Source Code Auditing (SCA) Federal best practices policies and USAF STIG compliance checks Security auditing and analysis of source code by industry leading software security analysts ASACoE Reports and Support Triage Assessment Report Executive Summary Objectives and Technical Scope Assessment Approach Report of Findings Vulnerability Descriptions Recommendations for Mitigation Augment Remediation Efforts When Requested Quarterly Review of Follow-up Scans by the ASACoE Staff First Level of Support for Tools and Processes – Customer Service Focus ASACoE Processes Checklists keep you accountable ASACoE Assessment Process ASACoE Metrics Process ASACoE Assessment Status and Coverage Program Management Offices Visited: 152 Applications Assessed: 641 Total Lines of Code Assessed: 105,540,534 * Ramstein AB Germany *as of 29 SEP 2010 ASACoE Results Significant Risk Mitigation throughout the SDLC Cost and Time Savings for Air Force PMOs Certification & Accreditation Processing Time Reduced Real Time Protection for Fielded Operational Systems Industry vs AF vulnerabilities Top Industry Vulnerabilities Top AF Vulnerabilities Injection Flaws Cross-Site Scripting Cross-Site Scripting Information Leakage and Improper Error Handling Broken Authentication and Session Management Insecure Direct Object Reference Insecure Direct Object Reference Injection Flaws Cross-Site Request Forgery Insecure Cryptographic Storage Security Misconfiguration Cross-Site Request Forgery Insecure Cryptographic Storage Broken Authentication and Session Handling Failure to Restrict URL Access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards Malicious File Execution Insecure Communications Failure to Restrict URL Access ASACOE Before and After Results 49% 26% 60% 9% 75% 69% Using IBM Rational AppScan for Web Penetration Testing IBM Rational AppScan Strengths Automated Web Penetration Testing allows for wider coverage on assessments Support for most web based technologies used by the USAF Wide range of web hosted environments Many DoD websites are CAC enabled Some flex based websites with flash in the presentation layer Ability to export results as XML Used for reporting metrics and trending on a centralized management server Ability to resume a paused scan Scans have needed to be optimized for varied scalable environments IBM Rational AppScan Wishlist Ability to scan Java Applets Currently cannot scan Oracle Forms based applications Some custom Java applets used to access legacy applications have had to be manually penetration tested Integration with Static Analysis tools Benefits to finding correlated results from static analysis and dynamic analysis Currently doing this through a manual process Notification service for interrupted scans Many scans of large websites run overnight unattended SMS or email notification of an exception of excessive timeouts Useful AppScan Extensions used by ASACoE Scan Optimizer (Beta) Increases scan performance Encode/Decode Useful for manual pen tests Expression Test Regular expression tester Customer Testimonials “…What you did for us was to allow us to evaluate more than 5 million lines of code that was proprietary at a cost savings of nearly $500 million…” - Lead Developer for a major weapons system “…After the assessment was complete, they didn’t just pack up and say have a nice day. They kept in touch offering incredible assistance with specific vulnerability fixes, proper procedure for securing code, and even software to help test our code once we fixed it…” - Lead Developer for a $9.2B contracting system “…They were instrumental in our team changing our coding practices for the better. Our developers use the ASACoE tools routinely to audit our system and build in security...” - Program Manager for a major logistics system “…The tools and training provided by the ASACoE have made a practical contribution to our ability to create more secure applications and to monitor the results of those improvements…Being a small organization with a limited budget, it would have been impossible to procure the tools and training on our own…” - Program Manager for a major AF weather agency 4 6 ASACoE Changing the Way the Air Force Thinks about Software Thank you for your time Questions? Rustin Sides [email protected]