Manoj Purandare - Application Security - Secure Code Assessment Program - Prevention is better than Cure
1. CyberFrat Manoj Purandare
Secure Code Assessments [ SCA ]
Prevention is better than Cure
Part – 1 of 3
Manoj Purandare
General Manager – Application Security, ACPL Systems Ltd., India.
CISSP, PmP, PgMP, Cyber Crime Analyst, ITIL,
PCI-DSS Security Implementer
25 yrs of IT and Information Security expertise and experience
Application Security
3. CyberFrat
Application Security – Source Code Assessment topics
• Current Scenario – SAST (Static Application Security Test)
• Equifax and other stories to learn from
• Application Security - must have SAST Planning
• What is SAST and secure code assessment [SCA]
• The Secure Programming Techniques - Abstract
• Your vulnerable application may have multiple risks
• Understand the Attack Surface of your applications
• The Secure Code Review Metrics
• Must have application security in annual risk assessments
• Tools and resources to assess and audit application security with secure code assessments [SCA] maturity
• Your future – Prevention is better than Cure, start S-C-A
4. CyberFrat
Application or Software & its Security?
Compare it to avoiding your daily junk food and eating good food, and doing regular exercise or Yoga to help generate good ideas and positive actions in your body. But even good food may be impure, or mixed with unwanted ingredients that make your body ill. So we need to control our food habits and keep the impurities out of our body.
How?
Stay Current – latest security tools
Stay Updated – latest patches & fixes
Stay Secure – always Monitor & Control
5. CyberFrat
Before starting with Application Security
• This past June, just half-way into 2017, over 790 U.S. data breaches had already been reported, according to the Identity Theft Resource Center (ITRC). This was a half-year record high and a 29% jump from the same time period in 2016, and 63% of those breaches were caused by cyber attacks.
• Since more than 80% of cyber attacks target applications, having a strong application security solution in place is vital. An application security tool will help your development team identify security vulnerabilities before a hacker can, and fix them.
• The Equifax story, and many similar ones in the past 3 years, raise doubts about our own applications and the 3rd party applications we currently use. In Equifax's case there was a lack of visibility into the usage of Apache Struts. Refer to CVE-2017-9805 and CVE-2017-5638.
6. CyberFrat
Current Example of a Security Breach (in short)
• In this case, Equifax, like many companies, has a large portfolio of applications. As revealed in the OSSRA report, most companies aren't doing a good job of tracking open source, so unless Equifax had deployed a solution like Black Duck Hub, they probably did not have a complete and reliable inventory of the open source components in use in their applications.
• In March, when the vulnerability was disclosed, it is highly likely that they would not even know they were at risk, even if their security team was aware of the vulnerability. Put simply, they were flying blind.
• Exploits for CVE-2017-5638 were widely available and being used almost immediately after the vulnerability was disclosed, so Equifax entered this period of very high risk without knowing it, at the same time that hackers were actively scanning and probing to find websites and applications that were vulnerable.
• If this is the case, the door was "unlocked" until they discovered the breach over four months later.
7. CyberFrat
So What Can Companies Learn From This?
• Visibility is critical. You can't protect yourself if you don't know what's in your code. If you don't have a complete inventory of the open source your teams are using, then you are leaving your applications at risk.
• Open Source Vulnerability Management needs to be automated and tightly integrated into development and DevOps tools and processes. You are only as secure as your weakest link. Only by ensuring that all code is scanned before going into production can you be confident that you have addressed the weak links.
• Lessen the GAP between:
a) when vulnerabilities are reported, and
b) when you patch or mitigate them.
More than 10 new open source vulnerabilities are reported every day. Unfortunately, you can't rely on the National Vulnerability Database (NVD) to give you early warning of them. Exploits are already available for the latest Struts vuln (CVE-2017-9805), yet NVD still has no data for it. Research has shown that it takes an average of three weeks for vulnerabilities to be documented in NVD.
To solve this problem, some independent organizations like Black Duck and others independently monitor and research vulnerabilities using hundreds of sources, so they can provide same-day alerts for vulnerabilities like CVE-2017-9805.
8. CyberFrat
Application Security - must have
• Application security includes measures taken to monitor and control flaws in the design, development, deployment, upgrade, or maintenance of the application.
• The primary focus is on layer 7 of the OSI model.
• Secure Code Assessments [SCA] should be part of an organization's or vendor's software (or system) development life-cycle (SDLC), and even in the case of CICD (Continuous Integration / Continuous Deployment) pipelines.
• Monitor and try to control GitHub, Bitbucket and other types of software code repositories, from where developers may pull in insecure code, malware, etc.
9. CyberFrat
Application Security - must have
• A key component of application security should be for developers and their managers to be aware of:
1. SCA (Secure Code Assessments) requirements,
2. common threats, and quarterly/frequent SAST assessments on existing in-house & 3rd party apps,
3. effective countermeasures.
• Application security knowledge and maturity is significantly lower today than that of traditional network security, which is emphasized in this presentation.
The Reason:
We all know
10. CyberFrat
What is SAST (Static Application Security Testing)?
SAST is a set of technologies designed to analyze application source code, byte code and binaries for code and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the "inside out" in a non-running state.
SAST has been emerging in India, and has now become a reality. Secure Code Assessment [SCA] is the solution with which organizations are now going ahead, to save Time and Money.
11. CyberFrat
SAST (Static Application Security Testing)
Static Application Security Testing (SAST) – SAST solutions such as Source Code Analysis (SCA) have the flexibility needed to perform in all types of SDLC methodologies.
SAST solutions can be integrated directly into the development environment. This enables developers to monitor their code constantly. Scrum Masters and Product Owners can also regulate security standards within their development teams and organizations. This leads to quick mitigation of vulnerabilities and enhanced code integrity. Thus an organization can save a lot of TIME, effort and MONEY.
Here is a basic understanding of the difference between SAST and DAST usage.
12. CyberFrat
Approach of the common SCA tools
Typical flow (from the slide's diagram):
1. The customer provides the code or binary portion of the application, or gives a URL.
2. The tool goes for a thorough security test (dynamic, static or mobile) of the application or website.
3. The customer can study the results and remediate the found vulnerabilities, as per the provided reports and analysis.
For SAST, Secure Code Assessment (SCA) is nowadays widely performed using open source technologies and licensed SAST/DAST software, since organizations have understood its importance at an early stage (Development and QA) and how it saves Time and Money, instead of being liable for losses in millions later.
13. CyberFrat
Secure Programming Techniques:
An Abstract View of a Program
• Avoid buffer overflow
• Secure software design
• Language-specific problems
• Application-specific issues
The slide's diagram shows a single Program Component with three concerns around it: validate input, respond judiciously, call other code carefully.
Just remember these very basic things:
1. Validate all your inputs
• Command line inputs, environment variables, CGI inputs, …
• Don't just reject "bad" input; define "good" and reject all else
2. Avoid buffer overflow
3. Carefully call out to other resources
• Check all system calls and return values
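The three basic rules above in working C, as an added example that is not from the deck: an allowlist check that defines "good" input and rejects everything else, a bounded copy into a fixed buffer that refuses over-long input instead of overflowing, and call-outs whose return values are always checked. The username format, the 16-character limit and the sample inputs are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 16   /* longest username accepted (constructed limit) */

/* Allowlist check ("define good, reject all else"): valid only if 1..USERNAME_MAX
 * chars, starting with a lowercase letter, containing only lowercase letters,
 * digits, '_' or '-'. No denylist of "bad" characters to keep complete. */
int username_is_valid(const char *s)
{
    size_t n = strnlen(s, USERNAME_MAX + 1);   /* never scan past the limit */
    if (n == 0 || n > USERNAME_MAX)
        return 0;
    if (!islower((unsigned char)s[0]))
        return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Bounded copy into a fixed buffer. Unlike strcpy(), never writes past dst[cap-1];
 * over-long input is reported as an error rather than silently truncated
 * (truncation can turn one valid value into another). 0 on success, -1 if no fit. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strnlen(src, cap);
    if (cap == 0 || n >= cap)
        return -1;                     /* would overflow: refuse the copy */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Validate a username and store it, checking every return value on the way.
 * Returns 0 when accepted, -1 when rejected. */
int accept_username(const char *input, char *out, size_t out_cap)
{
    if (input == NULL || out == NULL)
        return -1;
    if (!username_is_valid(input))
        return -1;
    if (copy_bounded(out, out_cap, input) != 0)
        return -1;
    return 0;
}

/* "Check all system calls and return values": open a file and report why it
 * failed instead of carrying on with a NULL handle. 1 if opened and closed, else 0. */
int probe_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        fprintf(stderr, "open %s failed: %s\n", path, strerror(errno));
        return 0;
    }
    if (fclose(f) != 0) {
        fprintf(stderr, "close %s failed: %s\n", path, strerror(errno));
        return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed samples: valid, wrong case, shell metacharacter, over-long, empty */
    const char *samples[] = { "alice_01", "Alice", "bob;x",
                              "abcdefghijklmnopqrstuvwxyz", "" };
    char name[USERNAME_MAX + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               accept_username(samples[i], name, sizeof name) == 0 ? "accepted" : "rejected");
    return 0;
}
```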
14. CyberFrat
Secure Programming Techniques: An Abstract View of a Program
Compartmentalization:
1. Divide the system into modules
a) Each module serves a specific purpose
b) Assign different access rights to different modules
• Read/write access to files
• Read user or network input
• Execute privileged instructions (e.g., Unix root)
2. Principle of least privilege
• Give each module only the rights it needs
Defense in Depth
• Failure is unavoidable – plan for it
• Have a series of defenses
• If an error or attack is not caught by one mechanism, it should be caught by another
• Example: firewall + network intrusion detection
• Fail securely
• Many, many vulnerabilities are related to error handling, debugging or testing features, and error messages
Keep it Simple
• Use standard, tested components. Don't implement your own cryptography
• Don't add unnecessary features. Extra functionality means more ways to attack
• Use simple algorithms that are easy to verify
15. CyberFrat
RISKS - Your Application may have multiple risks
• Unauthorized access to your company data or sensitive customer data
• Theft of sensitive data to conduct identity theft, credit card fraud or other crimes
• Potential damage to your brand
• Defacement of your websites
• Manipulation of data impacting data integrity, quality and the organization's reputation
16. CyberFrat
RISKS - Your Application may have multiple risks
• Denial of service; availability of data
• Redirection of users to malicious web sites; phishing and malware distribution
• Attackers can assume valid user identities
• Access to hidden web pages using forged URLs
• An attacker's hostile data can trick the interpreter into executing unintended commands
• Development teams' negligence in handling application security during coding
17. CyberFrat
Understand the Attack Surface of your Application
Your existing known Software
Common Considerations
• Lots of monetary or brand value flows through them
• Compliance requirements (e.g. PCI, HIPAA, FFIEC, etc.)
• Formal SLAs with customers
• You've had one or more previous security incidents (or near misses)
This includes :-
• Critical legacy systems
• Notable web applications
To assess application security, many organizations focus on obvious software resources, but overlook their overall inventory of applications and code from less obvious sources when they analyze their assets.
18. CyberFrat
Understand the Attack Surface of your Application
Consider the rest of the Web Applications your Organization actually develops and maintains (internal and 3rd party both)
You may miss some of these analysis points :-
• Lack of knowledge, overlooked, or forgot they were there
• Line of business applications procured through non-standard channels
• Added through a merger or acquisition
• Believed to be retired but still active
This includes :-
• Line of business applications
• Event-specific applications, e.g. holiday apps, sales support, open enrollments
19. CyberFrat
Understand the Attack Surface of your Application
Add in your new Software you bought from somewhere
You may miss some of these analysis points :-
• Automated scanners are good at finding web applications. Non-web, not so much.
• Contract language or un-validated assumptions that the application vendor has security "covered"
This includes :-
• Less known or utilized line of business applications
• Support applications
• Infrastructure applications
20. CyberFrat
Understand the Attack Surface of your Application
Mobile / Cloud based
You may miss some of these analysis points :-
• Decentralized procurement
• Ineffective security policies
• Use of prohibited software
• Lack of awareness
This includes :-
• Support for line of business functions
• General marketing and promotion
• Financial analysis applications
• Software as a Service (SaaS)
• Mobile applications
• User procured software
21. CyberFrat
Attack Surface: The Security Officer's and Auditor's Perspective
As perception of the attack surface problem grows, the scope of the problem increases – or, the more you know, the more you need to assess. This may include public facing applications, intranet applications, or both.
The slide's diagram plots perception against insight across application types: Web Applications, Mobile Applications, Cloud Applications and Services, Client-Server Applications, and Desktop Applications.
22. CyberFrat
Value and Risks are not equally distributed
• Some applications matter more than others
– Value and character of data being managed
– Value of the transactions being processed
– Cost of downtime and breaches
• Thus, all applications should not be treated the same
– Allocate different levels of resources for assurance
– Select different assurance activities (application-wise)
– Also, compliance and regulatory requirements must often be addressed
– Also check, verify and document the quarterly, half-yearly, yearly and external audits done on threats and mitigations for all the applications
23. CyberFrat
Application Security and Network Security issues are to be handled differently
(The slide contrasts two columns: a Technical Rationale and a Non-Technical Rationale.)
24. CyberFrat
Mean Time to Fix (MTTF)
• A 2013 industry study from WhiteHat Security revealed that the "Mean Time to Fix" for web application flaws categorized as "serious" averaged 193 days across all industries.
• In a similar study from Veracode, 70% of 22,430 applications submitted to their testing platform in 2012 contained exploitable security vulnerabilities.
• Take strict action on your internal and 3rd party applications as well.
• Follow up and ensure that Critical & High vulnerabilities are resolved within the first quarter or two (90 to 180 days) only.
• Initially, target Medium and Low, and the Info & Best-practice type of suggested vulnerabilities, to be resolved within the first quarter to three (90 to 270 days).
25. CyberFrat
Mean Time to Fix (MTTF)
• How would you report to your management that a "serious" and likely exploitable vulnerability was present on your primary public facing web site or a 3rd party hosted portal for more than six months?
• Verizon's 2013 Breach Report says 90% of attacks last year were perpetrated by outsiders and 52% used some form of hacking. How does this help you explain application risk?
• Check whether your Application Security Analysts, Information Security Analysts, Software testers and Quality Analysts are armed and prepared with knowledge and practice of FISMA, SANS and PCI-DSS security implementation, as per compliance and world standards.
• As a proactive measure, go for the right tools for Secure Code Assessment / Review for quarterly, half-yearly and yearly assessments, without depending on and waiting for external assessments/audits.
26. CyberFrat
No Automated Scanner can find all Vulnerabilities - You have to use your brain
• There is no "silver bullet" for identifying application security vulnerabilities. There are different classes of tools, ranging from static code scanners that assess the code to dynamic scanners that analyze logic and data flow. Generally, 30% to 40% of vulnerabilities can be identified by scanners; the remainder are uncovered by other means.
• Manual testing allows an informed and experienced tester to attempt to manipulate the application, escalate privileges or get the application to operate in a way it was not designed to.
• But wait, there's more…
27. CyberFrat
Common Application Test methods
• Unauthenticated Automated Scan
• Authenticated Automated Scan
• Automated Source Code Scanning
• Manual Source Code Review
• Automated Binary Analysis
• Manual Binary Analysis
• Blind Penetration Testing
• Informed Manual Testing
Application security goes well beyond simply running a scanning tool. For critical or high value applications, or those that process sensitive data, thorough testing may actually include a combination of several methods.
28. CyberFrat
The Secure Code Review Metrics
• Decide what to measure
• Set the minimum benchmark
• Define reporting requirements to Management, and customers.
• Use a hybrid approach to integrating standards into your SDLC model of
choice.
• Map metrics to a certain level of completion and security testing and
monitoring programs.
• Communicate, Co-ordinate, Document all the components related to your
Secure SDLC before initiating a Secure Code Assessment Program.
• Have a definite approach with Management and team consensus to
successfully achieve your goals in this Secure Code Review.
29. CyberFrat
Metrics by SDLC Phase (General Model)
SDLC Phase – Secure Code Metric
Requirements:
• Percentage of security requirements given in project specifications.
• Percentage of security requirements subject to cost/benefit and risk analysis.
• Percentage of security requirements which are considered in threat models.
Design:
• Percentage of design components subjected to attack surface analysis.
• Percentage of security controls that are covered by security design patterns.
• Percentage of security controls which pose an architectural risk.
Implementation (Coding):
• Percentage of application components subject to manual and/or automated source code review.
• Percentage of code deficiencies detected during peer reviews.
• Percentage of application components subject to code integrity/signing procedures.
Verification (Testing):
• Percentage of common weaknesses and exposures detected per requirement specification.
• Percentage of security controls within the application that met the required specification for software assurance.
30. CyberFrat
But then, where is the problem?
• You cannot bring all the code & developers to a centralized area to resolve everything at once.
• Good things need time, strategy and resources to implement, in a structured manner.
• Consensus building across multiple business areas is not easy.
• Training & updating all developers every time.
• Centralizing source code analysis is problematic.
• Finding the right reporting metrics for Senior Management is critical to project success.
For this,
I have a solution
31. CyberFrat
Application Security – Define your and your Auditors' basic role
Information Security Professionals
• Promote SCA awareness in your organization.
• Confirm that application security testing is part of your overall security program – obtain and review the SDLC from a security perspective as a Secure SDLC, even in the case of CICD (Continuous Integration / Continuous Deployment) environments.
• Demand that all applications developed by 3rd parties be tested and remediated in the Dev & QA stage, prior to being placed in production.
• Get all developers and their managers trained on SCA, as Prevention is better than Cure, thus saving the TIME and MONEY of your organization at the initial stage itself.
IT Auditors
• Be an FPG – Friend, Philosopher & Guide – to the Organization to meet the standards & compliances.
• Influence your Chief Audit Executive to include SCA in the organization's annual risk assessment.
• Increase your relevance and value to your organization by identifying risks associated with poorly coded applications.
• Conduct a simple initial audit to assess what controls are in place.
• Conduct a subsequent audit to determine the effectiveness of those controls; measure MTTF.
• Consider the standards and compliances such as FISMA/SANS/PCI-DSS etc.
32. CyberFrat
Tools and Resources
• Open Software Assurance Maturity Model (OpenSAMM) – A freely available open source framework that organizations can use to build and assess their software security programs. www.opensamm.org
• The Open Web Application Security Project (OWASP) – Worldwide not-for-profit organization focused on improving the security of software. Source of valuable free resources. www.owasp.org
• Open Source or Low Cost Application Security Scanners – OWASP Zed Attack Proxy (ZAP), w3af, Mavituna Netsparker, Websecurify, Wapiti, N-Stalker, SkipFish, Scrawlr, Acunetix, and many more, to do basic discovery work
• Also consider a survey of licensed tools like Fortify, Checkmarx, Veracode, and many such tools & resources, comparing the best features as per your needs.
• Your study towards the right tools depends on your requirements.
33. CyberFrat
The OWASP Top 10 For 2013
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross-Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross-Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Now you can also check the OWASP Top Ten 2017. It is also recommended to be prepared to concentrate on the 2013 top 30, since the categories may change as more vulnerabilities emerge, which you may need to concentrate on.
34. CyberFrat
Example SCA Audit Work Program
Software Assurance Maturity Model (SAMM) Scorecard – Level 1
Columns: # | Security Practice / Phase | Maturity Level | Activity A | Activity B
Governance
1   Strategy & Metrics            0.5   0   1
2   Policy & Compliance           0.5   0   1
3   Education & Guidance          0     0   0
Construction
4   Threat Assessment             0     0   0
5   Security Requirements         0.5   0   1
6   Secure Architecture           0     0   0
Verification
7   Design Review                 0.5   0   1
8   Code Review                   0     0   0
9   Security Testing              0     0   0
Deployment
10  Vulnerability Management      1     1   1
11  Environment Hardening         1     1   1
12  Operational Enablement        0     0   0
SAMM Valid Maturity Levels
0 – Implicit starting point representing the activities in the Practice being unfulfilled
1 – Initial understanding and ad hoc provision of the Security Practice
2 – Increased efficiency and/or effectiveness of the Security Practice
3 – Comprehensive mastery of the Security Practice at scale
Legend (Activity columns A and B)
1 – Objective activity was met.
0 – Objective activity was not met.
38. CyberFrat
Basic requirements to understand in case of Open Source Software or Licensed VM tools
– Support reporting, customization and usage as per FISMA, SANS, OWASP, PCI-DSS, etc.
– Support consolidation and de-duplication of imported results from scanner tools, manual testing and threat modeling
– Provide extensive reports on application security status and trending over time
– Translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using
– Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection.
– Compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs, and defect trackers
– Recommended to have a Virtual Application Scanner – it will allow audit and security professionals to identify, track and report on application security vulnerabilities and remediation activities/effectiveness.
– Should update their scan engine, vulnerability databases, support facilities and services quarterly
– This may help fulfil our quarterly / half-yearly internal compliance, Information Security Policies, security standards, frameworks and compliance – FISMA, SANS, PCI-DSS, OWASP etc., as per the organization's convenience.
39. CyberFrat
Queries / Suggestions welcome
Manoj Purandare
You can reach me for any further assistance and consulting in :
- SAST and DAST based vulnerabilities assessments and guidance.
- How to save yourself from Hacks
- Safeguarding your IT Assets
- Secure Code Assessments / Static Code Review
- Security testing for Information Assets, Network and applications.
- Security Audits for your Applications / Websites and Infosec too.
- Forensics and Investigation and Consulting
- Information Security Consulting.
- A query /suggestion in case of - Application Security / Information Security
40. CyberFrat Manoj Purandare
My sincere acknowledgements and Special Thanks to all
1. My friend - Gaurav Batra, APAC, CISO, Mondelez International & CYBERFRAT
2. All the members of Vidyalankar Institute of Technology.
3. All the members of CYBERFRAT Team
4. All my friends in our Cyber FRAT Groups, renowned members of the Infosec, Security and Investigations fields worldwide.
5. Websites: Owasp.org, blackducksoftware.com, Itcentralisation.com, and many other
important sites.
6. Joe Krull, Director, Denim Group
7. My colleagues, seniors, and all the members of Information Security Industry.
41. CyberFrat
Thank you
Manoj Purandare
General Manager – Application Security – ACPL Systems Ltd.
manojypurandare@gmail.com, technicalmanoj@gmail.com
www.linkedin.com/in/manojypurandare
Mobile: 9820841115 / 1111