" The Invisible Person ... the Security Architect "
Security Lifecycle Management Process
1. INFOSECFORCE
Application Security
INFOSECFORCE
Application Security
BILL ROSS
15 Sept 2008
“ Balancing security controls to business requirements “
2. INFOSECFORCE Security and Project Lifecycles
Security and Lifecycle Management Process
(SLCMP)
Said “slickum”
A “practitioner’s” view …..
Bill Ross
3. INFOSECFORCE
Slickum brief objectives
Purpose:
- Discuss application security issues
- Describe web application information security
- To describe a process by which software is securely developed
Expected outcome:
- An increased awareness of how to prevent web application attacks
- How to implement the SLCMP process into the SDLC
- More securely built applications and infrastructure
4. INFOSECFORCE
What You Need to Know
Symantec Internet Security Threat Report, Volume XIV
5. INFOSECFORCE
Operational report
Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues, according to the Common Vulnerabilities and Exposures (CVE) project.
Web and business applications are increasingly compromised around the world, causing businesses to lose millions of dollars through data compromise.
Hacking is no longer for fun …… it is for profit …. Internal or external hackers exploit weaknesses in application code to achieve their objectives.
The Symantec 2008 Cyber report indicates there are 1,656,227 new threats in the wild.
6. INFOSECFORCE
Common attack tools
1. Phishing. The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the website look like they are part of a bank the user is doing business with.
2. Malicious Code. Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic. Malware is a generic term for a number of different types of malicious code.
3. Spam. Electronic junk mail or junk newsgroup postings.
4. Worms. A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
5. Trojan. A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
6. Virus. A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
8. Keystroke logger. The practice of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
9. Denial of service. The prevention of authorized access to a system resource or the delaying of system operations and functions.
10. Web application attacks
7. INFOSECFORCE
“ the Cyber Battle Field”
Google China cyber attack part of vast espionage campaign, experts say
Computer attacks on Google that the search giant said originated in China
were part of a concerted political and corporate espionage effort that exploited
security flaws in e-mail attachments to sneak into the networks of major
financial, defense and technology companies and research institutions in the
United States, security experts said. (New York Times)
Washington (DC) - Yesterday, the FBI announced it considers cyber
attacks to be the third greatest threat to the security of the United
States. The only two preceding it are nuclear war and weapons of mass
destruction (WMD). JAN 2009
8. INFOSECFORCE
Malicious code is installed
• In 2008, Symantec blocked an average of more than 245 million attempted
malicious code attacks worldwide each month.
• Over 60% of Symantec’s malicious code signatures were created in 2008.
• Over 90% of threats discovered in 2008 are threats to confidential
information.
Symantec Internet Security Threat Report
9. INFOSECFORCE
Key trends
“The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response.
The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity.
It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale.”
Web-based malicious activity has accelerated
• Primary vector for malicious activity
• Target reputable, high-traffic websites
Cyber criminals want YOUR information
• Focus on exploits targeting end-users for financial gain
Increased sophistication of the Underground Economy
• Well-established infrastructure for monetizing stolen information
Rapid adaptation to security measures
• Relocating operations to new geographic areas
• Evade traditional security protection
Symantec Internet Security Threat Report
10. INFOSECFORCE
Key Trends – Global Activity
• Data breaches can lead to identity theft
• Theft and loss top cause of data leakage for overall data breaches and identities exposed
• Threat activity increases with growth in Internet/Broadband usage
• Documented vulnerabilities up 19% (5491)
• Top attacked vulnerability: Exploits by Downadup
• 95% of vulnerabilities attacked were client-side
• Trojans made up 68 percent of the volume of the top 50 malicious code
• 66% of potential malicious code infections propagated as shared executable files
• 90% of spam email distributed by Bot networks
• 76% of phishing lures target Financial services (up 24%)
• Detected 55,389 phishing website hosts (up 66%)
• Detected 192% increase in spam across the Internet with 349.6 billion messages
Internet Security Threat Report
11. INFOSECFORCE
Website compromise
• Attackers locate and compromise a high-traffic site through a vulnerability specific to
the site or in a Web application it hosts
• Once the site is compromised, attackers modify pages so malicious content is
served to visitors
(Chart: site-specific vulnerabilities vs. Web application vulnerabilities)
Internet Security Threat Report
12. INFOSECFORCE
Impact of Security Defects
Bad Business
• On average, there are 5 to 15 defects in
every 1,000 lines of code
US Dept. of Defense and the Software
Engineering Institute
Slow Business
• It takes 75 minutes on average to track
down one defect. Fixing one of these
defects takes 2 to 9 hours each
5 Year Pentagon Study
• Researching each of the 4,200
vulnerabilities published by CERT last year
for 10 minutes would have required 1
staffer to research for 17.5 full workweeks
or 700 hours
Intel White paper, CERT, ICSA Labs
Loss of Business
• A company with 1,000 servers can spend
$300,000 to test & deploy a patch; most
companies deploy several patches a week
Gartner Group
13. INFOSECFORCE
The SDL Reduces the Total Cost
of Development
The National Institute of Standards and Technology (NIST) estimates that code fixes performed after
release can result in 30 times the cost of fixes performed during the design phase.
14. INFOSECFORCE
Top 10 Web Security Threats
Broken authentication
Broken access control
Insecure storage
Buffer overflows
Improper error handling
Injection flaws
Insecure configuration management
Application denial-of-service
Cross-site scripting (XSS)
Unvalidated input
SUN
15. INFOSECFORCE
Web Application Security Threats
1. Unvalidated input (Mother of all Web Tiered Attacks)
Attacker can tamper with any part of the HTTP request (URL, cookies, form fields, hidden fields, headers): SQL injection, Cross Site Scripting, buffer overflows.
2. Broken Access Control
Insecure IDs, poor file permissions, service account exploit, path traversal
3. Broken Authentication and Session Management
Focus is on USER authentication and user active sessions. Example: if “cookies” are not properly protected, an attacker can assume the identity of the user.
4. Cross site scripting
Malicious script is sent to the server, which then sends it to users accessing the same server (e.g. a chat server). The user believes the script came from a trusted source. It can come in any form of active scripting (Java, ActiveX, Shockwave, Flash, etc.).
16. INFOSECFORCE
Web Application Security Threats 2
5. Buffer Overflow Errors
Attackers use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code. Present in web server or application server products as well as the web application itself.
6. Injection Flaws
Injection flaws allow attackers to relay malicious code through a web application to another system. When a web application passes information from an HTTP request through as part of an external request, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information.
7. Improper Error Handling
The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to a potential hacker. These messages reveal implementation details that should never be revealed.
8. Application DOS
Types of resources consumed: bandwidth, database connections, disk storage, CPU, memory, threads, or application-specific resources. Application-level resources are impacted.
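Added example (not code from the slide deck) tying threats 6 and 7 together: a customer name containing an apostrophe, a plain meta character, breaks a query built by string concatenation, and the flawed handler then returns the raw traceback to the client; the parameterised query and the generic error response with a server-side log reference are the hardened form. The table, its rows and the function names are constructed for the example.

```python
"""Injection flaws and improper error handling, flawed and hardened side by side.

Constructed example: an in-memory SQLite table with three sample customers.
"""
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("app")


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the third name carries a SQL meta character."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (id, name, email) VALUES (?, ?, ?)",
        [
            (1, "Alice", "alice@example.test"),
            (2, "Bob", "bob@example.test"),
            (3, "O'Brien", "obrien@example.test"),
        ],
    )
    return conn


def lookup_customer_flawed(conn, name):
    """Injection flaw: the request parameter is spliced into the SQL text, so
    any meta character in it (here the apostrophe) becomes part of the command.
    For this input SQLite raises an error instead of matching the row."""
    sql = f"SELECT id, name FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_customer_hardened(conn, name):
    """Parameterised query: the value travels separately from the statement,
    so it can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def handle_request_flawed(conn, name):
    """Improper error handling: the exception text and the full stack trace are
    returned in the HTTP body, revealing implementation details to the caller."""
    try:
        return 200, str(lookup_customer_flawed(conn, name))
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc}\n{traceback.format_exc()}"


def handle_request_hardened(conn, name):
    """Details go to the server log under a short correlation id; the client
    only gets a generic message plus the id it can quote to support."""
    ref = uuid.uuid4().hex[:8]
    try:
        rows = lookup_customer_hardened(conn, name)
    except sqlite3.Error:
        log.exception("request %s failed", ref)
        return 500, f"An internal error occurred (reference {ref})."
    return 200, str(rows)


if __name__ == "__main__":
    db = make_db()
    print(handle_request_flawed(db, "O'Brien")[0])    # 500, body leaks a traceback
    print(handle_request_hardened(db, "O'Brien"))     # (200, "[(3, \"O'Brien\")]")
```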
17. INFOSECFORCE
Attack vector analyses
Hacker targets
• From observed hacker malicious activity statistics, we know that hackers are now seldom
interested in defeating the network or the infrastructure low-level defenses. The
adversaries today are well aware of the fact that applications are typically less defended
than the rest of the IT infrastructure.
A Gartner report states “that over 75% of attacks against websites and web-based applications come at the application layer and not lower infrastructure and network layers.”
Source: IBM
18. INFOSECFORCE
Application security paradox
Applications, data and business processes are vulnerable even when a robust network and infrastructure security program is in place.
(Diagram: Internet → DMZ → Trusted → Inside)
Internet: HTTP(S), IMAP, FTP, SSH, TELNET, POP3, XML. Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server (rule: Any – Web Server: 80).
DMZ: web servers (IIS, SunOne, WebSphere, Apache). Firewall only allows applications on the web server to talk to the application server.
Trusted: application servers (ASP .NET, Java). Firewall only allows the application server to talk to the database server.
Inside (Corporate): database servers (SQL, Oracle, DB2).
SOURCE: SPIDYNAMICS
19. INFOSECFORCE
Hacking the Super Bowl
Is nothing sacred anymore ????
Super Bowl exploits
“ At last week's RSA Conference in San Francisco, just days after
the Super Bowl attack, I sat down with Thompson. On his laptop,
he showed me the simple line of Javascript code that pointed
Super Bowl site visitors to a known criminal hacker exploit server.
Apparently, there was a cross-site scripting error on the official
Super Bowl Web site that allowed some criminal hackers to inject
a poisoned iFrame command. And it wasn't just the Super Bowl
site--it turns out there were several others, mostly healthcare
related, including the U.S. Centers for Disease Control “
Source
Robert Vamosi
Senior editor, CNET Reviews
20. INFOSECFORCE
How did this happen ?
Business engines fueled by multiple and powerful applications
21. INFOSECFORCE
Expanding “e-com” perimeter
Microsoft’s vision for secure and easy “anywhere access”
Bill Gates, 2007 RSA
22. INFOSECFORCE
Expanding “e-com” perimeter
Microsoft’s vision for secure and easy “anywhere access”
Bill Gates, 2007 RSA
Social networks, iPod and iPad as a network: peripheral-geddon
“THE CLOUD”
25. INFOSECFORCE
This ….. IBM believes
Application Security Strategies
Engineering security into application systems is a critical discipline
and should be a key component in multi-disciplinary, concurrent or
distributed development teams. This applies to the development,
integration, operation, administration, maintenance and evolution of
e-Business application systems as well as to the development, delivery,
and evolution of software-based products.
Source: IBM
26. INFOSECFORCE
Security Business Case
Security Defects Matter
Frequent
• 3 out of 4 business websites are vulnerable to attack (Gartner)
Pervasive
• Majority of hacks occur at the Application level (Gartner)
Undetected
• QA testing tools not designed to detect security defects in applications
Expensive
• Bugs and software defects cost the national economy $60 billion annually
=
1000 application sample ‘Healthchecks’ with AppScan – 98% vulnerable: all had firewalls and encryption solutions in place…
… delivering quality applications to the market has become a mandatory requirement … the cost of fixing defects after deployment is almost 100 times greater than detecting and eliminating them during development.
SOURCE: Seagate Technology
27. INFOSECFORCE
Best practice solutions
Application security requirements define the high level specifications for securely
developing and deploying applications
Application Planning
Data Classification – Classify data according to the sensitivity of the data.
Risk Assessment – Conduct preliminary risk assessment before development begins and after planning is complete.
Security Requirements – Identify and document the security requirements of the application early in the development lifecycle.
Security Design – Use the Data Classification process to determine specific security services needed by the application.
SDLC – Address security within all stages of the SDLC.
Application Development
Minimal set of coding practices:
Input Validation – Validate input from all sources.
Default deny – Access control should be based on specific permission rather than exclusion. By default all access should be denied.
Principle of Least Privilege – Perform all processes with the least set of required privileges.
Quality Assurance – Quality assurance identifies and eliminates software vulnerabilities.
Perform internal testing – Use source code auditing, pen testing, manual code review, or automated source code review.
Prod and Maintenance
Applications shall be hosted on servers compliant with the corporate Security requirements for IT system hardening.
Applications classified as sensitive shall at a minimum have annual vulnerability assessments, when a significant change to the application has occurred, or depending on the data sensitivity and risk.
28. INFOSECFORCE Principles of Secure Programming
TARGET THESE AREAS
Minimize attack surface area
Secure defaults
Principle of least privilege
Principle of defense in depth
Fail securely
External systems are insecure
Separation of duties
Do not trust security through obscurity
Simplicity
Fix security issues correctly
SUN
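As an added example (not the deck's own code), the development-column coding practices and the Sun principles above expressed in code: input validated against an allowlist, access granted only by explicit permission (default deny) with each role holding the least set of actions it needs, and an unexpected error failing closed. The roles, actions and the ten-digit account-id format are constructed assumptions; the exclusion-based check is included only as the pattern to avoid.

```python
"""Default deny, least privilege, fail securely and allowlist validation.

Constructed example: a small banking back office with three roles.
"""
import re
from typing import FrozenSet, Mapping

# Explicit grants: anything absent from this table is denied. Each role carries
# only the actions its job needs (principle of least privilege).
GRANTS: Mapping[str, FrozenSet[str]] = {
    "teller": frozenset({"account:read", "account:deposit"}),
    "auditor": frozenset({"account:read", "report:read"}),
    "admin": frozenset({"account:read", "account:deposit", "account:close", "report:read"}),
}

# Exclusion-based control for contrast: everything is allowed unless listed here.
BLOCKED: Mapping[str, FrozenSet[str]] = {
    "teller": frozenset({"account:close"}),
}

# Allowlist for an account identifier: exactly ten ASCII digits (constructed format).
ACCOUNT_ID = re.compile(r"\A[0-9]{10}\Z")


def authorize_default_deny(role, action):
    """Grant only when the (role, action) pair is explicitly listed."""
    try:
        return action in GRANTS[role]
    except (KeyError, TypeError):
        # Fail securely: an unknown role or malformed input yields deny.
        return False


def authorize_exclusion_based(role, action):
    """Exclusion-based control: a role or action nobody thought to block slips
    through. Kept here to show why the slide says 'permission, not exclusion'."""
    return action not in BLOCKED.get(role, frozenset())


def validate_account_id(value):
    """Validate input from any source against the allowlist pattern; return the
    canonical value or None. Rejects non-strings, extra characters and
    non-ASCII digits rather than trying to strip 'bad' characters."""
    if not isinstance(value, str):
        return None
    candidate = value.strip()
    return candidate if ACCOUNT_ID.fullmatch(candidate) else None


def handle_action(role, action, account_id):
    """Request pipeline: validate input first, then check permission, and only
    then act. Returns a short status string instead of raising."""
    clean_id = validate_account_id(account_id)
    if clean_id is None:
        return "rejected: invalid account id"
    if not authorize_default_deny(role, action):
        return "denied"
    return f"ok: {action} on {clean_id}"


if __name__ == "__main__":
    print(handle_action("teller", "account:deposit", "1234567890"))   # ok
    print(handle_action("teller", "account:close", "1234567890"))     # denied
    print(handle_action("contractor", "account:read", "1234567890"))  # denied
    print(authorize_exclusion_based("contractor", "account:close"))  # True: the hole
```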
29. INFOSECFORCE
Application security risk analyses
Vulnerability: Not having a dedicated security program that trains developers to build secure applications, not embedding security into the SDLC, not conducting security testing on applications during and after development, and not having application firewalls
Threat: Numerous threats such as:
- SQL injection, cross site scripting, buffer overflow
Risk: Multiple avenues of attack on organizational vital information assets
Likelihood rating: High
Risk Impact rating: High
Overall risk rating: High
Risk summary: High
Relevant controls: Hardened infrastructure (will not block port 80 attacks)
Risk mitigation: Follow application security planning, development and production best practices. Build security into all SDLC phases.
30. INFOSECFORCE
SLCMP
Embed information security in the SDLC
and PLCMP by applying the practices and
procedures defined in SLCMP
31. INFOSECFORCE
An art form
“ Building highly secure software is nothing less than
an eloquently choreographed dance that calls upon
the talent and skills of the developer, project
manager and information security teaming to ensure
that an application securely glides with grace across
the technical stage ”
32. INFOSECFORCE
SLCMP and the SDLC …“The Dance”
Initiate
SDLC: Statement of need for new business process, application or technology. INFOSEC participation in feasibility analyses, no documentation required.
SLCMP: Build the System Security Plan based on NIST 800-53 control guidelines. Preliminary risk and vulnerability assessment done. Measures requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, requirements document adjusted.
Design/Develop
SDLC: Functional requirements document. Design and technical architecture designed. INFOSEC architecture document created based on data security categorization, policy, application functionality and risk and vulnerability assessments. Code development.
SLCMP: Integrate controls and create detailed application security test plan defining as much as possible testing tools, timelines, remedial action processes and testers. Gain approval from project manager. First phase application security testing: once code begins solidifying, use soft tools such as AppScan or Spi Dynamics for high level testing. Feedback findings to developers for code correction.
Implement
SDLC: 1st phase prod testing, 2nd phase prod testing, QA, Pre prod. Application and infrastructure penetration testing. Server cert.
SLCMP: Second phase app security testing using formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area. Third phase app security test which follows phase one testing process. Used as final verification that code is stable from INFOSEC perspective. Create final risk acceptance document. ** Security certification and accreditation should be finalized.
Production
SDLC: Prod, Post Prod.
SLCMP: Ongoing pen tests, vulnerability assessments, risk management.
33. INFOSECFORCE
SLCMP Deliverables
Initiate
- Data security categorization
- Preliminary risk assessment
Develop
- Security plan
- Risk assessment
- Functional requirements analyses
- Assurance requirements
- Control selection assignments
- Security architecture
- Functional and vulnerability test plan
- First phase testing
- Additional planning
Implement
- Security control integration
- Second phase app security testing
- Third phase app security testing
- Security certification
- Security accreditation
Production
- Threat management
- Configuration management and control
- Continuous monitoring
- Incident response plan
34. INFOSECFORCE
SLCMP and the PLCMP
Initiate
Demand manager reviews the request and categorizes project type as a small, medium, or larger project.
PLCMP:
• Architecture Standards and Convergence
• Project Review
• Scoping
• Solution Design
• Cost Estimation
SLCMP:
• Begin organizing security plan development
• Define Security requirements
• Data and Infrastructure Categorization
• Preliminary risk assessment
• Risk assessment
• Functional requirements analyses
• Assurance requirements analyses
• Control selection and standard integration
Design/Develop
Control selection begins. Defines high level technical and security architecture. Detailed technical and security design.
PLCMP:
• Design security controls
• Design and technical architecture developed
• Architecture Review
• Detailed Design planning
• Level 4 Support design
SLCMP:
• Security architecture
• Security control integration
• Security test plan design
• Control selection and standard integration
Implement
Validate designs, validate cost estimates, and implement final solutions and designs.
PLCMP:
• Implementation
• Change Management
• Capacity Monitoring
SLCMP:
• Security penetration and vulnerability testing
• Determines validity of security architecture
• Determines security process shortfalls
• Determines product successful functionality and shortfalls
• Security certification
• Security accreditation
• Final risk assessment
Production
Operations provide operational support for all final solutions and designs implemented as part of the infrastructure.
PLCMP:
• Patch management
• Monitoring
• Incident response
• Day to Day Operations
• Security administration
• KPI reporting on security metrics
SLCMP:
• Threat management
• Ongoing pen and vulnerability testing
• Security administration
• Security monitoring
(Flow: INPUT → SECURITY PLAN → FEEDBACK)
35. INFOSECFORCE
SLCMP adopted guidelines
Starting Point – Security Categorization (FIPS 199 / SP 800-60): Defines category of information system according to potential impact of loss.
Security Control Selection (FIPS 200 / SP 800-53): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system.
Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): Uses risk assessment to adjust minimum control set based on local conditions, required threat coverage, and specific agency requirements.
Security Control Documentation (SP 800-18): In system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place.
Security Control Implementation (SP 800-70): Implements security controls in new or legacy information systems; implements security configuration checklists.
Security Control Assessment (SP 800-53A / SP 800-26 / SP 800-37): Determines extent to which the security controls are implemented correctly, operating as intended, and producing desired outcome with respect to meeting security requirements.
System Authorization (SP 800-37): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing.
Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness.
(All of the above feed the SLCMP as INPUTS.)
Source: NIST
36. INFOSECFORCE
SLCMP Benefits
SLCMP ROI
Fortified applications or infrastructure projects
Hardened against internal and external attack
Meets regulatory compliance mandates
Enhances IS staff knowledge and capability
Reduces long term costs
37. INFOSECFORCE
Conclusions
• 80 % of all attacks on Information Security are directed to the
web application layer
• 2/3 of all web applications are vulnerable
• Infrastructure security doesn’t directly protect code
• The cost of fixing defects after deployment is almost one
hundred times greater than detecting and eliminating them during
design
• One of the most significant risk mitigations an organization can
implement is to create a consistent end-to-end process such as
the SLCMP to embed security and security testing and certification
in infrastructure and software development projects
40. INFOSECFORCE
Initiate deliverables
Data security categorization: Rate application importance as a low, medium, or high impact application. This is a business impact analysis which defines the impact on an organization if security controls are breached. Leads to proper selection of the security controls required.
Preliminary risk assessment: Measures application/project requirements against policy and provides functional adjustments. Security requirements stated based on preliminary risk and vulnerability assessments. If necessary, the requirements document is adjusted. Focuses on early assessment of the application's requirements for confidentiality, integrity and availability (CIA).
41. INFOSECFORCE
Develop and design
Risk assessment: Conducted before the approval of the design specifications. Builds on the initial risk assessment but more specific. Identifies possible threats/vulnerabilities. Determines impact on organization if threat occurred. Identifies imposed risks on other assets. Additional controls needed to prevent identified risks need to be fed back to the development team.
Security plan: Foundation for entire SLCMP process. Ensures all controls, architectures, risk assessments, test requirements, accreditation/assurance and personnel responsibilities are documented.
Functional requirements analyses: Ensure that enterprise security policy and standards are followed. Determine which laws must be followed by the application.
Assurance requirements analyses: Determine what level of certification application requires. For example, government applications might require a FISMA C&A.
42. INFOSECFORCE
Develop …..continued
Control selection: Can refer to security control standards or use a NIST-like Information Security Requirements List to define security environment that an application, service, or project should meet.
Security architecture: Multi faceted security product linking all controls, standards, policies, governance, platform hooks, data base management, boundary rules and information security science into a cohesive operational CIA security sphere. Likely section of the Security plan.
Functional and vulnerability test plan: Multi phase technical plan designed to ensure security controls work and that business logic and software are impervious to corruption and manipulation. Will also include penetration test plans. Feeds assurance models.
First phase testing: Provides developers early high level look at code stability.
Additional planning components: RFPs, SOW, Funding, Test lab, software requirements, staff increases, etc.
43. INFOSECFORCE
Implement deliverables
Security control integration: Security control settings and switches enabled IAW Security plan and architecture.
Second phase app security testing: Formalized process to decompile code as much as possible to determine if code has organic exposures violating policy, security design, and the security architecture. Correct findings and provide to developers to fix or define mitigating controls. Aspect security has expertise in this area.
Third phase app security testing: Verifies second phase corrections. Use App security test tool following phase one testing process. Used as final verification that code is stable from INFOSEC perspective.
Security certification: Pen testing, third party evaluation, test plan results approved, servers hardened and certified, control effectiveness, governance attestation.
RMP/Security accreditation: End-to-end risk evaluation incorporating all findings in security certification, final information security risk decisions, accreditation document signed.
44. INFOSECFORCE
Production deliverables
Threat management: TM preventive guidance found in security plan. Ongoing oversight of environment entailing constant environmental and risk management vigilance surrounding operational environment.
Configuration management and control: Operational process and plan to ensure environment receives current security patches and other software preventive updates ensuring application or environment integrity is maintained.
Continuous monitoring: Implement vulnerability management program to regularly assess integrity and availability of the operating environment. Use COSO testing and other vulnerability assessment and control processes to ensure that security processes and procedures work.
Incident response plan: Local Incident Response Plan will provide process and procedures to rapidly respond to all security events and incidents.
45. INFOSECFORCE
SDLC/PLCMP Deliverables
Initiate
- Data security categorization
- Preliminary risk assessment
- Security Plan
Design and develop
- Risk assessment
- Functional requirements analyses
- Assurance requirements
- Control selection assignments
- Security architecture
- Functional and vulnerability test plan
- First phase testing
- Additional planning
Implement
- Security control integration
- Second phase app security testing
- Third phase app security testing
- Security certification
- Security accreditation
- Final risk acceptance document
Production
- Threat management
- Configuration management and control
- Continuous monitoring
- Incident response plan
REF: NIST 800-53
Speaker notes
We offer customers choice and flexibility in how they purchase and use our products and services. These range from modular software suites like Symantec Protection Suites for enterprises to all-in-one software products such as Norton 360 for consumers. We have professional services – 4,000 security experts providing everything from advisory to supports services – to Norton Live consumer services. There are a variety of solutions that we offer as a service (SaaS) – from online backup for consumers to messaging security for enterprises. And then there are managed services – from residency to MSS to Norton Live for consumers.
Fewer site-specific vulns in 2008 but they still aren’t being patched. Only 394 (3%) patched in 2008 compared to 1,240 (7%) in 2007. The number of site-specific vulns is adding up over time. In 2008, 63% of identified vulnerabilities affected Web applications, an increase over 2007, when 59% did. In 2008 there were a number of high-profile incidents involving SQL injection vulnerabilities. The purpose of these attacks was to inject malicious content into compromised sites that would then attempt to exploit subsequent site visitors. Attackers used a technique that allowed them to dynamically inject malicious content into strings throughout the database without detection. This provided a means of generically exploiting vulnerable applications rather than having to develop application-specific payloads. Messaging: Web servers can be difficult to secure. Patching requires downtime and frequently corporate sites are hosted on third-party server networks. As a result they can frequently be easy targets for attackers. Because of this, Web servers and connected databases need to be continuously monitored for suspicious activity.
STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, let's review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited. The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications. Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide