Integrating security into the application development process
Download as PPTX, PDF1 like1,664 views
The document provides an overview of integrating security into the application development process. It discusses seeking to understand development methodologies, programming languages, and risk frameworks. It also covers source code security best practices like code reviews and tools. Application security and software quality assurance testing methods are reviewed. The document also discusses analyzing deployed applications and other considerations like training and metrics. Resources for further learning are provided.
Integrating security into the application development process
- 1. Integrating Security into the Application Development Process Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
- 2. Agenda • Seek First to Understand • Source Code Security • AppSec and SQA • Analyzing Deployed Applications • Other Considerations • Resources
- 3. How to Write Good Code From http://xkcd.com/844/
- 4. SEEK FIRST TO UNDERSTAND
- 5. Development Methodologies • Agile with Scrum • Capability Maturity Mode Integrated – 1 (Waterfall) – 3 (Iterative) – 5 (Spiral) • Extreme Programming (XP) • Object-Oriented Development • Pair Programming With Iterative • Proofs of Correctness with Waterfall • Rational Unified Process (RUP) • Team Software Process (TSP) List from http://www.infoq.com/articles/evaluating-agile-software-methodologies
- 6. Programming Languages • ASP.NET • C / C++ / C# / Objective-C • HTML5 • Java • PHP • Python • Ruby • What else?
- 7. Risk/Security Frameworks • COBIT (ISACA) • COSO (SOX) • HITRUST CSF (HIPAA) • ISO/IEC 27002:2005 • NIST • OCTAVE (CERT) • STRIDE/DREAD – Spoofing (identity), Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege – Damage, Reproducibility, Exploitability, Affected users, Discoverability
- 8. Project Phase-Gate Model • Scoping • Build Business Case • Development • Testing and Validation • Launch
- 9. The OWASP Top Ten (Web) • A1 – Injection • A2 – Broken Authentication and Session Management • A3 – Cross-Site Scripting (XSS) • A4 – Insecure Direct Object References • A5 – Security Misconfiguration • A6 – Sensitive Data Exposure • A7 – Missing Function Level Access Control • A8 – Cross-Site Request Forgery (CSRF) • A9 – Using Components with Known Vulnerabilities • A10 – Unvalidated Redirects and Forwards
- 10. The OWASP Top Ten (Mobile) • M1 – Insecure Data Storage • M2 – Weak Server Side Controls • M3 – Insufficient Transport Layer Protection • M4 – Client Side Injection • M5 – Poor Authorization and Authentication • M6 – Improper Session Handling • M7 – Security Decisions Via Untrusted Inputs • M8 – Side Channel Data Leakage • M9 – Broken Cryptography • M10 – Sensitive Information Disclosure
- 11. Prep Checklist • What development methodologies do we follow? • What programming languages do we use? • What risk/security frameworks do we follow? • What third-party libraries do we use? • What stages in the development process require approval from the security team?
- 13. Code Reviews • Benefits – Find flaws – Reduce fraud • Peer Reviews in Software, by Karl Wiegers – Ad hoc review – Passaround – Pair programming – Walkthrough – Team Review – Inspection
- 14. OWASP Code Review Project • Methodology (v1.1, current) – Preparation – Security Code Review in the SDLC – Security Code Review Coverage – Application Threat Modeling – Code Review Metrics • Methodology (v2.0, due in January 2014) – Preparation – Application Threat Modeling – Understanding Code Layout/Design/Architecture – Reviewing by Technical Control – Reviewing by Vulnerability – Security Code Review for Agile Development
- 15. Code Review Tools • NIST SAMATE – Software Assurance Metrics and Tool Evaluation • Tools – Source Code Security Analyzers – Byte Code Scanners – Binary Code Scanners
- 16. Code Review Tools (cont’d) • Checkmarx ($; multiple languages) • DevInpsect ($; Java, .NET) • FindBugs / FindSecurityBugs (free; Java) • FxCop (free; .NET) • IDA Pro ($; Windows/Linux executables) • LAPSE (free; Java) • PMD (free; Java) • Rational AppScan ($; multiple languages) • RATS (free; C, C++, Perl, PHP, Python)
- 17. APPSEC AND SQA
- 18. The SQA Process • Initiation • Planning • Tracking • Training • Reviews • Issue Resolution • Testing • Audit • Process Improvement List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
- 19. Positive and Negative Testing • Positive Test Cases – Does the app do what it’s supposed to do? • Negative Test Cases – Does the app do anything it’s not supposed to do?
- 20. Top 10 Negative Test Cases • Embedded Single Quote • Required Data Entry • Field Type Test • Field Size Test • Numeric Bounds Test • Numeric Limits Test • Date Bounds Test • Date Validity • Web Session Testing • Performance Changes List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
- 21. SQA Security Tools • QAInspect • OWASP Zed Attack Proxy (ZAP) • OWASP Mantra
- 23. Application Scanning • Automated scanners interact with an app like an actual user • Production vs. Non-Production • Authenticated vs. Non-Authenticated • Don’t forget the app infrastructure – Host Systems – Web Servers – Backend Databases
- 24. Manual App Analysis • OWASP Testing Guide (v3) – Information Gathering – Configuration Management Testing – Authentication Testing – Session Management Testing – Authorization Testing – Business Logic Testing – Data Validation Testing – Testing for Denial of Service – Web Services Testing – AJAX Testing • Version 4 in development (some material available)
- 25. Scanning vs. Pen Testing • Scanning – Automated – Look for signature-based flaws – Some heuristics • Web App Pen Testing – Unconventional thinking – Test application logic
- 26. Web App Security Scanners • Acunetix Web Vulnerability Scanner (WVS) • AppScan • Arachni • Burp Suite • Grendel-Scan • QualysGuard Web Application Scanner (WAS) • SamuraiWTF • Veracode Web Application Security (WAS) • W3AF • WebInspect • WebSecurify
- 28. SQA Metrics • ISO 9126-1 (Software Quality) – Functionality • Security (unauthorized access) – Reliability – Usability – Efficiency – Maintainability – Portability • Security – CIA Triad – Confidentiality – Integrity – Availability
- 29. SQA Metrics (cont’d) • OWASP – Cross-site scripting tests run – SQL injection tests run – User input tests run – Cookie or credentials manipulation testing has been performed – Denial of Service scenarios have been checked • Vulnerabilities detected vs. vulnerabilities remediated List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics
- 30. Developer Training • OWASP Resources – Top 10 Application Security Risks – Top 10 Mobile Security Risks – WebGoat Project (Java) – Mutillidae (PHP) – Bricks (PHP and MySQL) • SANS Courses – SEC542: Web App Penetration Testing and Ethical Hacking – DEV522: Defending Web Applications Security Essentials – DEV541: Secure Coding in Java/JEE – DEV544: Secure Coding in .NET • Web Application Security Consortium
- 31. Professional Organizations • OWASP • ISSA • (ISC)2 • InfraGard • ISACA • W3C Web Application Security Working Group
- 32. RESOURCES
- 33. Resources • Codecademy – http://www.codecademy.com/learn • OWASP Top Ten (2013) – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project – https://www.owasp.org/index.php/File:OWASP_Top_10_-_2013_Final_- _English.pptx • OWASP Code Review Project – https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project • NIST SAMATE – http://samate.nist.gov/ • Web App Scanner List – http://projects.webappsec.org/w/page/13246988/Web%20Application%20Secu rity%20Scanner%20List • SecTools – http://sectools.org/
- 34. More Resources • Project Phase Gate Model – http://en.wikipedia.org/wiki/Phase%E2%80%93gate_model • ISO 9126 Software Quality Characteristics – http://www.sqa.net/iso9126.html • Top 10 Negative Test Cases – http://www.sqatester.com/methodology/Top10NegativeTestCases.htm • OWASP – Software Quality Assurance – https://www.owasp.org/index.php/Software_Quality_Assurance • OWASP Testing Project – https://www.owasp.org/index.php/OWASP_Testing_Project • “952” Metrics for Software Quality Assurance (SQA) – http://davidfrico.com/sqa-metrics.pdf • Web Application Security Working Group – http://www.w3.org/2011/webappsec/
- 35. Even More Resources • SQL Injection Tutorial – http://www.youtube.com/watch?v=qELByGfNJSE • OWASP Mobile Security Project – https://www.owasp.org/index.php/OWASP_Mobile_Security_Project – http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks • OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project • OWASP Mutillidae – https://www.owasp.org/index.php/Category:OWASP_Mutillidae • OWASP Bricks – https://www.owasp.org/index.php/OWASP_Bricks
- 36. Contact Info Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis LinkedIn: http://www.linkedin/com/in/slandail Twitter: https://twitter.com/slandail http://www.jacadis.com/ contact@jacadis.com