digital armour: adding security to software development
DESCRIPTION
Digital Armour: Adding Security to Software Development. Terry Labach IST Information Security Services. "Amateurs produce amateur security, which costs more in dollars, time, liberty, and dignity while giving us less -- or even no -- security." - Bruce Schneier. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
Digital Armour: Adding Security to Software Development
Terry LabachIST Information Security Services
#watitis2012
"Amateurs produce amateur security, which costs more in dollars, time, liberty, and dignity while giving us less -- or even no -- security."
- Bruce Schneier
Introduction• Secure Application Development
– what is it?– why should you care?– rules of thumb
• Examples• Questions
#watitis2012
Goals of Secure Application Development
• first, that the actual development process is secure: it aims to prevent unsafe code from being created, inserted, misused, or deployed
• second, that the application created is secure: it does not expose user data or allow unauthorized access to computer systems
#watitis2012
Features of Secure Application Development
– combines fundamental good development practices with security knowledge
– principles applicable across development methodologies, technologies, languages, platforms
#watitis2012
Why care about secure development?
We have duties outlined by the University and the government• Policy 8
– Information Security Policy for University of Waterloo
• FIPPA– Freedom of Information and Protection of
Privacy Act
#watitis2012
Why care about secure development?
• professional responsibility– Our code should work as intended– Robust enough to deal with unforeseen
situations
#watitis2012
Why isn’t secure development practised?
• developers don’t realize importance• not sure what is required
– no training– no mentorship
• “shoot from the hip” approach to coding– experienced coders and co-ops alike
• no mandate from management
#watitis2012
What causes security flaws in applications?
• Development– coding errors– process errors
• incomplete testing– failure to account for known threats– failure to build robustness to account for
unknown threats
#watitis2012
What causes security flaws in applications?
• Deployment– process errors– configuration errors
#watitis2012
What are typical security flaws?
• Many enumerations of flaws• Researchers at Fortify have suggested a
taxonomy of software security errors.
#watitis2012
Taxonomy 1-4• Input Validation and Representation• API Abuse• Security Features• Time and State
#watitis2012
Taxonomy 5-8• Errors• Code Quality• Encapsulation• Environment
#watitis2012
Secure Development Process• No magic bullet to prevent security flaws…
#watitis2012
"The 'code' which he suggests is however very contrary to the line of development here, and much more in the American tradition of solving one's difficulties by means of much equipment rather than by thought."
- Alan Turing, criticizing a proposed computer design.
Secure Development Process• …but following simple rules of thumb can
be quite effective at preventing errors, including security errors.
#watitis2012
Development basics• maintain separate environments for
– development– testing– production– repositories
#watitis2012
Development basics• review code• test code
#watitis2012
Testing
#watitis2012
“The system's security must, of course, be tested for invulnerability from frontal attack - but must also be tested for invulnerability from flank or rear attack.” - Boris Beizer
Testing• automatic testing
– unit testing– regression testing– edge cases (boundaries)– fuzz testing
• vulnerability testing (IST)
#watitis2012
Coding basics• validate input• validate output• validate on server, not client• permission, not exclusion• limit error messages to client• check return values• handle anomalous behaviour (exceptions)
#watitis2012
Design basics• protect data
– in transit (network, http, email)– in place (files, database)
• limit user access– passwords– CAS
• layer defenses
#watitis2012
Infrastructure basics• use APIs and libraries rather than rolling
your own• know your software and deployment
environments
#watitis2012
Examples• code and configuration snippets• demonstrate techniques to improve
security• although using particular languages, most
techniques are applicable to many different languages
#watitis2012
Examples: .NET and SQL• programs often create SQL queries by
concatenating text, including user input
string query = "SELECT * FROM items WHERE itemname = '“ + ItemName.Text + "'";
• a user may be able to craft an entry that includes SQL code and allows access to the database
#watitis2012
Examples: .NET and SQL• for input "name' OR 'a'='a“, the generated SQL is
SELECT * FROM items WHERE itemname = 'name' OR 'a'='a';
• this has the result of returning the entire items table
#watitis2012
Examples: .NET and SQL• to avoid this, use a parameter to the SQL
statementusing (SqlConnection conn = new SqlConnection(connString)){ string query = "SELECT * FROM items WHERE itemname =
@Iname"; SqlCommand cmd = new SqlCommand(query, conn); cmd.Parameters.AddWithValue("@Iname",
Request.QueryString["Iname"]); conn.Open(); ... }
#watitis2012
Examples: java• random number generation
• Random– sequence determined by initial seed
• SecureRandom– cryptographically strong random number
generator
#watitis2012
Examples: javaSecureRandom random = new SecureRandom();byte bytes[] = new byte[20];random.nextBytes(bytes);
• don’t bypass internal seeding with non-random value (e.g. time)
• occasionally create new instance
#watitis2012
Examples: php• securing cookies used for session
management– session.cookie_lifetime
• lifetime of the cookie in seconds– session.cookie_secure
• should cookies be sent over secure connections– session.cookie_httponly
• limit to the HTTP protocol
#watitis2012
Examples: php• set configuration in php.ini
session.cookie_lifetime = 7200session.cookie_secure = 1session.cookie_httponly = 1
#watitis2012
Examples: php• php can read HTTP GET values using the
$_GET variable– could allow malicious input– removing dangerous input not trivial
#watitis2012
Examples: php• filter_input (from php 5.2)
– provides many filtering types• to apply filter to $_GET[‘my_string’]
<?php$my_string = filter_input(INPUT_GET, ‘my_string’, FILTER_SANITIZE_STRING); ?>
#watitis2012
Examples: HTTP• GET and POST used to transfer user
requests• GET
– query passed as part of URL– can be cached, stored in browser history
• GET should not be used to transmit sensitive data
#watitis2012
Examples: HTTP• POST
– data passed in body of the HTTP request– encrypted when using SSL connections
#watitis2012
Examples: ruby• filename validation with regular expression
– /^[\w\.\-\+]+$/– Meant to allow only alphanumeric, ., +, -.– ^ and $ match the beginning and end of line
#watitis2012
Examples: ruby• flaw
– However, the above will allow the filename file.txt%0A<script>alert('hello')</script>
– $ matches at %0A (URL-encoded line break)– Should use \A and \z to match entire string– /\A[\w\.\-\+]+\z
#watitis2012
Conclusions“Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.”
- Bruce Schneier
#watitis2012
Conclusions• secure software development is not
necessarily an onerous thing• it does require awareness and discipline• common sense development practices
and a concern with correct operation of the program will prevent many security problems
#watitis2012
Resources• HP Fortify Taxonomy: Software Security Er
rors• Seven Pernicious Kingdoms: A Taxonomy
of Software Security Errors• CSIS: 20 Critical Security Controls Version
4.0
#watitis2012
Resources• OWASP Top Ten Project• OWASP Prevention Cheat Sheet Series• 2011 CWE/SANS Top 25 Most Dangerous
Software Errors
• IST Information Security Services
#watitis2012