Security Testing: Myths, Challenges, and Opportunities. Experiences in Integrating Security Testing "End-to-End" Into the Software Life-Cycle at SAP
Achim D. Brucker, achim.brucker@sap.com, http://www.brucker.ch
SAP SE, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany
SECTEST Keynote, 6th International Workshop on Security Testing (SECTEST)
Graz, Austria, April 13, 2015
Abstract
Security testing is an important part of any security development lifecycle (SDL) and thus should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers".
On the one hand, learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a "close-to-production" or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.
In this talk we will report on our experiences on integrating security testing "end-to-end" into SAP's software development lifecycle in general and in particular SAP's Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges and opportunities in the area of security testing.
© 2015 SAP SE. All Rights Reserved.
A Security Testing Taxonomy
Figure: taxonomy tree classifying security testing methods along three axes, Manual vs. Automated, Black-Box vs. White-Box, and Dynamic vs. Static:
Manual
  Black-Box
    Dynamic: Manual Penetration Testing
    Static: Manual Binary Analysis
  White-Box
    Dynamic: Manual Penetration Testing
    Static: Manual Code Review
Automated
  Black-Box
    Dynamic: Web Vulnerability Scanning
    Static: Static Binary Analysis
  White-Box
    Dynamic: Runtime Memory Analysis
    Static: Static Source Analysis
A Security Testing Taxonomy and a Disclaimer
(Taxonomy tree as on the previous slide.)
Disclaimer
In this talk, security testing refers to all kinds of methods that find security vulnerabilities in systems, including (but not limited to):
• static approaches (e.g., SAST, code reviews)
• dynamic approaches (e.g., DAST, fuzzing)
• combined approaches (e.g., IAST, concolic testing)
Agenda
1. SAP in a Nutshell
2. Motivation
3. The Beginning: Large Scale Introduction of SAST
4. A Risk-based Security Testing Strategy
5. SAP's Secure Software Development Lifecycle (S2DL)
6. Myths and Lessons Learned
SAP SE
• Leader in Business Software
  • Cloud
  • Mobile
  • On premise
• Many different technologies and platforms, e.g.
  • In-memory database and application server (HANA)
  • Netweaver for ABAP and Java
• More than 25 industries
• 63% of the world's transaction revenue touches an SAP system
• approx. 68,000 employees worldwide
• Headquarters: Walldorf (close to Heidelberg, Germany)
SAP's Security Team: How SAP Organizes Software Security
De-centralized development model:
• Central security expert team (S2DL owner)
  • Organizes security trainings
  • Defines product standard "Security"
  • Defines risk and threat assessment methods
  • Defines security testing strategy
  • Selects and provides security testing tools
  • Validates products
  • Defines and executes response process
• Local security experts
  • Embedded into development teams
  • Organize local security activities
  • Support developers and architects
  • Support product owners (responsibles)
Figure: organization chart of Product Security with the units "Training & Standard" (Security Training, Security Standard, Merger & Acquisitions), "Security Testing & Validation" (Security Enablement, Tools, Validation) and "Response" (External Findings, Patch Process), plus Security Communication as a virtual team.
My Background
• I wear two hats:
  • Research Expert/Architect
  • (Global) Security Testing Strategist
• Background: Security, Formal Methods, Software Engineering
• Current work areas:
  • Static code analysis
  • (Dynamic) Security Testing
  • Mobile Security
  • Security Development Lifecycle
  • Secure Software Development Lifecycle
http://www.brucker.ch
Costs of Vulnerabilities (Attacks on IT Systems)
• TJX Company Inc. (2007): $250 million
• Sony (2011): $170 million
• Heartland Payment Systems (2009): $41 million
"A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts."
(http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx)
Vulnerability Types of CVE Reports Since 1999
Figure: distribution of CVE reports by vulnerability type:
Execute Code 28%
Denial of Service 17%
Overflow 12%
XSS 11%
SQL Injection 8%
Gain Information 5%
Bypass Something 4%
Other 15%
• Causes for most vulnerabilities are
  • programming errors
  • configuration errors
• Patching
  • is expensive
  • may introduce new bugs
• How can we help developers to avoid these mistakes?
How We Started: What We Wanted to Find. Programming Patterns That May Cause Security Vulnerabilities
Mainly two patterns:
Local issues (no data-flow dependency), e.g.
• Insecure functions

    var x = Math.random();

• Secrets stored in the source code

    var password = 'secret';

Data-flow related issues, e.g.
• Cross-site Scripting (XSS)

    var docref = document.location.href;
    var input = docref.substring(
      docref.indexOf("default=") + 8);
    var fake = function (x) { return x; };
    var cleanse = function (x) {
      return 'hello world'; };
    document.write(fake(input));     // untrusted URL data reaches the sink
    document.write(cleanse(input));  // the "sanitizer" never uses its input

• Secrets stored in the source code

    var foo = 'secret';
    var x = decrypt(foo, data);
We trust our developers, i.e., we are focusing on finding "obvious" bugs.
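The difference between the two pattern classes is easiest to see in a toy analyser. The following block is an added example written for this page, not code from the talk or from SAP's tooling; the source, sink and sanitizer lists, the "key sink" rule and the one-statement-per-line JavaScript subset it parses are assumptions made for the example.

```javascript
// Added example (not code from the talk): a toy static analyser over a small
// JavaScript subset (one statement per line) that illustrates the two pattern
// classes from the slide. Local rules are single-line pattern matches; the
// data-flow rules follow values from a source through assignments and calls
// into a sink. Source, sink and sanitizer lists are assumptions for this example.

const SOURCES = ["document.location.href"];              // attacker-controlled input
const SINKS = ["document.write"];                         // HTML injection sink
const KNOWN_SANITIZERS = new Set(["encodeURIComponent"]); // assumed trusted encoders
const KEY_SINKS = ["decrypt", "encrypt"];                 // first argument is key material

const LOCAL_RULES = [
  { id: "insecure-random", re: /\bMath\.random\s*\(/,
    msg: "Math.random() is not a cryptographically secure RNG" },
  { id: "hardcoded-secret", re: /\b(password|secret|api_?key)\s*=\s*['"][^'"]+['"]/i,
    msg: "secret stored in source code" },
];

function analyze(source) {
  const findings = [];
  const tainted = new Set();   // variables holding untrusted data
  const literals = new Set();  // variables assigned a string literal
  const noFlow = new Set();    // user functions whose result ignores their argument

  // Is the value of this expression derived from an untrusted source?
  function isTainted(expr) {
    expr = expr.trim();
    const call = expr.match(/^(\w+)\s*\((.*)\)$/);
    if (call) {
      const [, fn, arg] = call;
      if (KNOWN_SANITIZERS.has(fn) || noFlow.has(fn)) return false;
      return isTainted(arg);   // pass-through and unknown functions keep the taint
    }
    if (SOURCES.some((s) => expr.includes(s))) return true;
    // any other expression (e.g. docref.substring(...)) is tainted if it reads a tainted variable
    return [...tainted].some((v) => new RegExp("\\b" + v + "\\b").test(expr));
  }

  source.split("\n").forEach((line, i) => {
    const at = i + 1;
    for (const r of LOCAL_RULES) {
      if (r.re.test(line)) findings.push({ line: at, rule: r.id, msg: r.msg });
    }
    // data-flow rule 2: a string literal used as key material
    const key = line.match(new RegExp("\\b(" + KEY_SINKS.join("|") + ")\\s*\\(\\s*(\\w+)"));
    if (key && literals.has(key[2])) {
      findings.push({ line: at, rule: "hardcoded-key", msg: `literal ${key[2]} used as key for ${key[1]}()` });
    }
    // function definitions: var f = function (x) { return <expr>; }
    const def = line.match(/^\s*var\s+(\w+)\s*=\s*function\s*\((\w+)\)\s*\{\s*return\s+(.+?)\s*;?\s*\}\s*;?\s*$/);
    if (def) {
      const [, name, param, body] = def;
      if (!new RegExp("\\b" + param + "\\b").test(body)) noFlow.add(name);
      return;
    }
    // assignments: var x = <expr>;
    const asg = line.match(/^\s*var\s+(\w+)\s*=\s*(.+?)\s*;?\s*$/);
    if (asg) {
      const [, name, expr] = asg;
      if (/^['"].*['"]$/.test(expr)) literals.add(name);
      if (isTainted(expr)) tainted.add(name);
      return;
    }
    // data-flow rule 1: untrusted data reaching an HTML sink
    for (const sink of SINKS) {
      const call = line.match(new RegExp("\\b" + sink.replace(/\./g, "\\.") + "\\s*\\((.+)\\)\\s*;?\\s*$"));
      if (call && isTainted(call[1])) {
        findings.push({ line: at, rule: "xss", msg: `untrusted data reaches ${sink}()` });
      }
    }
  });
  return findings;
}

// Constructed sample: the slide's snippets, one statement per line.
const SAMPLE = [
  "var x = Math.random();",
  "var password = 'secret';",
  "var docref = document.location.href;",
  "var input = docref.substring(docref.indexOf('default=') + 8);",
  "var fake = function (x) { return x; };",
  "var cleanse = function (x) { return 'hello world'; };",
  "document.write(fake(input));",
  "document.write(cleanse(input));",
  "var foo = 'secret';",
  "var y = decrypt(foo, data);",
].join("\n");

console.log(analyze(SAMPLE));
```

On the sample it reports lines 1 and 2 from the local rules, line 7 as XSS and line 10 as a hard-coded key, and stays silent on line 8 and on `var foo = 'secret'` by itself. No single-line pattern can tell `fake` from `cleanse`; the data-flow rule only can because it looked at the function bodies first. Real tools differ from this toy mainly in how much of the language and how many call edges they model, which is exactly where the false negatives discussed later in the talk come from.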
SAST at SAP
Figure: share of analyzed code by language (ABAP, Java, C, JavaScript, Others).
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• SAST tools used at SAP:

    Language     Tool                Vendor
    ABAP         CVA (SLIN_SEC)      SAP
    JavaScript   Checkmarx CxSAST    Checkmarx
    C/C++        Coverity            Coverity
    Others       Fortify             HP

• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91-101. GI, 2014.
So, Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability
• It supports also a mode that reports no false positives
Combining Multiple Security Testing Methods and Tools
Figure: layered software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) annotated, step by step, with the tools covering its layers: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan.
• Risks of only using SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan
Figure: inputs to the Security Test Plan: the application type (selected from a list of predefined application types), implementation details (e.g., programming languages, frameworks), the priority of SAP Security Requirements, and the risk assessment (e.g., SECURIM threat modelling, OWASP ASVS).
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
SAP's Secure Software Development Lifecycle (S2DL)
Figure: SAP S2DL
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
Figure: SAP S2DL. Phases from the start of development to the shipment decision: Training, Risk Identification, Plan Security Measures, Secure development, Security testing, Security Validation, Security Response. Artefacts along the way: Security Measure Plan, Security Test Plan, Security Measure Report, Security Test Report, Security Validation Report.
Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g., code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
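The completeness check of a testing report against its plan can be automated once both are structured records. The following is an added example for this page, not SAP's tooling or a format the talk describes; the record layout, the field names and the severity levels are assumptions made for the example, and the plan and report are constructed samples.

```javascript
// Added example (not from the talk): a completeness and plausibility check of a
// Security Testing Report against the Security Testing Plan it implements, the
// kind of check the slide assigns to the validation or security enablement team.
// Record layout, field names and severities are assumptions for this example.

// Constructed sample plan: activities a risk-based test plan could contain.
const PLAN = {
  product: "example-product",
  activities: [
    { id: "sast-js", kind: "code scan", tool: "Checkmarx CxSAST", scope: "ui/" },
    { id: "sast-java", kind: "code scan", tool: "Fortify", scope: "server/" },
    { id: "dast-web", kind: "dynamic analysis", tool: "HP WebInspect", scope: "test landscape" },
    { id: "pentest", kind: "manual penetration test", tool: null, scope: "release candidate" },
  ],
};

// Constructed sample report as handed in by the development team.
const REPORT = {
  product: "example-product",
  results: [
    { activity: "sast-js", status: "done", findings: { open: 0, fixed: 12 } },
    { activity: "sast-java", status: "done", findings: { open: 3, fixed: 40 },
      deviation: "3 remaining findings classified as quality issues by the product owner" },
    { activity: "dast-web", status: "skipped" },                              // no reason given
    { activity: "fuzz-api", status: "done", findings: { open: 0, fixed: 1 } }, // not in the plan
  ],
};

// Returns the deviations found; a "blocker" keeps the report from going to validation.
function checkReport(plan, report) {
  const issues = [];
  if (plan.product !== report.product) {
    issues.push({ severity: "blocker", activity: null, msg: "report belongs to a different product" });
  }
  const planned = new Map(plan.activities.map((a) => [a.id, a]));
  const reported = new Map(report.results.map((r) => [r.activity, r]));

  // every planned activity needs a result, and every gap needs a documented deviation
  for (const a of plan.activities) {
    const r = reported.get(a.id);
    if (!r) {
      issues.push({ severity: "blocker", activity: a.id, msg: `planned ${a.kind} has no result in the report` });
    } else if (r.status !== "done" && !r.deviation) {
      issues.push({ severity: "blocker", activity: a.id, msg: `activity ${r.status} without a documented deviation` });
    } else if (r.status === "done" && r.findings.open > 0 && !r.deviation) {
      issues.push({ severity: "warning", activity: a.id, msg: `${r.findings.open} open findings without a documented deviation` });
    }
  }
  // results the plan never asked for are fine, but the plan should be brought up to date
  for (const r of report.results) {
    if (!planned.has(r.activity)) {
      issues.push({ severity: "info", activity: r.activity, msg: "result for an activity missing from the plan; update the plan" });
    }
  }
  return issues;
}

function readyForValidation(plan, report) {
  return checkReport(plan, report).every((i) => i.severity !== "blocker");
}

console.log(checkReport(PLAN, REPORT), readyForValidation(PLAN, REPORT));
```

For the sample the check blocks on the skipped dynamic scan (no deviation given) and the missing penetration test, accepts the open Fortify findings because the deviation is documented, and only notes the unplanned fuzzing run. The point of the check is the plausibility question the slide raises: a report that silently drops a planned activity is worth more attention than one with open findings and a written reason.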
Continuously Measure Your Work and Improve Your Setup: But How to Measure and What to Expect?
What we do:
• Externally reported vulnerabilities / vulnerabilities found by validation: check why we missed them earlier
• Potential reasons for missing a vulnerability (and actions):
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools ⇒ analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing tool
    • cannot be detected in principle by our tools ⇒ research for suitable tools and decide if risk justifies effort for introducing new tool
  • Vulnerability can be detected by our tools
    • With recent configuration but not configuration at release date ⇒ no immediate actions necessary
    • With configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect:
• Issues not covered by current tool configuration should increase (ideally to 100%)
What we observe:
• Increase of logic-based flaws
Penetration Tests at the End of Development Test/Ensure the Security of the Developed Product, Right?
Main purpose of penetration tests at end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally, they find no issues that could have been fixed/detected earlier (e.g., configuration)
Note: penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
False Positives are not Your Biggest Concern: A Pragmatic Solution for Too Many Findings: Prioritize Them
• What needs to be audited?
• What needs to be fixed
  • as security issue (response effort)
  • as quality issue
• Different rules for
  • old code
  • new code
Listen to Your Developers: Development Awareness. Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.
Always keep in mind: Building a secure system is more difficult than finding a successful attack.
We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• …
And btw, this also holds for DevOps (Cloud).
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Security Testing Myths Challenges and OpportunitiesExperiences in Integrating Security Testing ldquoEnd-to-Endrdquo Into the Software Life-Cycle at SAP
Abstract
Security testing is an important part of any security development lifecycle (SDL) and thus should be a part ofany software (development) lifecycle Still security testing is often understood as an activity done by securitytesters in the time between ldquoend of developmentrdquo and ldquooffering the product to customersrdquoOn the one hand learning from traditional testing that the fixing of bugs is the more costly the later it is donein development security testing should be integrated into the daily development activities On the otherhand developing software for the cloud and offering software in the cloud raises the need for security testingin a ldquoclose-to-productionrdquo or even production environment Consequently we need an end-to-end integrationof security testing into the software lifecycleIn this talk we will report on our experiences on integrating security testing ldquoend-to-endrdquo into SAPrsquos softwaredevelopment lifecycle in general and in particular SAPrsquos Secure Software Development Lifecycle (S2DL)Moreover we will discuss different myths challenges and opportunities in the are security testing
copy 2015 SAP SE All Rights Reserved Page 2 of 27
A Security Testing Taxonomy
Manual
Automated
Black-Box
Black-Box
White-Box
White-Box
Dynamic
Dynamic
Dynamic
Static
Static
Static
Static
Dynamic
Manual Penetration Testing
Manual Binary Analysis
Manual Penetration Testing
Manual Code Review
Web Vulnerability Scanning
Static Binary Analysis
Runtime Memory Analysis
Static Source Analysis
copy 2015 SAP SE All Rights Reserved Page 3 of 27
A Security Testing Taxonomy and a Disclaimer
Manual
Automated
Black-Box
Black-Box
White-Box
White-Box
Dynamic
Dynamic
Dynamic
Static
Static
Static
Static
Dynamic
Manual Penetration Testing
Manual Binary Analysis
Manual Penetration Testing
Manual Code Review
Web Vulnerability Scanning
Static Binary Analysis
Runtime Memory Analysis
Static Source Analysis
Disclaimer
In this talk security testing refers to all kind of methods that find securityvulnerabilities in systems including (but not limited) to
bull static approaches (eg SAST code reviews)
bull dynamic approaches (eg DAST fuzzing)
bull combined approaches (eg IAST concolic testing)
copy 2015 SAP SE All Rights Reserved Page 3 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 4 of 27
Die SAP SE
bull Leader in Business Softwarebull Cloudbull Mobilebull On premise
bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java
bull More than 25 industries
bull 63 of the worldrsquos transaction revenue touches anSAP system
bull approx 68 000 employees worldwide
bull Headquarters Walldorf(close to Heidelberg Germany)
copy 2015 SAP SE All Rights Reserved Page 5 of 27
SAPrsquo Security TeamHow SAP Organizes Software Security
De-centralized development modelbull Central security expert team (S2DL owner)
bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process
bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)
Product Security
ldquoTraining amp Standardrdquo
Security Training
Security Standard
Merger amp Acquisitions
ldquoSecurity Testing amp
Validationrdquo
Security Enablement
Tools
Validation
ldquoResponserdquo
External Findings
Patch Process
Security Communication (Virtual Team)
copy 2015 SAP SE All Rights Reserved Page 6 of 27
My Background
bull I wear two hatsbull Research ExpertArchitectbull (Global) Security Testing Strategist
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle
httpwwwbruckerch
copy 2015 SAP SE All Rights Reserved Page 7 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 8 of 27
Costs of Vulnerabilities (Attacks on IT Systems)
bull TJX Company Inc (2007) $ 250 million
bull Sony (2011) $ 170 million
bull Heartland Payment Systems (2009) $ 41 million
ldquo A hack not only costs a company money but also its reputation and the trust of itscustomers It can take years and millions of dollars to repair the damage that a singlecomputer hack inflicts
(httpfinancialedgeinvestopediacomfinancial-edge0711Most-Costly-Computer-Hacks-Of-All-Timeaspx)
copy 2015 SAP SE All Rights Reserved Page 9 of 27
Vulnerability Types of CVE Reports Since 1999
Execute Code 28
Denial of Service 17
Overflow 12
XSS 11
SQL Injection 8
Gain Information 5
Bypass Something 4
Other 15
bull Causes for most vulnerabilities arebull programming errorsbull configuration errors
bull Patchingbull is expensivebull may introduce new bugs
bull How can we help developers to avoid this mistakes
copy 2015 SAP SE All Rights Reserved Page 10 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 11 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
copy 2015 SAP SE All Rights Reserved Page 12 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
We trust our developers ie we are
focusing on finding ldquoobviousrdquo bugs
copy 2015 SAP SE All Rights Reserved Page 12 of 27
SAST at SAP

(Figure: share of analyzed code by language: ABAP, Java, C, JavaScript, others)

• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• SAST tools used at SAP:

    Language     Tool               Vendor
    ABAP         CVA (SLIN_SEC)     SAP
    JavaScript   Checkmarx CxSAST   Checkmarx
    C/C++        Coverity           Coverity
    Others       Fortify            HP

• Further details: Deploying Static Application Security Testing on a Large Scale. In: GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101, GI, 2014.
So, Everything is Secure Now, Right?

“Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure.”
    Undisclosed sales engineer from a SAST tool vendor

Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability
• It also supports a mode that reports no false positives
Combining Multiple Security Testing Methods and Tools

(Figure: software stack – Client Application, Web Browser, Server Application, Runtime Container, Backend Systems – annotated with the tools that cover its layers: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan)

• Risks of using only SAST:
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations:
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan

(Figure: inputs to the Security Test Plan – selection from a list of predefined application types; implementation details, e.g., programming languages and frameworks; priority of SAP Security Requirements; risk assessment, e.g., SECURIM, Threat Modelling, OWASP ASVS)

• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
SAP's Secure Software Development Lifecycle (S2DL)

(Figure: SAP S2DL)
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report

(Figure: S2DL phases from start of development to shipment decision – Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response – with the Security Measure Plan, Security Test Plan, Security Measure Report, Security Test Report and Security Validation Report as artifacts)

Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team

Security Testing Report
• Result of executed security testing activities (e.g., code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
Continuously Measure Your Work and Improve Your Setup
But How to Measure, and What to Expect?

What we do:
• Externally reported vulnerabilities / vulnerabilities found by validation: check why we missed them earlier
• Potential reasons for missing a vulnerability (and actions):
  • Vulnerability not detected by our tools (strategy):
    • could be detected in principle by our tools
      ⇒ analyze necessary changes (with tool vendor) and decide if the risk justifies the effort for enhancing the tool
    • cannot be detected in principle by our tools
      ⇒ research suitable tools and decide if the risk justifies the effort for introducing a new tool
  • Vulnerability can be detected by our tools:
    • with the recent configuration, but not with the configuration at release date
      ⇒ no immediate actions necessary
    • with the configuration at release date
      ⇒ analyze why it was not detected and take further actions

What we expect:
• The share of issues not covered by the current tool configuration should increase (ideally to 100%)

What we observe:
• Increase of logic-based flaws
Penetration Tests at the End of Development test/ensure the security of the developed product, right?

Main purpose of penetration tests at end of development is
• to check for “flaws” in the S2DL (and not the product)
• ideally, they find no issues that could have been fixed/detected earlier (e.g., configuration)

Note: penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
False Positives are not Your Biggest Concern
A Pragmatic Solution for Too Many Findings: Prioritize Them

• What needs to be audited?
• What needs to be fixed?
  • as security issue (response effort)
  • as quality issue
• Different rules for
  • old code
  • new code
Listen to Your Developers: Development Awareness
Developers Should be the Best Friends of Security Experts (not Their Enemies)

We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.

Always keep in mind: building a secure system is more difficult than finding a successful attack.

We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• ...

And, by the way, this also holds for DevOps (Cloud).
Thank you

http://xkcd.com/327
Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
A Security Testing Taxonomy
Manual
Automated
Black-Box
Black-Box
White-Box
White-Box
Dynamic
Dynamic
Dynamic
Static
Static
Static
Static
Dynamic
Manual Penetration Testing
Manual Binary Analysis
Manual Penetration Testing
Manual Code Review
Web Vulnerability Scanning
Static Binary Analysis
Runtime Memory Analysis
Static Source Analysis
copy 2015 SAP SE All Rights Reserved Page 3 of 27
A Security Testing Taxonomy and a Disclaimer
Manual
Automated
Black-Box
Black-Box
White-Box
White-Box
Dynamic
Dynamic
Dynamic
Static
Static
Static
Static
Dynamic
Manual Penetration Testing
Manual Binary Analysis
Manual Penetration Testing
Manual Code Review
Web Vulnerability Scanning
Static Binary Analysis
Runtime Memory Analysis
Static Source Analysis
Disclaimer
In this talk security testing refers to all kind of methods that find securityvulnerabilities in systems including (but not limited) to
bull static approaches (eg SAST code reviews)
bull dynamic approaches (eg DAST fuzzing)
bull combined approaches (eg IAST concolic testing)
copy 2015 SAP SE All Rights Reserved Page 3 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 4 of 27
Die SAP SE
bull Leader in Business Softwarebull Cloudbull Mobilebull On premise
bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java
bull More than 25 industries
bull 63 of the worldrsquos transaction revenue touches anSAP system
bull approx 68 000 employees worldwide
bull Headquarters Walldorf(close to Heidelberg Germany)
copy 2015 SAP SE All Rights Reserved Page 5 of 27
SAPrsquo Security TeamHow SAP Organizes Software Security
De-centralized development modelbull Central security expert team (S2DL owner)
bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process
bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)
Product Security
ldquoTraining amp Standardrdquo
Security Training
Security Standard
Merger amp Acquisitions
ldquoSecurity Testing amp
Validationrdquo
Security Enablement
Tools
Validation
ldquoResponserdquo
External Findings
Patch Process
Security Communication (Virtual Team)
copy 2015 SAP SE All Rights Reserved Page 6 of 27
My Background
bull I wear two hatsbull Research ExpertArchitectbull (Global) Security Testing Strategist
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle
httpwwwbruckerch
copy 2015 SAP SE All Rights Reserved Page 7 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 8 of 27
Costs of Vulnerabilities (Attacks on IT Systems)
bull TJX Company Inc (2007) $ 250 million
bull Sony (2011) $ 170 million
bull Heartland Payment Systems (2009) $ 41 million
ldquo A hack not only costs a company money but also its reputation and the trust of itscustomers It can take years and millions of dollars to repair the damage that a singlecomputer hack inflicts
(httpfinancialedgeinvestopediacomfinancial-edge0711Most-Costly-Computer-Hacks-Of-All-Timeaspx)
copy 2015 SAP SE All Rights Reserved Page 9 of 27
Vulnerability Types of CVE Reports Since 1999
Execute Code 28
Denial of Service 17
Overflow 12
XSS 11
SQL Injection 8
Gain Information 5
Bypass Something 4
Other 15
bull Causes for most vulnerabilities arebull programming errorsbull configuration errors
bull Patchingbull is expensivebull may introduce new bugs
bull How can we help developers to avoid this mistakes
copy 2015 SAP SE All Rights Reserved Page 10 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 11 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
copy 2015 SAP SE All Rights Reserved Page 12 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
We trust our developers ie we are
focusing on finding ldquoobviousrdquo bugs
copy 2015 SAP SE All Rights Reserved Page 12 of 27
SAST at SAP
ABAP
Java
C
JavaScript
Others
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 13 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)
bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerabilitybull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers: Development Awareness
Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need:
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• ...
And, by the way, this also holds for DevOps (Cloud).
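What a "framework that makes it hard to implement insecure systems" can look like in practice, as an added example that is not SAP's code or any real framework's API: a small HTML rendering function that escapes every interpolated value by default and only passes through values the developer has explicitly wrapped in a marker type. The names SafeHtml, render, greeting_page and trusted_snippet are this example's own assumptions; the point it demonstrates is that the secure path is the default and the insecure path is an explicit, reviewable opt-out.

```python
"""Added example (not SAP code): an HTML rendering API that is safe by default.

Every value substituted into a template is escaped unless the caller wraps it
in SafeHtml, so there is no convenient equivalent of document.write(untrusted).
"""
import html
import re


class SafeHtml(str):
    """Marker type: the developer asserts this string is already safe HTML.

    Making the unsafe path a distinct type (rather than a flag on each call)
    keeps the default path safe and makes every opt-out easy to find in review.
    """


def escape(value):
    """Escape anything that is not explicitly marked safe."""
    if isinstance(value, SafeHtml):
        return str(value)
    # quote=True also escapes " and ', so values are safe inside attributes too
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(template, **context):
    """Fill {name} placeholders in template with escaped context values.

    The result is itself SafeHtml, so rendered fragments can be nested into
    other templates without being escaped a second time. Unknown placeholders
    raise instead of silently rendering empty, so a typo cannot drop a value.
    """
    def substitute(match):
        name = match.group(1)
        if name not in context:
            raise KeyError("missing template value: %s" % name)
        return escape(context[name])
    return SafeHtml(_PLACEHOLDER.sub(substitute, template))


def greeting_page(user_input):
    """The slide's document.write(input) pattern, written against the safe API."""
    return render("<p>Hello, {name}!</p>", name=user_input)


def trusted_snippet():
    """Explicit opt-out: a developer-authored fragment passed through unchanged."""
    link = SafeHtml('<a href="/help">help</a>')
    return render("<p>See {link}.</p>", link=link)


def nested_page(user_input):
    """Nesting a rendered fragment does not double-escape it."""
    return render("<div>{inner}</div>", inner=greeting_page(user_input))


if __name__ == "__main__":
    # constructed sample input mimicking an attacker-controlled URL fragment
    print(greeting_page('<script>alert(1)</script>'))
    print(trusted_snippet())
    print(nested_page('<b>'))
```

The design choice worth copying is the asymmetry: a developer who just writes `render(..., name=input)` gets escaping for free, while the dangerous case requires naming `SafeHtml` in the source, which a SAST rule or a code reviewer can grep for.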
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.
A Security Testing Taxonomy and a Disclaimer

Figure: security testing taxonomy (tree rebuilt from the slide: Manual/Automated, then Black-Box/White-Box, then Dynamic/Static):

              | Black-Box                            | White-Box
  Manual      | Dynamic: Manual Penetration Testing  | Dynamic: Manual Penetration Testing
              | Static:  Manual Binary Analysis      | Static:  Manual Code Review
  Automated   | Dynamic: Web Vulnerability Scanning  | Dynamic: Runtime Memory Analysis
              | Static:  Static Binary Analysis      | Static:  Static Source Analysis

Disclaimer
In this talk, security testing refers to all kinds of methods that find security vulnerabilities in systems, including (but not limited to):
• static approaches (e.g., SAST, code reviews)
• dynamic approaches (e.g., DAST, fuzzing)
• combined approaches (e.g., IAST, concolic testing)
Agenda
1. SAP in a Nutshell
2. Motivation
3. The Beginning: Large Scale Introduction of SAST
4. A Risk-based Security Testing Strategy
5. SAP's Secure Software Development Lifecycle (S2DL)
6. Myths and Lessons Learned
SAP SE
• Leader in Business Software
  • Cloud
  • Mobile
  • On premise
• Many different technologies and platforms, e.g.
  • In-memory database and application server (HANA)
  • NetWeaver for ABAP and Java
• More than 25 industries
• 63% of the world's transaction revenue touches an SAP system
• Approx. 68,000 employees worldwide
• Headquarters: Walldorf (close to Heidelberg, Germany)
SAP's Security Team: How SAP Organizes Software Security
De-centralized development model:
• Central security expert team (S2DL owner)
  • Organizes security trainings
  • Defines product standard "Security"
  • Defines risk and threat assessment methods
  • Defines security testing strategy
  • Selects and provides security testing tools
  • Validates products
  • Defines and executes response process
• Local security experts
  • Embedded into development teams
  • Organize local security activities
  • Support developers and architects
  • Support product owners (responsibles)

Figure: Product Security organization: "Training & Standard" (Security Training, Security Standard, Merger & Acquisitions), "Security Testing & Validation" (Security Enablement, Tools, Validation), "Response" (External Findings, Patch Process), and Security Communication (Virtual Team).
My Background
• I wear two hats
  • Research Expert/Architect
  • (Global) Security Testing Strategist
• Background: Security, Formal Methods, Software Engineering
• Current work areas
  • Static code analysis
  • (Dynamic) Security Testing
  • Mobile Security
  • Security Development Lifecycle
  • Secure Software Development Lifecycle
http://www.brucker.ch
Costs of Vulnerabilities (Attacks on IT Systems)
• TJX Company, Inc. (2007): $250 million
• Sony (2011): $170 million
• Heartland Payment Systems (2009): $41 million
"A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts."
(http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx)
Vulnerability Types of CVE Reports Since 1999
• Execute Code: 28%
• Denial of Service: 17%
• Overflow: 12%
• XSS: 11%
• SQL Injection: 8%
• Gain Information: 5%
• Bypass Something: 4%
• Other: 15%
• Causes for most vulnerabilities are
  • programming errors
  • configuration errors
• Patching
  • is expensive
  • may introduce new bugs
• How can we help developers to avoid these mistakes?
How We Started: What We Wanted to Find
Programming Patterns That May Cause Security Vulnerabilities
Mainly two patterns:
Local issues (no data-flow dependency), e.g.
• Insecure functions

    var x = Math.random();

• Secrets stored in the source code

    var password = 'secret';

Data-flow related issues, e.g.
• Cross-site Scripting (XSS)

    var docref = document.location.href;
    var input = docref.substring(3, docref.indexOf("default=") + 8);

    var fake = function (x) { return x; };
    var cleanse = function (x) {
      return 'hello world';
    };
    document.write(fake(input));
    document.write(cleanse(input));

• Secrets stored in the source code

    var foo = 'secret';
    var x = decrypt(foo, data);

We trust our developers, i.e., we are focusing on finding "obvious" bugs.
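To make the difference between the two pattern families concrete, here is an added example (not SAP's tooling and not any SAST vendor's code): a toy analyzer in Python that runs a local rule set and a data-flow rule set over a hand-built mini-AST of the JavaScript snippets above. The AST encoding, the source/sink tables and the function names (run_local_rules, run_dataflow_rules, labels_of) are assumptions of this example. The local rules catch `Math.random()` and the variable named `password`, but miss `foo`; the data-flow rules catch the `document.write(fake(input))` sink and the literal key flowing into `decrypt()`, and stay silent on `cleanse(input)`, whose return value does not depend on its argument.

```python
"""Added example (not SAP's or any SAST vendor's code): toy SAST rule families.

Mini-AST (an assumption of this example):
  expressions: ("lit", value) | ("var", name) | ("prop", dotted_name)
               ("call", callee, [args])   method calls pass the receiver as
               first argument: s.substring(3) -> ("call","substring",[("var","s"),("lit",3)])
  statements:  ("assign", name, expr) | ("def", fname, param, return_expr) | ("expr", expr)
"""

TAINT_SOURCES = {"document.location.href"}              # values get label "user"
PROPAGATING_BUILTINS = {"substring", "concat", "trim"}  # output carries input labels
INSECURE_CALLS = {"Math.random": "insecure randomness (Math.random is not a CSPRNG)"}
SECRET_NAMES = ("password", "secret", "key")
# sink callee -> (argument position, forbidden label, message)
SINK_RULES = {
    "document.write": (0, "user", "XSS: attacker-controlled data written to the DOM"),
    "decrypt": (0, "literal", "hard-coded key passed to decrypt()"),
}

# Mini-AST of the slide's snippets (constructed for this example).
SLIDE_PROGRAM = [
    ("assign", "x", ("call", "Math.random", [])),                  # 1 var x = Math.random();
    ("assign", "password", ("lit", "secret")),                     # 2 var password = 'secret';
    ("assign", "docref", ("prop", "document.location.href")),      # 3
    ("assign", "input", ("call", "substring", [                    # 4 docref.substring(3, ...)
        ("var", "docref"), ("lit", 3),
        ("call", "indexOf", [("var", "docref"), ("lit", "default=")])])),
    ("def", "fake", "x", ("var", "x")),                            # 5 returns its argument
    ("def", "cleanse", "x", ("lit", "hello world")),               # 6 returns a constant
    ("expr", ("call", "document.write", [("call", "fake", [("var", "input")])])),     # 7
    ("expr", ("call", "document.write", [("call", "cleanse", [("var", "input")])])),  # 8
    ("assign", "foo", ("lit", "secret")),                          # 9 name gives nothing away
    ("assign", "y", ("call", "decrypt", [("var", "foo"), ("var", "data")])),          # 10
]


def run_local_rules(program):
    """Pattern-match each statement on its own; no knowledge of other statements."""
    findings = []
    for idx, stmt in enumerate(program, 1):
        if stmt[0] != "assign":
            continue
        name, expr = stmt[1], stmt[2]
        if expr[0] == "lit" and any(s in name.lower() for s in SECRET_NAMES):
            findings.append((idx, "hard-coded secret in variable %r" % name))
        if expr[0] == "call" and expr[1] in INSECURE_CALLS:
            findings.append((idx, INSECURE_CALLS[expr[1]]))
    return findings


def labels_of(expr, env, funcs):
    """Set of labels ('user', 'literal') that can reach expr under env."""
    kind = expr[0]
    if kind == "lit":
        return {"literal"} if isinstance(expr[1], str) else set()
    if kind == "var":
        return set(env.get(expr[1], set()))
    if kind == "prop":
        return {"user"} if expr[1] in TAINT_SOURCES else set()
    if kind == "call":
        callee, args = expr[1], expr[2]
        arg_labels = [labels_of(a, env, funcs) for a in args]
        if callee in funcs:
            # user-defined function: evaluate its return expression with the
            # (single) parameter bound to the caller's argument labels
            param, ret = funcs[callee]
            return labels_of(ret, {param: arg_labels[0] if arg_labels else set()}, funcs)
        if callee in PROPAGATING_BUILTINS:
            return set().union(*arg_labels) if arg_labels else set()
        return set()  # assumption: unknown callees do not propagate labels
    raise ValueError("unknown node %r" % (expr,))


def check_sinks(idx, expr, env, funcs, findings):
    """Record a finding for every sink call inside expr whose argument is labelled."""
    if expr[0] != "call":
        return
    callee, args = expr[1], expr[2]
    if callee in SINK_RULES:
        pos, bad, msg = SINK_RULES[callee]
        if pos < len(args) and bad in labels_of(args[pos], env, funcs):
            findings.append((idx, msg))
    for a in args:
        check_sinks(idx, a, env, funcs, findings)


def run_dataflow_rules(program):
    """Walk the statements in order, tracking labels per variable."""
    env, funcs, findings = {}, {}, []
    for idx, stmt in enumerate(program, 1):
        if stmt[0] == "def":
            funcs[stmt[1]] = (stmt[2], stmt[3])
        elif stmt[0] == "assign":
            check_sinks(idx, stmt[2], env, funcs, findings)
            env[stmt[1]] = labels_of(stmt[2], env, funcs)
        elif stmt[0] == "expr":
            check_sinks(idx, stmt[1], env, funcs, findings)
    return findings


if __name__ == "__main__":
    print("local rules:    ", run_local_rules(SLIDE_PROGRAM))      # statements 1 and 2
    print("data-flow rules:", run_dataflow_rules(SLIDE_PROGRAM))   # statements 7 and 10
```

Note the assumption that unknown callees (here `indexOf`, `Math.random`, `decrypt`) do not propagate labels; a real tool ships a library model for exactly this, and the quality of that model is where many false negatives come from.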
SAST at SAP
Figure: analyzed code by language (ABAP, Java, C, JavaScript, Others).
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• SAST tools used at SAP:

  Language    Tool               Vendor
  ABAP        CVA (SLIN_SEC)     SAP
  JavaScript  Checkmarx CxSAST   Checkmarx
  C/C++       Coverity           Coverity
  Others      Fortify            HP

• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101. GI, 2014.
So, Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability.
• It also supports a mode that reports no false positives.
Combining Multiple Security Testing Methods and Tools
Figure: software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) and the tools covering parts of it: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan.
• Risks of only using SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan
Figure: the Security Test Plan is derived from a risk assessment (e.g., SECURIM, Threat Modelling, OWASP ASVS) that takes as input the application type (selected from a list of predefined application types), implementation details (e.g., programming languages, frameworks), and the priority of SAP Security Requirements.
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
SAP's Secure Software Development Lifecycle (S2DL)
Figure: SAP S2DL. Phases from start of development to shipment decision: Training, Risk Identification, Plan Security Measures, Secure development, Security testing, Security Validation, Security Response.

SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
Figure: SAP S2DL with the documents produced along the way: Security Measure Plan, Security Test Plan, Security Test Report, Security Measure Report, Security Validation Report.
Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g., code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
Continuously Measure Your Work and Improve Your Setup: But How to Measure and What to Expect?
What we do:
• Externally reported vulnerabilities / found by validation: check why we missed it earlier
• Potential reasons for missing a vulnerability (and actions):
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools ⇒ analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing tool
    • cannot be detected in principle by our tools ⇒ research for suitable tools and decide if risk justifies effort for introducing new tool
  • Vulnerability can be detected by our tools
    • With recent configuration, but not configuration at release date ⇒ no immediate actions necessary
    • With configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect:
• Issues not covered by current tool configuration should increase (ideally to 100%)
What we observe:
• Increase of logic-based flaws
Penetration Tests at the End of Development Test/Ensure the Security of the Developed Product, Right?
The main purpose of penetration tests at the end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally, they only find
  • no issues that can be fixed/detected earlier (e.g., configuration)
Note: penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 4 of 27
Die SAP SE
bull Leader in Business Softwarebull Cloudbull Mobilebull On premise
bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java
bull More than 25 industries
bull 63 of the worldrsquos transaction revenue touches anSAP system
bull approx 68 000 employees worldwide
bull Headquarters Walldorf(close to Heidelberg Germany)
copy 2015 SAP SE All Rights Reserved Page 5 of 27
SAPrsquo Security TeamHow SAP Organizes Software Security
De-centralized development modelbull Central security expert team (S2DL owner)
bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process
bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)
Product Security
ldquoTraining amp Standardrdquo
Security Training
Security Standard
Merger amp Acquisitions
ldquoSecurity Testing amp
Validationrdquo
Security Enablement
Tools
Validation
ldquoResponserdquo
External Findings
Patch Process
Security Communication (Virtual Team)
copy 2015 SAP SE All Rights Reserved Page 6 of 27
My Background
bull I wear two hatsbull Research ExpertArchitectbull (Global) Security Testing Strategist
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle
httpwwwbruckerch
copy 2015 SAP SE All Rights Reserved Page 7 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 8 of 27
Costs of Vulnerabilities (Attacks on IT Systems)
bull TJX Company Inc (2007) $ 250 million
bull Sony (2011) $ 170 million
bull Heartland Payment Systems (2009) $ 41 million
ldquo A hack not only costs a company money but also its reputation and the trust of itscustomers It can take years and millions of dollars to repair the damage that a singlecomputer hack inflicts
(httpfinancialedgeinvestopediacomfinancial-edge0711Most-Costly-Computer-Hacks-Of-All-Timeaspx)
copy 2015 SAP SE All Rights Reserved Page 9 of 27
Vulnerability Types of CVE Reports Since 1999
Execute Code 28
Denial of Service 17
Overflow 12
XSS 11
SQL Injection 8
Gain Information 5
Bypass Something 4
Other 15
bull Causes for most vulnerabilities arebull programming errorsbull configuration errors
bull Patchingbull is expensivebull may introduce new bugs
bull How can we help developers to avoid this mistakes
copy 2015 SAP SE All Rights Reserved Page 10 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 11 of 27
How We Started: What We Wanted to Find
Programming Patterns That May Cause Security Vulnerabilities
Mainly two patterns:
Local issues (no data-flow dependency), e.g.
• Insecure functions
    var x = Math.random();
• Secrets stored in the source code
    var password = 'secret';
Data-flow related issues, e.g.
• Cross-site Scripting (XSS)
    var docref = document.location.href;
    var input = docref.substring(3, docref.indexOf("default=") + 8);

    var fake = function (x) { return x; };
    var cleanse = function (x) {
      return 'hello world'; };
    document.write(fake(input));    // untrusted URL data reaches the sink unchanged (XSS)
    document.write(cleanse(input)); // the sanitizer breaks the data flow
• Secrets stored in the source code
    var foo = 'secret';
    var x = decrypt(foo, data);
We trust our developers, i.e., we are focusing on finding "obvious" bugs.
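The four patterns on this slide are exactly what a rule-based static analyzer looks for: two of them need only the statement itself (an insecure function, a secret in a literal), the other two need to follow data from a source to a sink. The toy scanner below is an added example, not code from the talk and not any SAST product named in it. It runs over the slide's snippets (one statement per array element, a simplification of what a real tool does on an AST) and the source, sink and sanitizer lists it declares are assumptions for the illustration.

```javascript
// Toy source-to-sink scanner for the two pattern classes on the slide.
// Added example, not SAP's tooling and not any vendor's engine. Assumptions:
// one JavaScript statement per array element, no real parser (a SAST tool
// works on an AST and a data-flow graph), and the SOURCES/SINKS/SANITIZERS
// lists below are illustrative, not a complete rule set.

const SOURCES = ["document.location.href", "location.search", "document.URL"];
const XSS_SINKS = ["document.write", "eval"];
const CRYPTO_SINKS = ["decrypt", "encrypt"];           // first argument is the key
const SANITIZERS = new Set(["cleanse", "escapeHtml"]); // assumed sanitizer names
const INSECURE_FUNCTIONS = ["Math.random"];            // not a CSPRNG
const SECRET_NAMES = /password|passwd|secret|apikey|token/i;
const STRING_LITERAL = /^(["'`])(?:\\.|(?!\1).)*\1$/;
const IDENT = /[A-Za-z_$][\w$]*/g;

// `var x = expr;` -> { lhs, rhs }; anything else -> null
function parseAssignment(stmt) {
  const m = stmt.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/);
  return m ? { lhs: m[1], rhs: m[2].trim() } : null;
}

// Identifier tokens of an expression, with string literals blanked out first
function identifiersIn(expr) {
  const noStrings = expr.replace(/(["'`])(?:\\.|(?!\1).)*\1/g, '""');
  return new Set(noStrings.match(IDENT) || []);
}

// True when expr is a direct call of a known sanitizer, e.g. cleanse(x)
function isSanitizerCall(expr) {
  const m = expr.trim().match(/^([A-Za-z_$][\w$]*)\s*\(/);
  return m !== null && SANITIZERS.has(m[1]);
}

// Text between the parentheses of `callee(...)` in stmt, or null if absent
function callArguments(stmt, callee) {
  const start = stmt.indexOf(callee + "(");
  if (start < 0) return null;
  return stmt.slice(start + callee.length + 1, stmt.lastIndexOf(")"));
}

function analyze(lines) {
  const findings = [];
  const tainted = new Set();   // variables carrying attacker-influenced data
  const constants = new Set(); // variables holding a string literal
  lines.forEach((stmt, i) => {
    const line = i + 1;
    // Local rules: the statement itself is the evidence, no data flow needed
    for (const fn of INSECURE_FUNCTIONS) {
      if (stmt.includes(fn + "(")) findings.push({ line, rule: "insecure-function", detail: fn });
    }
    const asg = parseAssignment(stmt);
    if (asg) {
      const isLiteral = STRING_LITERAL.test(asg.rhs);
      if (isLiteral && SECRET_NAMES.test(asg.lhs)) {
        findings.push({ line, rule: "hardcoded-secret", detail: asg.lhs });
      }
      if (isLiteral) constants.add(asg.lhs); else constants.delete(asg.lhs);
      // Taint propagation: a value derived from a source or from a tainted
      // variable stays tainted unless it passes through a known sanitizer.
      // Unknown functions such as `fake` are conservatively assumed to pass taint.
      const fromSource = SOURCES.some((s) => asg.rhs.includes(s));
      const fromTainted = [...identifiersIn(asg.rhs)].some((id) => tainted.has(id));
      if ((fromSource || fromTainted) && !isSanitizerCall(asg.rhs)) tainted.add(asg.lhs);
      else tainted.delete(asg.lhs);
    }
    // Data-flow rule 1: tainted data reaching an HTML or script sink
    for (const sink of XSS_SINKS) {
      const arg = callArguments(stmt, sink);
      if (arg === null || isSanitizerCall(arg)) continue;
      const hot = SOURCES.some((s) => arg.includes(s)) ||
        [...identifiersIn(arg)].some((id) => tainted.has(id));
      if (hot) findings.push({ line, rule: "xss-dataflow", detail: `${sink}(${arg})` });
    }
    // Data-flow rule 2: a string constant used as a cryptographic key
    for (const sink of CRYPTO_SINKS) {
      const arg = callArguments(stmt, sink);
      if (arg === null) continue;
      const key = arg.split(",")[0].trim();
      if (STRING_LITERAL.test(key) || constants.has(key)) {
        findings.push({ line, rule: "hardcoded-key-dataflow", detail: `${sink}(${key}, ...)` });
      }
    }
  });
  return findings;
}

// The slide's snippets, joined into one constructed sample program
const SAMPLE = [
  "var x = Math.random();",
  "var password = 'secret';",
  "var docref = document.location.href;",
  'var input = docref.substring(3, docref.indexOf("default=") + 8);',
  "var fake = function (x) { return x; };",
  "var cleanse = function (x) { return 'hello world'; };",
  "document.write(fake(input));",
  "document.write(cleanse(input));",
  "var foo = 'secret';",
  "var y = decrypt(foo, data);",
];

// "line:rule" for every finding, in source order
function rulesFired(lines) {
  return analyze(lines).map((f) => `${f.line}:${f.rule}`);
}

console.log(rulesFired(SAMPLE));
```

Note that `var foo = 'secret'` raises no local finding (the variable name says nothing), it is only the flow of that constant into the key parameter of `decrypt` that makes it a finding, which is why the slide lists it under data-flow issues. The `fake` identity function is the classic false-negative trap: the toy treats unknown callees as taint-preserving, whereas a tool that trusted every function call would miss line 7.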
SAST at SAP
[Figure: share of analyzed code by language: ABAP, Java, C, JavaScript, Others]
• Since 2010: mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• SAST tools used at SAP:
  Language     Tool               Vendor
  ABAP         CVA (SLIN_SEC)     SAP
  JavaScript   Checkmarx CxSAST   Checkmarx
  C/C++        Coverity           Coverity
  Others       Fortify            HP
• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101, GI 2014.
So Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability.
• It also supports a mode that reports no false positives.
Agenda (section 4 of 6): A Risk-based Security Testing Strategy
Combining Multiple Security Testing Methods and Tools
[Figure: software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) with the tools mapped onto it: Checkmarx (JavaScript), DOMinator, Fortify (Java), Coverity (C/C++), HP WebInspect, IBM AppScan]
• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan
[Figure: inputs to the risk assessment (e.g., SECURIM, Threat Modelling, OWASP ASVS): the application type, selected from a list of predefined application types; implementation details, e.g., programming languages and frameworks; the priority of SAP Security Requirements. Output: the Security Test Plan.]
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
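One way to make the selection rule on this slide ("the most efficient test tools and test cases based on the risks and the technologies used"), together with the coverage gaps of the previous slide, executable. This is an added example and not SAP's planning process or tooling: the SAST rows of the catalogue are taken from the "SAST tools used at SAP" table, while the DAST, fuzzing and manual rows, the effort figures (person-days) and the scoring rule are assumptions for the illustration.

```javascript
// Risk-based test plan selection as sketched on the slide. Added example, not
// SAP's planning process: the SAST rows of the catalogue follow the "SAST tools
// used at SAP" table on the earlier slide; the DAST, fuzzing and manual rows,
// the effort figures (person-days) and the scoring rule are assumptions.

const TOOL_CATALOGUE = [
  { name: "CVA (SLIN_SEC)",          method: "SAST",    languages: ["ABAP"],       effort: 1 },
  { name: "Checkmarx CxSAST",        method: "SAST",    languages: ["JavaScript"], effort: 1 },
  { name: "Coverity",                method: "SAST",    languages: ["C", "C++"],   effort: 1 },
  { name: "Fortify",                 method: "SAST",    languages: ["Java"],       effort: 1 },
  { name: "DAST web scan",           method: "DAST",    layers: ["client", "server"],            effort: 3 },
  { name: "Fuzzing",                 method: "fuzzing", layers: ["backend"],                     effort: 4 },
  { name: "Manual penetration test", method: "manual",  layers: ["client", "server", "backend"], effort: 8 },
];

// SAST tools are tied to a language, the other methods to a layer of the stack
function applies(tool, component) {
  return tool.languages ? tool.languages.includes(component.language)
                        : tool.layers.includes(component.layer);
}

// One candidate activity per (component, applicable tool). component.risk is
// the 1 (low) .. 5 (high) rating from the risk assessment.
function candidates(components) {
  const out = [];
  for (const c of components) {
    const sastAvailable = TOOL_CATALOGUE.some((t) => t.method === "SAST" && applies(t, c));
    for (const t of TOOL_CATALOGUE) {
      if (!applies(t, c)) continue;
      // Re-adjust priority: without SAST coverage the component relies entirely
      // on dynamic or manual testing, so those activities move up one level.
      const boost = !sastAvailable && t.method !== "SAST" ? 1 : 0;
      const priority = Math.min(5, c.risk + boost);
      out.push({ component: c.name, tool: t.name, method: t.method,
                 priority, effort: t.effort, efficiency: priority / t.effort });
    }
  }
  return out;
}

// Greedy selection by priority per unit of effort within an effort budget.
// Returns the plan plus the components left without any activity, which is
// the coverage gap a test plan review has to escalate.
function planSecurityTests(components, budget) {
  const ranked = candidates(components).sort((a, b) =>
    b.efficiency - a.efficiency || b.priority - a.priority || a.component.localeCompare(b.component));
  const plan = [];
  let remaining = budget;
  for (const cand of ranked) {
    if (cand.effort <= remaining) { plan.push(cand); remaining -= cand.effort; }
  }
  const covered = new Set(plan.map((p) => p.component));
  const gaps = components.filter((c) => !covered.has(c.name)).map((c) => c.name);
  return { plan, gaps, remainingBudget: remaining };
}

// Constructed sample project; "Go" has no SAST tool in the catalogue on purpose
const PROJECT = [
  { name: "SAPUI5 frontend", language: "JavaScript", layer: "client",  risk: 4 },
  { name: "OData service",   language: "ABAP",       layer: "server",  risk: 5 },
  { name: "Go microservice", language: "Go",         layer: "server",  risk: 3 },
  { name: "Native parser",   language: "C",          layer: "backend", risk: 2 },
];

const result = planSecurityTests(PROJECT, 10);
for (const p of result.plan) console.log(`P${p.priority} ${p.method.padEnd(7)} ${p.tool} -> ${p.component}`);
console.log("uncovered:", result.gaps);
```

With a budget of 10 person-days the cheap SAST scans are selected first, the dynamic scan then goes to the two server components, and the Go service (no SAST support in the catalogue) is carried by the boosted DAST entry. Shrinking the budget to 3 leaves that component without any activity, and `gaps` is what the plan's completeness check on the following S2DL slide has to catch.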
Agenda (section 5 of 6): SAP's Secure Software Development Lifecycle (S2DL)
SAP's Secure Software Development Lifecycle (S2DL)
[Figure: SAP SSDL]
SAP's Secure Software Development Lifecycle (S2DL)
Security Testing Plan and Security Testing Report
[Figure: SAP SSDL. Phases from start of development to shipment decision: Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response. Artifacts produced along the way: Security Measure Plan, Security Test Plan, Security Measure Report, Security Test Report, Security Validation Report.]
Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g., code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
Agenda (section 6 of 6): Myths and Lessons Learned
Continuously Measure Your Work and Improve Your Setup
But How to Measure and What to Expect?
What we do
• Externally reported vulnerabilities / found by validation: check why we missed it earlier
• Potential reasons for missing a vulnerability (and actions)
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools
      ⇒ analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing tool
    • cannot be detected in principle by our tools
      ⇒ research for suitable tools and decide if risk justifies effort for introducing new tool
  • Vulnerability can be detected by our tools
    • with recent configuration but not configuration at release date
      ⇒ no immediate actions necessary
    • with configuration at release date
      ⇒ analyze why it was not detected and take further actions
What we expect
• Issues not covered by current tool configuration should increase (ideally to 100%)
What we observe
• Increase of logic-based flaws
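The decision procedure on this slide, written out as a function so that the category of every missed vulnerability, and the share the slide says should rise towards 100%, can be computed from a list of records. This is an added example, not SAP's process tooling; the record fields, the category names and the rule that "risk justifies effort" when the risk rating is at least the effort rating (both on a 1..5 scale) are assumptions for the illustration.

```javascript
// Decision procedure for an externally reported vulnerability (or one found by
// validation) that earlier testing missed, following the branches on the slide.
// Added example, not SAP's process tooling: the record fields, the category
// names and the "risk justifies effort" comparison are assumptions.

// record.detection: the most favourable tool configuration that finds the issue
//   "release-config" - the configuration used at release date would have found it
//   "current-config" - only the configuration improved since then finds it
//   "none"           - no configuration of our tools finds it
// record.detectableInPrinciple: for "none", whether the tool class could find it
// record.risk / record.effort: both on the same 1..5 scale (assumption)
function triageMissedVulnerability(record) {
  const justified = record.risk >= record.effort;
  switch (record.detection) {
    case "release-config":
      return { category: "process-gap",
               action: "analyze why it was not detected (or not fixed) before release and take further action" };
    case "current-config":
      return { category: "closed-by-config-update",
               action: "no immediate action: the current configuration already covers this" };
    case "none":
      if (record.detectableInPrinciple) {
        return { category: "not-covered/detectable",
                 action: justified ? "analyze necessary changes with the tool vendor and enhance the tool"
                                   : "document the gap: risk does not justify the tool enhancement" };
      }
      return { category: "not-covered/undetectable",
               action: justified ? "research suitable tools and introduce a new one"
                                 : "document the gap: risk does not justify introducing a new tool" };
    default:
      throw new Error(`unknown detection value: ${record.detection}`);
  }
}

// Number of misses per category over a reporting period
function summarize(records) {
  const counts = {};
  for (const r of records) {
    const { category } = triageMissedVulnerability(r);
    counts[category] = (counts[category] || 0) + 1;
  }
  return counts;
}

// Share of misses that the current tool configuration does not cover at all.
// The slide's expectation: this should rise towards 100% as the configuration
// matures, because every other category means a tool would have caught it.
function notCoveredShare(records) {
  if (records.length === 0) return 0;
  const notCovered = records.filter((r) => r.detection === "none").length;
  return notCovered / records.length;
}

// Constructed sample: four externally reported issues from one release
const REPORTED = [
  { id: "EXT-1", detection: "release-config", risk: 4, effort: 2 },
  { id: "EXT-2", detection: "none", detectableInPrinciple: true,  risk: 4, effort: 3 },
  { id: "EXT-3", detection: "none", detectableInPrinciple: false, risk: 2, effort: 5 },
  { id: "EXT-4", detection: "current-config", risk: 3, effort: 1 },
];

console.log(summarize(REPORTED), notCoveredShare(REPORTED));
```

The interesting records are the "process-gap" ones: a tool in the release-date configuration would have reported the issue, so the miss is not a tooling problem but a scan that was not run, a finding that was not audited, or a fix that never shipped, and that is where the S2DL itself needs adjusting.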
Penetration Tests at the End of Development
Test/ensure the security of the developed product, right?
Main purpose of penetration tests at end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally, they only find
  • no issues that can be fixed/detected earlier (e.g., configuration)
Note: penetration tests in productive environments are different
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
False Positives are not Your Biggest Concern
A Pragmatic Solution for Too Many Findings: Prioritize Them
• What needs to be audited?
• What needs to be fixed?
  • as security issue (response effort)
  • as quality issue
• Different rules for
  • old code
  • new code
Listen to Your Developers: Development Awareness
Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• …
And btw, this also holds for DevOps (Cloud).
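An illustration of the third bullet (frameworks that make it hard to build insecure systems), tied back to the XSS pattern from the "How We Started" slide: an HTML template tag that escapes every interpolated value by default and requires an explicit, greppable opt-out for raw markup. This is an added example and not code from the talk; the names html, trusted and TrustedHtml are assumptions for this illustration, not any library's API.

```javascript
// "Frameworks that make it hard to implement insecure systems": an HTML
// template tag that escapes every interpolated value by default, so the XSS
// pattern from the earlier slide (untrusted data written straight into the
// page) needs a visible, reviewable opt-out. Added example; html, trusted and
// TrustedHtml are names assumed for this illustration, not a library API.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Marker type for markup produced by a safe path (this tag, or the explicit opt-out)
class TrustedHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// The only way to get raw markup in: easy to grep for in a code review
function trusted(markup) { return new TrustedHtml(markup); }

// Render one interpolated value: trusted markup passes, arrays are joined,
// everything else is escaped
function render(value) {
  if (value instanceof TrustedHtml) return value.markup;
  if (Array.isArray(value)) return value.map(render).join("");
  return escapeHtml(value);
}

// Tagged template: html`<p>${userInput}</p>` returns TrustedHtml
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => { out += render(v) + strings[i + 1]; });
  return new TrustedHtml(out);
}

// The pattern SAST has to hunt for: nothing in the code signals that `name`
// is untrusted and nothing escapes it
function greetUnsafe(name) {
  return "<p>Hello, " + name + "!</p>";
}

// The same page fragment built with the safe-by-default API
function greet(name) {
  return html`<p>Hello, ${name}!</p>`.toString();
}

// Nested templates compose without double escaping
function userList(names) {
  return html`<ul>${names.map((n) => html`<li>${n}</li>`)}</ul>`.toString();
}

// Constructed untrusted input, e.g. a URL parameter as on the XSS slide
const untrusted = "<script>alert(1)</script>";
console.log(greetUnsafe(untrusted)); // markup survives: the classic DOM XSS
console.log(greet(untrusted));       // <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;!</p>
```

The point for a SAST strategy is the `trusted()` call: with the default path safe, the scanner (and the reviewer) only has to look at the few places where raw markup is explicitly admitted, instead of at every string concatenation that ends up in the DOM.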
Thank you!
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.
SAP SE
• Leader in business software
  • Cloud
  • Mobile
  • On premise
• Many different technologies and platforms, e.g.
  • In-memory database and application server (HANA)
  • NetWeaver for ABAP and Java
• More than 25 industries
• 63% of the world's transaction revenue touches an SAP system
• approx. 68 000 employees worldwide
• Headquarters: Walldorf (close to Heidelberg, Germany)
SAP's Security Team: How SAP Organizes Software Security
De-centralized development model
• Central security expert team (S2DL owner)
  • Organizes security trainings
  • Defines product standard "Security"
  • Defines risk and threat assessment methods
  • Defines security testing strategy
  • Selects and provides security testing tools
  • Validates products
  • Defines and executes response process
• Local security experts
  • Embedded into development teams
  • Organize local security activities
  • Support developers and architects
  • Support product owners (responsibles)
[Figure: organization of Product Security. "Training & Standard": Security Training, Security Standard, Mergers & Acquisitions. "Security Testing & Validation": Security Enablement, Tools, Validation. "Response": External Findings, Patch Process. Across all areas: Security Communication (Virtual Team).]
My Background
• I wear two hats
  • Research Expert/Architect
  • (Global) Security Testing Strategist
• Background: Security, Formal Methods, Software Engineering
• Current work areas
  • Static code analysis
  • (Dynamic) Security Testing
  • Mobile Security
  • Security Development Lifecycle
  • Secure Software Development Lifecycle
http://www.brucker.ch
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 8 of 27
Costs of Vulnerabilities (Attacks on IT Systems)
bull TJX Company Inc (2007) $ 250 million
bull Sony (2011) $ 170 million
bull Heartland Payment Systems (2009) $ 41 million
ldquo A hack not only costs a company money but also its reputation and the trust of itscustomers It can take years and millions of dollars to repair the damage that a singlecomputer hack inflicts
(httpfinancialedgeinvestopediacomfinancial-edge0711Most-Costly-Computer-Hacks-Of-All-Timeaspx)
copy 2015 SAP SE All Rights Reserved Page 9 of 27
Vulnerability Types of CVE Reports Since 1999
Execute Code 28
Denial of Service 17
Overflow 12
XSS 11
SQL Injection 8
Gain Information 5
Bypass Something 4
Other 15
bull Causes for most vulnerabilities arebull programming errorsbull configuration errors
bull Patchingbull is expensivebull may introduce new bugs
bull How can we help developers to avoid this mistakes
copy 2015 SAP SE All Rights Reserved Page 10 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 11 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
copy 2015 SAP SE All Rights Reserved Page 12 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
We trust our developers ie we are
focusing on finding ldquoobviousrdquo bugs
copy 2015 SAP SE All Rights Reserved Page 12 of 27
SAST at SAP
ABAP
Java
C
JavaScript
Others
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 13 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)
bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerabilitybull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers: Development Awareness. Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need:
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• …
And, by the way, this also holds for DevOps (Cloud).
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
- SAP in a Nutshell
- Motivation
- The Beginning: Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAP's Secure Software Development Lifecycle (S2DL)
- Myths and Lessons Learned
SAP's Security Team: How SAP Organizes Software Security
De-centralized development model:
• Central security expert team (S2DL owner)
  • Organizes security trainings
  • Defines product standard "Security"
  • Defines risk and threat assessment methods
  • Defines security testing strategy
  • Selects and provides security testing tools
  • Validates products
  • Defines and executes response process
• Local security experts
  • Embedded into development teams
  • Organize local security activities
  • Support developers and architects
  • Support product owners (responsibles)
Figure: Product Security organization. "Training & Standard": Security Training, Security Standard, Merger & Acquisitions. "Security Testing & Validation": Security Enablement, Tools, Validation. "Response": External Findings, Patch Process. Across all three: Security Communication (Virtual Team).
My Background
• I wear two hats
  • Research Expert/Architect
  • (Global) Security Testing Strategist
• Background: Security, Formal Methods, Software Engineering
• Current work areas
  • Static code analysis
  • (Dynamic) Security Testing
  • Mobile Security
  • Security Development Lifecycle
  • Secure Software Development Lifecycle
http://www.brucker.ch
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning: Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAP's Secure Software Development Lifecycle (S2DL)
6 Myths and Lessons Learned
Costs of Vulnerabilities (Attacks on IT Systems)
• TJX Company, Inc. (2007): $250 million
• Sony (2011): $170 million
• Heartland Payment Systems (2009): $41 million
"A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts."
(http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx)
Vulnerability Types of CVE Reports Since 1999
Figure: share of CVE reports by vulnerability type: Execute Code 28%, Denial of Service 17%, Overflow 12%, XSS 11%, SQL Injection 8%, Gain Information 5%, Bypass Something 4%, Other 15%.
• Causes for most vulnerabilities are
  • programming errors
  • configuration errors
• Patching
  • is expensive
  • may introduce new bugs
• How can we help developers to avoid these mistakes?
How We Started: What We Wanted to Find. Programming Patterns That May Cause Security Vulnerabilities
Mainly two patterns:
Local issues (no data-flow dependency), e.g.:
• Insecure functions
    var x = Math.random();
• Secrets stored in the source code
    var password = 'secret';
Data-flow related issues, e.g.:
• Cross-site Scripting (XSS)
    var docref = document.location.href;
    var input = docref.substring(docref.indexOf("default=") + 8);
    var fake = function (x) { return x; };
    var cleanse = function (x) {
      return 'hello world';
    };
    document.write(fake(input));
    document.write(cleanse(input));
• Secrets stored in the source code
    var foo = 'secret';
    var x = decrypt(foo, data);
We trust our developers, i.e., we are focusing on finding "obvious" bugs.
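The two pattern classes on this slide (local issues vs. data-flow issues) and the prioritization from the "False Positives are not Your Biggest Concern" slide, as an added example that is not part of the deck and not SAP's tooling: a toy line-based checker that flags the local patterns, follows taint from document.location.href into document.write while trusting only a named sanitizer list (so the pass-through `fake` is still reported), and then ranks findings by issue kind and by whether the line is new code. The rule names, the trusted-sanitizer list and the set of "new" lines are constructed assumptions.

```python
"""Toy SAST checker: local rules plus a minimal taint flow, then triage.
Added example, not SAP's tooling; the JavaScript input is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the slide's JavaScript snippets merged into one file,
# plus one debug statement (line 9) so the triage also sees a quality issue.
JS_SOURCE = """\
var x = Math.random();
var password = 'secret';
var docref = document.location.href;
var input = docref.substring(docref.indexOf("default=") + 8);
var fake = function (x) { return x; };
var cleanse = function (x) { return 'hello world'; };
document.write(fake(input));
document.write(cleanse(input));
console.log(input);
"""

# Local rules: a single line is enough to decide, no data flow needed.
LOCAL_RULES = [
    ("insecure-random", re.compile(r"\bMath\.random\s*\("), "security"),
    ("hardcoded-secret",
     re.compile(r"\b(password|secret|apikey)\s*=\s*['\"]"), "security"),
    ("debug-output", re.compile(r"\bconsole\.log\s*\("), "quality"),
]

# Taint model for the data-flow rule. `fake` is deliberately absent from the
# trusted sanitizers, so data passed through it is still reported at the sink.
SOURCES = {"document.location.href"}
SINKS = {"document.write"}
SANITIZERS = {"cleanse"}

ASSIGN = re.compile(r"^\s*var\s+(\w+)\s*=\s*(.+?);\s*$")
CALL = re.compile(r"^\s*([\w.]+)\((.*)\);\s*$")
PRIORITY_RANK = {"fix-before-merge": 0, "audit-then-response": 1,
                 "fix-as-quality-issue": 2, "backlog": 3}


@dataclass
class Finding:
    rule: str
    line: int
    kind: str           # "security" or "quality"
    priority: str = ""  # assigned by triage()


def _mentions(names: set[str], text: str) -> bool:
    """True if any identifier in `names` occurs as a whole word in `text`."""
    return any(re.search(rf"\b{re.escape(n)}\b", text) for n in names)


def scan(js: str) -> list[Finding]:
    """One pass over the file: local rules per line, plus forward taint
    propagation through `var` assignments into the known sinks."""
    findings: list[Finding] = []
    tainted: set[str] = set()
    for no, line in enumerate(js.splitlines(), 1):
        for rule, pat, kind in LOCAL_RULES:
            if pat.search(line):
                findings.append(Finding(rule, no, kind))
        if m := ASSIGN.match(line):
            name, rhs = m.groups()
            # A variable becomes tainted if its right-hand side reads a
            # source or an already tainted variable (string-level flow).
            if any(s in rhs for s in SOURCES) or _mentions(tainted, rhs):
                tainted.add(name)
        if (m := CALL.match(line)) and m.group(1) in SINKS:
            arg = m.group(2)
            wrapper = re.match(r"(\w+)\(", arg)
            sanitized = wrapper is not None and wrapper.group(1) in SANITIZERS
            if not sanitized and _mentions(tainted, arg):
                findings.append(Finding("xss", no, "security"))
    return findings


def triage(findings: list[Finding], new_lines: set[int]) -> list[Finding]:
    """Prioritize instead of just counting: security issues in new code block
    the merge, in old code they go to audit and the response process;
    quality issues are fixed as such in new code or go to the backlog."""
    for f in findings:
        is_new = f.line in new_lines
        if f.kind == "security":
            f.priority = "fix-before-merge" if is_new else "audit-then-response"
        else:
            f.priority = "fix-as-quality-issue" if is_new else "backlog"
    return sorted(findings, key=lambda f: (PRIORITY_RANK[f.priority], f.line))


if __name__ == "__main__":
    # Constructed assumption: lines 3-9 were added in the change under review.
    for f in triage(scan(JS_SOURCE), set(range(3, 10))):
        print(f"line {f.line:2d}  {f.rule:<17} {f.kind:<9} -> {f.priority}")
```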
SAST at SAP
Figure: share of analyzed code by language: ABAP, Java, C, JavaScript, Others.
• Since 2010: mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• SAST tools used at SAP:
  Language     Tool                Vendor
  ABAP         CVA (SLIN_SEC)      SAP
  JavaScript   Checkmarx CxSAST    Checkmarx
  C/C++        Coverity            Coverity
  Others       Fortify             HP
• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101, GI 2014.
So, Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability
• It also supports a mode that reports no false positives
Combining Multiple Security Testing Methods and Tools
Figure: software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) annotated with the tools used per layer: Checkmarx (JavaScript), DOMinator, Fortify (Java), Coverity (C/C++), HP WebInspect, IBM AppScan.
• Risks of only using SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan
Figure: risk assessment (e.g., SECURIM, Threat Modelling, OWASP ASVS) takes as input a selection from a list of predefined application types and the implementation details (e.g., programming languages, frameworks), yields the priority of SAP Security Requirements, and results in the Security Test Plan.
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
SAP's Secure Software Development Lifecycle (S2DL)
Figure: SAP SSDL
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
Figure: SAP SSDL. Phases from start of development to shipment decision: Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response. Artifacts along the way: Security Measure Plan, Security Test Plan, Security Measure Report, Security Test Report, Security Validation Report.
Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g., code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
Continuously Measure Your Work and Improve Your Setup: But How to Measure and What to Expect?
What we do:
• Externally reported vulnerabilities / found by validation: check why we missed it earlier
• Potential reasons for missing a vulnerability (and actions):
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools ⇒ analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing the tool
    • cannot be detected in principle by our tools ⇒ research suitable tools and decide if risk justifies effort for introducing a new tool
  • Vulnerability can be detected by our tools
    • with recent configuration, but not with the configuration at release date ⇒ no immediate actions necessary
    • with the configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect:
• Issues not covered by current tool configuration should increase (ideally to 100%)
What we observe:
• Increase of logic-based flaws
Penetration Tests at the End of Development test/ensure the security of the developed product, right?
Main purpose of penetration tests at end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally, they only find
  • no issues that can be fixed/detected earlier (e.g., configuration)
Note: penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
My Background
bull I wear two hatsbull Research ExpertArchitectbull (Global) Security Testing Strategist
bull BackgroundSecurity Formal Methods Software Engineering
bull Current work areas
bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle
httpwwwbruckerch
copy 2015 SAP SE All Rights Reserved Page 7 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 8 of 27
Costs of Vulnerabilities (Attacks on IT Systems)
bull TJX Company Inc (2007) $ 250 million
bull Sony (2011) $ 170 million
bull Heartland Payment Systems (2009) $ 41 million
ldquo A hack not only costs a company money but also its reputation and the trust of itscustomers It can take years and millions of dollars to repair the damage that a singlecomputer hack inflicts
(httpfinancialedgeinvestopediacomfinancial-edge0711Most-Costly-Computer-Hacks-Of-All-Timeaspx)
copy 2015 SAP SE All Rights Reserved Page 9 of 27
Vulnerability Types of CVE Reports Since 1999
Execute Code 28
Denial of Service 17
Overflow 12
XSS 11
SQL Injection 8
Gain Information 5
Bypass Something 4
Other 15
bull Causes for most vulnerabilities arebull programming errorsbull configuration errors
bull Patchingbull is expensivebull may introduce new bugs
bull How can we help developers to avoid this mistakes
copy 2015 SAP SE All Rights Reserved Page 10 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 11 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
copy 2015 SAP SE All Rights Reserved Page 12 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
We trust our developers ie we are
focusing on finding ldquoobviousrdquo bugs
copy 2015 SAP SE All Rights Reserved Page 12 of 27
SAST at SAP
ABAP
Java
C
JavaScript
Others
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 13 of 27
So Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability.
• It also supports a mode that reports no false positives.
The joke makes the real point: a "tool" that flags every line has perfect recall and no precision, and one that reports nothing has no false positives and no recall. A detector is only useful somewhere in between, so neither metric on its own says anything about whether the software is secure.
Agenda, part 4: A Risk-based Security Testing Strategy
Combining Multiple Security Testing Methods and Tools
Figure: the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) and the tools that cover parts of it: Checkmarx (JavaScript), Fortify (Java) and Coverity (C/C++) as static analysers, DOMinator, HP WebInspect and IBM AppScan as dynamic scanners.
• Risks of using only SAST:
  • wasting effort that could be used more wisely elsewhere
  • shipping insecure software
• Examples of SAST limitations:
  • not all programming languages are supported
  • it does not cover all layers of the software stack
A Risk-based Test Plan
Figure: inputs to the Security Test Plan: the application type (selected from a list of predefined application types), implementation details (e.g. programming languages, frameworks), the priority of SAP Security Requirements, and the risk assessment (e.g. SECURIM, threat modelling, OWASP ASVS).
The Security Test Plan
• combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• re-adjusts the priorities of test cases based on the identified risks for the project
• monitors false-negative findings in the results of the risk assessment
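To make the planning rules concrete, here is an added example (not code from the talk and not SAP's S2DL tooling) that derives a test plan from the inputs the slide lists and, in the same pass, reports the coverage gaps described on the previous slide (languages without a SAST tool, layers SAST cannot see). The tool-to-language mapping is the one named on the slides; the application types, layer names, planning rules, requirement names and the sample projects are assumptions made for this example.

```python
from dataclasses import dataclass

# Tool-to-language mapping as named on the slides. Everything else in this file
# (application types, layer names, planning rules, requirement names, samples)
# is an assumption made for this example, not SAP's actual S2DL rule set.
SAST_TOOLS = {
    "ABAP": "CVA (SLIN_SEC)",
    "JavaScript": "Checkmarx CxSAST",
    "Java": "Fortify",
    "C": "Coverity",
    "C++": "Coverity",
}
DAST_TOOLS = "HP WebInspect / IBM AppScan"      # dynamic scanners named on the slide
WEB_LAYERS = frozenset({"web browser", "server application"})
CONFIG_LAYERS = frozenset({"runtime container", "backend systems"})  # no source code, so no SAST
RISK_RANK = {"low": 1, "medium": 2, "high": 3}
# Which methods address which (assumed) high-priority security requirement.
REQUIREMENT_METHODS = {
    "input validation": {"SAST", "DAST", "fuzzing"},
    "authentication": {"DAST", "manual pentest"},
    "secure configuration": {"config review"},
}


@dataclass(frozen=True)
class Project:
    name: str
    app_type: str              # picked from a predefined list of application types
    languages: frozenset       # implementation details: languages used
    layers: frozenset          # which stack layers the project ships
    risk: str                  # outcome of the risk assessment: low / medium / high
    top_requirements: tuple    # prioritised security requirements, most important first


@dataclass(frozen=True)
class TestCase:
    priority: int              # 1 = run first
    method: str
    target: str
    tool: str


def build_plan(p: Project) -> tuple[list[TestCase], list[str]]:
    """Return (test cases sorted by priority, coverage gaps that need a human decision)."""
    base = 4 - RISK_RANK[p.risk]        # high risk -> priority 1, low risk -> priority 3
    cases, gaps = [], []

    # 1. Static analysis per language; an unsupported language is a coverage gap.
    for lang in sorted(p.languages):
        tool = SAST_TOOLS.get(lang)
        if tool is None:
            gaps.append(f"{lang}: no SAST tool available, falling back to manual code review")
            cases.append(TestCase(base, "manual code review", lang, "security expert"))
        else:
            cases.append(TestCase(base, "SAST", lang, tool))

    # 2. Dynamic scanning only makes sense for layers that speak HTTP.
    if p.layers & WEB_LAYERS:
        cases.append(TestCase(base, "DAST", ", ".join(sorted(p.layers & WEB_LAYERS)), DAST_TOOLS))

    # 3. Layers SAST cannot see are checked by configuration review.
    for layer in sorted(p.layers & CONFIG_LAYERS):
        cases.append(TestCase(base, "config review", layer, "hardening checklist"))

    # 4. Native code that parses network input gets fuzzed.
    if p.languages & {"C", "C++"} and "server application" in p.layers:
        cases.append(TestCase(base, "fuzzing", "network-facing parsers", "fuzzer"))

    # 5. A manual penetration test closes every plan.
    cases.append(TestCase(base, "manual pentest", p.app_type, "security validation team"))

    # 6. Re-adjust: whatever addresses the project's top requirement runs first.
    if p.top_requirements:
        boosted = REQUIREMENT_METHODS.get(p.top_requirements[0], set())
        cases = [TestCase(1, c.method, c.target, c.tool) if c.method in boosted else c for c in cases]

    return sorted(cases, key=lambda c: (c.priority, c.method)), gaps


# Constructed sample project: a medium-risk web shop with a Go component no SAST tool covers.
SHOP = Project(
    name="web shop", app_type="web application",
    languages=frozenset({"Java", "JavaScript", "Go"}),
    layers=frozenset({"web browser", "server application", "backend systems"}),
    risk="medium", top_requirements=("secure configuration", "input validation"),
)

if __name__ == "__main__":
    plan, gaps = build_plan(SHOP)
    for c in plan:
        print(f"P{c.priority} {c.method:<18} {c.target:<35} {c.tool}")
    print("gaps:", *gaps, sep="\n  ")
```

The gap list is the part worth looking at: every language or layer that no automated tool covers becomes an explicit line item that a person has to accept or staff, instead of silently disappearing from the plan.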
Agenda, part 5: SAP's Secure Software Development Lifecycle (S2DL)
SAP's Secure Software Development Lifecycle (S2DL)
Figure: SAP S2DL
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
Figure: SAP S2DL. Phases: Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response, with "Start of development" and "Shipment decision" as milestones. Artifacts along the way: Security Measure Plan, Security Test Plan, Security Measure Report, Security Test Report, Security Validation Report.
Security Testing Plan
• based on the Security Risk Identification and Mitigation Report (threat modelling, SECURIM)
• describes the planned security testing activities
• completeness and plausibility check by the validation or security enablement team
Security Testing Report
• result of the executed security testing activities (e.g. code scan report)
• describes deviations from the plan
• input for validation and operation (cloud)
Agenda, part 6: Myths and Lessons Learned
Continuously Measure Your Work and Improve Your Setup. But How to Measure, and What to Expect?
What we do
• For externally reported vulnerabilities and vulnerabilities found by validation, check why we missed them earlier.
• Potential reasons for missing a vulnerability (and actions):
  • Vulnerability not detected by our tools (strategy):
    • could be detected in principle by our tools ⇒ analyze the necessary changes (with the tool vendor) and decide if the risk justifies the effort of enhancing the tool
    • cannot be detected in principle by our tools ⇒ research suitable tools and decide if the risk justifies the effort of introducing a new tool
  • Vulnerability can be detected by our tools:
    • with the recent configuration but not with the configuration at release date ⇒ no immediate action necessary
    • with the configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect
• The share of issues not covered by the current tool configuration should increase (ideally to 100%).
What we observe
• An increase of logic-based flaws.
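An added example, not the authors' code: the decision tree above implemented as a classifier over a constructed list of missed vulnerabilities, together with the metric the slide says to watch (the share of misses that the current tool configuration could not have found). The field names, the action texts and the sample records are assumptions for this example; the three re-scan answers each record carries are what a team would have to collect for every late-found issue.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ENHANCE_TOOL = "analyze necessary changes with the tool vendor; decide if the risk justifies enhancing the tool"
    NEW_TOOL = "research suitable tools; decide if the risk justifies introducing a new tool"
    NO_ACTION = "recent configuration already catches it; no immediate action"
    ROOT_CAUSE = "release-date configuration should have caught it; analyze why it was not detected"


@dataclass(frozen=True)
class MissedVulnerability:
    """One vulnerability reported externally or found late by security validation (assumed fields)."""
    id: str
    category: str
    detected_by_current_config: bool   # re-scan of the shipped code with today's tool configuration
    detected_by_release_config: bool   # re-scan with the configuration active on the release date
    detectable_by_our_tools: bool      # could our tool class find it at all, given a better ruleset?


def classify(v: MissedVulnerability) -> Action:
    """Decision tree from the slide: why did we miss it, and what follows from that."""
    if not v.detected_by_current_config:
        # Not detected by our tools as they are today: tool enhancement or a new tool.
        return Action.ENHANCE_TOOL if v.detectable_by_our_tools else Action.NEW_TOOL
    # Our tools can detect it; the question is whether they could have at release time.
    if v.detected_by_release_config:
        return Action.ROOT_CAUSE
    return Action.NO_ACTION


def report(misses):
    """Counts per action plus the share of misses outside the current tool configuration.

    The slide's expectation: this share should trend towards 100%, i.e. everything a
    configured tool can find is found before shipping and only the rest leaks out.
    """
    actions = Counter(classify(v) for v in misses)
    not_covered = actions[Action.ENHANCE_TOOL] + actions[Action.NEW_TOOL]
    share = not_covered / len(misses) if misses else 0.0
    return actions, share


# Constructed sample: five externally reported issues after one release.
SAMPLE = [
    MissedVulnerability("V-1", "SQL injection", True, True, True),          # rule existed, still shipped
    MissedVulnerability("V-2", "XSS", True, False, True),                   # rule added after release
    MissedVulnerability("V-3", "authorization logic", False, False, False), # business-logic flaw
    MissedVulnerability("V-4", "path traversal", False, False, True),       # sink not yet in the ruleset
    MissedVulnerability("V-5", "race condition", False, False, False),
]

if __name__ == "__main__":
    actions, share = report(SAMPLE)
    for v in SAMPLE:
        print(f"{v.id:<4} {v.category:<20} -> {classify(v).name}: {classify(v).value}")
    print(f"share of misses outside current configuration: {share:.0%}")
```

V-1 is the case that deserves the most attention: the tool configuration at release time would have flagged it, so the miss is a process failure (scan not run, finding not audited, exception granted), not a tool failure, and no amount of rule tuning fixes that.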
Penetration Tests at the End of Development Test/Ensure the Security of the Developed Product, Right?
The main purpose of penetration tests at the end of development is
• to check for "flaws" in the S2DL (and not in the product)
• Ideally, they find no issues that could have been detected and fixed earlier (e.g. configuration issues).
Note: penetration tests in productive environments are different:
• They test the actual configuration.
• They test the productive environment (e.g. cloud hosting).
False Positives Are Not Your Biggest Concern. A Pragmatic Solution for Too Many Findings: Prioritize Them
• What needs to be audited?
• What needs to be fixed?
  • as a security issue (response effort)
  • as a quality issue
• Different rules for
  • old code
  • new code
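As an added example (not the talk's own tooling), here is one way to turn the three questions above into a triage policy with different rules for old and new code: every finding gets a decision (audit, fix as security issue, fix as quality issue, backlog, dismiss) and the findings still waiting for a human are ordered so the most valuable audit comes first. The rule thresholds, the security-relevant categories, the field names and the sample scan result are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    AUDIT = "audit: a human confirms or rejects the finding before anything else happens"
    FIX_SECURITY = "fix as security issue (security response effort, ships only when fixed)"
    FIX_QUALITY = "fix as quality issue (normal backlog, no security response)"
    BACKLOG = "track only; revisit when the surrounding code is touched"
    DISMISS = "audited and rejected as a false positive"


# Categories whose confirmed findings are handled as security issues (assumed list).
SECURITY_CATEGORIES = {"sql injection", "xss", "command injection", "hardcoded secret", "path traversal"}
RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    category: str
    severity: str            # tool-reported: high / medium / low
    confidence: str          # tool-reported: high / medium / low
    location: str
    in_new_code: bool        # touched since the baseline scan (e.g. the previous release)
    audited: bool = False
    true_positive: Optional[bool] = None   # outcome of the audit, if any


def decide(f: Finding) -> Decision:
    """Apply different rules to new and old code; audit before deciding what to fix."""
    if f.audited:
        if not f.true_positive:
            return Decision.DISMISS
        is_security = f.category.lower() in SECURITY_CATEGORIES
        if f.in_new_code:
            # New code ships clean: every confirmed finding is fixed, security ones with response effort.
            return Decision.FIX_SECURITY if is_security else Decision.FIX_QUALITY
        # Old code: only confirmed high-severity security bugs trigger the expensive response process.
        return Decision.FIX_SECURITY if is_security and f.severity == "high" else Decision.FIX_QUALITY
    if f.in_new_code:
        return Decision.AUDIT          # no exceptions for new code, however low the severity
    if f.severity == "high" or (f.severity == "medium" and f.confidence == "high"):
        return Decision.AUDIT          # old code: audit only what is likely real and likely serious
    return Decision.BACKLOG


def audit_queue(findings):
    """Findings that still need a human, most valuable audit first."""
    todo = [f for f in findings if decide(f) is Decision.AUDIT]
    return sorted(todo, key=lambda f: (-RANK[f.severity], not f.in_new_code, -RANK[f.confidence]))


# Constructed sample scan result (ids and locations are made up).
SAMPLE = [
    Finding("F-1", "XSS", "high", "high", "ui/render.js:42", in_new_code=True),
    Finding("F-2", "weak random", "low", "low", "legacy/token.js:7", in_new_code=False),
    Finding("F-3", "SQL injection", "high", "medium", "legacy/report.java:118", in_new_code=False,
            audited=True, true_positive=True),
    Finding("F-4", "hardcoded secret", "medium", "high", "legacy/config.java:3", in_new_code=False),
    Finding("F-5", "XSS", "low", "low", "ui/footer.js:9", in_new_code=True),
    Finding("F-6", "weak random", "medium", "high", "ui/session.js:21", in_new_code=True,
            audited=True, true_positive=True),
    Finding("F-7", "SQL injection", "high", "high", "legacy/search.java:55", in_new_code=False,
            audited=True, true_positive=False),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.id} {f.category:<18} {'new' if f.in_new_code else 'old'} -> {decide(f).name}")
    print("audit next:", [f.id for f in audit_queue(SAMPLE)])
```

The asymmetry is deliberate: false positives in old code are tolerated (they sit in the backlog until the code is touched), while new code is held to the standard the scanner enforces today, which is what keeps the finding count from growing without blocking work on legacy components.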
Listen to Your Developers: Development Awareness. Developers Should Be the Best Friends of Security Experts (Not Their Enemies)
We often talk about a lack of security awareness and thereby forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need
• easier-to-use security APIs
• more tools that make it easy to implement systems securely
• frameworks that make it hard to implement insecure systems
• …
And, by the way, this also holds for DevOps (cloud).
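To show what "frameworks that make it hard to implement insecure systems" can look like, here is an added example (not code from the talk) that takes the XSS pattern from earlier in the deck, untrusted input written straight into the page, and contrasts the error-prone API with a secure-by-default one: a minimal templating function that escapes every value unless the developer explicitly vouches for it, and a URL helper that replaces script-bearing schemes instead of relying on escaping. The type and function names and the sample inputs are assumptions for this example; the escaping itself is Python's standard html.escape.

```python
import html
import re
from urllib.parse import urlsplit


class SafeHtml(str):
    """Marker for text that is already safe to emit: escaped here, or explicitly vouched for."""


def escape(value) -> SafeHtml:
    """Escape for HTML text and attribute context; SafeHtml passes through untouched."""
    if isinstance(value, SafeHtml):
        return value
    return SafeHtml(html.escape(str(value), quote=True))


_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20]")


def safe_url(value) -> SafeHtml:
    """Return an href value that cannot run script: only http(s) and relative URLs survive."""
    # Browsers strip tabs/newlines and lower-case the scheme before matching it,
    # so the check has to look at the same normalised form, not the raw string.
    scheme = urlsplit(_CONTROL_OR_SPACE.sub("", str(value))).scheme.lower()
    if scheme not in ("", "http", "https"):
        return SafeHtml("#")      # javascript:, data:, vbscript:, ... are replaced, not escaped
    return escape(value)


def render(template: str, **values) -> SafeHtml:
    """Fill a template; every value is escaped, raw markup needs an explicit SafeHtml."""
    return SafeHtml(template.format(**{k: escape(v) for k, v in values.items()}))


def render_unsafe(template: str, **values) -> str:
    """The error-prone API the slide argues against: the developer must remember to escape."""
    return template.format(**values)


# Constructed sample: the same untrusted input through both APIs.
UNTRUSTED_NAME = '<img src=x onerror="alert(1)">'
UNTRUSTED_LINK = "JAVA\tSCRIPT:alert(document.cookie)"

if __name__ == "__main__":
    print(render_unsafe("<p>Hello {name}</p>", name=UNTRUSTED_NAME))
    print(render("<p>Hello {name}</p>", name=UNTRUSTED_NAME))
    print(render('<a href="{link}">profile</a>', link=safe_url(UNTRUSTED_LINK)))
    print(render("<div>{widget}</div>", widget=SafeHtml("<b>vouched for</b>")))
```

The design choice is that the unsafe path requires a visible act (wrapping a string in SafeHtml), which a code reviewer or a SAST rule can grep for, whereas with render_unsafe the dangerous case is the default and looks exactly like the correct one.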
Thank You
http://xkcd.com/327/
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 8 of 27
Costs of Vulnerabilities (Attacks on IT Systems)
bull TJX Company Inc (2007) $ 250 million
bull Sony (2011) $ 170 million
bull Heartland Payment Systems (2009) $ 41 million
ldquo A hack not only costs a company money but also its reputation and the trust of itscustomers It can take years and millions of dollars to repair the damage that a singlecomputer hack inflicts
(httpfinancialedgeinvestopediacomfinancial-edge0711Most-Costly-Computer-Hacks-Of-All-Timeaspx)
copy 2015 SAP SE All Rights Reserved Page 9 of 27
Vulnerability Types of CVE Reports Since 1999
Execute Code 28
Denial of Service 17
Overflow 12
XSS 11
SQL Injection 8
Gain Information 5
Bypass Something 4
Other 15
bull Causes for most vulnerabilities arebull programming errorsbull configuration errors
bull Patchingbull is expensivebull may introduce new bugs
bull How can we help developers to avoid this mistakes
copy 2015 SAP SE All Rights Reserved Page 10 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 11 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
copy 2015 SAP SE All Rights Reserved Page 12 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
We trust our developers ie we are
focusing on finding ldquoobviousrdquo bugs
copy 2015 SAP SE All Rights Reserved Page 12 of 27
SAST at SAP
ABAP
Java
C
JavaScript
Others
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 13 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)
bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerabilitybull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2015 SAP SE. All Rights Reserved. Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning: Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAP's Secure Software Development Lifecycle (S2DL)
- Myths and Lessons Learned
Costs of Vulnerabilities (Attacks on IT Systems)
• TJX Company, Inc. (2007): $ 250 million
• Sony (2011): $ 170 million
• Heartland Payment Systems (2009): $ 41 million
"A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts."
(http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx)
Vulnerability Types of CVE Reports Since 1999
Figure: share of CVE reports by vulnerability type since 1999 (in percent): Execute Code 28, Denial of Service 17, Overflow 12, XSS 11, SQL Injection 8, Gain Information 5, Bypass Something 4, Other 15
• Causes for most vulnerabilities are
  • programming errors
  • configuration errors
• Patching
  • is expensive
  • may introduce new bugs
• How can we help developers to avoid these mistakes?
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning: Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAP's Secure Software Development Lifecycle (S2DL)
6 Myths and Lessons Learned
How We Started: What We Wanted to Find
Programming Patterns That May Cause Security Vulnerabilities

Mainly two patterns:

Local issues (no data-flow dependency), e.g.
• Insecure functions
    var x = Math.random();                         // not a cryptographic random source
• Secrets stored in the source code
    var password = 'secret';

Data-flow related issues, e.g.
• Cross-site Scripting (XSS)
    var docref = document.location.href;           // source: attacker-controlled URL
    var input = docref.substring(
        docref.indexOf('default=') + 8);
    var fake = function (x) { return x; }          // "sanitizer" that passes its input through unchanged
    var cleanse = function (x) {
        return 'hello world'; }                    // result does not depend on the input
    document.write(fake(input));                   // tainted data reaches the sink: XSS
    document.write(cleanse(input));                // no data flow from input to sink: no XSS
• Secrets stored in the source code
    var foo = 'secret';
    var x = decrypt(foo, data);                    // the literal flows into the key parameter

We trust our developers, i.e., we are focusing on finding "obvious" bugs.
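As an added example (not code from the talk or from any SAP tool), the following small checker shows why the two pattern classes above need different analyses: local issues fall to a line-by-line pattern match, while the XSS case needs a source-to-sink taint analysis that knows that `fake` passes its argument through and `cleanse` does not. The JavaScript subset it parses (one statement per line, `var` assignments, single-line function definitions, `document.write` sinks) and the sample program are constructed for this example.

```javascript
// Added example: a minimal SAST-style checker for the two pattern classes on this slide.
// It handles only a constructed JavaScript subset: one statement per line, `var x = expr;`,
// single-line `var f = function (p) { return expr; }`, and `document.write(expr);` sinks.

// Local issues: a single line is enough to decide.
const LOCAL_PATTERNS = [
  { id: 'insecure-random', re: /\bMath\.random\s*\(/ },
  { id: 'hardcoded-secret', re: /\bvar\s+\w*(password|secret|key)\w*\s*=\s*'[^']*'/i },
];

// Data-flow issues: attacker-controlled sources and dangerous sinks.
const SOURCES = ['document.location.href'];
const SINK_RE = /^document\.write\((.+)\);$/;
const FUNC_RE = /^var\s+(\w+)\s*=\s*function\s*\((\w+)\)\s*\{\s*return\s+(.+?);\s*\}$/;
const ASSIGN_RE = /^var\s+(\w+)\s*=\s*(.+);$/;
const CALL_RE = /^(\w+)\((.+)\)$/;

const wordRe = (name) => new RegExp(`\\b${name}\\b`);

// Local checks: report every line matching one of the patterns.
function localFindings(lines) {
  const out = [];
  lines.forEach((raw, i) => {
    for (const { id, re } of LOCAL_PATTERNS) {
      if (re.test(raw)) out.push({ line: i + 1, id });
    }
  });
  return out;
}

// Does `expr` carry tainted data? `tainted` holds tainted variable names,
// `summaries` maps a function name to whether its result depends on its parameter.
function isTainted(expr, tainted, summaries) {
  if (SOURCES.some((s) => expr.includes(s))) return true;
  const call = expr.trim().match(CALL_RE);
  if (call && summaries.has(call[1])) {
    // A summarised call propagates taint only if its return value depends on the argument.
    return summaries.get(call[1]) && isTainted(call[2], tainted, summaries);
  }
  return [...tainted].some((v) => wordRe(v).test(expr));
}

// Data-flow check: one forward pass that tracks taint per variable and
// builds a summary for each function definition it sees.
function taintFindings(lines) {
  const tainted = new Set();
  const summaries = new Map();
  const out = [];
  lines.forEach((raw, i) => {
    const line = raw.trim();
    let m;
    if ((m = line.match(FUNC_RE))) {
      // Summary: the return expression mentions the parameter, so taint flows through.
      summaries.set(m[1], wordRe(m[2]).test(m[3]));
    } else if ((m = line.match(ASSIGN_RE))) {
      if (isTainted(m[2], tainted, summaries)) tainted.add(m[1]);
    } else if ((m = line.match(SINK_RE))) {
      if (isTainted(m[1], tainted, summaries)) {
        out.push({ line: i + 1, id: 'xss', sink: 'document.write', arg: m[1] });
      }
    }
  });
  return out;
}

// Constructed sample: the slide's snippets, with multi-line statements joined onto one line.
const SAMPLE = [
  "var x = Math.random();",
  "var password = 'secret';",
  "var docref = document.location.href;",
  "var input = docref.substring(docref.indexOf('default=') + 8);",
  "var fake = function (x) { return x; }",
  "var cleanse = function (x) { return 'hello world'; }",
  "document.write(fake(input));",
  "document.write(cleanse(input));",
];

function analyze(lines) {
  return { local: localFindings(lines), dataflow: taintFindings(lines) };
}

// Expected: two local findings (lines 1 and 2) and one XSS finding at line 7;
// line 8 is not reported because cleanse() never lets its input through.
console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```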
SAST at SAP
Figure: languages covered by SAST at SAP (ABAP, Java, C, JavaScript, Others)
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• SAST tools used at SAP:
    Language     Tool               Vendor
    ABAP         CVA (SLIN_SEC)     SAP
    JavaScript   Checkmarx CxSAST   Checkmarx
    C/C++        Coverity           Coverity
    Others       Fortify            HP
• Further details: Deploying Static Application Security Testing on a Large Scale. In: GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91-101, GI, 2014.
So, Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability
• It also supports a mode that reports no false positives
Agenda
4 A Risk-based Security Testing Strategy
Combining Multiple Security Testing Methods and Tools
Figure: software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) and the tools covering its layers: Checkmarx (JavaScript), DOMinator, Fortify (Java), Coverity (C/C++), HP WebInspect, IBM AppScan
• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
A Risk-based Test Plan
Figure: the Security Test Plan is derived from the application type (selected from a list of predefined application types), implementation details (e.g., programming languages, frameworks), the priority of SAP Security Requirements, and a risk assessment (e.g., SECURIM threat modelling, OWASP ASVS)
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
Agenda
5 SAP's Secure Software Development Lifecycle (S2DL)
SAP's Secure Software Development Lifecycle (S2DL)
Figure: SAP SSDL
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
Figure: SAP SSDL, from start of development to shipment decision: Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response; with the artifacts Security Measure Plan, Security Test Plan, Security Test Report, Security Validation Report and Security Measure Report
Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g., code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
Agenda
6 Myths and Lessons Learned
Continuously Measure Your Work and Improve Your Setup
But How to Measure, and What to Expect?

What we do:
• Externally reported vulnerabilities / vulnerabilities found by validation: check why we missed it earlier
• Potential reasons for missing a vulnerability (and actions):
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools
      ⇒ analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing tool
    • cannot be detected in principle by our tools
      ⇒ research for suitable tools and decide if risk justifies effort for introducing new tool
  • Vulnerability can be detected by our tools
    • with recent configuration, but not with configuration at release date
      ⇒ no immediate actions necessary
    • with configuration at release date
      ⇒ analyze why it was not detected and take further actions

What we expect:
• Issues not covered by current tool configuration should increase (ideally to 100%)

What we observe:
• Increase of logic-based flaws
Penetration Tests at the End of Development Test/Ensure the Security of the Developed Product, Right?
Main purpose of penetration tests at end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally, they only find
  • no issues that can be fixed/detected earlier (e.g., configuration)
Note: penetration tests in productive environments are different
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
False Positives are not Your Biggest Concern
A Pragmatic Solution for Too Many Findings: Prioritize Them
• What needs to be audited?
• What needs to be fixed
  • as security issue (response effort)
  • as quality issue
• Different rules for
  • old code
  • new code
Listen to Your Developers: Development Awareness
Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• ...
And, by the way, this also holds for DevOps (Cloud).
Thank you
http://xkcd.com/327/
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Vulnerability Types of CVE Reports Since 1999
Execute Code 28
Denial of Service 17
Overflow 12
XSS 11
SQL Injection 8
Gain Information 5
Bypass Something 4
Other 15
bull Causes for most vulnerabilities arebull programming errorsbull configuration errors
bull Patchingbull is expensivebull may introduce new bugs
bull How can we help developers to avoid this mistakes
copy 2015 SAP SE All Rights Reserved Page 10 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 11 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
copy 2015 SAP SE All Rights Reserved Page 12 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
We trust our developers ie we are
focusing on finding ldquoobviousrdquo bugs
copy 2015 SAP SE All Rights Reserved Page 12 of 27
SAST at SAP
ABAP
Java
C
JavaScript
Others
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 13 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)
bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerabilitybull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All Rights Reserved. Page 27 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning: Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAP's Secure Software Development Lifecycle (S2DL)
6 Myths and Lessons Learned
© 2015 SAP SE. All Rights Reserved. Page 11 of 27
How We Started: What We Wanted to Find. Programming Patterns That May Cause Security Vulnerabilities
Mainly two patterns:
Local issues (no data-flow dependency), e.g.
• Insecure functions
    var x = Math.random();
• Secrets stored in the source code
    var password = 'secret';
Data-flow related issues, e.g.
• Cross-site Scripting (XSS)
    var docref = document.location.href;
    var input = docref.substring(
                  docref.indexOf("default=") + 8);
    var fake = function (x) { return x; };   // passes the tainted value through unchanged
    var cleanse = function (x) {
      return 'hello world'; };               // drops the tainted value entirely
    document.write(fake(input));             // tainted data reaches the sink: XSS
    document.write(cleanse(input));          // safe: the sink only sees a constant
• Secrets stored in the source code
    var foo = 'secret';
    var x = decrypt(foo, data);              // the literal flows into the decryption key
We trust our developers, i.e. we are focusing on finding "obvious" bugs.
© 2015 SAP SE. All Rights Reserved. Page 12 of 27
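As an added example (not SAP's or any vendor's tooling, and not from the slides), a toy checker in Python that finds the slide's two pattern classes in a constructed JavaScript sample: local patterns by a per-line regex, data-flow patterns by forward taint propagation that tells `fake` (pass-through) from `cleanse` (sanitizer) by whether the function body references its parameter. The source and sink lists, the variable `key` and the undefined `data` are assumptions.

```python
"""Toy SAST for the two pattern classes on the slide: local patterns that a
single line reveals (insecure function, hard-coded secret in an obviously
named variable) and data-flow patterns that need taint tracking (DOM XSS
from document.location.href to document.write; a string literal flowing
into decrypt()). Added example, not SAP's or any vendor's tooling."""
import re

# Constructed sample mirroring the slide's snippets (not from the slides).
SAMPLE_JS = """\
var x = Math.random();
var password = 'secret';
var docref = document.location.href;
var input = docref.substring(docref.indexOf("default=") + 8);
var fake = function (x) { return x; };
var cleanse = function (x) { return 'hello world'; };
document.write(fake(input));
document.write(cleanse(input));
var foo = 'secret';
var key = decrypt(foo, data);
"""

# --- local patterns: one regex per line, no context needed ---------------
LOCAL_RULES = [
    ("insecure-random", re.compile(r"\bMath\.random\s*\(")),
    ("hardcoded-secret", re.compile(
        r"""\b(password|passwd|secret|api_?key)\s*=\s*['"][^'"]+['"]""", re.I)),
]

# --- data-flow patterns: sources, sinks, and how taint moves ------------
SOURCES = {"url": ("document.location.href", "location.href", "document.URL")}
SINKS = [  # (finding, regex capturing the argument list, label that makes it a bug)
    ("dom-xss", re.compile(r"document\.write\s*\((.*)\)"), "url"),
    ("hardcoded-key", re.compile(r"\bdecrypt\s*\((.*)\)"), "literal"),
]
ASSIGN_RE = re.compile(r"^\s*var\s+(\w+)\s*=\s*(.*?);?\s*$")
FUNC_RE = re.compile(r"^function\s*\((\w*)\)\s*\{(.*)\}\s*$")
STRING_RE = re.compile(r"""(['"]).*\1""")
CALL_RE = re.compile(r"\b(\w+)\s*\(([^()]*)\)")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def local_findings(src):
    """[(line_no, rule)] for every line that matches a local pattern."""
    return [(no, rule)
            for no, line in enumerate(src.splitlines(), 1)
            for rule, rx in LOCAL_RULES if rx.search(line)]


def taint_of(expr, tainted, funcs):
    """Labels reaching `expr`. Calls are folded innermost-first: a sanitizer
    call contributes nothing, a pass-through or unknown callee (substring,
    indexOf, ...) conservatively forwards its arguments. The labels of the
    identifiers that remain are unioned."""
    prev = None
    while prev != expr:
        prev = expr
        expr = CALL_RE.sub(
            lambda m: m.group(2) if funcs.get(m.group(1), True) else '""', expr)
    labels = set()
    for ident in IDENT_RE.findall(expr):
        labels |= tainted.get(ident, set())
    return labels


def dataflow_findings(src):
    """Forward taint propagation over straight-line code, one statement per
    line. tainted: variable -> labels; funcs: name -> True (pass-through) or
    False (sanitizer: its body never mentions its parameter)."""
    tainted, funcs, out = {}, {}, []
    for no, line in enumerate(src.splitlines(), 1):
        for finding, rx, label in SINKS:          # sinks first: a sink may sit in a var statement
            m = rx.search(line)
            if m and label in taint_of(m.group(1), tainted, funcs):
                out.append((no, finding))
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        f = FUNC_RE.match(rhs)
        if f:                                     # function definition: classify it
            param, body = f.groups()
            funcs[name] = bool(param) and re.search(
                r"\b%s\b" % re.escape(param), body) is not None
            continue
        labels = taint_of(rhs, tainted, funcs)    # taint inherited from the right-hand side
        if any(s in rhs for s in SOURCES["url"]):
            labels.add("url")
        if STRING_RE.fullmatch(rhs.strip()):
            labels.add("literal")
        if labels:
            tainted[name] = labels
    return out


def scan(src):
    """All findings, sorted by line number."""
    return sorted(local_findings(src) + dataflow_findings(src))


if __name__ == "__main__":
    for no, finding in scan(SAMPLE_JS):
        print("line %d: %s" % (no, finding))
```

Note that `foo = 'secret'` escapes the local rule (the variable name gives nothing away) and is only caught when the literal reaches `decrypt()`, which is the slide's reason for listing it under data-flow issues.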
SAST at SAP
[Figure with language labels: ABAP, Java, C, JavaScript, Others]
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• SAST tools used at SAP:
  Language   | Tool             | Vendor
  ABAP       | CVA (SLIN_SEC)   | SAP
  JavaScript | Checkmarx CxSAST | Checkmarx
  C/C++      | Coverity         | Coverity
  Others     | Fortify          | HP
• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101. GI, 2014.
© 2015 SAP SE. All Rights Reserved. Page 13 of 27
So, Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability
• It supports also a mode that reports no false positives
© 2015 SAP SE. All Rights Reserved. Page 14 of 27
Combining Multiple Security Testing Methods and Tools
[Figure: software stack with layers Client Application, Web Browser, Server Application, Runtime Container, Backend Systems; tools shown: Checkmarx (JavaScript), Fortify (Java), DOMinator, Coverity (C/C++), HP WebInspect, IBM AppScan]
• Risks of only using SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Covers not all layers of the software stack
© 2015 SAP SE. All Rights Reserved. Page 16 of 27
A Risk-based Test Plan
[Figure: inputs to the Security Test Plan: selection from a list of predefined application types; implementation details, e.g. programming languages, frameworks; priority of SAP Security Requirements; RISK ASSESSMENT (e.g. SECURIM, Threat Modelling, OWASP ASVS)]
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
© 2015 SAP SE. All Rights Reserved. Page 17 of 27
SAP's Secure Software Development Lifecycle (S2DL)
[Figure: SAP SSDL]
© 2015 SAP SE. All Rights Reserved. Page 19 of 27
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
[Figure: SAP SSDL. Phases from start of development to shipment decision: Training, Risk Identification, Plan Security Measures, Secure development, Security testing, Security Validation, Security Response. Deliverables: Security Measure Plan, Security Test Plan, Security Test Report, Security Validation Report, Security Measure Report]
Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g. code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
© 2015 SAP SE. All Rights Reserved. Page 20 of 27
Continuously Measure Your Work and Improve Your Setup: But How to Measure, and What to Expect?
What we do
• Externally reported vulnerabilities / vulnerabilities found by validation: check why we missed them earlier
• Potential reasons for missing a vulnerability (and actions)
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools
      ⇒ analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing tool
    • cannot be detected in principle by our tools
      ⇒ research for suitable tools and decide if risk justifies effort for introducing new tool
  • Vulnerability can be detected by our tools
    • With recent configuration, but not configuration at release date
      ⇒ no immediate actions necessary
    • With configuration at release date
      ⇒ analyze why it was not detected and take further actions
What we expect
• Issues not covered by current tool configuration should increase (ideally to 100%)
What we observe
• Increase of logic-based flaws
© 2015 SAP SE. All Rights Reserved. Page 22 of 27
Penetration Tests at the End of Development: test/ensure the security of the developed product, right?
Main purpose of penetration tests at end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally they only find
  • no issues that can be fixed/detected earlier (e.g. configuration)
Note: penetration tests in productive environments are different
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)
© 2015 SAP SE. All Rights Reserved. Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
copy 2015 SAP SE All Rights Reserved Page 12 of 27
How We Started What We Wanted to FindProgramming Patterns That May Cause Security Vulnerabilities
Mainly two patternsLocal issues (no data-flow dependency) eg
bull Insecure functions
1 var x = Mathrandom()
bull Secrets stored in the source code
1 var password = rsquosecretrsquo
Data-flow related issues eg
bull Cross-site Scripting (XSS)
1 var docref = documentlocationhref2 var input = docrefsubstring(3 docrefindexOf(default=)+8)4 var fake = function (x) return x5 var cleanse = function (x) 6 return rsquohello worldrsquo7 documentwrite(fake(input))8 documentwrite(cleanse(uinput))
bull Secrets stored in the source code
1 var foo = rsquosecretrsquo2 var x = decrypt(foodata)
We trust our developers ie we are
focusing on finding ldquoobviousrdquo bugs
copy 2015 SAP SE All Rights Reserved Page 12 of 27
SAST at SAP
ABAP
Java
C
JavaScript
Others
bull Since 2010 mandatory for all SAP products
bull Multiple billions lines analyzed
bull Constant improvement of tool configuration
bull SAST tools used at SAP
Language Tool Vendor
ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx
CC++ Coverity CoverityOthers Fortify HP
bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014
copy 2015 SAP SE All Rights Reserved Page 13 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)
bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerabilitybull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Continuously Measure Your Work and Improve Your Setup: But How to Measure and What to Expect?
What we do
• Externally reported vulnerabilities / vulnerabilities found by validation: check why we missed it earlier
• Potential reasons for missing a vulnerability (and actions)
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools ⇒ analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing the tool
    • cannot be detected in principle by our tools ⇒ research suitable tools and decide if risk justifies effort for introducing a new tool
  • Vulnerability can be detected by our tools
    • With recent configuration but not configuration at release date ⇒ no immediate actions necessary
    • With configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect
• Issues not covered by current tool configuration should increase (ideally to 100%)
What we observe
• Increase of logic-based flaws
Penetration Tests at the End of Development test/ensure the security of the developed product, right?
Main purpose of penetration tests at end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally they only find
  • no issues that can be fixed/detected earlier (e.g. configuration)
Note: penetration tests in productive environments are different
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)
False Positives are not Your Biggest Concern: A Pragmatic Solution for Too Many Findings: Prioritize Them
• What needs to be audited?
• What needs to be fixed?
  • as security issue (response effort)
  • as quality issue
• Different rules for
  • old code
  • new code
Listen to Your Developers: Development Awareness. Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.
Always keep in mind: Building a secure system is more difficult than finding a successful attack.
We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• ...
And btw, this also holds for DevOps (Cloud).
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
How We Started: What We Wanted to Find. Programming Patterns That May Cause Security Vulnerabilities
Mainly two patterns:
Local issues (no data-flow dependency), e.g.
• Insecure functions
  var x = Math.random(); // not a cryptographically secure random source
• Secrets stored in the source code
  var password = 'secret'; // hard-coded credential
Data-flow related issues, e.g.
• Cross-site Scripting (XSS)
  var docref = document.location.href; // untrusted input (source)
  var input = docref.substring(3, docref.indexOf('default=') + 8);
  var fake = function (x) { return x; }; // looks like a sanitizer, sanitizes nothing
  var cleanse = function (x) { return 'hello world'; }; // real sanitizer
  document.write(fake(input)); // tainted data reaches the sink
  document.write(cleanse(input)); // sanitized before the sink
• Secrets stored in the source code
  var foo = 'secret';
  var x = decrypt(foo, data); // hard-coded key flows into a crypto API
We trust our developers, i.e., we are focusing on finding "obvious" bugs.
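The two pattern classes above differ in what the checker must remember between lines. As an added example (not code from the slides or SAP's tools), here is a toy line-based checker: the insecure-function and secret-by-name rules decide from one line alone, while the XSS and hard-coded-key rules need taint and literal tracking from earlier lines; the source, sink and sanitizer lists, the rule names and the sample program are assumptions of this toy.

```javascript
// Added example, not from the SAP slides: a toy line-based SAST checker.
// Real tools work on an AST/SSA form with inter-procedural flows; this one
// only understands `var x = ...` statements and direct calls, which is enough
// for the slide's snippets. All lists below are assumptions of the toy.
const SOURCES = ['document.location.href'];     // untrusted input (taint source)
const XSS_SINKS = ['document.write'];           // DOM output sink
const SANITIZERS = new Set(['cleanse']);       // names the tool trusts; `fake` is not listed
const KEY_SINKS = ['decrypt'];                  // first argument must not be a literal
const INSECURE_FUNCTIONS = ['Math.random'];     // local pattern: weak randomness
const SECRET_NAMES = /^(password|passwd|secret|apikey|token)$/i;
const STRING_LITERAL = /^(['"]).*\1$/;
const ASSIGN = /^\s*var\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/;
const CALL = /^([A-Za-z_$][\w$.]*)\((.*)\)$/;

function identifiers(expr) {
  return expr.match(/[A-Za-z_$][\w$]*/g) || [];
}

// Taint propagates through any expression mentioning a source or a tainted
// variable, unless the whole expression is a call to a trusted sanitizer.
// A wrapper the tool does not know (like `fake`) does not clear taint.
function isTainted(expr, tainted) {
  const call = expr.trim().match(CALL);
  if (call && SANITIZERS.has(call[1])) return false;
  if (SOURCES.some(src => expr.includes(src))) return true;
  return identifiers(expr).some(id => tainted.has(id));
}

// Returns the argument text of `fn(...)` on this line, or null if absent.
function callArgument(line, fn) {
  const idx = line.indexOf(fn + '(');
  if (idx < 0) return null;
  return line.slice(idx + fn.length + 1, line.lastIndexOf(')')).trim();
}

function analyze(source) {
  const findings = [];
  const tainted = new Set();   // variables carrying untrusted data
  const literals = new Set();  // variables holding a string literal
  source.split('\n').forEach((line, i) => {
    const lineNo = i + 1;
    // Local patterns: decided from the single line alone.
    for (const f of INSECURE_FUNCTIONS) {
      if (line.includes(f + '(')) findings.push({ line: lineNo, kind: 'insecure-function', detail: f });
    }
    const assign = line.match(ASSIGN);
    if (assign) {
      const [, name, rhs] = assign;
      if (STRING_LITERAL.test(rhs.trim())) {
        literals.add(name);
        if (SECRET_NAMES.test(name)) findings.push({ line: lineNo, kind: 'hardcoded-secret', detail: name });
      }
      if (isTainted(rhs, tainted)) tainted.add(name);
    }
    // Data-flow patterns: depend on what earlier lines established.
    for (const s of XSS_SINKS) {
      const arg = callArgument(line, s);
      if (arg !== null && isTainted(arg, tainted)) findings.push({ line: lineNo, kind: 'xss', detail: arg });
    }
    for (const k of KEY_SINKS) {
      const arg = callArgument(line, k);
      if (arg === null) continue;
      const key = arg.split(',')[0].trim();
      if (STRING_LITERAL.test(key) || literals.has(key)) findings.push({ line: lineNo, kind: 'hardcoded-key', detail: key });
    }
  });
  return findings;
}

// Constructed sample input: the slide's snippets joined into one file.
const SAMPLE = [
  "var x = Math.random();",
  "var password = 'secret';",
  "var docref = document.location.href;",
  "var input = docref.substring(3, docref.indexOf('default=') + 8);",
  "var fake = function (x) { return x; };",
  "var cleanse = function (x) { return 'hello world'; };",
  "document.write(fake(input));",
  "document.write(cleanse(input));",
  "var foo = 'secret';",
  "var y = decrypt(foo, data);",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of analyze(SAMPLE)) console.log(`line ${f.line}: ${f.kind} (${f.detail})`);
}
```

On the sample, `foo = 'secret'` produces no finding by itself (the name is innocuous); it is only reported once the literal flows into `decrypt`, which is the difference between the two pattern classes.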
SAST at SAP
Figure: languages analysed (ABAP, Java, C, JavaScript, Others)
• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• SAST tools used at SAP:
  Language    | Tool               | Vendor
  ABAP        | CVA (SLIN_SEC)     | SAP
  JavaScript  | Checkmarx CxSAST   | Checkmarx
  C/C++       | Coverity           | Coverity
  Others      | Fortify            | HP
• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91-101, GI 2014
So Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability
• It also supports a mode that reports no false positives
Combining Multiple Security Testing Methods and Tools
Figure: software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) with tool coverage per layer: Checkmarx (JavaScript), DOMinator, Fortify (Java), Coverity (C/C++), HP WebInspect, IBM AppScan
• Risks of only using SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Covers not all layers of the software stack
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
Figure: SAP S2DL phases from start of development to shipment decision: Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response. Deliverables shown along the way: Security Measure Plan, Security Test Plan, Security Measure Report, Security Test Report, Security Validation Report
Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g. code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
Continuously Measure Your Work and Improve Your Setup: But How to Measure and What to Expect?
What we do
• Externally reported vulnerabilities / vulnerabilities found by validation: check why we missed them earlier
• Potential reasons for missing a vulnerability (and actions)
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools ⇒ analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing tool
    • cannot be detected in principle by our tools ⇒ research for suitable tools and decide if risk justifies effort for introducing new tool
  • Vulnerability can be detected by our tools
    • With recent configuration but not configuration at release date ⇒ no immediate actions necessary
    • With configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect
• Issues not covered by current tool configuration should increase (ideally to 100%)
What we observe
• Increase of logic-based flaws
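The decision tree above can be written down as code. The following Python is an added example, not SAP's process tooling: it classifies each escaped vulnerability against the tool configuration that was in force at release and the current configuration, derives the action from the slide, and computes the share of issues that lie outside the current configuration, which is the metric the slide expects to rise towards 100%. The tool configurations, the CWE-based vulnerability classes and the sample reports are constructed assumptions.

```python
"""Root-cause triage of vulnerabilities that escaped pre-release testing.

Added example, not SAP's process tooling. The decision tree follows the
slide; tool configurations, vulnerability classes and sample reports are
constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# The four leaves of the decision tree and the action attached to each.
NOT_DETECTABLE = "not detectable in principle by our tools"
DETECTABLE_ENHANCE = "detectable in principle, tool needs enhancement"
CONFIG_FIXED_SINCE = "detectable with current configuration, not with release configuration"
MISSED_AT_RELEASE = "detectable with configuration at release date"

ACTION = {
    NOT_DETECTABLE: "research suitable tools; decide if the risk justifies introducing one",
    DETECTABLE_ENHANCE: "analyze necessary changes with the vendor; decide if the risk justifies the effort",
    CONFIG_FIXED_SINCE: "no immediate action",
    MISSED_AT_RELEASE: "analyze why it was not detected; take further action",
}


@dataclass(frozen=True)
class ToolConfig:
    """A tool configuration, reduced to the vulnerability classes it reports."""
    name: str
    reported_classes: frozenset


@dataclass(frozen=True)
class EscapedVuln:
    id: str
    vuln_class: str                # e.g. a CWE id
    detectable_in_principle: bool  # can a code scanner find this class at all?


def classify(v, release_cfg, current_cfg):
    """Walk the decision tree for one escaped vulnerability."""
    if v.vuln_class in release_cfg.reported_classes:
        return MISSED_AT_RELEASE        # was reportable on release day: investigate
    if v.vuln_class in current_cfg.reported_classes:
        return CONFIG_FIXED_SINCE       # a rule added since release already covers it
    if v.detectable_in_principle:
        return DETECTABLE_ENHANCE       # no rule yet, but a scanner could have one
    return NOT_DETECTABLE               # e.g. a business-logic flaw


def triage(vulns, release_cfg, current_cfg):
    """Return the verdict per vulnerability and the share of issues that lie
    outside the current tool configuration (the slide's metric)."""
    verdicts = {v.id: classify(v, release_cfg, current_cfg) for v in vulns}
    counts = Counter(verdicts.values())
    outside_current = counts[NOT_DETECTABLE] + counts[DETECTABLE_ENHANCE]
    share = outside_current / len(vulns) if vulns else 0.0
    return verdicts, share


# Constructed sample: the configuration shipped with the release, the current
# one (one rule added since), and four vulnerabilities reported afterwards.
RELEASE_CFG = ToolConfig("sast-release", frozenset({"CWE-79", "CWE-89"}))
CURRENT_CFG = ToolConfig("sast-current", frozenset({"CWE-79", "CWE-89", "CWE-611"}))

SAMPLE_VULNS = [
    EscapedVuln("V-1", "CWE-89", True),    # SQL injection: release config should have found it
    EscapedVuln("V-2", "CWE-611", True),   # XXE: rule added after release
    EscapedVuln("V-3", "CWE-352", True),   # CSRF: no rule yet, but scanners can check for it
    EscapedVuln("V-4", "CWE-840", False),  # business-logic error: out of a scanner's reach
]

if __name__ == "__main__":
    verdicts, share = triage(SAMPLE_VULNS, RELEASE_CFG, CURRENT_CFG)
    for vid, verdict in verdicts.items():
        print(f"{vid}: {verdict} -> {ACTION[verdict]}")
    print(f"share outside current configuration: {share:.0%}")
```

The order of the checks matters: a class the release configuration already reported is the only case that points at a failure of the process rather than of the tool, which is why it is tested first. As the strategy matures, the share of V-3/V-4 style verdicts is what should grow, matching the "increase of logic-based flaws" the slide reports.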
Penetration Tests at the End of Development Test/Ensure the Security of the Developed Product, Right?
Main purpose of penetration tests at end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally they find no issues that could have been fixed/detected earlier (e.g. configuration)
Note: penetration tests in productive environments are different
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)
False Positives are not Your Biggest Concern: A Pragmatic Solution for Too Many Findings: Prioritize Them
• What needs to be audited
• What needs to be fixed
  • as security issue (response effort)
  • as quality issue
• Different rules for
  • old code
  • new code
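As an added illustration of such a prioritization (assumed rules, not SAP's actual policy or code), the Python below decides for each SAST finding whether it is audited, fixed as a security issue, fixed as a quality issue, or deferred, with stricter rules for new code than for old code, and then orders the findings into a worklist. Severity levels, confidence values, the legacy confidence threshold and the sample findings are assumptions constructed for the example.

```python
"""Prioritizing SAST findings (added example; assumed rules, not SAP's policy).

Each finding is routed to one of four outcomes, with stricter rules for
new code than for old code, and the result is ordered into a worklist.
Severity levels, confidence values, the legacy confidence threshold and
the sample findings are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

AUDIT = "audit"                          # a human decides before the finding is closed
FIX_SECURITY = "fix as security issue"   # tracked with security response effort
FIX_QUALITY = "fix as quality issue"     # handled like any other defect
DEFER = "defer"                          # low-confidence noise in old code: not audited now

ORDER = {FIX_SECURITY: 0, AUDIT: 1, FIX_QUALITY: 2, DEFER: 3}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Assumed: below this confidence, non-critical findings in old code are deferred.
LEGACY_CONFIDENCE = 0.7


@dataclass(frozen=True)
class Finding:
    id: str
    category: str      # e.g. "sql-injection"
    severity: str      # "critical" | "high" | "medium" | "low"
    confidence: float  # 0.0 .. 1.0 as reported by the tool
    new_code: bool     # introduced or changed in this release (e.g. from the VCS diff)
    reachable: bool    # tool traced a path from untrusted input to the sink


def decide(f):
    """Route one finding; new code is held to stricter rules than old code."""
    rank = SEVERITY_RANK[f.severity]
    if f.new_code:
        if rank >= 3 and f.reachable:
            return FIX_SECURITY          # confirmed exploitable path in new code
        if rank >= 2 or f.reachable:
            return AUDIT                 # nothing in new code is waved through unseen
        return FIX_QUALITY
    # Old code: spend audit effort where it pays off.
    if rank >= 3 and f.reachable:
        return FIX_SECURITY              # a data-flow trace is evidence regardless of confidence
    if rank < 4 and f.confidence < LEGACY_CONFIDENCE:
        return DEFER                     # critical findings are never deferred
    if rank >= 3:
        return AUDIT
    return FIX_QUALITY


def prioritize(findings):
    """Worklist: security fixes first, then audits, then quality fixes, then
    deferred items; within a group by severity, then by confidence."""
    decided = [(f, decide(f)) for f in findings]
    decided.sort(key=lambda fa: (ORDER[fa[1]],
                                 -SEVERITY_RANK[fa[0].severity],
                                 -fa[0].confidence))
    return decided


def summarize(findings):
    """How many findings land in each outcome."""
    return dict(Counter(action for _, action in prioritize(findings)))


# Constructed sample findings, as a scanner might report them.
SAMPLE_FINDINGS = [
    Finding("F-1", "sql-injection", "critical", 0.9, True, True),
    Finding("F-2", "xss", "high", 0.4, True, False),
    Finding("F-3", "weak-random", "low", 0.9, True, False),
    Finding("F-4", "xss", "high", 0.5, False, False),
    Finding("F-5", "path-traversal", "high", 0.8, False, True),
    Finding("F-6", "hardcoded-password", "critical", 0.3, False, False),
    Finding("F-7", "weak-hash", "low", 0.9, False, False),
]

if __name__ == "__main__":
    for f, action in prioritize(SAMPLE_FINDINGS):
        print(f"{f.id} {f.severity:8s} conf={f.confidence:.1f} "
              f"{'new' if f.new_code else 'old'} -> {action}")
    print(summarize(SAMPLE_FINDINGS))
```

The point of the split rules is the one the slide makes: the false-positive rate is not what drowns a team, the unprioritized volume is. New code gets no deferral at all, so the scanner becomes a gate on what is added, while in old code only findings with a traced path or a critical rating cost audit effort up front.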
Listen to Your Developers: Development Awareness
Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• …
And btw, this also holds for DevOps (Cloud)
Thank you
http://xkcd.com/327
So Everything is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat)
• The cat tool reports each line that might contain a vulnerability
• It also supports a mode that reports no false positives
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)
bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerability
bull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerabilitybull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your Setup: But How to Measure, and What to Expect?
What we do
• Externally reported vulnerabilities, or vulnerabilities found by validation: check why we missed them earlier
• Potential reasons for missing a vulnerability (and actions)
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools
      ⇒ analyze necessary changes (with tool vendor) and decide if the risk justifies the effort of enhancing the tool
    • cannot be detected in principle by our tools
      ⇒ research suitable tools and decide if the risk justifies the effort of introducing a new tool
  • Vulnerability can be detected by our tools
    • with the recent configuration, but not the configuration at release date ⇒ no immediate actions necessary
    • with the configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect
• Issues not covered by the current tool configuration should increase (ideally to 100%)
What we observe
• Increase of logic-based flaws
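The decision tree above, encoded as a triage routine together with the KPI the slide proposes (share of misses that the current tool configuration does not cover), as an added example that is not from the talk or from SAP; the record fields and the sample data are constructed for this example.

```python
"""Root-cause triage for vulnerabilities that security testing missed.

Added example, not code from the talk: encodes the slide's decision tree for
externally reported or validation-found vulnerabilities and the KPI "share of
misses not covered by the current tool configuration". Records are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class MissedVuln:
    vuln_id: str
    category: str                  # e.g. "injection", "logic"; used for trend analysis
    detectable_in_principle: bool  # can our tool classes find this kind of flaw at all?
    found_by_current_config: bool  # re-scan with today's rules/configuration finds it
    found_by_release_config: bool  # re-scan with the configuration in force at release


# The four actions of the slide, one per branch of the decision tree.
PROCESS_GAP = "detected at release date: analyze why it was not acted on, take further actions"
CONFIG_IMPROVED = "detected only by the recent configuration: no immediate action"
TOOL_GAP = "detectable in principle: analyze changes with the tool vendor, weigh risk vs. effort"
METHOD_GAP = "not detectable by our tools: research new tools, weigh risk vs. effort"


def classify(v: MissedVuln) -> str:
    """Map one missed vulnerability to the action the slide prescribes."""
    # A record claiming detection by a tool that cannot detect the flaw class is
    # inconsistent; refuse it instead of silently skewing the KPI.
    if (v.found_by_current_config or v.found_by_release_config) and not v.detectable_in_principle:
        raise ValueError(f"{v.vuln_id}: detected by a tool but marked not detectable")
    if v.found_by_release_config:
        return PROCESS_GAP
    if v.found_by_current_config:
        return CONFIG_IMPROVED
    if v.detectable_in_principle:
        return TOOL_GAP
    return METHOD_GAP


def action_counts(vulns) -> Counter:
    """How many misses fall into each action bucket for one release cycle."""
    return Counter(classify(v) for v in vulns)


def uncovered_share(vulns) -> float:
    """KPI from the slide: fraction of misses the current configuration does not
    cover. It should trend towards 1.0 as configuration gaps are closed, leaving
    only flaws the tools cannot find."""
    if not vulns:
        raise ValueError("no missed vulnerabilities recorded: KPI undefined")
    uncovered = sum(1 for v in vulns if classify(v) in (TOOL_GAP, METHOD_GAP))
    return uncovered / len(vulns)


def uncovered_categories(vulns) -> Counter:
    """Which flaw classes escape the tools entirely (the slide reports a rise of
    logic-based flaws in this bucket)."""
    return Counter(v.category for v in vulns if classify(v) == METHOD_GAP)


# Constructed sample: one release cycle, five misses.
SAMPLE = [
    MissedVuln("V-1", "injection", True, True, True),
    MissedVuln("V-2", "xss", True, True, False),
    MissedVuln("V-3", "deserialization", True, False, False),
    MissedVuln("V-4", "logic", False, False, False),
    MissedVuln("V-5", "logic", False, False, False),
]

if __name__ == "__main__":
    for action, n in action_counts(SAMPLE).items():
        print(f"{n} x {action}")
    print(f"uncovered share: {uncovered_share(SAMPLE):.0%}")
    print("uncovered by category:", dict(uncovered_categories(SAMPLE)))
```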
Penetration Tests at the End of Development: Test/Ensure the Security of the Developed Product, Right?
Main purpose of penetration tests at end of development is
• to check for "flaws" in the S2DL (and not the product)
• Ideally they only find
  • no issues that can be fixed/detected earlier (e.g., configuration)
Note: penetration tests in productive environments are different
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
False Positives Are Not Your Biggest Concern: A Pragmatic Solution for Too Many Findings: Prioritize Them
• What needs to be audited?
• What needs to be fixed?
  • as security issue (response effort)
  • as quality issue
• Different rules for
  • old code
  • new code
Listen to Your Developers: Development Awareness. Developers Should Be the Best Friends of Security Experts (Not Their Enemies)
We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• ...
And by the way, this also holds for DevOps (Cloud).
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
So Everything Is Secure Now, Right?
"Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure."
Undisclosed sales engineer from a SAST tool vendor
Yes, this tool exists. It is called Code Assurance Tool (cat):
• The cat tool reports each line that might contain a vulnerability
• It also supports a mode that reports no false positives
Combining Multiple Security Testing Methods and Tools
[Figure: the software stack, top to bottom: Client Application, Web Browser, Server Application, Runtime Container, Backend Systems, with the tools used across its layers. SAST: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++). DAST: DOMinator, HP WebInspect, IBM AppScan.]
• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
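One way to derive a risk-based test plan from a project's technology inventory along the lines of the two slides above (tool selection per layer, coverage gaps of SAST, re-adjustment by identified risk), as an added example that is not code from the talk or from SAP. The tool/language pairings are those named on the slide; which stack layer each dynamic tool covers, the risk rules, and the sample project are assumptions made for this example.

```python
"""Risk-based security test plan from a technology inventory.

Added example, not code from the talk or from SAP. The tool/language pairings
are those named on the slide; which stack layer each tool covers and how the
risk rating adjusts the plan are assumptions made for this example.
"""
from dataclasses import dataclass, field

# Static analysis tools per language, as named on the slide.
SAST_BY_LANGUAGE = {
    "java": "Fortify (Java)",
    "javascript": "Checkmarx (JavaScript)",
    "c": "Coverity (C/C++)",
    "c++": "Coverity (C/C++)",
}
# Dynamic tools per stack layer (assumed mapping: DOMinator for the browser/DOM,
# WebInspect and AppScan against the running server application).
DAST_BY_LAYER = {
    "web browser": ["DOMinator"],
    "server application": ["HP WebInspect", "IBM AppScan"],
}
# The software stack of the slide, top to bottom.
LAYERS = ("client application", "web browser", "server application",
          "runtime container", "backend systems")


@dataclass
class Project:
    name: str
    risk: str         # result of the risk assessment: "low", "medium" or "high"
    languages: dict   # layer -> list of implementation languages in that layer


@dataclass
class TestPlan:
    tools: dict = field(default_factory=dict)    # layer -> automated tools selected
    manual: list = field(default_factory=list)   # manual activities added for risk
    gaps: list = field(default_factory=list)     # what no automated tool covers


def build_plan(project: Project) -> TestPlan:
    plan = TestPlan()
    for layer in LAYERS:
        langs = project.languages.get(layer, [])
        sast = [SAST_BY_LANGUAGE[lang.lower()] for lang in langs
                if lang.lower() in SAST_BY_LANGUAGE]
        unsupported = [lang for lang in langs if lang.lower() not in SAST_BY_LANGUAGE]
        tools = sorted(set(sast) | set(DAST_BY_LAYER.get(layer, [])))
        if tools:
            plan.tools[layer] = tools
        # The two SAST limitations named on the slide, made explicit per layer:
        # unsupported languages, and layers no tool looks at.
        if unsupported:
            plan.gaps.append(f"{layer}: no SAST for {', '.join(unsupported)}")
        elif not tools:
            plan.gaps.append(f"{layer}: no automated tool covers this layer")
    # Re-adjust by identified risk: high risk gets a manual penetration test on
    # every gap, medium risk only where attacker-reachable code is uncovered.
    for gap in plan.gaps:
        layer = gap.split(":", 1)[0]
        if project.risk == "high" or (project.risk == "medium" and layer in DAST_BY_LAYER):
            plan.manual.append(f"manual penetration test ({layer})")
    return plan


def residual_gaps(plan: TestPlan) -> list:
    """Gaps covered neither by a tool nor by a manual activity. These belong in
    the test plan as explicitly accepted risk, not discovered after shipment."""
    covered = {m[m.index("(") + 1:-1] for m in plan.manual}
    return [g for g in plan.gaps if g.split(":", 1)[0] not in covered]


# Constructed sample project: JavaScript front end, Java/Scala server, ABAP backend.
WEBSHOP = Project(
    name="webshop (constructed)",
    risk="high",
    languages={
        "web browser": ["JavaScript"],
        "server application": ["Java", "Scala"],
        "backend systems": ["ABAP"],
    },
)

if __name__ == "__main__":
    plan = build_plan(WEBSHOP)
    for layer, tools in plan.tools.items():
        print(f"{layer}: {', '.join(tools)}")
    print("manual:", plan.manual)
    print("residual gaps:", residual_gaps(plan))
```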
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
So Everything is Secure Now Right
ldquo Our tool reports all vulnerabilities in your software ndash you only need to fix them and youare secure
Undisclosed sales engineer from a SAST tool vendor
Yes this tools exists It is called Code Assurance Tool (cat)bull The cat tool reports each line that might contain a vulnerabilitybull It supports also a mode that reports no false positives
copy 2015 SAP SE All Rights Reserved Page 14 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers: Development Awareness. Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• ...
And btw, this also holds for DevOps (Cloud).
Page 25 of 27
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
Page 27 of 27
Agenda
1. SAP in a Nutshell
2. Motivation
3. The Beginning: Large Scale Introduction of SAST
4. A Risk-based Security Testing Strategy
5. SAP's Secure Software Development Lifecycle (S2DL)
6. Myths and Lessons Learned
Page 15 of 27
Combining Multiple Security Testing Methods and Tools
Figure: software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) annotated with the tools in use: static analysis with Checkmarx (JavaScript), Fortify (Java) and Coverity (C/C++); dynamic testing with DOMinator, HP WebInspect and IBM AppScan
• Risks of only using SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack
Page 16 of 27
A Risk-based Test Plan
Figure: the application type (selected from a list of predefined application types), the implementation details (e.g., programming languages, frameworks) and the priority of the SAP Security Requirements feed into the risk assessment (e.g., SECURIM threat modelling, OWASP ASVS), which yields the Security Test Plan
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of the risk assessment
Page 17 of 27
Agenda
1. SAP in a Nutshell
2. Motivation
3. The Beginning: Large Scale Introduction of SAST
4. A Risk-based Security Testing Strategy
5. SAP's Secure Software Development Lifecycle (S2DL)
6. Myths and Lessons Learned
Page 18 of 27
SAP's Secure Software Development Lifecycle (S2DL)
Figure: SAP SSDL
Page 19 of 27
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
Figure: the S2DL phases (Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response) from start of development to the shipment decision, with the artifacts Security Measure Plan, Security Measure Report, Security Test Plan, Security Test Report and Security Validation Report
Security Testing Plan
• Based on the Security Risk Identification and Mitigation Report (threat modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g., code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
Page 20 of 27
Agenda
1. SAP in a Nutshell
2. Motivation
3. The Beginning: Large Scale Introduction of SAST
4. A Risk-based Security Testing Strategy
5. SAP's Secure Software Development Lifecycle (S2DL)
6. Myths and Lessons Learned
Page 21 of 27
Continuously Measure Your Work and Improve Your Setup: But How to Measure, and What to Expect?
What we do
• Externally reported vulnerabilities / vulnerabilities found by validation: check why we missed them earlier
• Potential reasons for missing a vulnerability (and actions)
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools ⇒ analyze necessary changes (with tool vendor) and decide if the risk justifies the effort for enhancing the tool
    • cannot be detected in principle by our tools ⇒ research suitable tools and decide if the risk justifies the effort for introducing a new tool
  • Vulnerability can be detected by our tools
    • with the recent configuration, but not with the configuration at release date ⇒ no immediate actions necessary
    • with the configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect
• Issues not covered by the current tool configuration should increase (ideally to 100%)
What we observe
• Increase of logic-based flaws
Page 22 of 27
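The decision procedure above, as an added example that is not part of the slides or of SAP's tooling: a triage function over a constructed tool inventory and constructed external reports, plus the "share of issues not covered by the current configuration" metric the slide says to watch. Tool names, checker ids, release tags and the modelling of "detectable in principle" are assumptions made here.

```python
"""Triage of externally reported vulnerabilities, following the four
outcomes on the "Continuously Measure Your Work" slide. Added example,
not SAP's tooling: tools, checker ids, release tags and reports are
constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    # vulnerability cannot be detected in principle by any tool we have
    RESEARCH_NEW_TOOL = "research suitable tools; decide if risk justifies introducing one"
    # a tool we have ships a matching checker, but it was never enabled
    ENHANCE_WITH_VENDOR = "analyze necessary changes (with vendor); decide if risk justifies it"
    # detectable with the recent configuration, but not with the one at release date
    NO_IMMEDIATE_ACTION = "gap is already closed by the newer configuration"
    # detectable with the configuration in force at release date, yet it shipped
    ANALYZE_ESCAPE = "analyze why it was not detected; take further actions"


@dataclass
class Tool:
    name: str
    languages: frozenset   # languages the tool can analyze at all
    catalogue: frozenset   # checker ids the tool ships (enabled or not)
    configs: dict          # release tag -> frozenset of checker ids enabled then


@dataclass(frozen=True)
class ExternalReport:
    report_id: str
    weakness: str          # checker id that would match the flaw, e.g. "sqli"
    language: str          # language of the affected component
    release: str           # configuration tag in force when it shipped


def triage(report, tools, current):
    """Map one missed vulnerability to the action the slide prescribes.

    Modelling assumption (not from the slides): "detectable in principle"
    means a tool that supports the component's language ships a matching
    checker, whether or not that checker was ever switched on."""
    capable = [t for t in tools if report.language in t.languages]

    def enabled_at(tag):
        return any(report.weakness in t.configs.get(tag, frozenset()) for t in capable)

    if enabled_at(report.release):
        return Action.ANALYZE_ESCAPE
    if enabled_at(current):
        return Action.NO_IMMEDIATE_ACTION
    if any(report.weakness in t.catalogue for t in capable):
        return Action.ENHANCE_WITH_VENDOR
    return Action.RESEARCH_NEW_TOOL


def share_not_covered(reports, tools, current):
    """Percentage of reports the current tool configuration does not cover.

    The slide expects this number to rise over time, ideally to 100%: every
    issue the tools can find should be found in-house, before shipment."""
    if not reports:
        return 0.0
    uncovered = (Action.RESEARCH_NEW_TOOL, Action.ENHANCE_WITH_VENDOR)
    hits = sum(1 for r in reports if triage(r, tools, current) in uncovered)
    return 100.0 * hits / len(reports)


# Constructed tool inventory: one SAST tool for Java, one web DAST scanner.
TOOLS = (
    Tool("java-sast", frozenset({"java"}),
         frozenset({"sqli", "xss", "path-traversal", "xxe"}),
         {"2014-Q4": frozenset({"sqli", "xss"}),
          "2015-Q1": frozenset({"sqli", "xss", "path-traversal"})}),
    Tool("web-dast", frozenset({"java", "javascript"}),
         frozenset({"xss", "csrf"}),
         {"2014-Q4": frozenset({"xss"}),
          "2015-Q1": frozenset({"xss", "csrf"})}),
)
CURRENT = "2015-Q1"

# Constructed external reports, one per branch of the decision tree.
REPORTS = (
    ExternalReport("EXT-1", "sqli", "java", "2014-Q4"),            # enabled at release
    ExternalReport("EXT-2", "path-traversal", "java", "2014-Q4"),  # enabled only now
    ExternalReport("EXT-3", "xxe", "java", "2014-Q4"),             # shipped, never enabled
    ExternalReport("EXT-4", "missing-authz", "java", "2014-Q4"),   # logic flaw, no checker
    ExternalReport("EXT-5", "sqli", "abap", "2014-Q4"),            # language not supported
    ExternalReport("EXT-6", "csrf", "javascript", "2015-Q1"),      # enabled at release
)

if __name__ == "__main__":
    for r in REPORTS:
        print(f"{r.report_id}: {triage(r, TOOLS, CURRENT).name}")
    print(f"not covered by {CURRENT}: {share_not_covered(REPORTS, TOOLS, CURRENT):.0f}%")
```

Running the triage over each release's batch of external reports and plotting share_not_covered per release is what turns the slide's "what we expect" into a trend you can actually check.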
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java) Coverity (CC++)
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied or transmitted in any form or for any purpose without the express prior written permission of SAP SE.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
© 2015 SAP SE. All Rights Reserved. Page 28 of 27
Combining Multiple Security Testing Methods and Tools
Figure: the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) with the tools that cover each layer. Static analysis tools (Checkmarx for JavaScript, Fortify for Java, Coverity for C/C++) scan the code of individual layers; dynamic tools (DOMinator, HP WebInspect, IBM AppScan) test the layers through the running application.
• Risks of using only SAST:
  • wasting effort that could be used more wisely elsewhere
  • shipping insecure software
• Examples of SAST limitations:
  • not all programming languages are supported
  • it does not cover all layers of the software stack
© 2015 SAP SE. All Rights Reserved. Page 16 of 27
A Risk-based Test Plan
Figure: inputs to the Security Test Plan are the application type (selected from a list of predefined application types), the implementation details (e.g. programming languages, frameworks), the priority of the SAP Security Requirements, and the risk assessment (e.g. SECURIM threat modelling, OWASP ASVS).
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on the identified risks for the project
• Monitors false negative findings in the results of the risk assessment
© 2015 SAP SE. All Rights Reserved. Page 17 of 27
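The selection logic sketched on this slide, as an added example that is not SAP's tooling: a project profile (languages, stack layers) and the prioritized risks from the risk assessment are matched against a catalog of test methods. Each risk is handled highest priority first and gets the cheapest applicable method that can find it, methods already in the plan are reused at no extra cost, and risks that no configured method can find are reported separately, because that is exactly where the tool set can only produce false negatives. The method catalog, the weakness classes, the costs and the sample project are constructed assumptions for the demo.

```python
"""Risk-based selection of security test methods.

Added example, not SAP's tooling: the method catalog, the weakness classes
and the costs are constructed for the demo. The idea follows the slide:
pick test methods by the risks and the technologies of the project, order
them by risk priority, and report risks that no method can find.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Method:
    name: str
    kind: str                          # sast, dast, fuzzing, pentest
    languages: frozenset               # empty = language independent
    layers: frozenset                  # stack layers the method exercises
    weaknesses: frozenset              # weakness classes it can find
    cost: int                          # relative effort of one run


@dataclass(frozen=True)
class Risk:
    id: str
    weakness: str                      # from the risk assessment / threat model
    layer: str                         # where it would materialise
    priority: int                      # 1 = highest


@dataclass(frozen=True)
class Project:
    app_type: str
    languages: frozenset
    layers: frozenset


# Constructed catalog; which method finds what is an assumption for the demo.
CATALOG = [
    Method("static-js", "sast", frozenset({"javascript"}), frozenset({"client"}),
           frozenset({"xss", "injection"}), cost=1),
    Method("static-java", "sast", frozenset({"java"}), frozenset({"server"}),
           frozenset({"injection", "xss", "crypto"}), cost=1),
    Method("static-c", "sast", frozenset({"c", "c++"}), frozenset({"server", "backend"}),
           frozenset({"memory", "injection"}), cost=1),
    Method("dast-web", "dast", frozenset(), frozenset({"client", "server"}),
           frozenset({"xss", "injection", "config"}), cost=3),
    Method("fuzzing", "fuzzing", frozenset(), frozenset({"server", "backend"}),
           frozenset({"memory", "parsing"}), cost=4),
    Method("pentest", "pentest", frozenset(), frozenset({"client", "server", "backend"}),
           frozenset({"auth", "business-logic", "config", "injection", "xss"}), cost=10),
]

# Constructed project profile and risks (e.g. the output of threat modelling).
PROJECT = Project("web application", frozenset({"java", "javascript"}),
                  frozenset({"client", "server", "backend"}))
RISKS = [
    Risk("R1", "injection", "server", 1),
    Risk("R2", "xss", "client", 1),
    Risk("R3", "business-logic", "server", 2),
    Risk("R4", "memory", "backend", 3),
    Risk("R5", "race", "server", 2),
]


def applicable(m: Method, project: Project) -> bool:
    """A method applies if it supports one of the project's languages (or is
    language independent) and exercises a layer the project actually has."""
    lang_ok = not m.languages or bool(m.languages & project.languages)
    return lang_ok and bool(m.layers & project.layers)


def covering_methods(risk: Risk, project: Project, catalog: List[Method]) -> List[Method]:
    """All applicable methods that can find this weakness on this layer."""
    return [m for m in catalog
            if applicable(m, project)
            and risk.weakness in m.weaknesses
            and risk.layer in m.layers]


def build_plan(project: Project, risks: List[Risk], catalog: List[Method] = CATALOG
               ) -> Tuple[List[Tuple[str, List[str]]], List[str]]:
    """Return (plan, uncovered).

    plan: (method name, risk ids it is scheduled for), ordered by the best
    priority among those risks. Risks are handled highest priority first and
    get the cheapest covering method; a method already in the plan costs
    nothing extra, so later risks reuse it.
    uncovered: risk ids for which no applicable method exists, i.e. where the
    tool set can only produce false negatives and a different method or an
    explicitly accepted risk is needed.
    """
    selected: Dict[str, List[str]] = {}
    uncovered: List[str] = []
    for risk in sorted(risks, key=lambda r: r.priority):
        candidates = covering_methods(risk, project, catalog)
        if not candidates:
            uncovered.append(risk.id)
            continue
        best = min(candidates,
                   key=lambda m: (0 if m.name in selected else m.cost, m.name))
        selected.setdefault(best.name, []).append(risk.id)
    prio = {r.id: r.priority for r in risks}
    plan = sorted(selected.items(), key=lambda kv: min(prio[r] for r in kv[1]))
    return plan, uncovered


if __name__ == "__main__":
    plan, uncovered = build_plan(PROJECT, RISKS)
    for method, risk_ids in plan:
        print(f"{method:12s} covers {', '.join(risk_ids)}")
    print("no covering method (review manually):", ", ".join(uncovered))
```

For the sample project the two static analyzers take the highest-priority injection and XSS risks, the business-logic risk can only be reached by a penetration test, the memory risk on a backend without C sources falls to fuzzing, and the race condition ends up in the uncovered list, which is the input the slide calls monitoring false negatives.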
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning: Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAP's Secure Software Development Lifecycle (S2DL)
6 Myths and Lessons Learned
© 2015 SAP SE. All Rights Reserved. Page 18 of 27
SAP's Secure Software Development Lifecycle (S2DL)
Figure: SAP SSDL
© 2015 SAP SE. All Rights Reserved. Page 19 of 27
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
Figure: the S2DL phases between start of development and shipment decision (Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response) and the documents produced along the way: Security Measure Plan, Security Test Plan, Security Measure Report, Security Test Report, Security Validation Report.
Security Testing Plan
• Based on the Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes the planned security testing activities
• Completeness and plausibility check by the validation or security enablement team
Security Testing Report
• Result of the executed security testing activities (e.g. code scan report)
• Describes deviations from the plan
• Input for validation and operation (cloud)
Figure: SAP SSDL
© 2015 SAP SE. All Rights Reserved. Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning: Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAP's Secure Software Development Lifecycle (S2DL)
6 Myths and Lessons Learned
© 2015 SAP SE. All Rights Reserved. Page 21 of 27
Continuously Measure Your Work and Improve Your Setup: But How to Measure, and What to Expect?
What we do
• For externally reported vulnerabilities and vulnerabilities found by validation, check why we missed them earlier
• Potential reasons for missing a vulnerability (and actions):
  • Vulnerability not detected by our tools (strategy)
    • could be detected in principle by our tools ⇒ analyze the necessary changes (with the tool vendor) and decide if the risk justifies the effort for enhancing the tool
    • cannot be detected in principle by our tools ⇒ research suitable tools and decide if the risk justifies the effort for introducing a new tool
  • Vulnerability can be detected by our tools
    • with the recent configuration, but not with the configuration at release date ⇒ no immediate actions necessary
    • with the configuration at release date ⇒ analyze why it was not detected and take further actions
What we expect
• The share of issues not covered by the current tool configuration should increase (ideally to 100%)
What we observe
• Increase of logic-based flaws
© 2015 SAP SE. All Rights Reserved. Page 22 of 27
Penetration Tests at the End of Development: They Test/Ensure the Security of the Developed Product, Right?
The main purpose of penetration tests at the end of development is
• to check for "flaws" in the S2DL (and not in the product)
• Ideally, they only find
  • no issues that could have been fixed or detected earlier (e.g. configuration issues)
Note: penetration tests in productive environments are different:
• they test the actual configuration
• they test the productive environment (e.g. cloud hosting)
© 2015 SAP SE. All Rights Reserved. Page 23 of 27
False Positives are not Your Biggest Concern: A Pragmatic Solution for Too Many Findings Is to Prioritize Them
• What needs to be audited?
• What needs to be fixed
  • as a security issue (response effort)
  • as a quality issue
• Different rules for
  • old code
  • new code
© 2015 SAP SE. All Rights Reserved. Page 24 of 27
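One way to turn the three questions on this slide into a repeatable triage, as an added example that is not SAP's process: every finding is either already audited (then the verdict and the severity decide between the security response process and the normal quality backlog) or still unaudited (then new code is always looked at, while old code is only audited when severity and tool confidence justify the effort). The audit queue is ordered by severity and confidence and capped by a budget, so a flood of findings produces a bounded amount of work rather than an argument about false-positive rates. The severity and confidence scales, the thresholds and the sample scan results are constructed assumptions for the demo.

```python
"""Prioritising static-analysis findings instead of chasing false positives.

Added example, not SAP's process: the severities, confidence levels and
rule thresholds are constructed for the demo. It encodes the questions
from the slide (what to audit, what to fix as a security vs. a quality
issue, stricter rules for new than for old code) and caps the audit queue.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    FIX_SECURITY = "fix as security issue (security response effort)"
    FIX_QUALITY = "fix as quality issue (normal backlog)"
    AUDIT = "audit by a human first"
    DEFER = "defer: not audited in this cycle"
    SUPPRESS = "confirmed false positive"


SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CONFIDENCE = {"high": 1.0, "medium": 0.6, "low": 0.3}   # tool confidence


@dataclass
class Finding:
    id: str
    category: str
    severity: str
    confidence: str
    new_code: bool                        # changed since the last release?
    audited: bool = False                 # has a human looked at it?
    true_positive: Optional[bool] = None  # audit verdict, if audited


def decide(f: Finding) -> Decision:
    """Apply the prioritisation rules to a single finding."""
    if f.audited:
        if not f.true_positive:
            return Decision.SUPPRESS
        # Confirmed issues: severity decides whether the security response
        # process (patch, advisory, customer communication) is triggered.
        if SEVERITY[f.severity] >= SEVERITY["high"]:
            return Decision.FIX_SECURITY
        return Decision.FIX_QUALITY
    # Unaudited findings: new code is always looked at before shipping.
    if f.new_code:
        return Decision.AUDIT
    # Old code: only audit when the risk justifies the effort.
    if f.severity == "critical":
        return Decision.AUDIT
    if SEVERITY[f.severity] >= SEVERITY["high"] and CONFIDENCE[f.confidence] >= CONFIDENCE["medium"]:
        return Decision.AUDIT
    return Decision.DEFER


def priority_key(f: Finding) -> Tuple[int, float]:
    """Severity first, then tool confidence; new code gets a 1.5x boost."""
    return (SEVERITY[f.severity], CONFIDENCE[f.confidence] * (1.5 if f.new_code else 1.0))


def triage(findings: List[Finding], audit_budget: int) -> Dict[Decision, List[str]]:
    """Bucket findings by decision; audits beyond the budget are deferred."""
    buckets: Dict[Decision, List[Finding]] = {d: [] for d in Decision}
    for f in findings:
        buckets[decide(f)].append(f)
    queue = sorted(buckets[Decision.AUDIT], key=priority_key, reverse=True)
    buckets[Decision.AUDIT] = queue[:audit_budget]
    buckets[Decision.DEFER].extend(queue[audit_budget:])
    return {d: [f.id for f in fs] for d, fs in buckets.items()}


# Constructed scan results, as a code-scan report might list them.
FINDINGS = [
    Finding("F1", "sql-injection", "high", "high", new_code=False, audited=True, true_positive=True),
    Finding("F2", "xss", "medium", "medium", new_code=True, audited=True, true_positive=True),
    Finding("F3", "path-traversal", "high", "low", new_code=False),
    Finding("F4", "hardcoded-password", "medium", "high", new_code=True),
    Finding("F5", "buffer-overflow", "critical", "low", new_code=False),
    Finding("F6", "weak-random", "low", "high", new_code=False),
    Finding("F7", "xxe", "high", "high", new_code=False),
    Finding("F8", "sql-injection", "high", "medium", new_code=True),
    Finding("F9", "xss", "low", "low", new_code=True),
    Finding("F10", "null-dereference", "medium", "high", new_code=False, audited=True, true_positive=False),
]

if __name__ == "__main__":
    for decision, ids in triage(FINDINGS, audit_budget=3).items():
        print(f"{decision.value:50s} {', '.join(ids) or '-'}")
```

With an audit budget of three, the critical buffer overflow in old code and the two high-severity findings are audited first, the medium and low findings in new code wait for the next cycle, and the low-confidence path traversal in old code is never queued at all; the confirmed findings are routed by severity either into the security response process or into the ordinary backlog.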
Listen to Your Developers: Development Awareness. Developers Should be the Best Friends of Security Experts (not Their Enemies)
We often talk about a lack of security awareness and thereby forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need
• easier to use security APIs
• more tools that make it easy to implement systems securely
• frameworks that make it hard to implement insecure systems
• ...
And by the way, this also holds for DevOps (Cloud).
© 2015 SAP SE. All Rights Reserved. Page 25 of 27
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All Rights Reserved. Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx (JavaScript)
Fortify (Java)
DO
Min
ato
r
Coverity (CC++)
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Combining Multiple Security Testing Methods and Tools
Client Application
Web Browser
Server Application
Runtime Container
Backend Systems
Checkmarx
Fortify (Java)
DO
Min
ato
r
HP
We
bIn
sp
ect
IB
M A
pp
Sca
n
bull Risks of only using only SASTbull Wasting effort that could be used more wisely
elsewherebull Shipping insecure software
bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack
copy 2015 SAP SE All Rights Reserved Page 16 of 27
A Risk-based Test Plan
Select from a list of
predefined application
types
Implementation detaos eg programming languages frameworks
Priority of SAP Security
Requirements
Security Test Plan
RISK ASSESMENT
(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg
code scans dynamic analysis manual penetrationtesting or fuzzing
bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject
bull Re-adjusts priorities of test cases based on identifiedrisks for the project
bull Monitors false negative findings in the results of riskassessment
copy 2015 SAP SE All Rights Reserved Page 17 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers: Development Awareness
Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness and by that forget the problem of lacking development awareness.
Always keep in mind: Building a secure system is more difficult than finding a successful attack.
We need
• Easier to use security APIs
• More tools that make it easy to implement systems securely
• Frameworks that make it hard to implement insecure systems
• …
And btw, this also holds for DevOps (Cloud)
Thank you
http://xkcd.com/327
© 2015 SAP SE. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
A Risk-based Test Plan
[Figure: Risk assessment (e.g., SECURIM Threat Modelling, OWASP ASVS) feeding the Security Test Plan; inputs: selection from a list of predefined application types, implementation details (e.g., programming languages, frameworks), priority of SAP Security Requirements]
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning: Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAP’s Secure Software Development Lifecycle (S2DL)
6 Myths and Lessons Learned
SAP’s Secure Software Development Lifecycle (S2DL)
Figure: SAP SSDL
SAP’s Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report
[Figure: SAP SSDL, from start of development to shipment decision, with the phases Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation and Security Response, and the documents Security Measure Plan, Security Measure Report, Security Test Plan, Security Test Report and Security Validation Report]
Security Testing Plan
• Based on Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
• Describes planned security testing activities
• Completeness and plausibility check by validation or security enablement team
Security Testing Report
• Result of executed security testing activities (e.g., code scan report)
• Describes deviations from plan
• Input for validation and operation (cloud)
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 18 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
SAPrsquo Secure Software Development Lifecycle (S2DL)
Figure SAP SSDLcopy 2015 SAP SE All Rights Reserved Page 19 of 27
SAPrsquo Secure Software Development Lifecycle (S2DL)Security Testing Plan and Security Testing Report
7
Security Test
Plan
Security
Validation Report
Start of development Shipment decision
Training Risk
Identification Plan Security
Measures Secure
development Security testing
Security Validation
Security Response
Security Test
Report
Security Measure Plan
Security Testing Plan
bullBased on Security Risk Identification and Mitigation Report (Threat Modelling SECURIM)
bullDescribes planned security testing activities
bullCompleteness and plausibility check by validation or security enablement team
Security Measure Report
Security Testing Report
bullResult of executed security testing activities (eg code scan report)
bullDescribes deviations from plan
bullInput for validation and operation (cloud)
Figure SAP SSDL
copy 2015 SAP SE All Rights Reserved Page 20 of 27
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest Concern
A Pragmatic Solution for Too Many Findings: Prioritize Them

- What needs to be audited?
- What needs to be fixed:
  - as a security issue (response effort)
  - as a quality issue
- Different rules for:
  - old code
  - new code
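One way to turn the three questions on this slide into a working policy, as an added example (not SAP's tooling and not from the original deck): each scanner finding is sorted into an audit queue, a security-fix queue or a quality-fix queue, and old and new code get different rules, with new code gated before merge and old code worked off as a prioritized backlog. The severity and confidence thresholds, the list of quality-only rules and the rule IDs are assumptions made for the example; the findings and the changed-line map are constructed sample data, roughly what a scanner export plus a diff against the last release would give.

```python
"""Prioritising a flood of SAST findings instead of fighting false positives.

Each finding goes into one of the three queues from the slide (audit, fix
as security issue, fix as quality issue), and old and new code get
different rules: new code must be clean before it is merged, old code is
worked off as a backlog. The severity and confidence thresholds, the
quality-rule list and the rule IDs are assumptions made for this example;
the findings and the changed-line map are constructed sample data, roughly
what a scanner export plus a diff against the last release would give.
"""
from dataclasses import dataclass
from enum import Enum


class Queue(Enum):
    FIX_SECURITY = "fix as security issue (security response effort, deadline-driven)"
    FIX_QUALITY = "fix as quality issue (normal development backlog)"
    AUDIT = "audit: an expert decides exploitable vs. false positive"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str      # scanner severity: critical / high / medium / low
    confidence: float  # scanner confidence in [0, 1]
    path: str
    line: int


QUALITY_RULES = {"UNUSED-VAR", "WEAK-LOG"}  # hygiene rules, not exploitable weaknesses (assumed)
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def rank(finding: Finding) -> int:
    return SEVERITY_RANK.get(finding.severity.lower(), 0)


def triage(finding: Finding) -> Queue:
    """Assign a finding to a queue; thresholds are this example's assumptions."""
    if finding.rule_id in QUALITY_RULES:
        return Queue.FIX_QUALITY
    # Likely-true, high-impact findings go straight to the response process;
    # anything the scanner is unsure about is audited rather than dropped.
    if rank(finding) >= 3 and finding.confidence >= 0.7:
        return Queue.FIX_SECURITY
    if rank(finding) >= 2:
        return Queue.AUDIT
    return Queue.FIX_QUALITY


def is_new_code(finding: Finding, changed_lines: dict) -> bool:
    """New code: the flagged line was touched since the baseline release."""
    return finding.line in changed_lines.get(finding.path, set())


def apply_policy(findings, changed_lines):
    """Different rules for old and new code:
    new code: an open security or audit finding blocks the merge;
    old code: never a gate, but security findings head the backlog."""
    blockers, backlog = [], []
    for f in findings:
        q = triage(f)
        if is_new_code(f, changed_lines) and q is not Queue.FIX_QUALITY:
            blockers.append((f, q))
        else:
            backlog.append((f, q))
    backlog.sort(key=lambda fq: (fq[1] is not Queue.FIX_SECURITY, -rank(fq[0])))
    return {"block_merge": bool(blockers), "blockers": blockers, "backlog": backlog}


# Constructed sample data.
CHANGED_LINES = {"src/export.py": {40, 41, 42}, "src/login.py": {10}}
FINDINGS = [
    Finding("SQLI-001", "high", 0.9, "src/export.py", 41),    # new code, security: blocks
    Finding("XSS-002", "medium", 0.5, "src/login.py", 10),    # new code, audit: blocks
    Finding("UNUSED-VAR", "low", 0.9, "src/export.py", 40),   # new code, quality: backlog
    Finding("SQLI-001", "high", 0.9, "src/legacy.py", 300),   # old code, security: top of backlog
    Finding("XSS-002", "medium", 0.3, "src/legacy.py", 12),   # old code, audit: backlog
    Finding("WEAK-LOG", "low", 0.6, "src/legacy.py", 77),     # old code, quality: backlog
]

if __name__ == "__main__":
    result = apply_policy(FINDINGS, CHANGED_LINES)
    print("merge blocked:", result["block_merge"])
    for f, q in result["blockers"] + result["backlog"]:
        print(f"{f.path}:{f.line} {f.rule_id} -> {q.name}")
```

The point of the split is that a low-confidence finding is never discarded as a "false positive" by the tool alone: it goes to an auditor, and in new code it still blocks the merge until that audit is done, while the same finding in ten-year-old code lands in the backlog behind the confirmed security issues.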
Listen to Your Developers: Development Awareness
Developers Should be the Best Friends of Security Experts (not Their Enemies)

We often talk about a lack of security awareness, and in doing so forget the problem of lacking development awareness.

Always keep in mind: building a secure system is more difficult than finding a successful attack.

We need:
- easier-to-use security APIs
- more tools that make it easy to implement systems securely
- frameworks that make it hard to implement insecure systems
- ...

And by the way, this also holds for DevOps (Cloud).
Thank you

http://xkcd.com/327
Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All rights reserved.
SAP's Secure Software Development Lifecycle (S2DL): Security Testing Plan and Security Testing Report

Figure: the SAP S2DL from start of development to shipment decision. Phases: Training, Risk Identification, Plan Security Measures, Secure Development, Security Testing, Security Validation, Security Response. Artifacts along the way: Security Measure Plan and Security Test Plan (planning), Security Measure Report and Security Test Report (development and testing), Security Validation Report (at the shipment decision).

Security Testing Plan
- Based on the Security Risk Identification and Mitigation Report (Threat Modelling, SECURIM)
- Describes planned security testing activities
- Completeness and plausibility check by the validation or security enablement team

Security Testing Report
- Result of executed security testing activities (e.g., code scan report)
- Describes deviations from the plan
- Input for validation and operation (cloud)
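The two checks this slide asks for, completeness and plausibility of the testing plan against the risk identification report and deviations of the report from the plan, as an added example (not SAP's S2DL tooling and not from the original deck). It assumes three plain records: the threat-modelling output as a list of risk IDs, a plan that maps each planned activity to the risks it covers, and a report saying which activities ran and how many findings are still open. The record layout, field names and every ID are constructed for the example.

```python
"""Completeness and plausibility check of a Security Testing Plan against the
risk identification report, and deviation reporting for the Security Testing
Report. Record layout, field names and IDs are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass
class Activity:
    name: str
    covers: frozenset   # risk IDs from the risk identification report this activity addresses
    tool: str = ""


@dataclass
class Execution:
    activity: str
    executed: bool
    open_findings: int = 0   # findings still unresolved at reporting time
    note: str = ""


def check_plan(risks, plan):
    """Completeness: every identified risk is covered by at least one planned
    activity. Plausibility: no activity claims a risk the threat model never
    identified (a sign of a stale or copy-pasted plan)."""
    covered = set().union(*(a.covers for a in plan))
    return {
        "uncovered_risks": sorted(set(risks) - covered),
        "unknown_risks": sorted(covered - set(risks)),
    }


def deviations(plan, report):
    """Plan-versus-report deviations a validation team wants listed: planned
    activities that were skipped, executed ones nobody planned, and activities
    that ran but left findings open."""
    planned = {a.name for a in plan}
    executed = {e.activity for e in report if e.executed}
    return {
        "skipped": sorted(planned - executed),
        "unplanned": sorted(executed - planned),
        "open_findings": {e.activity: e.open_findings
                          for e in report if e.executed and e.open_findings},
    }


def ready_for_validation(risks, plan, report):
    """Input for the shipment decision: plan complete, nothing skipped, nothing open."""
    p, d = check_plan(risks, plan), deviations(plan, report)
    return not (p["uncovered_risks"] or d["skipped"] or d["open_findings"])


# Constructed sample data.
RISKS = ["R-01", "R-02", "R-03"]   # e.g. injection, XSS in admin UI, cross-tenant data access
PLAN = [
    Activity("SAST scan", frozenset({"R-01", "R-02"}), tool="static analyzer"),
    Activity("DAST scan of admin UI", frozenset({"R-02"})),
    Activity("Manual tenant-isolation test", frozenset({"R-03"})),
]
REPORT = [
    Execution("SAST scan", True),
    Execution("DAST scan of admin UI", True, open_findings=2, note="two reflected XSS pending fix"),
    Execution("Manual tenant-isolation test", False, note="test system not provisioned"),
    Execution("Dependency vulnerability scan", True),
]

if __name__ == "__main__":
    print("plan check:", check_plan(RISKS, PLAN))
    print("deviations:", deviations(PLAN, REPORT))
    print("ready for validation:", ready_for_validation(RISKS, PLAN, REPORT))
```

The unplanned activity is reported rather than silently accepted: extra testing is welcome, but the validation team should see that it was not derived from the threat model, and the skipped tenant-isolation test leaves R-03 unaddressed even though the plan itself was complete.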
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Agenda
1 SAP in a Nutshell
2 Motivation
3 The Beginning Large Scale Introduction of SAST
4 A Risk-based Security Testing Strategy
5 SAPrsquos Secure Software Development Lifecycle (S2DL)
6 Myths and Lessonrsquos Learned
copy 2015 SAP SE All Rights Reserved Page 21 of 27
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D Brucker
Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014
Achim D Brucker Lukas Bruumlgger and Burkhart Wolff
Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014
Achim D Brucker and Uwe Sodan
Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014
Achim D Brucker and Burkhart Wolff
On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012
copy 2015 SAP SE All Rights Reserved Page 27 of 27
copy 2015 SAP SE All rights reserved
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
copy 2015 SAP SE All Rights Reserved Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAPs Secure Software Development Lifecycle (Smath text inlined[fg]math text inlinedfg2DL)
- Myths and Lessons Learned
-
Continuously Measure Your Work and Improve Your SetupBut How to Measure and What to Expect
What we dobull Externally reported vulnerabilitiesfound by validation check why we missed it earlierbull Potential reasons for missing a vulnerability (and actions)
bull Vulnerability not detected by our tools (strategy)bull could be detected in principle by our tools
rArr analyze necessary changes (with tool vendor) and decide if risk justifies effort for enhancing toolbull cannot be detected in principle by our tools
rArr research for suitable tools and and decide if risk justifies effort for introducing new toolbull Vulnerability can be detected by our tools
bull With recent configuration but not configuration at release daterArr no immediate actions necessary
bull With configuration at release daterArr analyze why it was not detected and take further actions
What we expectbull Issues not covered by current tool configuration should increase (ideally to 100)
What we observebull Increase of logic-based flaws
copy 2015 SAP SE All Rights Reserved Page 22 of 27
Penetration Tests at the End of Development testensure the security of the developed product right
Main purpose of penetration tests at end of development is
bull to check for ldquoflawsrdquo in the the S2DL (and not the product)
bull Ideally they only findbull no issues that can be fixeddetected earlier (eg configuration)
Note penetration tests in productive environments are different
bull They test the actual configuration
bull They test the productive environment (eg cloudhosting)
copy 2015 SAP SE All Rights Reserved Page 23 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
False Positives are not Your Biggest ConcernA Pragmatic Solution for Too Many Findings Prioritize Them
bull What needs to be audited
bull What needs to be fixedbull as security issue
(response effort)bull quality issue
bull Different rules forbull old codebull new code
copy 2015 SAP SE All Rights Reserved Page 24 of 27
Listen to Your Developers Development AwarenessDevelopers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awarenessand by that forget the problem oflacking development awareness
Always keep in mindBuilding a a secure system more difficult than finding a successful attack
We need
bull Easier to use security APIs
bull More tools that make it easy to implement system securely
bull Frameworks that make it hard to implement insecure systems
bull
And btw this also holds for DevOps (Cloud)
copy 2015 SAP SE All Rights Reserved Page 25 of 27
Thank you
httpxkcdcom327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
© 2015 SAP SE. All Rights Reserved. Page 27 of 27
© 2015 SAP SE. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
© 2015 SAP SE. All Rights Reserved. Page 28 of 27
- SAP in a Nutshell
- Motivation
- The Beginning: Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAP's Secure Software Development Lifecycle (S2DL)
- Myths and Lessons Learned
Penetration Tests at the End of Development: test/ensure the security of the developed product, right?
The main purpose of penetration tests at the end of development is
• to check for "flaws" in the S2DL (and not in the product)
• Ideally, they only find
  – no issues that could have been fixed or detected earlier (e.g., configuration)
Note: penetration tests in productive environments are different
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)
© 2015 SAP SE. All Rights Reserved. Page 23 of 27
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages
- SAP in a Nutshell
- Motivation
- The Beginning: Large Scale Introduction of SAST
- A Risk-based Security Testing Strategy
- SAP's Secure Software Development Lifecycle (S²DL)
- Myths and Lessons Learned
False Positives are not Your Biggest Concern: A Pragmatic Solution for Too Many Findings: Prioritize Them
• What needs to be audited?
• What needs to be fixed?
  • as a security issue (response effort)
  • as a quality issue
• Different rules for
  • old code
  • new code
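The slide's prioritisation scheme, written out as a small triage policy. This is an added example, not SAP's tooling: the rule names, the severity and confidence values, the notion of a "baseline" commit that separates old from new code, and the mapping of rules to security versus quality are all constructed assumptions. What it shows is that the decision "audit, fix as security issue, fix as quality issue, or backlog" can be made per finding from a few attributes, so that a scan with thousands of findings yields a short security queue rather than a wall of noise.

```python
"""Triage of SAST findings by policy rather than by raw count.

Added example (not SAP's tooling). It models the prioritisation from the
slide: decide what must be audited, what must be fixed as a security issue
versus a quality issue, and apply different rules to old and new code.
All findings below are constructed sample data; the rule ids, thresholds
and the "baseline" notion are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    FIX_SECURITY = "fix as security issue"  # handled by the security response process
    FIX_QUALITY = "fix as quality issue"    # tracked in the ordinary defect backlog
    AUDIT = "audit"                          # a human must decide before anyone fixes
    BACKLOG = "backlog"                      # known, accepted for now, revisited later


@dataclass(frozen=True)
class Finding:
    rule: str          # scanner rule id (constructed)
    severity: str      # "high" | "medium" | "low" as reported by the scanner
    confidence: str    # "high" | "medium" | "low" as reported by the scanner
    path: str
    line: int
    in_new_code: bool  # True if the line was added or changed since the baseline commit


# Rules whose findings are security-relevant when real; everything else is
# treated as a code-quality matter (assumed mapping, tune it per scanner).
SECURITY_RULES = {"sql-injection", "xss", "path-traversal", "hardcoded-secret"}
# Rules with a known high false-positive rate: always audit before fixing (assumed).
NOISY_RULES = {"path-traversal"}


def triage(f: Finding) -> Action:
    """Map one finding to an action using the old-code/new-code split.

    Policy (assumed for illustration):
      * security rule, high confidence, not noisy   -> fix as security issue
      * security rule, low confidence or noisy      -> audit
      * non-security rule in new code               -> fix as quality issue
      * non-security rule, high severity, old code  -> fix as quality issue
      * non-security rule, lower severity, old code -> backlog
    """
    if f.rule in SECURITY_RULES:
        if f.rule in NOISY_RULES or f.confidence != "high":
            return Action.AUDIT
        return Action.FIX_SECURITY
    if f.in_new_code:
        return Action.FIX_QUALITY
    if f.severity == "high":
        return Action.FIX_QUALITY
    return Action.BACKLOG


def triage_all(findings):
    """Return {Action: [Finding, ...]} with every action present (possibly empty)."""
    buckets = {a: [] for a in Action}
    for f in findings:
        buckets[triage(f)].append(f)
    return buckets


# Constructed sample scan result (paths and line numbers are made up).
SAMPLE = [
    Finding("sql-injection", "high", "high", "src/orders/dao.py", 120, True),
    Finding("sql-injection", "high", "low", "src/legacy/report.py", 44, False),
    Finding("path-traversal", "high", "high", "src/files/download.py", 17, True),
    Finding("unused-variable", "low", "high", "src/legacy/util.py", 9, False),
    Finding("unused-variable", "low", "high", "src/orders/dao.py", 130, True),
    Finding("resource-leak", "high", "high", "src/legacy/io.py", 301, False),
]

if __name__ == "__main__":
    for action, items in triage_all(SAMPLE).items():
        print(f"{action.value}: {len(items)}")
        for f in items:
            print(f"   {f.rule:16} {f.path}:{f.line}")
```

The useful property is that the policy is explicit and reviewable: when the security team and the development teams disagree about what "needs to be fixed", the disagreement is about a handful of lines in `triage`, not about thousands of individual findings.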
Listen to Your Developers: Development Awareness
Developers Should be the Best Friends of Security Experts (not Their Enemies)
We are often talking about a lack of security awareness, and by that forget the problem of lacking development awareness.
Always keep in mind: building a secure system is more difficult than finding a successful attack.
We need:
• easier-to-use security APIs
• more tools that make it easy to implement systems securely
• frameworks that make it hard to implement insecure systems
• …
And, by the way, this also holds for DevOps (Cloud).
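What "a framework that makes it hard to implement insecure systems" can look like in practice, as an added illustration (not an SAP API and not code from the talk): a small query helper in which the only way to filter rows is through bound parameters, and column names come from an allow-list, so application code never handles SQL text at all. The table, its schema and the rows are constructed for the example; the string-formatting variant is kept only for contrast with what the helper replaces.

```python
"""A tiny "hard to misuse" query API (added illustration, not an SAP API).

The secure way is the only way offered: values are always bound parameters,
identifiers are validated and allow-listed, and there is no method that
accepts raw SQL. Schema and data are constructed for the example.
"""
import re
import sqlite3


class Table:
    """Query builder for one table; every value is bound, never concatenated."""

    _IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

    def __init__(self, conn: sqlite3.Connection, name: str, columns: tuple):
        # Identifiers are fixed at construction time by the developer, never
        # taken from a request; reject anything that is not a plain identifier.
        for ident in (name, *columns):
            if not self._IDENT.match(ident):
                raise ValueError(f"invalid identifier: {ident!r}")
        self._conn = conn
        self._name = name
        self._columns = frozenset(columns)

    def select(self, **filters):
        """Return rows matching all filters; keys must be allow-listed columns."""
        clauses, params = [], []
        for col, value in filters.items():
            if col not in self._columns:
                raise ValueError(f"unknown column {col!r}")
            clauses.append(f'"{col}" = ?')   # placeholder, value bound below
            params.append(value)
        sql = f'SELECT * FROM "{self._name}"'
        if clauses:
            sql += " WHERE " + " AND ".join(clauses)
        return self._conn.execute(sql, params).fetchall()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup(name_from_request: str):
    """Application code on top of the helper: no SQL string handling at all."""
    users = Table(build_demo_db(), "users", ("id", "name", "role"))
    return users.select(name=name_from_request)


def unsafe_lookup(name_from_request: str):
    """The error-prone pattern the helper replaces, kept for contrast only."""
    conn = build_demo_db()
    return conn.execute(
        f"SELECT * FROM users WHERE name = '{name_from_request}'"
    ).fetchall()


if __name__ == "__main__":
    print(lookup("alice"))        # one row, as intended
    print(lookup("' OR '1'='1"))  # no row: the value is bound, not spliced in
```

The design choice is that the developer has no raw-SQL escape hatch to reach for under time pressure: `select` accepts only column names the developer declared and only values, so the secure construction is also the convenient one. The contrast function shows why that matters: the same odd-looking input that the helper simply fails to match turns the formatted query into one that returns every row.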
Thank you
http://xkcd.com/327
Related Publications
Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012