welcome [sercuarc.org]€¦ · serc talks october 4, 2017 1 today’s session will be recorded. an...
TRANSCRIPT
![Page 1: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/1.jpg)
SERC Talks October 4, 2017 1
Today’s session will be recorded.
An archive of today’s talk will be available at: www.sercuarc.org/serc-talks/
Use the Q&A box to queue questions, reserving the chat box for comments, and
questions will be answered during the last 5-10 minutes of the session.
If you are connected via the dial-in information only, please email questions or
comments to Ms. Mimi Marcus at [email protected].
Any issues? Use the chat feature for any technical difficulties or other comments, or
email Ms. Mimi Marcus at [email protected].
WELCOME
“What are the Top Ten Software Security Flaws?”
Gary McGraw, Synopsys
Vice President Security Technology
October 4, 2017 | 1:00 pm ET
![Page 2: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/2.jpg)
SERC Talks October 4, 2017 2
The Systems Engineering Research Center (SERC) is a federally funded University Affiliated Research Center managed by Stevens Institute of Technology.
Any views, opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense, ASD(R&E), nor the SERC.
No Warranty. This Stevens Institute of Technology Material is furnished on an “as-is” basis. Stevens Institute of Technology makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. Stevens Institute of Technology does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
This material has been approved for public release and unlimited distribution.
![Page 3: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/3.jpg)
© 2017 Synopsys, Inc. 3
Avoiding the Top Ten Software Security FlawsGary McGraw, Ph.D.Vice President, Security TechnologySynopsys
@cigitalgem
![Page 4: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/4.jpg)
© 2017 Synopsys, Inc. 4
![Page 5: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/5.jpg)
© 2017 Synopsys, Inc. 5
IEEE CSD Mission
The IEEE CSD will gather software security expertise from industry, academia, and government. The CSD provides guidance on:
•Recognizing software system designs that are likely vulnerable to compromise.
•Designing and building software systems with strong, identifiable security properties.
•http://bit.ly/ieee-CSD
•https://cybersecurity.ieee.org/center-for-secure-design/
![Page 6: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/6.jpg)
© 2017 Synopsys, Inc. 6
On Bugs, Flaws, and Defects
Commercial SAST Tools:HP Fortify, Coverity, etc
![Page 7: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/7.jpg)
© 2017 Synopsys, Inc. 7
Avoiding the Top Ten Flaws
• Earn or give, but never assume, trust
• Use an authentication mechanism that cannot be bypassed or tampered with
• Authorize after you authenticate
• Strictly separate data and control instructions, and never process control instructions received from untrusted sources
• Define an approach that ensures all data are explicitly validated
§ Use cryptography correctly
§ Identify sensitive data and how they should be handled
§ Always consider the users
§ Understand how integrating external components changes your attack surface
§ Be flexible when considering future changes to objects and actors
![Page 8: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/8.jpg)
© 2017 Synopsys, Inc. 8
1. Earn or give, but never assume, trust
![Page 9: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/9.jpg)
© 2017 Synopsys, Inc. 9
Earn or give, but never assume, trust
üMake sure all data from an untrusted client are validated
üAssume data are compromised
§ Avoid authorization, access control, policy enforcement, and use of sensitive data in client code
![Page 10: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/10.jpg)
© 2017 Synopsys, Inc. 10
2. Use an authentication mechanism that can’t be bypassed
![Page 11: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/11.jpg)
© 2017 Synopsys, Inc. 11
Use an authentication mechanism that can’t be bypassed
üPrevent the user from changing identity without re-authentication, once authenticated.
üConsider the strength of the authentication a user has provided before taking action
üMake use of time outs
§ Do not stray past the big three• Something you are• Something you have• Something you know
§ Avoid shared resources like IP numbers and MAC addresses
§ Avoid predictable tokens
![Page 12: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/12.jpg)
© 2017 Synopsys, Inc. 12
3. Authorize after you authenticate
![Page 13: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/13.jpg)
© 2017 Synopsys, Inc. 13
Authorize after you authenticate
üPerform authorization as an explicit check
üRe-use common infrastructure for conducting authorization checks
§ Authorization depends on a given set of privileges, and on the context of the request
§ Failing to revoke authorization can result in authenticated users exercising out-of-date authorizations
![Page 14: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/14.jpg)
© 2017 Synopsys, Inc. 14
4. Strictly separate data and control instructions, and never process control instructions from untrusted sources
![Page 15: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/15.jpg)
© 2017 Synopsys, Inc. 15
Strictly separate data and control instructions, and never process control instructions from untrusted sources
üUtilize hardware capabilities to enforce separation of code and data
üKnow and use appropriate compiler/linker security flags
üExpose methods or endpoints that consume structured types
§ Co-mingling data and control instructions in a single entity is bad
§ Beware of injection-prone APIs • XSS, SQL injection, shell
injection
§ Watch out for (eval)
![Page 16: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/16.jpg)
© 2017 Synopsys, Inc. 16
5. Define an approach that ensures all data are explicitly validated
![Page 17: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/17.jpg)
© 2017 Synopsys, Inc. 17
Define an approach that ensures all data are explicitly validated
üEnsure that comprehensive data validation actually takes place
üMake security review of the validation scheme possible
üUse a centralized validation mechanism and canonical data forms (avoid strings)
§ Watch out for assumptions about data
§ Avoid blacklisting, use whitelisting
![Page 18: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/18.jpg)
© 2017 Synopsys, Inc. 18
6. Use cryptography correctly
![Page 19: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/19.jpg)
© 2017 Synopsys, Inc. 19
Use cryptography correctly
üUse standard algorithms and libraries
üCentralize and re-use
üDesign for crypto agility
üGet help from real experts
§ Getting crypto right is VERY hard
§ Do not roll your own
§ Watch out for key management issues
§ Avoid non-random “randomness”
![Page 20: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/20.jpg)
© 2017 Synopsys, Inc. 20
7. Identify sensitive data and how they should be handled
![Page 21: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/21.jpg)
© 2017 Synopsys, Inc. 21
Identify sensitive data and how they should be handled
üKnow where your sensitive data are
üClassify your data into categories
üConsider data controlsü File, memory, database
protection
üPlan for change over time
§ Do not forget that data sensitivity is often context sensitive
§ Confidentiality is not data protection
§ Watch out for trust boundaries
![Page 22: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/22.jpg)
© 2017 Synopsys, Inc. 22
8. Always consider the users
![Page 23: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/23.jpg)
© 2017 Synopsys, Inc. 23
Always consider the users
üThink about: deployment, configuration, use, update
üKnow that security is an emergent property of the system
üConsider user culture, experience, biases, …
üMake things secure by default
§ Security is not a feature!
§ Don’t impose too much security
§ Don’t assume the users care about security
§ Don’t let the users make security decisions
![Page 24: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/24.jpg)
© 2017 Synopsys, Inc. 24
9. Understand how integrating external components changes your attack surface
![Page 25: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/25.jpg)
© 2017 Synopsys, Inc. 25
Understand how integrating external components changes your attack surface
üTest your components for security
üInclude external components and dependencies in review
üIsolate components
üKeep an eye out for public security information about components
§ Composition is dangerous
§ Security risk can be inherited
§ Open source is not secure
§ Don’t trust until you have applied and reviewed controls
§ Watch out for extra functionality
![Page 26: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/26.jpg)
© 2017 Synopsys, Inc. 26
10. Be flexible when considering future changes to objects and actors
![Page 27: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/27.jpg)
© 2017 Synopsys, Inc. 27
Be flexible when considering future changes to objects and actors
üDesign for change
üConsider security updates
üMake use of code signing and code protection
üAllow isolation and toggling
üHave a plan for “secret compromise” recovery
§ Watch out for fragile and/or brittle security
§ Be careful with code signing and system administration/operation
§ Keeping secrets is hard
§ Crypto breaks
![Page 28: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/28.jpg)
© 2017 Synopsys, Inc. 28
Center for Secure Design Early Contributors
Synopsys
![Page 29: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/29.jpg)
© 2017 Synopsys, Inc. 29
Where to learn more
![Page 30: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/30.jpg)
© 2017 Synopsys, Inc. 30
Silver Bullet + Writings
• Monthly Silver Bullet podcast with Gary McGraw: www.synopsys.com/silverbullet
• Writings, Blogs, Musicgarymcgraw.com
![Page 31: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/31.jpg)
© 2017 Synopsys, Inc. 31
The Book + BSIMM8
• How to DO software security– Best practices– Tools– Knowledge– bsimm.com
• Cornerstone of the Addison-Wesley Software Security Series: www.swsec.com
![Page 32: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/32.jpg)
© 2017 Synopsys, Inc. 32
Build Security In
• Download the IEEE CSD documenthttp://bit.ly/ieee-CSD
• Send me e-mail: [email protected]
• @cigitalgem
![Page 33: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/33.jpg)
SERC Talks October 4, 2017 3
SERC 2017 Annual Events
For more information or any questions regarding this event, please contact:Ms. Monica Brito or Ms. Megan Clifford
![Page 34: WELCOME [sercuarc.org]€¦ · SERC Talks October 4, 2017 1 Today’s session will be recorded. An archive of today’s talk will be available at:](https://reader033.vdocuments.mx/reader033/viewer/2022042407/5f211a976310654b82315c17/html5/thumbnails/34.jpg)
SERC Talks October 4, 2017 4
UPCOMING TOPICS:
“The Dilemmas of Cybersecurity -- Why is Everything Broken?”
Dr. William Scherlis, Institute for Software Research, Carnegie Mellon University
November 1, 2017 | 3:00 pm ET
Thank you for joining us! Please check back on the SERC website for today’s recording and future SERC Talks information!
Cybersecurity Series