Are Security and Quality Assurance Part of Your Software Development Life Cycle?
description
Transcript of Are Security and Quality Assurance Part of Your Software Development Life Cycle?
Are Security and Quality Assurance Part of Your Software
Development Life Cycle?
Joshua Drummond, Security Architect
Carmen Roode, Associate Director of Systems Development
Marina Arseniev, Associate Director of Enterprise Architecture
University of California, Irvine
Statistics you need to know!
• 3 out of 4 vendor apps we tested had serious SQL Injection bugs!
• 75% of attacks today happen at the Application (Gartner)
• “The cost of correcting code in production increases up to 100 times as compared to in development...”
- (1) MSDN (November, 2005) “Leveraging the Role of Testing and Quality Across the Lifecycle to Cut Costs and Drive IT/Business Responsiveness “
- http://msdn.microsoft.com/vstudio/why/testingquality/default.aspx
• The cost and reputation savings of avoiding a security breach are “priceless”
Higher-Ed Security Incidentshttp://www.privacyrights.org
People Date Type 178,000 April 2004 Hacking
380,000 May 2004 Hacking
207,000 May 2004 Stolen laptop/Hack
600,000 Sept 2004 Hacking
98,400 March 2005 Stolen laptop
59,000 March 2005 Hacking
120,000 March 2005 Hacking
106,000 April 2005 Hacking
40,000 April 2005 Hacking
150,000 June 2005 Dishonest Insider
72,000 June 2005 Hacking
15,000 June 2005 Stolen laptop
27,000 July 2005 Hacking
People Date Type 42,000 July 2005 Hacking
270,000 July 2005 Exposed online- Injection
31,077 July 2005 Hacking
36,000 August 2005 Hacking
61,709 August 2005 Hacking
100,000 August, 2005 Hacking
49,000 August 2005 Hacking
100,000 Sept 2005 Stolen computer
21,762 Sept 2005 Exposed Online
2,800 October 2005 Exposed Online
9,100 October 2005 Exposed Online
93,000 March 2006 Stolen laptop
41,000 March 2006 Hacking
Agenda
• Demo of Common Application Hacks
• 7 Steps to Integrating SDLC and Security
• SDLC and Sample Checklists
• Security Architecture
• Useful URLs and Q&A
What do Hackers do?
• Application security testing is a “nascent market”. *– Browser caching – Cookie and URL hacks– SQL Injection – Cross-site Scripting
*Gartner
Browser Page Caching
• Be aware of differences between browsers!• Pages with sensitive data should not be cached:
page content is easily accessed using browser’s history
• Use the following tags to disable page caching:
<META HTTP-EQUIV="Pragma" CONTENT="no-cache"><META HTTP-EQUIV="Cache-Control" CONTENT=“no-store, no-cache"><META HTTP-EQUIV="Expires" CONTENT="-1">
Browser Page Caching
Cookies and URLs
• Sensitive data in cookies and URLs?– Issues that arise are:
• Information is stored on a local computer (as files or in the browser’s history)• Unencrypted data can be intercepted on the network and/or logged into unprotected web log files
– To prevent unauthorized data access:• Do NOT store sensitive data of any kind in cookies or URLs• Use non-persistent cookies (that disappear once a browser is closed) instead of persistent ones.• Use HTTP POST instead of GET when submitting data
SQL Injection Attacks
Web App
Hacker
Uses SQL scriptinjection to
access data
“SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements. “ (Wikipedia)
SQL Injection Attacks
• Example of attack:– SQL Query in Web application code:
• “SELECT * FROM users WHERE login = ‘” + userName + “’ and password= ‘” + password + “’;”
– Hacker logs in as: ‘ or ‘’ = ‘’; -- • SELECT * FROM users WHERE login = ‘’ or ‘’ = ‘’; --'; and password=‘’;
– Hacker deletes the users table with: ‘ or ‘’ = ‘’; DROP TABLE users; --• SELECT * FROM users WHERE login = ‘’ or ‘’=‘’; DROP TABLE users; --'; and password=‘’;
• SQL Injection examples are outlined in:– http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf – http://www.unixwiz.net/techtips/sql-injection.html
SQL Injection Attacks Demo
SQL Injection Attacks Demo
SQL Injection Attacks Demo
Cross-Site Scripting (XSS) Attacks
• Malicious code can secretly gather sensitive data from user while using authentic website (login, password, cookie)
Cross-Site Scripting (XSS) Attacks
• Modified URL– URL parameters are modified on the URL to
contain script code – Input is not validated and displayed as entered
on the resulting dynamic webpage
Cross-Site Scripting (XSS) Attacks
Web App
Hacker
Injects scriptinto web site
CompromisedWeb App
Retrieves compromisedpage content
Unknowinglyexecutes script
End User
XSS: Script Injection Demo
XSS: Script Injection Demo
Preventing SQL injection and XSS
• VALIDATE all user entered parameters– CHECK data types and lengths– DISALLOW unwanted data (e.g. HTML tags,
JavaScript)– ESCAPE questionable characters (ticks,
--,semi-colon, brackets, etc.)
Agenda
• Demo of Common Application Hacks
• 7 Steps to Integrating SDLC and Security
• SDLC and Sample Checklists
• Security Architecture
• Useful URLs and Q&A
Integrating SDLC and Security Step 1: Training
You can build the most secure system, however, if users are not educated on how to use it or on today’s security concerns, regulations, and laws, the system will fail.
Email can be unintentionally used to transmit regulated or confidential information – due to lack of education
Private data can be entered into a text field Training is about a specific purpose or certification Education is more general and conceptual Train Project Leaders, Developers, End users, Business
units on global issues and scope of functions they want. Too much trust and assumptions that technical staff and
vendors are aware of all the issues. Assign appropriately trained staff, mentors/reviewers
Integrating SDLC and Security Step 2: Requirements
Acquisition or development Identify Security requirements at requirements
gathering phase Examples of questions to ask and put into formal
template? Compliance requirements – PCI, SB1386, FERPA, HIPAA Risk assessment – normal or high risk application?
Requirements Template
1.1 User Classes and Characteristics<Identify the various user classes that you anticipate will use this product (i.e. users doing updating vs. users with browse access only). User classes may be differentiated based on frequency of use, subset of product functions used, technical expertise, security or privilege levels, educational level, or experience...>
2.5 Design and Implementation Constraints<Describe any items or issues that will limit the options available to the developers. These might include: …corporate or regulatory policies; …interfaces to other applications; specific technologies, tools, and databases to be used; …communications protocols; security considerations.>
3.4 Communications Interfaces<Describe the requirements associated with any communications functions required by this product, including e-mail, web browser, network server communications protocols, electronic forms, and so on. Define any pertinent message formatting. Identify any communication standards that will be used, such as FTP or HTTP. Specify any communication security or encryption issues, data transfer rates, and synchronization mechanisms.>
5.3 Security Requirements<Specify any requirements regarding security or privacy issues surrounding use of the product or protection of the data used or created by the product. Define any user identity authentication requirements. Refer to any external policies or regulations containing security issues that affect the product. Define any security or privacy certifications that must be satisfied.>
ASP Vendor Security Checklist
What certification or audits does the University have that the system will be managed per our guidelines and contract agreement?
How do you manage the system for detection of intrusion.
How often is the system patched, by whom and when?
How are we notified if system security is breached? Notification handling?
How is data purged from the vendor's hardware?
How are disks, tapes, or computers that might store sensitive data disposed of? Are the media erased before disposal or reuse?
Where is the hardware location? Is it inside or outside of the United States? Is it subject to our laws?
Are the personnel who administer and use the hardware located within the United States and subject to our laws?
Is data encrypted? If private data is transmitted, either via
Internet, on CD-ROM or file transfer, is it encrypted?
Is SSL enabled to the application so that traffic over the Internet, including authentication is secure and private?
Data loss, data backups: what are the guarantees? Are backups stored offsite? If backups have sensitive data, are the backups encrypted? Can we store the backup at UCI? How about disaster recovery planning?
How is the hardware or database distributed by the vendor among customers? Is one hardware used for all customers? Is a single database used for all customers or does each customer have a private database?
How are user accounts managed?
Integrating SDLC and Security Step 3: Design
Use your most experienced security experts! Identify vulnerable points
authentication and authorization/access control database or file stores of sensitive data logging/auditing
Identify, design and use common and tested components
Dedicated Security role required in any organization
Integrating SDLC and Security Step 4: Implementation
Implementation/Acquisition – make security “routine” Schedule code reviews Require developers to build unit test harnesses – Junit
Automate nightly code and application security scanning – Jtest, AppScan, Nessus, database security scanning
Schedule network and configuration scanning - Foundstone
Write and use manual security test procedures Perform concurrency and stress testing - Jmeter, OpenSTA
Integration testing Services and APIs Are services or distributed components using encryption? How does an application authenticate to a service?
Integrating SDLC and Security Step 4: Implementation cont.
Functional testing Do you use formal Test Plans or AdHoc? Tied to Requirements? Done by developers and end users? Do Pilot Users test methodically using Test Plans? How do you ensure testing coverage is adequate? SQL Injection testing Browser Compatibility Testing (ex: browser cache) Regression testing
Use Security Checklists / Assessments – code, database, network Test data – “de-identified?” If storage of private data absolutely required, is it encrypted?
Transmission encrypted? Error messages divulge information that can be used by hacker? PCI Compliance scanning/self-assessment passed? HIPAA? Firewalls configured?
Integrating SDLC and Security Step 5,6,7
5. Deployment Create secured test and production environment Helpdesk, Sys Admin, support staff cross-trained? Application security risks Policy issues identified? System and data backups, disaster recovery
6. Operations/Maintenance Repeated “routine” reviews and scanning Change control
7. Decommissioning of Application and Data Retention/preservation of information and data Sanitize media, properly dispose hardware and software
Our Change Control Process
• Coordinate and schedule changes in network, database, applications, OS, firewalls and configurations
– Avoid downtime due to collisions– Avoid accidental security exposures – We use Oracle Calender
• All developers, system and network admins meet every Tuesday morning for at least 15 minutes!
• 2 week notice of all planned changes– Test Plan and checklist required– Identification of required security tasks
• High/low risk identified on all changes• Changes recorded in AdCom ServiceDesk
Security Architecture Governance – Multi-layer
U serIden tity M anagem ent
A u then tica tionE duca tion
N etw ork /W ebA ccoun t A dm in
F irew a lls , E ncryp tionLogg ing/A ud iting
A p plicationA u tho riza tionLogg ing /A ud it
T est T oo ls
D ataA u tho riza tionLogg ing /A ud it
E ncryp tion ,Inven to ry
O p era tio nsB ackups ( inc l o ff-s ite)
Logg ing /A ud itD isaste r R ecove ry
P o licies , S tan d ard s , P ro ced ures , T ech n ica l R efe ren ce A rch itec tu reA pp roved T oo ls and L ifecyc le
E xcep tions by A pp rovalR egu la rly rev iew ed
Security Architecture Lifecycle
Summary of Tools to Try
• Unit Test– Junit for Java, Integrated with Eclipse
• Code Scanning– JTest
• Application/Network/Web Scanning Tools – Foundstone, SiteDigger, AppScan, Nessus
• Load/Stress Test– OpenSTA, JMeter
• Database Scanning– Microsoft Analyzer
• Wiki
Agenda
• Demo of Common Application Hacks
• 7 Steps to Integrating SDLC and Security
• SDLC and Sample Checklists
• Security Architecture
• Useful URLs and Q&A
Q&A
Useful Links• Campus security site: http://www.security.uci.
edu• AdCom's application security checklist:
http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440
• AdCom's Java code review checklist: http://snap.uci.edu/viewXmlFile.jsp?resourceID=1529
• Open Web Application Security Project (OWASP): http://www.owasp.org