Treating Security Vulnerabilities As Software Defects
-
Upload
denim-group -
Category
Technology
-
view
4.256 -
download
0
description
Transcript of Treating Security Vulnerabilities As Software Defects
![Page 1: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/1.jpg)
Treating Security Vulnerabilities As Software Defects
SANS What Works In AppSec 2010
Friday February 5th, 2010
![Page 2: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/2.jpg)
1
Agenda
• Something Most Security Vendors Won’t Tell You
• The Wrong Way to Do It
• A More Excellent Way
• Strategies
• Demo
• Questions?
![Page 3: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/3.jpg)
Something Most Security Vendors Won’t Tell You
2
![Page 4: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/4.jpg)
Something Most Security Vendors Won’t Tell You
Finding Vulnerabilities is Easy
Fixing Vulnerabilities is Valuable
3
![Page 5: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/5.jpg)
The Wrong Way to Do It
4
![Page 6: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/6.jpg)
The Wrong Way to Do It
Dan: What is your application security strategy
A: We bought Scanner XYZ
Dan: Cool! Have you started using it?
A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got
the license key.
Dan: All right! Did you find anything?
A: Oh yeah! We found all sorts of scary stuff.
Dan: Well what did you do about it?
A: We sent the PDF report to the development team and told them to fix the
problems.
Dan: Were they successful?
A: I don’t know. I guess I should check in on that…
5
![Page 7: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/7.jpg)
Why Is This Bad?
• PDFs are blobs
• Email is infinitely ignorable
• Lumps all vulnerabilities together
• No guidance for developers
• Just plain rude
6
![Page 8: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/8.jpg)
A More Excellent Way
7
![Page 9: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/9.jpg)
A More Excellent Way
• Treat (Application) Security Vulnerabilities as Software Defects
• Why?
– Developers have to fix the issues eventually
– Developers understand defects
– Even most “loosely-structured” development teams have defect tracking systems
8
![Page 10: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/10.jpg)
What Makes a Good Security Defect?
9
![Page 11: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/11.jpg)
What Makes a Good Security Defect?
• Why do I care?
• Scope
• Where is it?
• How do I fix it?
10
![Page 12: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/12.jpg)
Why Do I Care?
11
![Page 13: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/13.jpg)
Why Do I Care?
• Do not rely solely on the defect to communicate this
– Simply pumping defects into the defect tracking system is unlikely to be effective
• Provide context
• Provide steps to reproduce
– Automated if possible
• Transparency!
12
![Page 14: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/14.jpg)
Scope
13
![Page 15: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/15.jpg)
Scope
• Defects that take 5 minutes to fix take far longer to administer
– Especially with mature (elaborate) QA processes
• Maximum time: 16 hours– http://www.joelonsoftware.com/items/2007/10/26.html
• Target: 1-16 hours
– Long enough to be an actual task, short enough to be predictable
– Defects for technical vulnerabilities should be shorter
– Defects for logical vulnerabilities can be longer
14
![Page 16: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/16.jpg)
Where Is It?
15
![Page 17: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/17.jpg)
Where Is It?
• Providing location information removes a “barrier” to fixing
• Better location information leads to quicker fix times
• Dynamic analysis: attack surface location
– Vulnerability type, URL, possibly parameter
– (For web applications)
• Static analysis: code location
– Filename
– Line (and hopefully column)
– Include actual code if possible in case underlying codebase has changed
16
![Page 18: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/18.jpg)
How Do I Fix It?
17
![Page 19: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/19.jpg)
How Do I Fix It?
• Prescriptive guidance is required here
– Removes a reason not to fix
– Leads to consistency
• Does your organization have an ESAPI? Does it address this issue?
18
![Page 20: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/20.jpg)
Why Is This Approach Better?
• Defects are structured data
• Defects are durable
• Vulnerabilities have been portioned out into tractable chunks of “work”
• We have provided prescriptive guidance
• Communicates with developers via systems they already use
19
![Page 21: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/21.jpg)
Strategies
20
![Page 22: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/22.jpg)
Strategies
• Group by location
• Group by type
• Group by severity
21
![Page 23: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/23.jpg)
Grouping By Location
• By file/URL or by directory
• Pros:
– Helpful if there is one “owner” for that area of the code
– Can help to minimize requirements for QA regression testing
• Cons:
– Different vulnerability types require different fixes
– Can be hard to keep things straight
22
![Page 24: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/24.jpg)
Grouping By Type
• By vulnerability type (XSS, SQL injection, authorization issue, etc)
• Pros:
– Similar vulnerabilities often have very similar fixes
– Economies of assembly lines – get Henry Ford on vulnerabilities
– Approach with a “punchlist” mentality
• Cons:
– There can be LOTS of vulnerabilities of a given type if bad coding idioms are in use
23
![Page 25: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/25.jpg)
Grouping By Severity
• High, medium, low
• Pros:
– Can help you game certain metric programs
• Cons:
– Least tied to how developers work
– Different types of vulnerabilities
– Cutting across functional areas
24
![Page 26: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/26.jpg)
Strategies (continued)
• Combine more than one
– Group by type or severity and then by location
25
![Page 27: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/27.jpg)
What About BIG Issues?
• Serious issues can map to multiple defects
• REALLY serious issues can map to enterprise change management
initiatives
26
![Page 28: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/28.jpg)
What About Non-Software Vulnerabilities?
• Transition to change management systems rather than defect tracking
systems
27
![Page 29: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/29.jpg)
Demo
28
![Page 30: Treating Security Vulnerabilities As Software Defects](https://reader034.fdocuments.net/reader034/viewer/2022051816/54708ae8b4af9fb90a8b47ac/html5/thumbnails/30.jpg)
Contact
Dan Cornell
(210) 572-4400
@danielcornell
Web: www.denimgroup.com
Blog: blog.denimgroup.com
Vuln Mgr: vulnerabilitymanager.denimgroup.com
29