AppsSec In a DevOps World

Post on 16-Apr-2017



Application Security in a DevOps World

Three Methods for Shifting Left

One weak spot is all it takes

Software Security Defined

“Software security is the idea of engineering software so that it continues to function correctly under malicious attack.”

“Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities.”

(Gary McGraw, Cigital)

https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security

Agenda

DevOps and DevSecOps (or is it DevOpsSec?)

Pen-testing

Static analysis & Prevention

Hybrid testing

Risk management – OWASP style

Prevalence, Detectability, Exploitability, Impact

Real Business Impacts

Penetration Testing

• Verify that security policy is working

• Tests from the outside in

• Variety of scenarios, such as:

– Parameter fuzzing

– Unexpected packets on the bus

– XML Bombs

– Unauthorized Bluetooth

– Unexpected TPMS (tire pressure monitoring system) input

IoT specifics

• Multi-layered systems

• Disparate technologies

• Functionality spanning across many layers

Effectiveness of Pen-testing

• Labor intensive

• Difficult to automate

• Difficult to start early

• Requires inter-team synchronization

• Difficult to test error handlers

• Failed tests do not provide precise information about failure points

Static Analysis

Pattern-based:

• Low false positives

• Fast

• Prevention focus

Flow-based:

• Real bugs

• Complex issues

• Mirror real use

• Fix focus

Fix or Prevent

Purpose of Coding Standards

• “Proven programming practices leading to safe, reliable, testable, and maintainable code”

• “Address potentially unsafe language features, and provide programming rules to avoid those pitfalls”

• “By providing “safer” alternatives to “unsafe” facilities, known problems … are avoided. In essence, programs are written in a “safer” subset of a superset.”

Simple Prevention Process – an example

Detect the error

•Load testing shows leaking connections to the database

Find the cause

•Open connections aren’t being closed, causing resource leaks

Locate the point in production that caused the error

•Developer has forgotten to close db connections upon client termination

Implement preventative process

•Use a coding standard to ensure each open connection is closed before exit

Monitor the process

•Use static analysis to enforce the standard

Add regression test

• Add a test to confirm the problem was fixed and doesn’t return

Coding Defensively: Validating inputs

[Slide diagram: 3 entry points, 9 paths through the code, 4 potential vulnerabilities. The solution: validate inputs upon entry, at each of the 3 entry points.]

Preventing SQL Injection

// Vulnerable: untrusted request parameters are concatenated straight into the query
String username = request.getParameter("USER");
String password = request.getParameter("PASSWORD");
String query = "SELECT * FROM Users WHERE username='" + username + "' AND password='" + password + "'";
stmt.execute(query);

An attacker passes "' or 1=1" for username, creating:

SELECT * FROM Users WHERE username='' or 1=1 AND password='foo'

Prevention: wrap input in validation:

String username = validate(request.getParameter("USER"));

String password = validate(request.getParameter("PASSWORD"));
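The two rule styles from the Static Analysis slide, applied to the prevention process above (unclosed connections) and to this login query, as an added example that is not Parasoft's tooling or the deck's own code: a small Python checker with a pattern rule for JDBC connections that are never closed and a flow rule for request parameters that reach execute() without passing through validate(). The Java snippets are constructed, and the regex approach only handles straight-line statements like the slide's; a real analyzer works on an AST.

```python
import re

# Constructed Java snippets: the deck's vulnerable login query plus an unclosed JDBC connection, and the fixed form
VULNERABLE = '''String username = request.getParameter("USER");
String password = request.getParameter("PASSWORD");
String query = "SELECT * FROM Users WHERE username='" + username + "' AND password='" + password + "'";
stmt.execute(query);
Connection conn = DriverManager.getConnection(url);
'''
FIXED = '''String username = validate(request.getParameter("USER"));
String password = validate(request.getParameter("PASSWORD"));
String query = "SELECT * FROM Users WHERE username='" + username + "' AND password='" + password + "'";
stmt.execute(query);
try (Connection conn = DriverManager.getConnection(url)) { }
'''

def check_connection_leak(src):
    """Pattern rule (coding standard): every getConnection() result must be
    declared in a try-with-resources header or explicitly closed."""
    findings = []
    for m in re.finditer(r'(\w+)\s*=\s*\w+\.getConnection\(', src):
        var = m.group(1)
        line = src[:m.start()].count("\n") + 1
        in_try = re.search(r'try\s*\([^)]*\b' + re.escape(var) + r'\s*=', src)
        closed = re.search(r'\b' + re.escape(var) + r'\.close\(\)', src)
        if not in_try and not closed:
            findings.append((line, f"connection '{var}' is never closed"))
    return findings

def check_sql_taint(src):
    """Flow rule: request.getParameter() results are tainted unless wrapped in
    validate(); taint follows concatenation and is reported at execute*()."""
    tainted, findings = set(), []
    for n, line in enumerate(src.splitlines(), 1):
        assign = re.match(r'\s*(?:String\s+)?(\w+)\s*=\s*(.+);\s*$', line)
        if assign:
            var, rhs = assign.groups()
            code = re.sub(r'"[^"]*"', '""', rhs)   # ignore names inside string literals
            if 'getParameter(' in rhs and not rhs.strip().startswith('validate('):
                tainted.add(var)                    # raw untrusted input
            elif any(re.search(r'\b' + t + r'\b', code) for t in tainted):
                tainted.add(var)                    # taint propagates through concatenation
            else:
                tainted.discard(var)                # reassigned from clean data
        call = re.search(r'execute\w*\(\s*(\w+)\s*\)', line)
        if call and call.group(1) in tainted:
            findings.append((n, f"tainted '{call.group(1)}' reaches execute()"))
    return findings
```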

Selecting Static Analysis

Handling of:

• Severity levels

• Suppressions

• Code based on age

Integration with SCM

Integration with bug tracking (internal & field)

Integration with peer review

Analytics

Hybrid Security Analysis - IAST

• Penetration testing to automatically generate and run penetration attack scenarios

• Runtime error detection to monitor the back-end during test execution to determine whether security is actually compromised

• Correlates each runtime error with the functional test being run—allowing you to trace each reported error to the specific use case

Hybrid Security Analysis

How to do it better?

• Use stubs, mocks and service virtualization to improve testing automation

– Isolate at the message layer

– Simulate functional scenarios and performance conditions

Divide & Conquer with Service Virtualization

Separate critical components

Move testing earlier

Isolate attack surfaces

Run functional tests vs. security scenarios

Security Cases with Service Virtualization

[Slide diagrams: virtual services stand in for the Dependent Application, Accounts Database and Mainframe around the System Under Test; security cases shown: SSL certificates (acceptable/unacceptable), SQL injection, and a malicious response returned by a virtual service.]
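A virtual service standing in for the Accounts Database box above, as an added example that is not from the deck or Parasoft: the system under test (lookup_balance, an assumed name) is run against a normal response and against the malicious and malformed responses the slides call out, with no real back end involved. All scenario data and names are constructed.

```python
import json

# Canned responses the virtual service plays back; "malicious_response" puts the
# deck's injection string where a number belongs, "oversized" floods the field.
SCENARIOS = {
    "normal": {"account": "A-1001", "balance": 250.0, "currency": "USD"},
    "malicious_response": {"account": "A-1001", "balance": "' or 1=1", "currency": "USD"},
    "oversized": {"account": "A-1001", "balance": "x" * 5000, "currency": "USD"},
    "missing_field": {"account": "A-1001"},
}
MAX_BODY = 1024  # assumed limit for a single account record

class BadUpstreamResponse(Exception):
    """Raised by the system under test when the dependent service misbehaves."""

class VirtualAccountsService:
    """Message-layer stand-in for the accounts back end (hypothetical)."""
    def __init__(self, scenario="normal"):
        self.scenario = scenario

    def get_account(self, account_id):
        return json.dumps(SCENARIOS[self.scenario])

def lookup_balance(service, account_id):
    """System under test: validates the dependent service's reply before using
    it, so a compromised or faulty back end cannot crash or mislead it."""
    body = service.get_account(account_id)
    if len(body) > MAX_BODY:
        raise BadUpstreamResponse("response too large")
    data = json.loads(body)
    balance = data.get("balance")
    if not isinstance(balance, (int, float)) or isinstance(balance, bool):
        raise BadUpstreamResponse("balance is not numeric")
    if data.get("account") != account_id:
        raise BadUpstreamResponse("account mismatch")
    return float(balance)

def run_security_cases(account_id="A-1001"):
    """Run every scenario; the SUT must either return a balance or reject the
    reply with BadUpstreamResponse. Any other exception is a failed case."""
    results = {}
    for name in SCENARIOS:
        try:
            results[name] = ("ok", lookup_balance(VirtualAccountsService(name), account_id))
        except BadUpstreamResponse as e:
            results[name] = ("rejected", str(e))
    return results
```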

Conclusion

• Standards and static analysis applied properly prevent errors

• Integrated results provide control, measurement, and traceability

• Cost of solid prevention methodology is less than the cost of dealing with bad software

Security Resources

CWE – Common Weakness Enumeration

• http://cwe.mitre.org

CERT – Secure Coding Guidelines

• https://www.securecoding.cert.org

Build Security In – Collaborative security effort

• https://buildsecurityin.us-cert.gov

Parasoft

• Web – http://www.parasoft.com

• IoT Hall-of-Shame – http://bit.ly/iotshame

• Blog

– http://alm.parasoft.com

– http://codecurmudgeon.com

• Social

– Facebook: https://www.facebook.com/parasoftcorporation

– Twitter: @Parasoft @CodeCurmudgeon

– LinkedIn: http://www.linkedin.com/company/parasoft