Applying the Secure Development Lifecycle to the WCF
Maciej “Ski” Skierkowski, Program Manager, Microsoft Corporation
Agenda
- Introduction
  - Abstract
  - Motivation
  - What is the SDL?
  - Format
  - Value Proposition
- Secure Development Lifecycle Overview
- SDL Stages
  - SDL & WCF Implementation
  - Customer Impact
- Q & A
Abstract
This talk will describe how the Windows Communication Foundation (Indigo) team applied the Trustworthy Computing Security Development Lifecycle to the WCF infrastructure. I’ll elaborate on the processes we followed for design reviews, threat modeling, and security testing. I’ll also describe how these processes (and lessons) can apply to securing your WCF applications.
Motivation
Motivation: Protect Assets
Key Players
- Hackers (me at age 16) and “Script kiddies”
- Disgruntled employees
- Spammers for profit
Assets
- Company reputation
- Personal Identifiable Information
- Financial Information
SDL & Format & Value
What is the SDL?
- Process set up at Microsoft as a part of the Trustworthy Computing effort.
- Parallels the standard software development lifecycle.
- Focus on threat modeling and testing against the threat model.
Format: For each step of the process I will introduce the step, its application to WCF, and how you can apply the process to your software.
Value
- The SDL makes WCF secure.
- Apply the SDL to your product.
Secure Development Lifecycle Overview
Secure by Design: the software should be architected, designed, and implemented so as to protect itself and the information it processes, and to resist attacks.
Secure by Default: in the real world, software will not achieve perfect security, so designers should assume that security flaws will be present. To minimize the harm that occurs when attackers target these remaining flaws, the software's default state should promote security. For example, software should run with the least necessary privilege, and services and features that are not widely needed should be disabled by default or accessible only to a small population of users.
Secure in Deployment: tools and guidance should accompany software to help end users and/or administrators use it securely. Additionally, updates should be easy to deploy.
Education and Awareness: SDL & WCF
SDL
- All engineers have to take 2 discipline-specific courses.
- Recommendation: Writing Secure Code, 2nd Edition; Threat Modeling
- Keep tabs on everyone's training experience.
WCF
- Everyone has a copy of the “Threat Modeling” and “Writing Secure Code” books.
- During the Security Push, sent a “security bug of the day”.
Education and Awareness: Customer
- Developers love challenges. Give prizes for finding security bugs.
- Send out emails about funny, brilliant, or just pathetic security bugs.
- Provide knowledge (e.g. books, training).
- Security questions also make good developer interview questions (skills: think outside the box, creative solutions, and design).
Requirement Phase: SDL & WCF
SDL
- Get a “SWI Buddy”
- Establish a point of contact
- Configure tools for tracking security information
  - Effect: STRIDE
  - Cause: buffer overflow, script injection, race condition, etc.
- Define the Security Bug Bar
WCF
- SWI Buddy for each Windows division
- Secure WCF driving team
- Track effect, cause AND threat model information
- Each milestone has a security bug bar.
Requirement Phase: Customer
- Security “Go-To” person!
- For all development processes (bug tracking, documentation, etc.) include security information.
- Keep track of everything security related (bug/work item tracking, security news, status against the security bar, shared general findings, etc.).
- Track threat models through phases (discovery, mitigation, implementation).
- Design changes are captured by the process.
Design Phase: SDL & WCF
SDL
- V1 software and major re-architectures should undergo a SWI review
- Crypto design requirements
- All design documents should include security impact
- Configure tools
- Firewall exceptions
WCF
- Crypto
  - Encrypted by default
  - Underwent a weak crypto review
  - Crypto agile
- Docs
  - Threat Model doc & bugs
  - Attack surface
  - Security design
- Don’t store/transfer PII if not absolutely needed, and if needed pay extra attention to security (ACL logs)
Design Phase: Customer
- The Security Go-To person should work closely with the Architect. Design with security in mind from the start.
- Are you using strong enough crypto? If custom crypto is needed, undergo extra scrutiny (e.g. what if a vulnerability is discovered?).
- Include a security impact section in design and functional specs. Ask many questions (consider threats from similarly designed systems).
- Use FxCop (pre-2005) or Visual Studio Code Analysis (2005). Link with the work-item tracking system.
- Don’t store/transfer any information that is not needed.
- IT Pros should provide information on the medium (e.g. firewalls, network bottlenecks, etc.).
- THREAT MODELS!! This is your roadmap to security.
(side-note) Threat Modeling
1. Data-Flow Diagram (DFD)
2. Attacks (STRIDE)
   - Spoofing
   - Tampering
   - Repudiation
   - Information Disclosure
   - Denial of Service
   - Elevation of Privilege
3. DFD and STRIDE categories
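As an added example, not from the talk: the three steps above (draw the DFD, apply STRIDE, categorise threats per DFD element) carried out in Python using the standard STRIDE-per-element mapping, recording each threat by its STRIDE category as the "Effect" that the Requirement Phase slides say should be tracked. The client/service/database model, its trust zones, and the assumption that an encrypted and integrity-protected channel mitigates tampering and disclosure on the wire are constructed for this example.

```python
from dataclasses import dataclass

# STRIDE-per-element: the threat categories the SDL threat-modeling practice
# considers for each kind of DFD element (external entity, process, data store, flow).
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; a flow between different zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element
    protected: bool  # channel is encrypted and integrity-protected (e.g. WCF message security)

@dataclass(frozen=True)
class Threat:
    target: str
    effect: str             # STRIDE category, what the talk tracks as the bug's "Effect"
    crosses_boundary: bool  # threats on boundary-crossing flows are reviewed first
    mitigated: bool

def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element to every DFD element and data flow."""
    threats = [Threat(e.name, STRIDE_NAMES[c], False, False)
               for e in elements for c in STRIDE_PER_ELEMENT[e.kind]]
    for f in flows:
        crosses = f.src.zone != f.dst.zone
        for c in STRIDE_PER_ELEMENT["flow"]:
            # A protected channel mitigates tampering and disclosure on the wire, never DoS.
            threats.append(Threat(f.name, STRIDE_NAMES[c], crosses, f.protected and c in "TI"))
    return threats

def open_threats(threats):
    """Threats still lacking a mitigation, boundary-crossing ones first."""
    return sorted((t for t in threats if not t.mitigated),
                  key=lambda t: not t.crosses_boundary)

def build_sample_model():
    """Constructed DFD: an internet client calling a WCF service that reads an order database."""
    client = Element("Client app", "external", "internet")
    service = Element("WCF service", "process", "corpnet")
    db = Element("Orders DB", "store", "corpnet")
    flows = [Flow("SOAP request", client, service, protected=True),  # encrypted by default
             Flow("SQL query", service, db, protected=False)]        # plain inside corpnet
    return [client, service, db], flows
```

Calling `open_threats(enumerate_threats(*build_sample_model()))` returns the 16 unmitigated threats, with the boundary-crossing denial of service on the SOAP request listed first; the two threats the encrypted channel mitigates (tampering and disclosure on that flow) are filtered out.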
Implementation Phase: SDL & WCF
SDL
- Dev, PM, and UE managers meet to discuss what information is required by customers to use the product securely.
- UE creates a plan for authoring customer-facing security documents.
- Build and code analysis tools
- Prohibit use of bad APIs
WCF
- Help files, samples, whitepapers, etc., on developing secure code
- Numerous build and code analysis tools
- Fuzzing
- Static analysis tools
Implementation Phase: Customer
- Visual Studio 2005 comes with code analysis tools in the build process.
- Fuzzing products are available.
- Use documentation to be secure, help your customers be secure, and help their customers be secure.
- Avoid reliance on historically insecure APIs.
- IT Pros: make sure that developers provide information on deploying securely.
Verification Phase: SDL & WCF
SDL
- File, wire, RPC fuzzing
- Security test plan
- Penetration testing
- Update security documents
- Re-evaluate attack surface
- Code review for at-risk components
- Focus entire team
WCF
- Security push: 3 weeks, 200+ people
  - All documents updated
  - All “punted” bugs re-evaluated for security impact
  - Code reviews
  - End-to-end threat analysis
  - A whole lot more
- External vendor conducted black and white hat testing
Verification Phase: Customer
- This is not an overhaul; everything should already be secure.
- Run all tools and security procedures.
- Look at the product from an attacker's perspective.
- Do an end-to-end analysis of the product.
Release Phase: WCF & SDL
SDL
- Final Security Review
  - Is pen testing needed?
  - Bug scrub
  - Checklist
- Release planning
  - Publicly defined support policy
  - Go-to person for security issues
  - Identify resources
- All code must have an identified owner
  - Giblet dependents
WCF
- Release: sign-off on response plan, documentation, FSR. CHECK!
- Code accountability was part of the Security Push.
- Release planning under development
Release Phase: Customer
- Check off that everything is done.
- Public support policy
- Identify go-to person and resources
- Accountability!
  - Code owners
  - Code that you use but didn’t author.
Post Release Phase: SDL & WCF & Customer
- IT Pros deploy with S+D3 (Secure by Design, by Default, in Deployment).
- If a vulnerability is found, is the software configured to detect the origin and prevent it?
- How will attacks be detected?
- Initiate execution of securing the software after a vulnerability is detected.
- Work with customers.
Resources
- Secure Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
- IT Pros Secure Center: http://www.microsoft.com/technet/security/default.mspx
- Microsoft Secure Development Center: http://msdn.microsoft.com/security/
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.