Applying the Secure Development Lifecycle to the WCF

Maciej “Ski” Skierkowski, Program Manager, Microsoft Corporation

Agenda

Introduction
  Abstract
  Motivation
  What is the SDL?
  Format
  Value Proposition

Secure Development Lifecycle Overview

SDL Stages
  SDL & WCF Implementation
  Customer Impact

Q & A

Abstract

This talk will describe how the Windows Communication Foundation (Indigo) team applied the Trustworthy Computing Security Development Lifecycle to the WCF infrastructure. I’ll elaborate on the processes we followed for design reviews, threat modeling, and security testing. I’ll also describe how these processes (and lessons) can apply to securing your WCF applications.

Motivation

Motivation: Protect Assets

Key Players
  Hackers (me at age 16) and “script kiddies”
  Disgruntled employees
  Spammers for profit

Assets
  Company reputation
  Personally Identifiable Information
  Financial information

SDL & Format & Value

What is the SDL?
  Process set up at Microsoft as a part of the Trustworthy Computing effort.
  Parallels the standard software development lifecycle.
  Focus on threat modeling and testing against the threat model.

Format: For each step of the process I will introduce the step, its application to WCF, and how you can apply the process to your own software.

Value
  The SDL makes WCF secure.
  Apply the SDL to your product.

Secure by Design: the software should be architected, designed, and implemented so as to protect itself and the information it processes, and to resist attacks.

Secure by Default: in the real world, software will not achieve perfect security, so designers should assume that security flaws would be present. To minimize the harm that occurs when attackers target these remaining flaws, software's default state should promote security. For example, software should run with the least necessary privilege, and services and features that are not widely needed should be disabled by default or accessible only to a small population of users.

Secure in Deployment: tools and guidance should accompany software to help end users and/or administrators use it securely. Additionally, updates should be easy to deploy.

Secure Development Lifecycle Overview

Education and Awareness: SDL & WCF

All engineers have to take 2 discipline-specific courses.
Recommendation: Writing Secure Code, 2nd Edition; Threat Modeling.
Keep tabs on everyone's training experience.
Everyone has a copy of “Threat Modeling” and “Writing Secure Code”.
During the Security Push, sent a “security bug of the day”.

Education and Awareness: Customer

Developers love challenges. Give prizes for finding security bugs.
Send out emails about funny, brilliant, or just pathetic security bugs.
Provide knowledge (e.g. books, training).
Security questions also make good developer interview questions (skills: thinking outside the box, creative solutions, and design).

Requirement Phase: SDL & WCF

Get a “SWI Buddy” (a contact in the Secure Windows Initiative team).
Establish a point of contact.
Configure tools for tracking security information:
  Effect: STRIDE category
  Cause: buffer overflow, script injection, race condition, etc.
Define the Security Bug Bar.
SWI Buddy for each Windows division.
Secure WCF driving team.
Track effect, cause AND threat model information.
Each milestone has a security bug bar.

Requirement Phase: Customer

Security “Go-To” person!
For all development processes (bug tracking, documentation, etc.) include security information.
Keep track of everything security related (bug/work item tracking, security news, status against the security bar, shared general findings, etc.).
Track threat models through phases (discovery, mitigation, implementation).
Design changes are captured by the process.
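The two requirement-phase slides above ask for three things on every security bug (effect as a STRIDE category, root cause, and a link back to the threat model) and for a security bug bar per milestone. The following is an added example of what a gate built on that data looks like; it is not the WCF team's tooling. The bar thresholds, milestone names (M1, M2, RTM), the threat ids (T-07 and so on) and the work items are all constructed for the illustration. A record that is missing any of the three fields cannot be measured against the bar, so it blocks the milestone until it is triaged.

```python
"""Security bug bar gate for a milestone.

Added illustration, not the WCF team's tooling: the bar thresholds and the
work items are constructed. Each bug record carries the three fields the
slide asks for: Effect (STRIDE letter), Cause (root cause) and a threat
model reference. A record missing any of them cannot be assessed against
the bar, so it blocks the milestone until triaged.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

STRIDE_LETTERS = set("STRIDE")
SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0}

# Constructed bar: which open effects block, and from which severity,
# tightening toward RTM.
BUG_BAR = {
    "M1": {"effects": set("E"), "min_severity": "critical"},
    "M2": {"effects": set("ETI"), "min_severity": "important"},
    "RTM": {"effects": STRIDE_LETTERS, "min_severity": "moderate"},
}


@dataclass
class WorkItem:
    id: int
    title: str
    effect: Optional[str]            # STRIDE letter: what an attacker gains
    cause: Optional[str]             # e.g. "buffer overflow", "script injection", "race condition"
    threat_model_ref: Optional[str]  # threat id in the threat model document (constructed ids)
    severity: str
    status: str                      # "open" or "fixed"


def missing_fields(item: WorkItem) -> List[str]:
    """Names of the required tracking fields this record lacks."""
    missing = []
    if item.effect not in STRIDE_LETTERS:
        missing.append("effect")
    if not item.cause:
        missing.append("cause")
    if not item.threat_model_ref:
        missing.append("threat_model_ref")
    return missing


def blocks(item: WorkItem, milestone: str) -> bool:
    """An open bug blocks when its effect is in the bar and it is severe enough."""
    bar = BUG_BAR[milestone]
    return (item.status == "open"
            and item.effect in bar["effects"]
            and SEVERITY_RANK[item.severity] >= SEVERITY_RANK[bar["min_severity"]])


def gate(items: List[WorkItem], milestone: str) -> Dict:
    """Status of the milestone against its bar, plus the counts a status mail would carry."""
    open_items = [i for i in items if i.status == "open"]
    incomplete = {i.id: missing_fields(i) for i in open_items if missing_fields(i)}
    blockers = sorted(i.id for i in open_items if i.id not in incomplete and blocks(i, milestone))
    return {
        "milestone": milestone,
        "passes": not blockers and not incomplete,
        "blockers": blockers,
        "incomplete": incomplete,
        "open_by_effect": dict(Counter(i.effect for i in open_items if i.effect in STRIDE_LETTERS)),
        "open_by_cause": dict(Counter(i.cause for i in open_items if i.cause)),
    }


# Constructed work items for the illustration.
SAMPLE_ITEMS = [
    WorkItem(1, "unchecked length in message framing", "E", "buffer overflow", "T-07", "critical", "open"),
    WorkItem(2, "stack trace returned in SOAP fault", "I", "verbose error message", "T-12", "moderate", "open"),
    WorkItem(3, "no cap on inbound message size", "D", "unbounded resource use", "T-03", "important", "fixed"),
    WorkItem(4, "odd behaviour with concurrent sessions", None, None, None, "important", "open"),
    WorkItem(5, "session state overwritten by parallel call", "T", "race condition", "T-09", "important", "open"),
]

if __name__ == "__main__":
    for milestone in BUG_BAR:
        print(gate(SAMPLE_ITEMS, milestone))
```

Item 4 is the case the slide's "track effect, cause AND threat model information" rule is really about: without those fields nobody can say whether it is a race condition with an elevation-of-privilege effect or a cosmetic glitch, so the gate refuses to pass it through rather than silently ignoring it.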

Design Phase: SDL & WCF

V1 software and major re-architectures should undergo a SWI review.
Crypto design requirements.
All design documents should include security impact.
Configure tools.
Firewall exceptions.
Crypto
  Encrypted by default
  Undergone weak crypto review
  Crypto agile
Docs
  Threat Model Doc & Bugs
  Attack Surface
  Security Design
Don’t store/transfer PII if not absolutely needed, and if needed pay extra attention to security (e.g. ACL the logs).

Design Phase: Customer

The Security Go-To person should work closely with the Architect. Design with security in mind from the start.
Are you using strong enough crypto? If custom crypto is needed, apply extra scrutiny (e.g. what if a vulnerability is discovered?).
Include a security impact section in design and functional specs. Ask many questions (consider threats from similarly designed systems).
Use FxCop (pre-2005) or Visual Studio Code Analysis (2005). Link with the work-item tracking system.
Don’t store/transfer any information that is not needed.
IT Pros should provide information on the medium (e.g. firewalls, network bottlenecks, etc.).
THREAT MODELS!! This is your roadmap to security.

(side-note) Threat Modeling

1. Data-Flow Diagram (DFD)
2. Attacks (STRIDE)
  Spoofing
  Tampering
  Repudiation
  Information Disclosure
  Denial of Service
  Elevation of Privilege
3. DFD and STRIDE Categories
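Step 3 of the side-note, crossing the DFD with the STRIDE categories, is mechanical enough to script. The following is an added example, not the WCF team's threat model or tooling: the DFD is a constructed sketch of a client calling a WCF service backed by a database, and the element-to-category table is the commonly used Microsoft STRIDE-per-element mapping (the assumed variant is the one in which data stores are also subject to repudiation, as audit logs are). Each resulting threat carries a single STRIDE letter, which is the "Effect" field the requirement-phase slide wants on every bug.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added illustration: the DFD below is a constructed sketch of a WCF
client / service / database, not the WCF team's actual threat model, and
the element-to-category table is the commonly used Microsoft
STRIDE-per-element mapping (assumed variant: data stores are also subject
to Repudiation, as audit logs are).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which STRIDE categories apply to each kind of DFD element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    crosses_trust_boundary: bool = False  # relevant for data flows


@dataclass(frozen=True)
class Threat:
    element: str
    category: str  # one STRIDE letter; becomes the bug record's "Effect" field
    description: str


def sample_dfd() -> List[Element]:
    """Constructed DFD: a client calling a WCF service backed by a database."""
    return [
        Element("client", "external_entity"),
        Element("order service (WCF)", "process"),
        Element("orders DB", "data_store"),
        Element("client -> service (SOAP/HTTP)", "data_flow", crosses_trust_boundary=True),
        Element("service -> orders DB", "data_flow"),
    ]


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Step 3 of the side-note: cross every DFD element with its STRIDE categories."""
    threats = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {el.kind!r}")
        for letter in APPLICABLE[el.kind]:
            kind_text = el.kind.replace("_", " ")
            threats.append(Threat(el.name, letter, f"{STRIDE[letter]} of {kind_text} {el.name!r}"))
    return threats


def count_by_category(threats: List[Threat]) -> Dict[str, int]:
    """How many candidate threats land in each STRIDE 'Effect' bucket."""
    return dict(Counter(t.category for t in threats))


def prioritize(threats: List[Threat], elements: List[Element]) -> List[Threat]:
    """Review threats on trust-boundary crossings first; the rest grouped by element."""
    boundary = {e.name for e in elements if e.crosses_trust_boundary}
    return sorted(threats, key=lambda t: (t.element not in boundary, t.element, t.category))


if __name__ == "__main__":
    dfd = sample_dfd()
    for t in prioritize(enumerate_threats(dfd), dfd):
        print(f"[{t.category}] {t.description}")
```

The enumeration deliberately over-generates: every candidate is a question to answer in the design review, and the ones that are accepted or mitigated are what get tracked through the discovery, mitigation and implementation phases the requirement slide mentions. Putting the trust-boundary crossing first is the usual triage order, since that is where the client-supplied data enters the service.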

Implementation Phase: SDL & WCF

Dev, PM, and UE (User Education) managers meet to discuss what information is required by customers to use the product securely.
UE creates a plan for authoring customer-facing security documents.
Build and code analysis tools.
Prohibit use of bad APIs.
Help files, samples, whitepapers, etc., on developing secure code.
Numerous build and code analysis tools.
Fuzzing.
Static analysis tools.

Implementation Phase: Customer

Visual Studio 2005 comes with code analysis tools in the build process.
Fuzzing products are available.
Use documentation to be secure, help your customers be secure, and help their customers be secure.
Avoid reliance on historically insecure APIs.
IT Pros: make sure that developers provide information on deploying securely.

Verification Phase: SDL & WCF

File, wire, and RPC fuzzing.
Security test plan.
Penetration testing.
Update security documents.
Re-evaluate attack surface.
Code review for at-risk components.
Focus the entire team.
Security push: 3 weeks, 200+ people.
  All documents updated.
  All “punted” bugs re-evaluated for security impact.
  Code reviews.
  End-to-end threat analysis.
  A whole lot more.
External vendor conducted black- and white-hat testing.

Verification Phase: Customer

This is not an overhaul; everything should already be secure.
Run all tools and security procedures.
Look at the product from the attacker's perspective.
Do an end-to-end analysis of the product.
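Fuzzing appears twice in the deck, under implementation ("fuzzing products available") and under verification ("file, wire, RPC fuzzing"). The following added example shows the shape of a wire fuzzer in miniature; it is not WCF's framing protocol, not the WCF team's fuzzer, and not a product. The message format (4-byte big-endian length, payload, one checksum byte, trailing bytes ignored) and the parser are constructed, and the parser carries a deliberate defect of the kind wire fuzzing is good at finding: it never rejects a zero length before doing arithmetic with it. The harness mutates a valid seed message, treats the parser's own MalformedMessage as a clean rejection, and records any other exception as a crash with its first reproducer.

```python
"""Minimal mutation fuzzer for a length-prefixed wire message.

Added illustration of wire fuzzing. The message format, the parser and its
deliberate defect are constructed for this example; this is not WCF's
framing protocol or the WCF team's fuzzer.
"""
import random
from typing import Dict, Optional

INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary values fuzzers try first


class MalformedMessage(Exception):
    """The error the parser is *supposed* to raise on bad input."""


def parse_message(buf: bytes) -> dict:
    """Constructed format: 4-byte big-endian length, payload, 1-byte checksum.

    Bytes after the checksum are ignored (as a lenient receiver might)."""
    if len(buf) < 5:
        raise MalformedMessage("too short")
    length = int.from_bytes(buf[:4], "big")
    payload = buf[4:4 + length]
    if len(payload) != length or len(buf) < 4 + length + 1:
        raise MalformedMessage("length does not match buffer")
    # Defect under test: a zero length field is never rejected, so the
    # "mean byte" calculation below divides by zero. In a real service an
    # unhandled exception like this is a one-frame denial of service; the
    # fix is to validate the length (here: reject 0) before using it.
    mean = sum(payload) // length
    if buf[4 + length] != (sum(payload) & 0xFF):
        raise MalformedMessage("checksum mismatch")
    return {"length": length, "mean": mean, "payload": payload}


def seed_message() -> bytes:
    """A well-formed message to mutate from (constructed)."""
    payload = b"hello"
    return len(payload).to_bytes(4, "big") + payload + bytes([sum(payload) & 0xFF])


def mutate(buf: bytes, rng: random.Random) -> bytes:
    """Apply one to three random mutations: interesting byte, bit flip, truncate."""
    data = bytearray(buf)
    for _ in range(rng.randint(1, 3)):
        if not data:
            break
        pos = rng.randrange(len(data))
        op = rng.randrange(3)
        if op == 0:
            data[pos] = rng.choice(INTERESTING)
        elif op == 1:
            data[pos] ^= 1 << rng.randrange(8)
        else:
            del data[pos:]
    return bytes(data)


def classify(buf: bytes) -> Optional[str]:
    """None = accepted; 'MalformedMessage' = rejected cleanly; anything else = crash."""
    try:
        parse_message(buf)
        return None
    except MalformedMessage:
        return "MalformedMessage"
    except Exception as exc:  # any other exception type is a finding
        return type(exc).__name__


def fuzz(seed: bytes, iterations: int = 3000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Return the first reproducer for each crash type found."""
    rng = random.Random(rng_seed)
    findings: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        outcome = classify(case)
        if outcome not in (None, "MalformedMessage") and outcome not in findings:
            findings[outcome] = case
    return findings


if __name__ == "__main__":
    for crash_type, reproducer in fuzz(seed_message()).items():
        print(crash_type, reproducer.hex())
```

The triage split is the part worth copying: a parser that rejects input with its own documented error is behaving, so the harness only keeps outcomes the code did not anticipate, keyed by exception type so that one root cause does not flood the results. The same shape scales to file fuzzing (mutate a document, run the loader) and RPC fuzzing (mutate a serialized call, invoke the dispatcher).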

Release Phase: WCF & SDL

Final Security Review (FSR)
  Is pen testing needed?
  Bug scrub
  Checklist
Release planning
  Publicly defined support policy
  Go-to person for security issues
  Identify resources
All code must have an identified owner.
Giblet dependents (code you use but didn’t author).
Release: sign-off on response plan, documentation, FSR.
CHECK!
Code accountability was part of the Security Push.
Release planning under development.

Release Phase: Customer

Check off that everything is done.
Public support policy.
Identify go-to person, and resources.
Accountability! Code owners.
Code that you use but didn’t author.

Post Release Phase: SDL & WCF & Customer

IT Pros deploy with SD3 (Secure by Design, Secure by Default, Secure in Deployment).
If a vulnerability is found, is the software configured to detect the origin and prevent it?
How will attacks be detected?
Initiate execution of the plan for securing the software after a vulnerability is detected.
Work with customers.

Resources

Secure Development Lifecycle: http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp
IT Pros Secure Center: http://www.microsoft.com/technet/security/default.mspx
Microsoft Secure Development Center: http://msdn.microsoft.com/security/

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.