AppsSec In a DevOps World
Application Security in a DevOps World Three Methods for Shifting Left

Transcript of AppsSec In a DevOps World

Page 1: AppsSec In a DevOps World

Application Security in a DevOps World: Three Methods for Shifting Left

Page 2: AppsSec In a DevOps World

One weak spot is all it takes

Page 3: AppsSec In a DevOps World

Software Security Defined

“Software security is the idea of engineering software so that it continues to function correctly under malicious attack.”

“Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities.”

(Gary McGraw, Cigital)

https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security

Page 4: AppsSec In a DevOps World

Agenda

DevOps and DevSecOps or is it DevOpsSec

Pen-testing

Static analysis & Prevention

Hybrid testing

Page 5: AppsSec In a DevOps World

Risk management – OWASP style

Prevalence Detectability Exploitability Impact

Page 6: AppsSec In a DevOps World

Real Business Impacts

Page 7: AppsSec In a DevOps World

Penetration Testing

• Verify that security policy is working

• Tests from the outside in

• Variety of scenarios such as:

– Parameter fuzzing

– Unexpected packets on the BUS

– XML Bombs

– Unauthorized Bluetooth

– Unexpected TPMS

Page 8: AppsSec In a DevOps World

IoT specifics

• Multi-layered systems

• Disparate technologies

• Functionality spanning across many layers

Page 9: AppsSec In a DevOps World

Effectiveness of Pen-testing

• Labor intensive

• Difficult to automate

• Difficult to start early

• Requires inter-team synchronization

• Difficult to test error handlers

• Failed tests do not provide precise information about failure points

Page 10: AppsSec In a DevOps World

Static Analysis

Pattern-based

• Low false positives

• Fast

• Prevention focus

Flow-based

• Real bugs

• Complex issues

• Mirror real use

• Fix focus

Page 11: AppsSec In a DevOps World

Fix or Prevent

Page 12: AppsSec In a DevOps World

Purpose of Coding Standards

• “Proven programming practices leading to safe, reliable, testable, and maintainable code”

• “Address potentially unsafe language features, and provide programming rules to avoid those pitfalls”

• “By providing “safer” alternatives to “unsafe” facilities, known problems … are avoided. In essence, programs are written in a “safer” subset of a superset.”

Page 13: AppsSec In a DevOps World

Simple Prevention Process – an example

Detect the error

•Load testing shows leaking connections to the database

Find the cause

•Open connections aren’t being closed, causing resource leaks

Locate the point in production that caused the error

•Developer has forgotten to close db connections upon client termination

Implement preventative process

•Use a coding standard to ensure each open connection is closed before exit

Monitor the process

•Use static analysis to enforce the standard

Add regression test

• Add a test to verify that the problem is fixed and does not return
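The "monitor the process" step above means turning the coding standard ("each open connection is closed before exit") into a check that static analysis runs automatically. The following is an added example, not code from the slides: a small pattern-based checker, written in Python with its `ast` module rather than in the Java used elsewhere in the deck, that flags functions which assign the result of a `.connect(...)` call to a variable without closing it in a `finally` block. The sample source it scans is constructed for the example.

```python
import ast

# Constructed sample source (not from the slides): one function leaks its
# connection, the other follows the standard "close before exit".
SAMPLE = '''import sqlite3

def leaking_lookup(user_id):
    conn = sqlite3.connect("accounts.db")   # never closed on any path
    return conn.execute("SELECT 1").fetchone()

def compliant_lookup(user_id):
    conn = sqlite3.connect("accounts.db")
    try:
        return conn.execute("SELECT 1").fetchone()
    finally:
        conn.close()                        # standard: close before exit
'''

def _is_method_call(node, name):
    """True for an expression of the form <object>.<name>(...)."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == name)

def _names_closed_in_finally(func):
    """Variables on which .close() is called inside a finally block."""
    closed = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Try):
            for stmt in node.finalbody:
                for sub in ast.walk(stmt):
                    if _is_method_call(sub, "close") and isinstance(sub.func.value, ast.Name):
                        closed.add(sub.func.value.id)
    return closed

def find_unclosed_connections(source):
    """Return (function, line) for each `x = <obj>.connect(...)` where x is not
    closed in a finally block; `with ... as x:` is not an Assign, so it passes."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        closed = _names_closed_in_finally(func)
        for node in ast.walk(func):
            if (isinstance(node, ast.Assign)
                    and _is_method_call(node.value, "connect")
                    and isinstance(node.targets[0], ast.Name)
                    and node.targets[0].id not in closed):
                findings.append((func.name, node.lineno))
    return findings
```

Like any pattern-based rule, this trades precision for speed: it does not follow the connection through other calls, which is the kind of case the flow-based analysis on the previous slide is for.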

Page 14: AppsSec In a DevOps World

Coding Defensively: Validating inputs

Diagram: 9 paths through the code, 3 entry points, 4 potential vulnerabilities. The solution is to validate inputs upon entry; each of the three entry points in the diagram is marked "Validate".

Page 15: AppsSec In a DevOps World

Preventing SQL Injection

String username = request.getParameter("USER");
String password = request.getParameter("PASSWORD");
// Vulnerable: untrusted input is concatenated straight into the SQL text
String query = "SELECT * FROM Users WHERE username='" +
               username + "' AND password='" + password + "'";
statement.execute(query); // statement is a java.sql.Statement from the connection

An attacker passes "' or 1=1" for username creating:

SELECT * FROM Users WHERE username='' or 1=1 AND password='foo'

Prevention: wrap input in validation:

String username = validate(request.getParameter("USER"));
String password = validate(request.getParameter("PASSWORD"));
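To make the slide's before/after observable, here is an added example (not the slides' Java, and not a Parasoft component) in Python against an in-memory SQLite table: the same string concatenation as above, and the validated version. The `validate()` wrapper is an allow-list check as the slide suggests; the validated version additionally binds the values as query parameters, which goes one step beyond the slide so that a free-text field such as a password can never become SQL. The `Users` rows and the allow-list patterns are constructed for the example; the attacker string is the slide's `' or 1=1` with a trailing SQL comment so the rest of the statement is ignored.

```python
import re
import sqlite3

# Allow-lists for the validate() wrapper the slide puts around each input.
# Usernames are tightly constrained; passwords only by length and printability.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
PASSWORD_RE = re.compile(r"[\x20-\x7e]{1,128}")

def validate(value, pattern=USERNAME_RE):
    """Reject anything outside the allow-list instead of trying to escape it."""
    if value is None or not pattern.fullmatch(value):
        raise ValueError("rejected input: %r" % value)
    return value

def make_db():
    """Constructed in-memory Users table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    db.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    return db

def login_vulnerable(db, username, password):
    """The slide's concatenation: input becomes part of the SQL text."""
    query = ("SELECT * FROM Users WHERE username='" + username +
             "' AND password='" + password + "'")
    return db.execute(query).fetchone() is not None

def login_validated(db, username, password):
    """Validate at entry (the slide's fix), then bind values as parameters
    so that a password containing quotes can still never become SQL."""
    username = validate(username)
    password = validate(password, PASSWORD_RE)
    row = db.execute("SELECT * FROM Users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row is not None

def attempt_login(db, username, password):
    """Entry point: True/False for a decided login, "rejected" if validation failed."""
    try:
        return login_validated(db, username, password)
    except ValueError:
        return "rejected"
```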

Page 16: AppsSec In a DevOps World

Selecting Static Analysis

Handling of:

• Severity levels

• Suppressions

• Code based on age

Integration with SCM

Integration with bug tracking (internal & field)

Integration with peer review

Analytics

Page 17: AppsSec In a DevOps World

Hybrid Security Analysis - IAST

• Penetration testing to automatically generate and run penetration attack scenarios

• Runtime error detection to monitor the back-end during test execution to determine whether security is actually compromised

• Correlates each runtime error with the functional test being run—allowing you to trace each reported error to the specific use case

Page 18: AppsSec In a DevOps World

Hybrid Security Analysis

Page 19: AppsSec In a DevOps World

How to do it better?

• Use stubs, mocks and service virtualization to improve testing automation

– Isolate at the message layer

– Simulate functional scenarios and performance conditions

Page 20: AppsSec In a DevOps World

Divide & Conquer with Service Virtualization

Separate critical components

Move testing earlier

Isolate attack surfaces

Run functional tests vs. security scenarios

Page 21: AppsSec In a DevOps World

Security Cases with Service Virtualization

Diagram: the System Under Test talks to Virtual Services (SSL certificates: acceptable/unacceptable) that stand in for the Dependent Application, the Accounts Database and the Mainframe.

Page 22: AppsSec In a DevOps World

Security Cases with Service Virtualization: SQL Injection

Diagram: the System Under Test is exercised with SQL injection scenarios while its back ends are replaced by Virtual Services.

Page 23: AppsSec In a DevOps World

Security Cases with Service Virtualization: Malicious Response

Diagram: the Virtual Services return a malicious response to the System Under Test, which is then checked for how it handles it.
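The two diagrams above (SQL injection against the system under test, and a malicious response from a virtual service) are easier to see in code. The following is an added example and not a Parasoft Virtualize artifact: a Python stand-in for the "Dependent Application / Accounts Database" whose response is chosen by the test scenario, and a small system under test (SUT) that enforces the message contract on what comes back. The message format, the field names, the `show_balance` SUT and the timeout scenario are all assumptions made for the example.

```python
import json

# Assumed message contract between the SUT and its dependency (not from the slides).
EXPECTED = {"id": str, "balance": (int, float), "currency": str}

class VirtualAccountsService:
    """Stand-in for the Dependent Application / Accounts Database.  The test
    scenario, not a live back end, decides what comes back on the wire."""
    def __init__(self, scenario="normal"):
        self.scenario = scenario
        self.requests = []              # recorded so each case is traceable

    def lookup(self, account_id):
        self.requests.append(account_id)
        if self.scenario == "normal":
            return json.dumps({"id": account_id, "balance": 120.5, "currency": "USD"})
        if self.scenario == "timeout":             # performance condition
            raise TimeoutError("virtual service: simulated timeout")
        # "Malicious Response" case: wrong types, markup, an extra privilege field
        return json.dumps({"id": "<script>alert(1)</script>", "balance": "1e309",
                           "currency": "USD", "is_admin": True})

def parse_account(raw):
    """SUT side: enforce the contract on the dependency's response."""
    data = json.loads(raw)
    if set(data) != set(EXPECTED):
        raise ValueError("unexpected fields: %s" % sorted(set(data) ^ set(EXPECTED)))
    for key, typ in EXPECTED.items():
        # bool is an int subclass; treat it as a type mismatch for balance
        if isinstance(data[key], bool) or not isinstance(data[key], typ):
            raise ValueError("bad type for %s" % key)
    if not data["id"].isalnum() or len(data["currency"]) != 3:
        raise ValueError("bad format")
    return data

def show_balance(service, account_id):
    """SUT entry point under test: display string, or an error marker."""
    try:
        acct = parse_account(service.lookup(account_id))
    except (ValueError, TimeoutError) as exc:
        return "error:" + type(exc).__name__
    return "%s %s %.2f" % (acct["id"], acct["currency"], acct["balance"])
```

Because the dependency is virtual, the malicious and timeout cases can run in the same pipeline stage as the functional tests, without a real mainframe or accounts database behind them.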

Page 24: AppsSec In a DevOps World

Conclusion

• Standards and static analysis applied properly prevent errors

• Integrated results provide control, measurement, and traceability

• The cost of a solid prevention methodology is less than the cost of dealing with bad software

Page 25: AppsSec In a DevOps World

Security Resources

CWE – Common Weakness Enumeration

• http://cwe.mitre.org

CERT - Secure Coding Guidelines

• https://www.securecoding.cert.org

Build Security In – Collaborative security effort

• https://buildsecurityin.us-cert.gov

Parasoft

• http://www.parasoft.com

Page 26: AppsSec In a DevOps World

• Web – http://www.parasoft.com

• IoT Hall-of-Shame – http://bit.ly/iotshame

• Blog – http://alm.parasoft.com – http://codecurmudgeon.com

• Social

– Facebook: https://www.facebook.com/parasoftcorporation

– Twitter: @Parasoft @CodeCurmudgeon

– LinkedIn: http://www.linkedin.com/company/parasoft