Running a Software Security Program with Open Source Tools
Transcript of Running a Software Security Program with Open Source Tools
© 2015 Denim Group – All Rights Reserved
Running a Software Security Program on Open Source Tools
Dan Cornell, CTO, Denim Group
@danielcornell

My Background
• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio

Denim Group Background
• Secure software services and products company
  • Builds secure software
  • Helps organizations assess and mitigate risk of in-house developed and third party software
  • Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
  • Application security experts are practicing developers
  • Development pedigree translates to rapport with development managers
  • Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
  • Develops open source tools to help clients mature their software security programs
  • Remediation Resource Center, ThreadFix
  • OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
  • World class alliance partners accelerate innovation to solve client problems

Agenda
• So You Want To Roll Out a Software Security Program?
• Software Assurance Maturity Model (OpenSAMM)
• Components Of Your Software Security Program
  • Governance
  • Construction
  • Verification
  • Deployment
• Conclusions / Questions

So You Want To Roll Out a Software Security Program?
• Great!
• What a software security program ISN’T
  • Question: “What are you doing to address software security concerns?”
  • Answer: “We bought scanner XYZ”
• What a software security program IS
  • People, process, tools (naturally)
  • Set of activities intended to repeatedly produce appropriately-secure software

Challenges Rolling Out Software Security Programs
• Resources
  • Raw budget and cost issues
  • Level of effort issues
• Resistance: requires organizational change
  • Apparently people hate this
• Open source tools
  • Can help with raw budget issues
  • May exacerbate problems with level of effort
• View the rollout as a multi-stage process
  • Not one magical effort
  • Use short-term successes and gains to fuel further change

Software Assurance Maturity Model (OpenSAMM)
• Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
• Useful for:
  • Evaluating an organization’s existing software security practices
  • Building a balanced software security program in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities within an organization
• Main website: http://www.opensamm.org/

Using OpenSAMM You Can…
• Evaluate an organization’s existing software security practices
• Build a balanced software security assurance program in well-defined iterations
• Demonstrate concrete improvements to a security assurance program
• Define and measure security-related activities throughout an organization
[This slide content © Pravir Chandra]

Drivers for a Maturity Model
• An organization’s behavior changes slowly over time
  • Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
  • A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
  • A solution must provide enough details for non-security-people
• Overall, must be simple, well-defined, and measurable
[This slide content © Pravir Chandra]

Therefore, a Viable Model Must...
• Define building blocks for an assurance program
  • Delineate all functions within an organization that could be improved over time
• Define how building blocks should be combined
  • Make creating change in iterations a no-brainer
• Define details for each building block clearly
  • Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)
[This slide content © Pravir Chandra]

Understanding the Model
[This slide content © Pravir Chandra]

SAMM Business Functions
• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager
[This slide content © Pravir Chandra]

SAMM Security Practices
• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a ‘silo’ for improvement
[This slide content © Pravir Chandra]

Discussion: Tools
• Commercial tools in use?
• Free / open source tools in use?
• What tool implementations have been successful?
• What tool implementations have been less successful?
  • Why?
• What is your interest in using open source tools for software security?

Why Use Free / Open Source Tools?
• They’re FREE!
  • No per-user license fees
• Can be customized
  • Don’t like the way a feature works – improve it!

As a Project Maintainer…

Potential Disadvantages of Free Tools
• Often less mature than commercial analogs
  • Application and software security are new when compared to other disciplines
  • Open source tools lag in a number of areas
• Task-focused rather than program-focused
  • Geared toward testing a single application rather than a portfolio of applications

Discussion: Organizational Concerns
• Does your organization allow the use of open source tools?
• What restrictions are placed on the use of free / open source tools?
  • Only certain licenses allowed
  • Each tool / library must have a sponsor

Open Source Tool Usage – Best Practices
• Maintain a relationship with the project lead / development community
  • How responsive are they?
  • Good to have a relationship for escalating issues
• Consider commercial support
  • If available
  • When it makes sense
• Give back
  • Installation instructions for your platform(s)
  • Other documentation opportunities
  • Code updates – if possible / desirable

ThreadFix - Overview
• ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
• Freely available under the Mozilla Public License (MPL)
• Hosted at GitHub: https://github.com/denimgroup/threadfix

OpenSAMM: Governance
• Strategy and Metrics
• Policy and Compliance
• Education and Guidance

Governance: Strategy and Metrics
• Overall strategic direction of the assurance program
• How are processes instrumented?
• How are measurements taken?

ThreadFix: Reporting
• Can be done at multiple levels:
  • Enterprise-wide
  • Team
  • Individual application
• Reports for:
  • Vulnerability count trending
  • Progress – vulnerability resolution and timelines
  • Scanner effectiveness
  • Frequency of scanning across the portfolio
• Will revisit ThreadFix reporting later in the course for examples

Governance: Policy and Compliance
• What compliance regimes are your organizations and applications subject to?
  • PCI
  • HIPAA
  • SOX
• What policies will you put in place to meet these obligations?

SimpleRisk
• Governance Risk and Compliance (GRC)
• http://www.simplerisk.org/
• Created by Josh Sokol

Governance: Education and Guidance
• Software security requires the input of a variety of stakeholders
• Software security is a relatively new area of study
  • Many of the involved parties (e.g. software developers) have never been exposed to it
• You cannot hold people responsible if they have not been properly trained

Governance: Education and Guidance
• Variety of potential consumers
  • Executives / Management
  • Developers
  • Quality Assurance (QA)
  • Security Testers
• Need for information at several levels
  • Introduction / overview
  • Topic-specific
  • Technology-specific
• Several ways to deliver guidance and training
  • Self-serve portal
  • Instructor-led training
  • E-Learning

OWASP Development Guide
• Provides guidance to developers on how to build secure applications
• Attempts to cover broad topics with some technology-specific examples
• Several translations: English, Spanish, Japanese
• Originally released in 2001, revised in 2005
  • Somewhat dated
• Currently undergoing a significant rewrite
• Main site: https://www.owasp.org/index.php/OWASP_Guide_Project

OWASP Cheat Sheets
• Provide targeted, consumable guidance on specific topics or technologies
  • Authentication
  • Transport layer protection
  • Input validation
  • Session management
  • And so on…
• Tend to be “fresher” than the related sections in the Development Guide
  • Also easier to provide to developers for use
• Main site: https://www.owasp.org/index.php/Cheat_Sheets

OWASP Secure Coding Practices Quick Reference Guide
• Technology agnostic set of general software security coding practices
• Consumable
  • ~17 pages long
  • Checklist format
• Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

OWASP WebGoat - Overview
• Deliberately insecure JEE web application
• Presented as a series of lessons
  • SQL injection
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • Hidden form manipulation
  • And so on…
• Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

OpenSAMM: Construction
• Threat Assessment
• Security Requirements
• Secure Architecture

Construction: Threat Assessment
• Identify and characterize potential attacks
  • These will determine investment level and required countermeasures
• WHO do you need to be worried about?
  • Nation-states
  • Chaotic actors
  • Organized crime
  • And so on…

Construction: Security Requirements
• Up-front determination of required security properties of the system
• Drive future activities

Construction: Secure Architecture
• Use the design process to:
  • Build in security controls
  • Avoid injecting security issues
• Threat modeling
• Architectural risk analysis

ESAPI - Overview
• Enterprise Security API (ESAPI)
• Open source web application security control library
• Several languages available: JavaEE, .NET, PHP, Classic ASP, etc.
  • WIDE variation in maturity and support
  • Stick to Java unless you are very brave (and even then)
• Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Microsoft Web Protection Library - Overview
• Set of .NET assemblies which help protect web applications
• AntiXSS encoding library
  • Encoding functions for HTML, HTML attributes, XML, etc.
  • HTML sanitization routines (for “safely” accepting rich content)
• Security Runtime Engine (SRE)
  • Provides runtime protection against SQL injection and Cross-Site Scripting (XSS)
• Sites:
  • http://wpl.codeplex.com/
  • https://www.microsoft.com/en-us/download/details.aspx?id=28589

OpenSAMM: Verification
• Design Review
• Code Review
• Security Testing

Verification: Design Review
• Incorporate security into review of architecture/design materials
• Were the previous assurance activities successful?

Microsoft Threat Analysis and Modeling Tool - Overview
• Create threat models for your applications
  • Identify potential issues
  • Plan for mitigations
• Requires Visio 2007 or 2010
• Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

Mapping Threats to Data Flow Asset Types

Threat Type                  External Interactor   Process   Data Flow   Data Store
S – Spoofing                 Yes                   Yes
T – Tampering                                      Yes       Yes         Yes
R – Repudiation              Yes                   Yes                   Yes
I – Information Disclosure                         Yes       Yes         Yes
D – Denial of Service                              Yes       Yes         Yes
E – Elevation of Privilege                         Yes

Verification: Code Review
• Review software artifacts “at-rest”
  • Can be both automated and manual
• Reach and frequency
  • How much of your software is subject to review?
  • How thorough is the analysis?
  • How often is it performed?

Static Analysis
• Source Code Scanning
• Manual Code Reviews
• Advantages
  • Identifies flaws during integration, when it is easier to address issues
  • Developers can identify flaws in their own code before checking it in
  • Many projects already have a code review process in-place
• Disadvantages
  • Freeware tools often do not address security well (specifically dataflow analysis)
  • Licensed tools are a significant investment
  • Manual review can be unstructured and time-consuming without licensed tools
  • Not ideal for discovering logical vulnerabilities

Static Analysis Tools
• Commercial Tools
  • Fortify (now HP)
  • Ounce (now IBM Rational)
  • Checkmarx
  • Veracode (SaaS)
• Freeware Tools
  • RATS/Flawfinder – C/C++, Python, PHP
  • FindBugs – Java
  • PMD – Java
  • FxCop – .NET
  • Brakeman – Ruby on Rails

FindBugs - Overview
• Freely-available binary static analysis tool for Java
• Main site: http://findbugs.sourceforge.net/

FxCop - Overview
• Free static analysis tool from Microsoft
• Integrated into Visual Studio
• Similar capabilities to FindBugs (but for .NET)
• Blog: http://blogs.msdn.com/b/codeanalysis/

CAT.NET - Overview
• Free static analysis tool from Microsoft
• Does dataflow analysis (rare among the free tools)
• Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968
• Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
• Dinis Cruz has done some interesting work with CAT.NET and O2
  • https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
• Plans for future development are not clear

Brakeman - Overview
• Security scanner for Ruby on Rails applications
• Static analysis
  • Finds things like SQL injection and XSS
  • Also checks for certain CVE-type vulnerabilities
• Main site: http://brakemanscanner.org/

Agnitio - Overview
• Tool for supporting manual code reviews
• Set of checklists to verify security controls
• Some grep-like search capabilities
• Main site: http://sourceforge.net/projects/agnitiotool/

DependencyCheck – Overview
• Checks for out-of-date JAR libraries with known CVE issues
  • Looks beyond JAR hashes
• We used it to find a vulnerable library used by ThreadFix
  • Apache POI library
  • http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
• Main site: https://github.com/jeremylong/DependencyCheck

Verification: Security Testing
• Runtime testing for security vulnerabilities
  • Web applications: automated scanners, web proxies
  • Other applications: fuzzing, protocol analysis

Dynamic Analysis
• Integrate abuse cases into unit and automated testing
• Use application scanning tools
• Perform a dedicated penetration test by security staff or a 3rd party
• Advantages
  • Generally more time-efficient than manual code review
  • Good for discovering logical vulnerabilities
• Disadvantages
  • Requires fully functional features to test
  • Security staff may not have application security training or experience
  • Scanning tools may have difficulty with unusual applications

Dynamic Analysis Tools
• Automated Tools
  • IBM Rational AppScan
  • HP WebInspect
  • Acunetix Vulnerability Scanner
  • Netsparker
• Manual Testing
  • Zed Attack Proxy
  • Burp
  • Google RatProxy
  • Browser plugins
  • Testing Scripts – Watir
  • Load and Performance testing tools – JMeter, Grinder

Arachni - Overview
• Open source automated web application scanner
  • Written in Ruby
  • Can be deployed in a “grid” format for faster scanning
• Uses several different types of analysis to identify vulnerabilities
  • Fuzzing
  • Taint analysis
  • Time analysis
• Main site: http://arachni-scanner.com/

w3af - Overview
• Open source automated web application scanner
  • Written in Python
• Main site: http://w3af.sourceforge.net/

OWASP ZAProxy - Overview
• Open source web proxy and web application scanner
• Supports both manual and automated assessment
• Fork of Paros Proxy
• Exposes RESTful API
• Main site: http://code.google.com/p/zaproxy/

Skipfish - Overview
• Fast web application scanner written in C
• Maintained by Google
• Does a lot of file/directory guessing by default
• Main site: https://code.google.com/p/skipfish/

OpenSAMM: Deployment
• Vulnerability Management
• Environment Hardening
• Operational Enablement

Deployment: Vulnerability Management
• Process for managing vulnerabilities in both internal and external software
• Goal is consistency
  • Use data from vulnerability handling to improve processes
  • Decrease number and severity of future vulnerabilities
  • Decrease time-to-fix

Turning Vulnerabilities Into Software Defects
• Security teams talk about “vulnerabilities”
• Software developers talk about “defects”
• Developers Don’t Speak PDF
  • http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
• Why should developers manage 90% of their workload in defect trackers
  • And the magic, special “security” part of their workload … some other way?
• ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
  • And track their remediation status over time to schedule re-scans

ThreadFix: Defect Tracker Integration
• Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
• Bundle multiple vulnerabilities into a single defect
• How to organize?
  • By severity
  • By type
  • By location in the application
  • Some combination
• When the defect status changes you can schedule re-scans

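As an added example that is not ThreadFix code and not from the original deck, here is a Python sketch of the workflow the two slides above describe: scanner findings are bundled into defects by severity, type, location or a combination, and a defect being closed by developers queues a re-scan of the affected paths. The data model, field names and sample findings are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    """One finding as a scan import would record it (constructed shape)."""
    vuln_id: str
    vuln_type: str   # e.g. "SQL Injection"
    severity: str    # "High", "Medium", "Low"
    path: str        # location in the application
    status: str = "Open"


@dataclass
class Defect:
    """A developer-facing ticket that bundles one or more vulnerabilities."""
    defect_id: str
    key: tuple
    vulns: list = field(default_factory=list)
    status: str = "Open"


# Constructed sample findings standing in for a scan import.
SAMPLE_VULNS = [
    Vulnerability("V1", "SQL Injection", "High", "/login"),
    Vulnerability("V2", "SQL Injection", "High", "/login"),
    Vulnerability("V3", "Cross-Site Scripting", "Medium", "/search"),
    Vulnerability("V4", "Cross-Site Scripting", "Medium", "/profile"),
    Vulnerability("V5", "SQL Injection", "High", "/search"),
    Vulnerability("V6", "Information Leakage", "Low", "/search"),
]


def bundle(vulns, by=("vuln_type", "path")):
    """Group open vulnerabilities into defects keyed by the chosen fields
    (severity, type, location in the application, or any combination)."""
    groups = defaultdict(list)
    for v in vulns:
        if v.status == "Open":
            groups[tuple(getattr(v, f) for f in by)].append(v)
    return [Defect(f"DEF-{i}", key, vs)
            for i, (key, vs) in enumerate(sorted(groups.items()), 1)]


def on_defect_status_change(defect, new_status, rescan_queue):
    """Mirror the tracker status onto the bundled findings; when developers
    mark the defect fixed, queue a re-scan of the affected paths so the fix
    is verified rather than taken on trust. Returns the paths queued."""
    defect.status = new_status
    if new_status not in ("Resolved", "Closed"):
        return []
    paths = sorted({v.path for v in defect.vulns})
    for v in defect.vulns:
        v.status = "Pending Verification"
    rescan_queue.append((defect.defect_id, paths))
    return paths


def open_count_by_severity(vulns):
    """Per-severity count of open findings: one point on a trending report."""
    counts = defaultdict(int)
    for v in vulns:
        if v.status == "Open":
            counts[v.severity] += 1
    return dict(counts)
```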
Deployment: Environment Hardening
• Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
• Controls for operating environments:
  • Reduce vulnerabilities in the infrastructure
  • Enable logging and tracking

Microsoft Baseline Security Analyzer (MBSA) - Overview
• Runs standard checks on Windows Workstations and Servers
  • Internet Explorer
  • IIS
  • SQL Server
• Checks registry and file settings
• 2.2 Downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558

Deployment: Operational Enablement
• How do you install, configure and run your applications?
  • Also updates and upgrades
• Runtime checks and logging for intrusion detection and incident response
  • John Dickson has done some work in this area
  • http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications

Continuous Integration and Security Testing
• Reduce the time between introducing security defects and knowing about them
• Free tools mean that any project can be instrumented
  • No licensing fees
• ThreadFix has a REST-based API and command-line client for scripting

mod_security - Overview
• Open source web application firewall engine
  • Also has a Core RuleSet (CRS)
• Traditionally has been Apache-only
  • Runs as an Apache module (mod_security)
  • Recently announced both IIS and Nginx support
• Main site: http://www.modsecurity.org/

Recap
• A software security program is more than a tool or set of tools
  • But tools help provide automation and facilitate scale
• OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
• Open source tools exist to support many key activities in a software security program
• Build and maintain relationships with the open source projects you use

Conclusions / Questions
Dan Cornell
[email protected]
Twitter: @danielcornell
www.denimgroup.com
www.denimgroup.com/threadfix
code.google.com/p/threadfix
(210) 572-4400