Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security...

Software Security Course

Course Outline 2-27-09

Course Overview

• Introduction to Software Security
• Common Attacks and Vulnerabilities
• Overview of Security Engineering
• How To - Secure Design
• How To - Secure Implementation
• How To - Security Testing
• How To - Secure Deployment
• Compliance and Regulatory Standards
• Special Topics
• Additional Resources

Introduction to Software Security

• Definition and Context
• Why Security Matters
• Myths and Urban Legends
• Threats and Examples
• Case Studies
• Concepts and Definitions

Definition and Context

• Software security as part of the larger problem of developing robust, reliable code

• Describe the relationship between software security and:
  – Corporate information security policies
  – Corporate risk strategies

• Explain the differences between software and network security
  – Areas of overlap
  – Areas of divergence
  – Pros and cons of each area of investment

• CIA as a way to think about security
• STRIDE as a way to assess impact of a threat
• DREAD as a way to categorize the severity of a threat

Why Security Matters

• Customers care – now more than ever
• Patching is expensive
• Regulatory compliance
• Security failures == business risk
• Competitive advantage
• Critical part of TCO
• The threat environment is bad and getting worse
• Attackers have the advantage

Myths and Urban Legends

• Security is only required in the OS
  – 15% are OS vulns
• I only need a good patch strategy
  – Mean time to attack: 330 days -> 2 weeks
• I have a firewall, AV and IDS
  – 92% of vulns are software, not network
• Functional testing finds security defects
  – Good practices from design->deploy are required
• I use Java (or .NET)
  – Only helps with some classes of problem
• I use cryptography
  – Helps with some threats, but just one tool in the toolbox

Threats and Examples

Case Studies

• Show real world impact, examine past mistakes
  – Love Virus
  – Sapphire Worm
  – TJX
  – Heartland

Concepts and Definitions

• Asset
• Attack
• Control
• Countermeasure or mitigation
• Guideline
• Information Security
• Insider Threat
• Policy
• Privacy
• Risk
• Risk Analysis
• Risk Assessment
• Security Engineering
• Security Requirement
• Threat
• Vulnerability

Common Attacks and Vulnerabilities

• Types of Attackers
• Attacker Motivation
• Attacker Origin
• Anatomy of an Attack
• Attacker Tools
• OWASP Top 10
• CWE/SANS Top 25

Types of Attackers

• Script Kiddies
• Amateur Experts
• Crack Experts
• Professionals

Attacker Motivation

• White Hat
• Black Hat
• Grey Hat

Attacker Origin

• Internal attackers – the insider threat
• External attackers

Anatomy of an Attack

• Targeting
• Probing
• Attempting penetration
• Securing hold
• Cleanup and propagation

Attacker Tools

• Whitebox
• Greybox
• Blackbox

OWASP Top 10

• Cross Site Scripting
• Injection Flaws
• Malicious File Execution
• Insecure Direct Object Reference
• Cross Site Request Forgery
• Information Leakage and Improper Error Handling
• Broken Authentication and Session Management
• Insecure Cryptographic Storage
• Insecure Communications
• Failure to restrict URL access

CWE/SANS 25 Most Dangerous

• CWE and SANS put together a list of the 25 most dangerous coding errors
  – Insecure interaction between components
  – Risky resource management
  – Porous defenses

http://www.sans.org/top25errors/

Overview of Security Engineering

• How it Fits
• Key Activities

How it Fits

Key Activities

• Threat Modeling
• Security Design Best Practices
• Security Design Review
• Security Coding Best Practices
• Security Code Review
• Penetration Test
• Security Deployment Review

How To – Secure Design

• Design Principles
• Design Patterns

Design Principles

• Simplify the design
• Least privilege
• Defense in depth
• Fail secure
• Secure by default
• Compartmentalize
• Attack Surface Reduction
• …

Design Patterns

• Trusted Subsystem
• Brokered Authentication
• …

How To – Secure Implementation

• Coding Principles
• OS Fundamentals
• Common Errors
• Common Web Errors

Coding Principles

• Validate all user input
• Auditing and logging
• Limit resource consumption
• …

OS Fundamentals

• Access controls
• .NET code access security
• Java sandbox
• Cryptography
• …

Common Errors

• Integer overflows
• Failure to validate input
• Failure to protect sensitive data
• Failure to understand and protect across trust boundaries
• Insecure error messages
• Buffer overflows and other errors that occur only in compiled languages such as C/C++
• …

Common Web Errors

• Trusting client-side validation
• Failure to validate input and encode output
• Failure to protect the session
• Failure to protect against zero and one-click attacks
• Disclosing too much information
• …

How To – Security Testing

• Security Testing is Different
• Think Like an Attacker
• Categories of Attack
• How to Test the Top 10

Security Testing is Different

[Figure: diagram with labels Intended Behavior, Actual Behavior, Traditional Bugs, Most Security Bugs]

Think Like an Attacker

• Security bugs:
  – Are much harder to spot…they often have no visible (to the human eye) behavior…we need better tools
  – Require us to think about side effects and what sensitive data might be exposed
  – Require us to “think backwards”…that is, instead of thinking what should happen, we need to think about what shouldn’t happen

Categories of Attack

• External dependencies
• Unanticipated user input
• Vulnerable design
• Vulnerable implementation

How to Test the Top 10

• Cross Site Scripting
• Injection Flaws
• Malicious File Execution
• Insecure Direct Object Reference
• Cross Site Request Forgery
• Information Leakage and Improper Error Handling
• Broken Authentication and Session Management
• Insecure Cryptographic Storage
• Insecure Communications
• Failure to restrict URL access

How To – Secure Deployment

• Deployment Principles
• Deployment Patterns

Deployment Principles

• The importance of configuration
• How physical deployment impacts security
• How software design can make it easier to manage security and detect attacks post-deployment

Deployment Patterns

• Understand the common application types:
  – Mobile Client
  – Rich Client
  – Rich Internet Application
  – Service Interfaces (SAAS, S+S)
  – Web Application
• Understand the common deployment patterns:
  – Single server, non-distributed
  – Multiple server, distributed
• Understand the impact:
  – Impersonation and delegation
  – Layer interfaces
  – Trust boundaries

Compliance and Regulatory Standards

Regulatory Standards

• Overview of the regulation:
  – PCI
  – HIPAA
• Cover what these mean from a developer point of view
  – http://msdn.microsoft.com/en-us/library/aa480484.aspx

Special Topics

Additional Topics to Consider

• Privacy Issues
• Digital Rights Management (DRM)
• Social Engineering Attacks

Additional Resources

Resource List

• On the Web:
  – OWASP
  – CWE
  – SANS
  – SDL
  – BugTraq, NTBugTraq
  – patterns & practices security guides
• Books:
  – Writing Secure Code
  – Hacking Exposed Series
  – How to Break Software Security
  – The Security Development Lifecycle
  – Hunting Security Bugs