Presentation is loading. Please wait.

Presentation is loading. Please wait.

James Walden Northern Kentucky University

Published byMatilda Cooper Modified over 6 years ago

Similar presentations

Presentation on theme: "James Walden Northern Kentucky University"— Presentation transcript:

1 James Walden Northern Kentucky University
Software Security James Walden Northern Kentucky University

2 Speaker Biography Assistant Professor at NKU
Interests: security, software engineering. Offerings: certificate in secure software engineering. Industrial experience (CMU, Intel) Secure web applications. Secure UNIX applications. Security administration (UNIX, network).

3 Traditional Security is Reactive
Perimeter defense (firewalls) Intrusion detection Over-reliance on cryptography Penetrate and patch Penetration testing

4 The Problem is Software
“75 percent of hacks happen at the application.” Theresa Lanowitz, Gartner Inc.

5 John Viega & Gary McGraw
Hackers “Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.” John Viega & Gary McGraw

6 Developers Aren’t Ready
“64% of developers are not confident in their ability to write secure applications” Bill Gates, RSA 2005

7 Discover flaws after deployment.
Penetrate and Patch Discover flaws after deployment. Often by attackers. Users may not deploy patches. Patches may have security flaws (15%?) Patches are maps to vulnerabilities. Attackers reverse engineer to create attacks.

8 A Growing Problem

9 CVE Top 5 Vulnerabilities
Cross-site Scripting SQL Injection PHP Includes Buffer Overflows Path Traversal

10 CVE #1: Cross-site Scripting
Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing. Typical Goal: obtain user auth cookies for Bank site (transfer money to attacker) Shopping site (buy goods for attacker)

11 Anatomy of an XSS Attack
Web Server 8. Attacker uses stolen cookie to hijack user session. 1. Login 2. Cookie User Attacker 5. XSS URL 3. XSS Attack 6. Page with injected code. 7. Browser runs injected code. 4. User clicks on XSS link. Evil Site saves cookie.

12 CVE #2: SQL Injection Web applications pass parameters when accessing a SQL database. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application. $sql = “SELECT count(*) from users where username = ‘$username’ and password = ‘$password’”; Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is ‘’ OR 1=1, which is true.

13 CVE #3: PHP Includes A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script. <?php //config.php $server_root = '/my/path'; ?> <?php //include.php include($server_root . '/someotherfile.php'); <?php // index.php include('config.php'); include('include.php'); // Script body ?> Example from “The #1 Flaw in PHP Applications,” GET /include.php?server_root=

14 CVE #4: Buffer Overflows
A program accepts too much input and stores it in a fixed length buffer that’s too small. char A[8]; short B; A B 3 gets(A); A B o v e r f l w s

15 CVE #5: Directory Traversal
The software, when constructing file or directory names from input, does not properly cleanse special character sequences that resolve to a file or directory name that is outside of a restricted directory. $filename = “/usr/local/www/template/$usertemp”; open TEMP, $filename; while (<TEMP>) { print; } GET /vulnerable?usertemp=../../../../etc/passwd

16 Essential Facts Software Security ≠ Security Features
Cryptography will not make you secure. Application firewalls will not make you secure. 50/50 Architecture/Implementation Problems An Emergent Property of Software Like Usability or Reliability Not a Feature

17 Security Problems SECURITY BUGS ARCHITECTURAL FLAWS 50% 50%
Buffer overflow Command injection Cross-site scripting Integer overflow Race condition ARCHITECTURAL FLAWS 50% Cryptography misuse Lack of compartmentalization More privilege than necessary Relying on secret algorithms Usability problems

18 Security as Risk Management
Helps communicate security need to customer. Cost of security vs. amount of potential losses. No system is 100% secure. Some risks aren’t cost effective to mitigate. Humans make mistakes. New types of vulnerabilities are discovered.

19 Risk Management What assets are you trying to protect?
What are the risks to those assets? Which risks do we need to mitigate? What security measures would mitigate those risks? Which of those measures is most effective, when considering cost, side effects, etc.?

20 Software Security Practices
Code Reviews Risk Analysis Penetration Testing Security Testing Abuse Cases Security Operations Security Operations Requirements Design Coding Testing Maintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration

21 Code Reviews Find defects sooner in development lifecycle.
(IBM finds 82% of defects before testing.) Find defects with less effort than testing. (IBM—review: 3.5 hrs/bug, testing: hrs/bug.) Find different defects than testing. (Can identify some design problems too.) Educate developers about security bugs. (Developers frequently make the same mistakes.)

22 Code Review Tips Know your limits.
Typical review speed is lines/hour. Limit meeting length to 1-2 hours. Know what bugs to look for. Checklists Static analysis tools Require preparation before the meeting.

23 Code Review Problems Requires substantial expertise in area of coding and security to be effective. Human readers are fallible, and will miss mistakes.

24 Static Analysis Tools Automated assistance for code reviews
Speed: review code faster than humans can Accuracy: 100s of secure coding rules False Positives Tool reports bugs in code that aren’t there. Complex control or data flow can confuse tools. False Negatives Tool fails to discover bugs that are there. Code complexity or lack of rules to check. Tainting in perl/ruby.

25 Architectural Risk Analysis
Fix design flaws, not implementation bugs. Risk analysis steps Develop an architecture model. Identify threats and possible vulnerabilities. Develop attack scenarios. Rank risks based on probability and impact. Develop mitigation strategy. Report findings

26 Architecture Model Background materials
Use scenarios (use cases, user stories) External dependencies (web server, db, libs, OS) Security assumptions (external auth security, &c) User security notes Determine system boundaries / trust levels Boundaries between components. Trust level of each component. Sensitivity of data flows between components.

27 Level 0 Data Flow Diagram

28 Penetration Testing Test software in deployed environment.
Allocate time at end of development to test. Often time-boxed: test for n days. Schedule slips often reduce testing time. Fixing flaws is expensive late in lifecycle. Penetration testing tools Test common vulnerability types against inputs. Fuzzing: send random data to inputs. Don’t understand application structure or purpose.

29 Security Testing Injection flaws, buffer overflows, XSS, etc.
Functional testing will find missing functionality. Intendended Functionality Actual Functionality

30 Security Testing Two types of testing
Functional: verify security mechanisms. Adversarial: verify resistance to attacks generated during risk analysis. Different from traditional penetration testing White box. Use risk analysis to build tests. Measure security against risk model.

31 Abuse Cases Anti-requirements
Think explicitly about what software should not do. A use case from an adversary’s point of view. Obtain Another User’s CC Data. Alter Item Price. Deny Service to Application. Developing abuse cases Informed brainstorming: attack patterns, risks.

32 Security Operations User security notes Incident response
Software should be secure by default. Enabling certain features/configs may have risks. User needs to be informed of security risks. Incident response What happens when a vulnerability is reported? How do you communicate with users? How do you send updates to users?

33 Going Further Books Web Sites
Gary McGraw, Software Security, Addison-Wesley, 2006. Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006. Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, 2005. Web Sites Build Security In Fortify’s Vulnerability Catalog

34 Conclusions Software Security ≠ Security Features
Security is emergent feature of software like reliability. Cryptography, authentication, etc. will not make you secure. 50/50 Architecture/Implementation Problems Use Risk Analysis for architecture flaws. Use Code Reviews for implementation bugs. Security Testing Penetration testing can’t tell you how secure your software is. Use Risk Analysis to drive white box security testing. Vulnerabilities Web: XSS, SQL injection, PHP include General: buffer overflow, path traversal

Download ppt "James Walden Northern Kentucky University"

Similar presentations

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.

August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
CSCE 548 Secure Software Development Risk-Based Security Testing.

CSCE 548 Secure Software Development Risk-Based Security Testing.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University

March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University
Penetration Testing James Walden Northern Kentucky University.

Penetration Testing James Walden Northern Kentucky University.

Similar presentations

Ads by Google