Download presentation
Presentation is loading. Please wait.
1
CSCD 303 Essential Computer Security Fall 2017
Lecture 14 Creating Secure Programs via a Security Development Lifecycle
2
Overview Developing Secure Programs Traditional Software Models
Secure Code Model Security Threats What Microsoft Does
3
Secure Software What does it mean for software to be secure?
Software security is an idea implemented to protect software against malicious attack and other hacker risks so that the software continues to function correctly under such potential risks
4
Build Security In Security First, Designing with Security,
Key phrases coined to address “new” concept to include security in with design of software Prior to this radical idea, security was and still is an afterthought to most popular software Good summary of this concept by Gary McGraw, one of original promoters of secure software McGraw-on-software-security-assurance-Build-it- in-build-it-right There are many reasons for Security First ….
5
Why Put Security First? Adding security later is wrapping security around existing features, not designing features with security in mind. Adding security later is expensive. Adding security may change how you implement application features. Adding security may change user interface.
6
How Software is Created
Modern Software Systems Developed through software development process or model Many different development models Look at most classic and then see how secure development fits within this model
7
Waterfall Model Requirements – defines needed information, function, behavior, performance and interfaces. Design – data structures, software architecture, interface representations, algorithmic details. Implementation – source code, database, user documentation, testing Test – Test each component and integrated tests Installation – self explained Maintenance – Fix minor problems, bug fixes and updates
8
Provides structure to inexperienced staff
Waterfall Strengths Easy to understand, easy to use Provides structure to inexperienced staff Milestones are well understood Sets requirements stability Good for management control (plan, staff, track) Works well when quality is more important than cost or schedule
9
Waterfall Deficiencies
All requirements must be known up front Deliverables created for each phase are considered frozen – inhibits flexibility 3. Can give a false impression of progress 4. Does not reflect problem-solving nature of software development – iterations of phases 5. Integration is one big bang at end 6. Little opportunity for customer to preview system (until it may be too late)
10
Using Waterfall Model Where could we inject security into the development process ? And, what could we do?
11
Security Development Lifecycle
05/21/13 Security Development Lifecycle Requirements Design Implementation Verification Release Response Guidelines & Best Practices Coding Standards Final Security Review ( FSR ) Security Testing based on threat Review threat models Response models Penetration Testing Feedback loop Tool usage Archiving of Compliance Info - Tools / Product Inception Threat Modeling Processes Assign resource Models created - Postmortems Security Docs & Security plan Mitigations in design Security Push - SRLs Tools and functional specs Customer deliverables Security push training Design for secure deployment Review threat models The Security Development Lifecycle is the process that is used internally at Microsoft to build more secure software. This is a sophisticated process, with threat modeling, audit, testing and signoff stages, coupled with developer education and tools. At Microsoft, we have trained over 13,000 engineers. Bridge to next slide, with “Now lets look at the results with 3 key products” Design guidelines applied Review code RTM & Security architecture Attack testing Deployment Security design review Review against new threats Signoff Ship criteria agreed upon Meet signoff criteria Model developed by Microsoft 11
12
Security Development Lifestyle Artifacts
Version 02U-1
13
Security in the Development Cycle
Security Modeling during Development is a Risk Mitigation Strategy You will not find all bugs… You will not see all the vulnerabilities… Your design will have errors of omission and oversight But, better than alternative which is do nothing
14
Security Modeling Includes ….. Techniques to
Evaluate an application’s overall security or Assess impact of specific threat Objectively identify vulnerabilities and address countermeasures Integrate steps to take in development process
15
Security Modeling – The Process
Define threats Consider data stored in system, and how it can be misused Consider architecture of system, and opportunities it affords malicious users Specific threat identification processes can be used Assess the Threat Impact You’ve found a vulnerability… what happens if someone actually finds it? How badly would you or your users be affected? Implement a Countermeasure to a Threat Mitigate the risk to the best of your ability – code a preventative action, limit the exposure
16
Defining and Assessing Threats
Decompose your application to ask questions about how each use case or component could go awry Two Processes defined by Microsoft ... STRIDE STRIDE is a classification scheme for characterizing known threats according to the kinds of exploits or motivation of the attacker DREAD DREAD is a classification scheme for quantifying, comparing and prioritizing the risk presented by each evaluated threat
17
Threat Modeling in a Nutshell
OWASP overview of Stride, Dread and other threat models, OWASP = Open Web Application Security Project There are 5 steps in Threat Modeling Using Microsoft Process 1. Identify Security Objectives 2. Survey the Application 3. Decompose it 4. Identify Threats 5. Identify Vulnerabilities
18
STRIDE Threat Categorization Microsoft Developed This
Spoofing ex: Replaying authentication transaction. Tampering ex: Modifying authentication files to add new user. Repudiation ex: Denying that you purchased items you actually did. Information disclosure ex: Obtaining a list of customer credit card numbers. Denial of service ex: Consuming CPU time via hash algorithm weakness. Elevation of privilege ex: Subverting a privileged program to run your cmds. See also CERT’s OCTAVE assessment technique at
19
Evaluate Risk with DREAD
Damage Potential Extent of damage if vulnerability exploited. Reproducibility How often attempt at exploitation works. Exploitability Amount of effort required to exploit vulnerability. Affected Users. Ration of installed instances of system that would be affected if exploit became widely available. Discoverability Likelihood that vulnerability will be discovered.
20
Assessing Impact DREAD aims to quantify a threat
DREAD modeling influences the thinking behind setting the risk rating, and is also used directly to sort the risks. The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories. Assign a value between 1 and 10 and use the average Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5 Damage Potential, If a threat exploit occurs, how much damage will be caused? 0 – no damage; 10 – complete system damage Reproducibility, How easy is it to reproduce the threat exploit? 0 – Almost impossible to reproduce; 10 – can reproduce at any time Exploitability, How easy is it to reproduce the threat exploit? 0 – Extremely sophisticated skills required; 10 – anybody with a browser Affected Users, How many users will be affected? 0 – No users; 10 – All users (or beyond… think VA data leak) Discoverability, How easy is it to discover this threat? 0 – Requires source code; 9 – ,details of exploit are in public domain; 10 – it’s in easily discoverable data in the application itself.
21
Threat Modeling in General
22
Goals of Threat Modeling
Understand threats to guard against during requirements analysis. Provide basis for which security mechanisms to include during design. Verify security of system design. Provide basis for prescribing secure implementation practices. Provide basis for testing system security after implementation.
23
Threat Modeling Process
Understand adversary’s view of system Evaluate threats
24
Understanding Adversary’s View
1. Identify System Assets System resources that an adversary might attempt to access, modify, or steal. Ex: credit cards, network bandwidth, user access. 2. Identify Entry Points Any location where data or control transfers between the system being modeled and another system. Ex: network sockets, RPCs, web forms, files 3. Determine Trust Levels Privileges external entities have to legitimately use system resources.
25
Identify Threats Can an unauthorized network user view confidential information such as addresses or passwords? Can an unauthorized user modify data like payments or purchases in the database? Could someone deny authorized users access to the application? Could an authorized user exploit a feature to raise their privileges to administrator level?
26
Analyze Threats + Decompose threats into individual, testable conditions using attack trees Attack Trees Hierarchical decomposition of threat Root of tree is adversary’s goal in attack Each level below root decomposes attack into finer approaches Child nodes are OR'd together by default Special notes may indicate to AND them
27
Attack Trees—Graph Notation
Goal: Read file from password-protected PC Read File Get Password Network Access Physical Access Search Desk Social Engineer Boot with CD Remove hard disk Graph represents decision-making process of attacker. Root node represents goal; leaves represent methods of achieving goals. Leaves become more specific lower in tree. Most child nodes represent logical ORs, but some represent ANDs (get encrypted key file AND password used to encrypt it.) Assign values to nodes, representing perceived risk, i.e. how feasible is the attack.
28
Attack Trees—Text Notation
Goal: Read message sent from one PC to another 1. Convince sender to reveal message. 1.1 Blackmail. 1.2 Bribe. 2. Read message when entered on sender’s PC. 2.1 Visually monitor PC screen. 2.2 Monitor EM radiation from screen. 3. Read message when stored on receiver’s PC. 3.1 Get physical access to hard drive. 3.2 Infect user with spyware. 3. Read message in transit. 3.1 Sniff network. 3.2 Usurp control of mail server.
29
Other Stages Secure Development
30
https://insights.sei.cmu.edu/sei_blog/2017/04/c ert-c-
Implementation Coding standards Acceptable libraries and functions Below is recommended secure coding for Java seccodeguide html Secure coding guidelines from CERT for C++ ert-c- secure-coding- guidelines.html Checklists Static analysis tools Identifies common errors, input validation errors, buffers Code reviews More effective than testing in many reports
31
Verification Fuzz Testing Unit Tests Penetration Testing
Automatic testing with random data. Unit Tests Test security features Penetration Testing Driven by application risks. Threat model identifies most important assets and entry points.
32
Maintenance Prepare before release time.
Receiving vulnerability reports. Releasing security advisories. Developing, testing, and distributing patches.
33
Microsoft Security Development
34
SDLC at Microsoft Security Development Lifecycle
Management support Bill Gates letter about 2002 security push, Got to do better! 6 Mandatory education For managers and engineers. Annual updates. Metrics Education coverage. Vulnerabilities discovered. Central Security Team Ensures someone is responsible. Keeps process and education updated.
35
Advance the state of the art of secure software development
05/21/13 Engineering Excellence Advance the state of the art of secure software development Raise the bar of software security Improved development process New tools designed to help developers Guidance and training focused on secure coding Microsoft has invested in internal training, and is mandating ongoing process changes to improve the security of its software. These processes have begun to pay off with measurable improvements in the security of newer versions of its software. 35
36
Quality & Engineering Excellence Improved Development Process SD3+C
05/21/13 Threat modeling Code inspection Penetration testing Unused features off by default Reduce attack surface area Least Privilege Prescriptive Guidance Security Tools Training and Education Products go through our improved Trustworthy Computing release process, based upon the concepts of Secure by design, secure by default, secure in deployment and great communications. Microsoft is committed to enabling every customer to work, communicate, and transact business more securely. Behind the global security mobilization announced in October 2003, we will continue toward that goal by working closely with customers, partners, and the industry. We measure our efforts using the SD³+C framework. •Secure by Design. Implementing threat modeling and other key security considerations in design and development stages. These considerations include: mandatory training in writing secure code; code reviews and penetration testing; automated code diagnostic tools; and redesigned architecture to maximize software resilience. •Secure by Default. Maximizing security in default configurations of shipped software. To reduce risk of attack, Microsoft has changed default configurations so that service settings are not enabled at delivery. •Secure in Deployment. Promoting more secure deployment and management of our software. These efforts include scanning tools, services—including patch management with configuration verification functions, and localized versions of security bulletins and tools, such as Software Update Services and Baseline Security Analyzer. •Communications. Keeping customers informed. These efforts include timely communication about software update releases and our worldwide Security Response Process. In addition, we are working with government, partners, and academia to deliver security education, offer security certification programs for IT professionals, and conduct consumer protection campaigns worldwide. Lets take a look at how we are applying these principles internally in our Security Development Lifeclycle. Community Engagement Transparency Clear policy 36
37
65 35 30 90 150 210 270 330 390 450 510 570 630 690 720 Days Source: Microsoft Security Bulletin Search
38
05/21/13 Quality & Engineering Excellence Helping Developers Write More Secure Code .NET Framework 1.1 Cryptographic APIs Integrated PKI Visual Studio .NET 2003 Security Tools Web Services Enhancements I’ve talked about our improvements in our internal efforts to build and release secure code, and I almost always get a question – “What are you doing to promote these lessons to the companies and people that build applications on Microsoft platforms?” While we are always our first test cases, we do intend to productize our successful innovations and deliver them to the development community. I am pleased with some of the ways we’ve been able to do this so far: Secure Platform: We’ve delivered the .NET framework, that encapsulates many fundamental security mechanisms, making it simpler for developers to add security to their applications. Cryptographic APIs and integrated PKI round out the tools for building from a more secure platform. Development Tools: Visual Studio .NET 2003, in conjunction with security tools like FxCop help enable your ability to develop line of business applications with inherent security. Work on the WS-I standards process and work to implement web services security enhancements help developers as well. Developer Guidance: One of our best security web sites is the Microsoft Security Developer Center at msdn.microsoft.com/security, centralizing vooks, guidance, training and articles to help the development community. Go there and check it out and check out the many technical developer webcasts. Microsoft Security Developer Center Writing Secure Code v2 Developer webcasts 39
39
Education for the SDL
40
Outreach And Communications
Pre Release Security Bulletin Advance Notification - three business days prior to release Second Tuesday Release Day Updates posted on Download Center, Windows Update and/or Office Update Bulletins posted RSS Feeds Customer and instant message notifications Community outreach MS Field alerts and call downs Post Release Security Bulletins Webcast (Wednesday following release, 11AM PT) Supplementary Webcasts if needed Monitor bulletin uptake and customer issues through PSS and Windows Update Bulletin maintenance Microsoft introduced "Patch Tuesday" in October 2003
41
SSIRP - Software Security Incident Response Plan
Companywide process to deal with critical security threats Mobilize Microsoft resources worldwide Goals: Quickly gain a thorough understanding of the problem Provide customers with timely, relevant, consistent information Deliver tools, security updates and other assistance to restore normal operation
42
Guidance, Tools & Response Delivering Support and Creating Community
05/21/13 Guidance, Tools & Response Delivering Support and Creating Community Security tools Microsoft Baseline Security Analyzer Security Bulletin Search Tool Guidance and training Security Guidance Center E-Learning Clinics Community engagement Newsletters Webcasts and chats Microsoft will continue to stress security readiness via evolving tools, training, and education. It will provide better, more thorough guidance on its web sites: for IT professionals and the Protect Your PC site ( for consumers Other Top Line Messages, in addition to the slide text: A predictable and transparent Security Update Bulletin Program. Microsoft now releases updates on the regularly scheduled basis of every second Tuesday of the month. A dedicated developer Security Symposium was held at Microsoft’s Professional Developer’s Conference in October 2003 to focus on secure coding practices TechNet seminars since the fall of 2003 to educate IT professionals on good security practices. Microsoft Security Guidance Kit. A CD that includes much of the guidance already posted on-line. It provides customers with valuable security information and resources to help support IT administrators in small, medium or large organizations. Monthly security webcasts. These webcasts are designed to inform participants about the latest developments on the security front. They include monthly webcasts with Mike Nash, the Corporate Vice President of the Security Business And Technology Unit and a monthly webcast to cover the security bulletins. For consumers, Microsoft is working on a worldwide education campaign with computer manufacturers, retailers, ISPs and other partners to create broader awareness of best practices tpo protect their PCs. This has three aspects: installing antivirus software using an Internet firewall using the Automatic Update features in Windows to automatically download the latest Microsoft security updates. 43
43
Microsoft Resources General XP SP2 Resources for the IT Professional
05/21/13 Microsoft Resources General XP SP2 Resources for the IT Professional Security Guidance Center Tools How Microsoft IT Secures Microsoft E-Learning Clinics Events and Webcasts URLs for your reference 44
44
Secure Software Resources
Waterfall Model and-cons-of-the-waterfall-model-of-software- development/ David LeBlanc's Blog about Dread adful.aspx Gary McGraw's site Secure Code stuff
45
End System Security Flaws ( …Its the people)
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.