Software Security Initiative James Walden Northern Kentucky University

Post on 23-Feb-2016

Page 1: Software Security Initiative

Software Security Initiative

James Walden
Northern Kentucky University

Page 2: Software Security Initiative

CSC 666: Secure Software Engineering

Topics

1. Security Operations
2. Web Application Firewalls
3. Build Security In Maturity Model

Page 3: Software Security Initiative

Software Security Practices

1. Code Reviews
2. Risk Analysis
3. Penetration Testing
4. Security Testing
5. Abuse Cases
6. Security Operations

Diagram: lifecycle phases Requirements, Design, Coding, Testing, Maintenance, annotated with the touchpoints Abuse Cases, Risk Analysis, Code Reviews + Static Analysis, Security Testing, Penetration Testing and Security Operations.

Page 4: Software Security Initiative

Security Operations

User security notes
• Software should be secure by default.
• Enabling certain features/configs may have risks.
• User needs to be informed of security risks.

Incident response
• What happens when a vulnerability is reported?
• How do you communicate with users?
• How do you send updates to users?

Page 5: Software Security Initiative

Code Deployment

Manage deployment process
• Change management process.
• Scrub debug/test code from software.
• Use automated tools for deployment.

Maintain three sets of servers
• Development
• Staging
• Production

Page 6: Software Security Initiative

Web Application Firewalls

Analyze + filter HTTP traffic
• Intrusion Detection
• Intrusion Prevention

Open Source WAFs
• AQTronix WebKnight
• Breach ModSecurity

Commercial WAFs
• Armorlogic Profense
• Breach WebDefend
• Citrix Application Firewall
• Fortify Defender

Page 7: Software Security Initiative

Modes of Operation

• Bridge: transparent bridging firewall.
• Router: install at single point of entry.
• Reverse Proxy: traffic redirected to flow through WAF by DNS or routing.
• Embedded: server plugin; no need to configure network but only works with some web servers.

Page 8: Software Security Initiative

Modes of Operation

Diagram: WAF placement as Bridge or Router, Embedded, and Reverse Proxy.

Page 9: Software Security Initiative

SSL

Terminates SSL: Reconfigure network to move SSL operations to WAF itself. WAF to server communication can be plaintext or SSL encrypted.

Passively decrypts SSL: WAF decrypts SSL traffic using copy of server’s SSL private key. Data travels untouched to web server.

Occurs after SSL: Embedded WAFs can be positioned to analyze traffic after server decrypts SSL data.

Page 10: Software Security Initiative

Traffic Blocking

Connection Intermediation: Traffic intercepted by WAF. Attacks blocked by not forwarding packets to destination.

Connection Reset: Traffic inspected by WAF, which blocks attacks by resetting TCP connections.

3rd Party Blocking: Traffic inspected by WAF, which notifies other devices to block.

Page 11: Software Security Initiative

Traffic Blocking

WAFs can block
• IP addresses
• TCP connections
• HTTP requests
• Application sessions
• Application users
• Too many new requests/sessions

WAFs can rewrite parts of HTTP request
• Request headers
• Response headers
• Cookies
• URLs
• HTTP message bodies

Page 12: Software Security Initiative

Canonicalization

WAFs convert data to standard form
• URL-decoding
• Paths (., .., \)
• Mixed case
• Whitespace condensation
• HTML entity decoding
• Escaped character decoding
• Unicode standardization

Page 13: Software Security Initiative

Signatures and Rules

Signatures
• Text strings
• Regular expressions

Rules
• Signatures + Operators (length, field)
• Logical expressions
• Control flow
• Session management
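Added example, not from the slides: a small Python routine that applies the canonicalization steps from the previous slide before running signature and length rules per request field, illustrating why decoding must come before matching. The rule format, field names and sample requests are constructed for this example and are not ModSecurity syntax.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Constructed rule set (hypothetical format): each rule names the request
# field it inspects and carries either a regex signature or a length operator.
RULES = [
    {"id": "path-traversal", "field": "path", "pattern": r"(^|/)\.\.(/|$)"},
    {"id": "script-tag", "field": "query", "pattern": r"<script\b"},
    {"id": "oversized-cookie", "field": "cookie", "max_len": 512},
]

def canonicalize(value: str) -> str:
    """Reduce a request field to a standard form before any signature runs."""
    prev = None
    while prev != value:                          # decode until stable (%252e -> %2e -> .)
        prev = value
        value = html.unescape(unquote(value))     # URL-decoding, then HTML entity decoding
    value = unicodedata.normalize("NFKC", value)  # Unicode standardization (fullwidth forms)
    value = value.lower()                         # mixed case
    value = re.sub(r"\s+", " ", value).strip()    # whitespace condensation
    value = value.replace("\\", "/")              # treat backslash as a path separator
    value = re.sub(r"/{2,}", "/", value)          # collapse repeated slashes
    return re.sub(r"(/\.)+/", "/", value)         # drop /./ segments

def evaluate(request: dict) -> list:
    """Return the ids of the rules that fire; a real WAF would block or log here."""
    hits = []
    for rule in RULES:
        field = canonicalize(request.get(rule["field"], ""))
        if "pattern" in rule and re.search(rule["pattern"], field):
            hits.append(rule["id"])
        elif "max_len" in rule and len(field) > rule["max_len"]:
            hits.append(rule["id"])
    return hits

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    {"path": "/images/logo.png", "query": "size=200", "cookie": "session=abc"},
    {"path": "/files/%252e%252e/%252e%252e/etc/passwd", "query": "", "cookie": ""},  # double-encoded ..
    {"path": "/search", "query": "q=%EF%BC%9CSCRIPT%EF%BC%9Ealert(1)", "cookie": ""},  # fullwidth < >
    {"path": "/", "query": "", "cookie": "a=" + "x" * 600},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["path"], "->", evaluate(req))
```

Matching the raw, undecoded fields would miss the second and third requests entirely.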

Page 14: Software Security Initiative

BSI Maturity Model

Guide for building and improving an SSI. Based on survey of top software security programs:
• Adobe
• Depository Trust and Clearing Corporation
• EMC
• Google
• Microsoft
• QUALCOMM
• Wells Fargo

Software Security Initiative Statistics
• 2-10 years old (average 4)
• 12-100 people (average 41)
• Approximately 100:1 developer:security person ratio.

Page 15: Software Security Initiative

Using the Maturity Model

Executive leadership
• Accountability and empowerment.
• Difficulties: Grassroots and network security.

• Identify organization security goals.
• Identify which practices fit best with organizational culture.
• Use all 12 practices.
• Better to put some level 1 activities in each practice in place than go to level 3 in one.
• Not necessary to do all practices in level 1 before moving to level 2.

Page 16: Software Security Initiative

Software Security Framework

Governance: Practices that help manage and measure a software security program.

Intelligence: Practices producing collections of corporate knowledge used in software security.

SSDL Touchpoints: Practices associated with analysis and assurance of particular software development artifacts & processes.

Deployment: Practices interfacing with network security and software configuration and maintenance organizations.

Page 17: Software Security Initiative

Software Security Framework

Page 18: Software Security Initiative

Practices and Business Goals

Page 19: Software Security Initiative

Strategy and Metrics

Page 20: Software Security Initiative

Compliance and Policy

Page 21: Software Security Initiative

Training

Page 22: Software Security Initiative

Attack Models

Page 23: Software Security Initiative

Security Features and Design

Page 24: Software Security Initiative

Standards and Requirements

Page 25: Software Security Initiative

Architecture Analysis

Page 26: Software Security Initiative

Code Review

Page 27: Software Security Initiative

Security Testing

Page 28: Software Security Initiative

Penetration Testing

Page 29: Software Security Initiative

Software Environment

Page 30: Software Security Initiative

Configuration Management

Page 31: Software Security Initiative

Ten Core Activities Everyone Does

Page 32: Software Security Initiative

References

1. Brian Chess, Gary McGraw, Sammy Migues, Building Security In Maturity Model, http://www.bsi-mm.com/
2. CLASP, OWASP CLASP Project, http://www.owasp.org/index.php/Category:OWASP_CLASP_Project, 2008.
3. Noopur Davis et al., Processes for Producing Secure Software, IEEE Security & Privacy, May 2004.
4. Karen Goertzel, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software, Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.
5. Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.
6. Gary McGraw, Software Security, Addison-Wesley, 2006.
7. Ivan Ristic, Apache Security, O'Reilly, 2005.
8. Ofer Shezaf, ModSecurity "The Core Rule Set": Generic detection of application layer attacks, 6th OWASP AppSec Conference, 2007.
9. Web Application Security Consortium, "WAFEC, or how to choose WAF technology," http://www.webappsec.org/projects/wafec/, 2006.