© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Source code security testing Vít Šembera
HP Consultant
HP Enterprise Security Products
Topics
Story time
Application security
Source Code analysis
Security Solutions
Q&A
Space: The Final Frontier.
• Mission
– Unlock the Secrets of Earth’s Magnetosphere
Project goes to the most interesting phase...
• Investment
– 10 years of effort
– $7 Billion
• The rocket lifts off! The crowd cheers!
• 37 seconds after launch…
Well… That was unexpected.
What’s the Worst that Could Happen?
The Incident
• PlayStation Network breach reported April 2011
• 77M customer accounts compromised
• PS Network completely offline for 25 days
• Total cost of damages / loss > $171M
• …could be as high as $24B…
The Attack
• DDoS attack followed by SQL Injection
• 130+ servers completely compromised
• Account data, credit cards, email addresses stolen
• Required full network shutdown to contain
• More than just PlayStation Network…
Cyber attackers are targeting applications
Security measures at the network and hardware layers:
• Switch/Router security
• Firewalls
• NIPS/NIDS
• VPN
• Net-Forensics
• Anti-Virus/Anti-Spam
• DLP
• Host FW
• Host IPS/IDS
• Vuln. Assessment tools
What the attackers reach through the applications behind those layers: Intellectual Property, Customer Data, Business Processes, Trade Secrets.
What does a Software Developer Do All Day?
Requirement; “Clarified” New Requirement; Interrupted by Tech Support; Interrupted by Sales; Interrupted by PreSales; Urgent Status Report; Debug broken development tool; Debug broken 3rd party API; Hallway chat that leads to breakthrough; Bug Meeting; Google it; Read poorly written docs; Code up a prototype; Cut-n-paste; Set up unit test env; Run ad hoc test; Explain how feature works to Doc Team; Estimate how long it will take for PM; Comment code; Demonstrate; Customer call; Learn by doing
Reality Check: About that code you wrote
Your Code
• Business Logic
• “Glue” / “Wiring”
• Configuration
Not Your Code
• Web Framework
• Mobile Framework
• UI Controls
• Parsers
• DB Connectivity
• Math
• Speech
• Media
• Graphics
• Geospatial
• Web Services
• Persistence
• Messaging
• Job Scheduler
• Chart / Report
• Localization
• Validation
• Search Engine
• etc. etc.
Virtual Machine / Command Interpreter…
Device Drivers…
Firmware…
So, How Could This Happen?
• Vague Requirements
• Complex Process
• Time Pressure
• Poor Documentation
• Typical Software Program
– 1000s of variables
– 100s of “function calls”
– 100s of Lines Of Code per file
– 1000s of files
– 10,000s of LOC of 3rd party code
– Language dependent idiosyncrasies
– …
1 – 5 Bugs per 10,000 LOC AFTER RELEASE!
Answer: Unfortunately, all too easily!
Application security challenges
Software comes from in-house development, outsourced development, commercial vendors and open source, which raises the challenges of:
• Procuring secure software
• Demonstrating compliance
• Certifying new releases
• Securing legacy applications
Today’s approach > expensive, reactive
1. Somebody builds bad software
2. IT deploys the bad software
3. We are breached or pay to have someone tell us our code is bad
4. We convince & pay the developer to fix it
Why it doesn’t work
• After an application is released into Production, it costs 30x more than during design.
[Chart: cost of fixing a defect by SDLC phase (Requirements, Coding, Integration/component testing, System testing, Production); cost axis marked 2X, 5X, 10X, 15X, 30X; 30x more costly to secure in production. Source: NIST]
This is application security
The right approach > systematic, proactive
1. Embed security into the SDLC development process (in-house, outsourced, commercial and open source code)
2. Leverage a Security Gate to validate resiliency of internal or external code before Production
3. Monitor and protect software running in Production
Improve SDLC policies
HP Fortify SCA - Static analysis
Static analysis – find and fix security issues in your code during development
HP Fortify Static Code Analyzer (SCA)
• Features:
• Automate static application security testing to identify security vulnerabilities in application source code during development
• Pinpoint the root cause of vulnerabilities with line of code details and remediation guidance
• Prioritize all application vulnerabilities by severity and importance
• Supports 21 languages, 500+ vulnerability categories
Most Common Programming Languages 2013
Rank 2013  Language      Ratings
 1         Java          18.156%
 2         C             17.141%
 3         Objective-C   10.230%
 4         C++            9.115%
 5         C#             6.597%
 6         PHP            4.809%
 7         Visual Basic   4.607%
 8         Python         4.388%
 9         Ruby           2.150%
10         Perl           1.959%
11         JavaScript     1.370%
12         Bash           1.009%
13         Lisp           0.942%
14         PL/SQL         0.921%
15         Delphi         0.889%
16         VB.NET         0.888%
17         T-SQL          0.836%
18         Pascal         0.697%
19         Lua            0.697%
20         Assembly       0.633%
21         SAS            0.617%
22         Ada            0.613%
23         MATLAB         0.613%
24         Lisp           0.555%
25         R              0.527%
26         COBOL          0.518%
27         ABAP           0.491%
28         Fortran        0.451%
29         Scheme         0.416%
30         D              0.345%
Static Application Security Testing
Languages handled by SCA Translation: ABAP, ASP.NET, VB.NET, C# (.NET), C/C++, Classic ASP, COBOL, CFML, HTML, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, T-SQL, Visual Basic, VBScript, XML
Pipeline: Source code (e.g. XML, Java, T-SQL, JSP) → SCA Translation → Normalized Representation → SCA Analysis → Results (reported per language: XML, Java, T-SQL, JSP)
Analysis Rules fed into SCA Analysis: Security Research Group Rules and Client Developed Rules
Example finding: User Input → SQL Injection, traced back to the Source Code. Accurately identify root cause and remediate underlying security flaw.
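To make the "user input reaches a SQL sink" idea concrete, here is an added example, not Fortify code: a toy flow-insensitive taint analysis over Python's `ast` with a constructed rule set that names `request.args.get` and `input` as user-input sources, a hypothetical `escape_sql` as sanitizer and `cursor.execute` as the SQL sink. It reports the line of code where unsanitized input reaches the sink and stays silent where the value went through the sanitizer.

```python
import ast
# Constructed rule set (hypothetical names): taint sources, sanitizers and sinks
SOURCES = {"request.args.get", "input"}
SANITIZERS = {"escape_sql"}
SINKS = {"cursor.execute"}
def call_name(node):
    """Dotted name of a call target, e.g. 'request.args.get'."""
    parts, n = [], node.func
    while isinstance(n, ast.Attribute):
        parts.append(n.attr)
        n = n.value
    if isinstance(n, ast.Name):
        parts.append(n.id)
    return ".".join(reversed(parts))
def is_tainted(expr, tainted):
    """True if expr carries source data that did not pass through a sanitizer."""
    if isinstance(expr, ast.Call) and call_name(expr) in SOURCES:
        return True
    if isinstance(expr, ast.Call) and call_name(expr) in SANITIZERS:
        return False
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # concatenation, f-strings, str(), method calls on tainted values: taint propagates
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))
def simple_statements(node):
    """Yield non-compound statements in source order, descending into bodies/branches."""
    for child in getattr(node, "body", []) + getattr(node, "orelse", []):
        if isinstance(getattr(child, "body", None), list):
            yield from simple_statements(child)
        else:
            yield child
def find_sqli(source):
    """Return (line, sink) pairs where tainted data reaches a sink (flow-insensitive)."""
    tainted, findings = set(), []
    for stmt in simple_statements(ast.parse(source)):
        for node in ast.walk(stmt):  # report sinks fed by data tainted so far
            if isinstance(node, ast.Call) and call_name(node) in SINKS:
                if any(is_tainted(a, tainted) for a in node.args):
                    findings.append((node.lineno, call_name(node)))
        if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
            tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
    return findings
# Constructed program under analysis: one unsanitized and one sanitized query
SAMPLE = '''def lookup(cursor, request):
    name = request.args.get("user")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)                           # reported: line 4
    safe = escape_sql(request.args.get("id"))
    cursor.execute("SELECT 1 WHERE id = " + safe)   # not reported
'''
```

A real analyzer adds interprocedural and path-sensitive tracking, but the shape is the same: rules name sources, sanitizers and sinks, and a finding is a path from the first to the last with no sanitizer in between.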
Complete coverage of mobile app ecosystem
Fortify Mobile Application Security Testing
• Mobile support for:
– Apple iOS (Objective C)
– Android
– Windows Phone
– Blackberry
• Utilize Hybrid Analysis
– Source Code
– Running Application
– Protocol Analysis
• Test all three tiers
Client: Credentials in memory, Credentials on filesystem, Data stored on filesystem, Poor cert management
Network: Cleartext credentials, Cleartext data, Backdoor data, Data leakage
Server: SQL Injection, Cross-Site Scripting, Local File Include, Authentication, Session Management, Logic Flaws
HP WebInspect – Dynamic analysis / pentest
Dynamic analysis – find critical security issues in running applications
HP WebInspect
• Features:
• Quickly identify risk in existing applications
• Automate dynamic application security testing of any technology, from development through production
• Validate vulnerabilities in running applications, prioritizing the most critical issues for root-cause analysis
• Streamline the process of remediating vulnerabilities
HP Fortify Runtime – Runtime analysis
Detect, prevent and log application security events in production
HP Fortify Runtime
• Runtime Platform
• Application-layer security visibility in production
• Detects security events and mitigates attacks
• Configuration editor and diagnostics tools
• Runtime Application Protection
• Rules-based attack detection and prevention
• Runtime Application Logging
• Log application security and user activity events to SIEM without code change
• Native integration with ArcSight ESM
HP Fortify SSC – Correlation, Planning, Reporting
Management, tracking and remediation of enterprise software risk
HP Fortify Software Security Center server
• Features:
• Specify, communicate and track security activities on software projects
• Role-based, process-driven management of software security program
• Integrations into key development environments
• Build integration, defect tracking, source control, 3rd party analysis engines
• Flexible repository and reporting platform for security status, trending and compliance
• Normalized, correlated vulnerability repository
• Aggregated risk metrics
Software Scanning Process
Participants and systems: Developers, Auditor / Security, Code Repository, Build / Scan with Static Code Analysis (SCA), Fortify SSC, Bug Tracking
1. Developers check in code to the Code Repository
2. Scheduled check-out, build and scan (SCA)
3. Upload scan results to Fortify SSC
4. Auditor reviews results
5. Submit findings to Bug Tracker
6. Developer fixes bug / security finding
7. Repeat as necessary
HP Fortify on Demand
Get results fast with security testing software-as-a-service
• Simple – Launch your application security initiative in <1 day
– No hardware or software investments
– No security experts to hire, train and retain
• Fast – Scale to test all applications in your organization
– 1 day turn-around on application security results
– Support 1000s of applications for the desktop, mobile or cloud
• Flexible – Test any application from anywhere
– Secure commercial, open source and 3rd party applications
– Test applications on-premise or on demand, or both
Fortify + WAF + TippingPoint + ArcSight = Adaptive defense
[Diagram: Fortify + WebInspect feeding TippingPoint, ArcSight, WAF…]
HP Fortify Software Security Center
Summary: Find, Fix and Fortify
1. Find & Fix security issues in development
2. Fortify applications against attack
3. Save money in development
4. Reduce risk from applications
Practical experience
• Static analysis takes about 5 days
• Cooperation with an application architect is necessary
• Older apps usually have more bugs per LoC
• Frameworks contain more bugs than the application’s own code
• Almost every tested web app contains XSS
• Developers find Fortify reports very useful
• A WAF (and/or IPS) is easier to deploy than fixing the apps
Thank you