Source code security testing - Eventworld.cz

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Page 1

Source code security testing

Vít Šembera
HP Consultant
HP Enterprise Security Products

Page 2

Topics

Story time
Application security
Source Code analysis
Security Solutions
Q&A

Page 3

Space: The Final Frontier.

• Mission
  – Unlock the Secrets of Earth’s Magnetosphere

Page 4

The project reaches its most interesting phase...

• Investment
  – 10 years of effort
  – $7 Billion
• The rocket lifts off! The crowd cheers!
• 37 seconds after launch…

Well… That was unexpected.

Page 5

What’s the Worst that Could Happen?

The Incident

• PlayStation Network breach reported April 2011
• 77M customer accounts compromised
• PS Network completely offline for 25 days
• Total cost of damages / loss > $171M
• …could be as high as $24B…

The Attack

• DDoS attack followed by SQL Injection
• 130+ servers completely compromised
• Account data, credit cards, email addresses stolen
• Required full network shutdown to contain
• More than just PlayStation Network…

Page 6

Cyber attackers are targeting applications

(diagram) Security measures at the Networks and Hardware layers:
• Switch/Router security
• Firewalls
• NIPS/NIDS
• VPN
• Net-Forensics
• Anti-Virus/Anti-Spam
• DLP
• Host FW
• Host IPS/IDS
• Vuln. Assessment tools

(diagram) Applications: Intellectual Property, Customer Data, Business Processes, Trade Secrets

Page 7

What does a Software Developer Do All Day?

(diagram, word cloud) Requirement; “Clarified” New Requirement; Interrupted by Tech Support; Interrupted by Sales; Interrupted by PreSales; Urgent Status Report; Debug broken development tool; Debug broken 3rd party API; Hallway chat that leads to breakthrough; Bug Meeting; Google it; Read poorly written docs; Code up a prototype; Cut-n-paste; Set up unit test env; Run ad hoc test; Explain how feature works to Doc Team; Estimate how long it will take for PM; Comment code; Demonstrate; Customer call; Learn by doing

Page 8

Reality Check: About that code you wrote

(diagram) Your Code
• Business Logic
• “Glue” / “Wiring”
• Configuration

(diagram) Not Your Code
• Web Framework
• Mobile Framework
• UI Controls
• Parsers
• DB Connectivity
• Math
• Speech
• Media
• Graphics
• Geospatial
• Web Services
• Persistence
• Messaging
• Job Scheduler
• Chart / Report
• Localization
• Validation
• Search Engine
• etc. etc.
• Virtual Machine / Command Interpreter…
• Device Drivers…
• Firmware…

Page 9

So, How Could This Happen?

• Vague Requirements
• Complex Process
• Time Pressure
• Poor Documentation
• Typical Software Program
  – 1000s of variables
  – 100s of “function calls”
  – 100s of Lines Of Code per file
  – 1000s of files
  – 10,000s of LOC of 3rd party code
• Language dependent idiosyncrasies
  – …

1 – 5 Bugs per 10,000 LOC AFTER RELEASE!

Answer: Unfortunately, all too easily!

Page 10

Application security challenges

(diagram) Software sources: In-house development, Outsourced, Commercial, Open source

Challenges:
• Procuring secure software
• Demonstrating compliance
• Certifying new releases
• Securing legacy applications

Page 11

Today’s approach > expensive, reactive

1. Somebody builds bad software
2. IT deploys the bad software
3. We are breached or pay to have someone tell us our code is bad
4. We convince & pay the developer to fix it

Page 12

Why it doesn’t work

• After an application is released into Production, it costs 30x more than during design.

(chart: relative Cost of fixing a defect by phase: Requirements, Coding, Integration/component testing, System testing, Production; cost axis ticks 2X, 5X, 10X, 15X, 30X; 30x more costly to secure in production. Source: NIST)

Page 13

The right approach > systematic, proactive

This is application security

(diagram) Software sources: In-house, Outsourced, Commercial, Open source

1. Embed security into SDLC development process
2. Leverage Security Gate to validate resiliency of internal or external code before Production
3. Monitor and protect software running in Production

Feedback: Improve SDLC policies

Page 14

HP Fortify SCA - Static analysis

Page 15

Static analysis – find and fix security issues in your code during development

HP Fortify Static Code Analyzer (SCA)

• Features:
  – Automate static application security testing to identify security vulnerabilities in application source code during development
  – Pinpoint the root cause of vulnerabilities with line of code details and remediation guidance
  – Prioritize all application vulnerabilities by severity and importance
  – Supports 21 languages, 500+ vulnerability categories

Page 16

Most Common Programming Languages 2013

Rank 2013   Language        Ratings
1           Java            18.156%
2           C               17.141%
3           Objective-C     10.230%
4           C++              9.115%
5           C#               6.597%
6           PHP              4.809%
7           Visual Basic     4.607%
8           Python           4.388%
9           Ruby             2.150%
10          Perl             1.959%
11          JavaScript       1.370%
12          Bash             1.009%
13          Lisp             0.942%
14          PL/SQL           0.921%
15          Delphi           0.889%
16          VB.NET           0.888%
17          T-SQL            0.836%
18          Pascal           0.697%
19          Lua              0.697%
20          Assembly         0.633%
21          SAS              0.617%
22          Ada              0.613%
23          MATLAB           0.613%
24          Lisp             0.555%
25          R                0.527%
26          COBOL            0.518%
27          ABAP             0.491%
28          Fortran          0.451%
29          Scheme           0.416%
30          D                0.345%

Page 17

Static Application Security Testing

(diagram) Supported source languages: ABAP; ASP.NET, VB.NET, C# (.NET); C/C++; Classic ASP; COBOL; CFML; HTML; Java; JavaScript/AJAX; JSP; PHP; PL/SQL; Python; T-SQL; Visual Basic; VBScript; XML

SCA Translation: each language (e.g. XML, Java, T-SQL, JSP) is translated into a Normalized Representation

SCA Analysis: the normalized representation is analyzed against Analysis Rules (Security Research Group Rules and Client Developed Rules)

Results: e.g. SQL Injection traced from User Input through the XML, Java, T-SQL and JSP source code

Accurately identify root cause and remediate underlying security flaw
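The translate / normalize / analyze pipeline on this slide is what lets a single dataflow rule catch the same SQL injection whether the tainted value arrived through JSP, Java or an XML configuration file. The added example below is written for this page (it is not Fortify code) and sketches that idea in Python: a tiny normalized representation, a source/sink/cleanser rule set kept as plain data, and a forward taint pass that follows user input through assignments and calls and reports the path from source to sink. A value that went through a cleanser and a parameterized query whose bind call is not a sink are left unreported. The IR shape, the rule format and the sample program are all invented for illustration.

```python
"""Toy static taint analysis in the style of a SAST engine.

Programs are expressed in a small normalized representation (IR), so one set
of source/sink rules applies whatever language the code was translated from.
The IR, the rule format and the sample program are invented for this example.
"""
from dataclasses import dataclass

# Rules are plain data: the analogue of vendor rulepacks plus client-written rules.
RULES = {
    # calls whose return value is attacker-controlled
    "sources": {"request.getParameter", "request.getHeader"},
    # call -> (vulnerability category, indices of the arguments that must be clean)
    "sinks": {
        "statement.execute": ("SQL Injection", (0,)),
        "Runtime.exec": ("Command Injection", (0,)),
    },
    # calls whose return value is safe even when the argument was tainted
    "cleansers": {"Integer.parseInt", "escapeSql"},
}


@dataclass
class Finding:
    category: str
    sink_line: int
    path: tuple  # IR line numbers from the source to the sink, in order


def analyze(ir, rules=RULES):
    """Forward taint propagation over the IR, one statement at a time.

    IR statements (their 1-based position in the list is the line number):
      ("assign", dst, src)            dst = src
      ("concat", dst, [parts...])     dst = parts joined into one string
      ("call", dst, func, [args...])  dst = func(args...)   (dst may be None)
    Literals are written as quoted strings and are never tainted.
    """
    taint = {}      # variable -> tuple of line numbers the taint travelled through
    findings = []

    def first_tainted(names, lineno):
        paths = [taint[n] for n in names if taint.get(n)]
        return paths[0] + (lineno,) if paths else None

    for lineno, stmt in enumerate(ir, start=1):
        kind = stmt[0]
        if kind == "assign":
            _, dst, src = stmt
            taint[dst] = first_tainted([src], lineno)
        elif kind == "concat":
            _, dst, parts = stmt
            taint[dst] = first_tainted(parts, lineno)   # any tainted part taints the string
        elif kind == "call":
            _, dst, func, args = stmt
            if func in rules["sources"]:
                result = (lineno,)
            elif func in rules["cleansers"]:
                result = None
            elif func in rules["sinks"]:
                category, dangerous = rules["sinks"][func]
                for i in dangerous:
                    if i < len(args) and taint.get(args[i]):
                        findings.append(Finding(category, lineno, taint[args[i]] + (lineno,)))
                result = None
            else:
                # no rule for this call: assume it passes taint through (conservative)
                result = first_tainted(args, lineno)
            if dst is not None:
                taint[dst] = result
    return findings


# Constructed sample: a servlet's request handling after translation to the IR.
SAMPLE_IR = [
    ("call", "user", "request.getParameter", ['"user"']),                       # 1: taint enters
    ("call", "user", "String.trim", ["user"]),                                   # 2: no rule, passes through
    ("concat", "sql", ['"SELECT * FROM users WHERE name=\'"', "user", '"\'"']), # 3
    ("call", "rs", "statement.execute", ["sql"]),                                # 4: SQL Injection
    ("call", "raw", "request.getParameter", ['"id"']),                           # 5
    ("call", "id", "Integer.parseInt", ["raw"]),                                 # 6: cleanser
    ("concat", "sql2", ['"SELECT * FROM orders WHERE id="', "id"]),              # 7
    ("call", "rs2", "statement.execute", ["sql2"]),                              # 8: clean, not reported
    ("call", "ps", "connection.prepareStatement", ['"SELECT * FROM users WHERE name=?"']),  # 9
    ("call", None, "preparedStatement.setString", ['"1"', "user"]),              # 10: bind, not a sink
    ("call", None, "Runtime.exec", ["user"]),                                    # 11: Command Injection
]


def scan_sample():
    return analyze(SAMPLE_IR)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.category}: sink at line {f.sink_line}, dataflow {' -> '.join(map(str, f.path))}")
```

The reported path (source line, every statement the value passed through, sink line) is the "line of code detail" a developer needs to fix the root cause rather than the symptom; the analyzer treats an unknown call as taint-preserving on purpose, because a missed pass-through hides real findings while a spurious one only costs an audit.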

Page 18

Complete coverage of mobile app ecosystem

Fortify Mobile Application Security Testing

• Mobile support for:
  – Apple iOS (Objective C)
  – Android
  – Windows Phone
  – Blackberry
• Utilize Hybrid Analysis
  – Source Code
  – Running Application
  – Protocol Analysis
• Test all three tiers

Client
• Credentials in memory
• Credentials on filesystem
• Data stored on filesystem
• Poor cert management

Network
• Cleartext credentials
• Cleartext data
• Backdoor data
• Data leakage

Server
• SQL Injection
• Cross-Site Scripting
• Local File Include
• Authentication
• Session Management
• Logic Flaws

Page 19

HP WebInspect – Dynamic analysis / pentest

Page 20

Dynamic analysis – find critical security issues in running applications

HP WebInspect

• Features:
  – Quickly identify risk in existing applications
  – Automate dynamic application security testing of any technology, from development through production
  – Validate vulnerabilities in running applications, prioritizing the most critical issues for root-cause analysis
  – Streamline the process of remediating vulnerabilities

Page 21

HP Fortify Runtime – Runtime analysis

Page 22

Detect, prevent and log application security events in production

HP Fortify Runtime

• Runtime Platform
  – Application-layer security visibility in production
  – Detects security events and mitigates attacks
  – Configuration editor and diagnostics tools
• Runtime Application Protection
  – Rules-based attack detection and prevention
• Runtime Application Logging
  – Log application security and user activity events to SIEM without code change
  – Native integration with ArcSight ESM
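Runtime protection of the kind this slide describes hooks the application as it runs rather than in its source: it watches calls the application already makes (database queries, command execution, request parameters), applies rules to them, blocks the call when a rule fires and emits an event the SIEM can consume. The added Python example below is written for this page, not Fortify Runtime's code. It wraps a hypothetical application's `run_query` function at start-up without editing the application, applies a small rule set, and formats each event as a CEF line, the Common Event Format that ArcSight ingests. The application stub, the rule signatures and the vendor/product names in the CEF header are assumptions for illustration.

```python
"""Rule-based runtime application protection by instrumentation.

A hypothetical application exposes run_query(sql). The guard wraps that
function at start-up, so the application source is not changed, checks the
SQL against a small rule set, blocks on a hit and emits an ArcSight CEF
event. The application stub and the rules are constructed for this example.
"""
import functools
import re
import types

# --- the application under protection: a constructed stand-in ---------------
app = types.SimpleNamespace()


def _run_query(sql):
    return f"executed: {sql}"          # the real code would hit the database


app.run_query = _run_query

# --- runtime rules: (signature id, name, CEF severity 0-10, pattern, action) --
# The first matching rule decides; "block" raises, "log" only reports.
RULES = [
    ("1001", "SQL tautology", 8,
     re.compile(r"'\s*or\s*'?\w*'?\s*=\s*'?\w*'?", re.I), "block"),
    ("1002", "SQL comment truncation", 6, re.compile(r"(--|/\*)"), "block"),
    ("1003", "Stacked query", 8,
     re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I), "block"),
    ("2001", "Oversized query", 2, re.compile(r".{500,}", re.S), "log"),
]

EVENTS = []                              # stand-in for the SIEM connector


class BlockedRequest(Exception):
    pass


def _cef_header(value):
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def cef_event(sig_id, name, severity, **ext):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = "|".join(["CEF:0", "Example", "RuntimeGuard", "1.0",
                       sig_id, _cef_header(name), str(severity)])
    extension = " ".join(f"{k}={_cef_ext(str(v))}" for k, v in ext.items())
    return header + "|" + extension


def protect(target, func_name, rules=RULES, emit=EVENTS.append):
    """Replace target.<func_name> with a guarded wrapper; no source change needed."""
    original = getattr(target, func_name)

    @functools.wraps(original)
    def guarded(sql, *args, **kwargs):
        for sig_id, name, severity, pattern, action in rules:
            if pattern.search(sql):
                emit(cef_event(sig_id, name, severity, act=action,
                               cs1Label="function", cs1=func_name, request=sql))
                if action == "block":
                    raise BlockedRequest(f"{name} (rule {sig_id})")
                break
        return original(sql, *args, **kwargs)

    setattr(target, func_name, guarded)
    return guarded


def demo():
    """Protect the stub once, run three queries, return (results, events)."""
    if not hasattr(app.run_query, "__wrapped__"):
        protect(app, "run_query")
    EVENTS.clear()
    results = []
    for sql in [
        "SELECT * FROM users WHERE name='alice'",
        "SELECT * FROM users WHERE name='' or '1'='1'",
        "SELECT * FROM users WHERE name='x'; DROP TABLE users--",
    ]:
        try:
            results.append(app.run_query(sql))
        except BlockedRequest as exc:
            results.append(f"blocked: {exc}")
    return results, list(EVENTS)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Two practical points follow from the code. Pattern rules like these will misfire on legitimate data (a `--` inside a comment string, a quoted `or`), which is why a runtime product ships a configuration editor and diagnostics: rules start in "log" mode and are promoted to "block" per application once the event stream is clean. And escaping matters in the CEF extension, since an unescaped `=` or newline in the captured request would let an attacker forge fields in the SIEM record.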

Page 23

HP Fortify SSC – Correlation, Planning, Reporting

Page 24

Management, tracking and remediation of enterprise software risk

HP Fortify Software Security Center server

• Features:
  – Specify, communicate and track security activities on software projects
  – Role-based, process-driven management of software security program
  – Integrations into key development environments
    • Build integration, defect tracking, source control, 3rd party analysis engines
  – Flexible repository and reporting platform for security status, trending and compliance
    • Normalized, correlated vulnerability repository
    • Aggregated risk metrics

Page 25

Software Scanning Process

(diagram) Actors: Developers, Auditor / Security, Fortify SSC, Build / Scan (Static Code Analysis, SCA), Code Repository, Bug Tracking

1. Developers check in code to the Code Repository
2. Scheduled check-out, build and scan (SCA)
3. Upload scan results to Fortify SSC
4. Auditor reviews results
5. Submit findings to Bug Tracker
6. Developer fixes bug / security finding
7. Repeat as necessary
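The loop on this slide (scan on a schedule, audit, file, fix, rescan) only works if each rescan can tell a new finding from one already filed or already audited as a false positive; otherwise every run re-files the same tickets. The added Python example below is written for this page, not SSC's code, and shows the triage and gate logic a build step around that loop needs: findings are keyed by a stable instance id, findings the auditor marked "Not an Issue" are suppressed, findings already in the tracker are not filed again, tickets whose finding has disappeared are marked fixed, and the security gate fails while unaudited Critical or High findings remain. The finding fields, the priority names, the tracker stub and the three sample scans are assumptions made for illustration, not SSC's API or the FPR file format.

```python
"""Security gate and triage logic around a scheduled scan / audit / fix loop.

Findings carry a stable instance id (in a real engine, a hash of category,
location and dataflow path that survives rescans of unchanged code), which is
what lets a rescan be matched against earlier audit decisions and the bug
tracker. Finding fields, priority names and the tracker stub are assumptions
made for this example.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass
class Finding:
    instance_id: str
    category: str
    priority: str
    location: str


@dataclass
class Ticket:
    instance_id: str
    title: str
    status: str = "open"


class Tracker:
    """Stand-in for a defect tracker, keyed by finding instance id."""

    def __init__(self):
        self.tickets = {}

    def file(self, finding):
        title = f"[{finding.priority}] {finding.category} at {finding.location}"
        self.tickets[finding.instance_id] = Ticket(finding.instance_id, title)
        return self.tickets[finding.instance_id]

    def open_ids(self):
        return {i for i, t in self.tickets.items() if t.status == "open"}


def triage(findings, audit, tracker, gate_priority="High"):
    """Apply audit decisions, sync the tracker, and decide the security gate.

    audit maps instance id -> auditor analysis; "Not an Issue" suppresses.
    Returns a dict with the gate verdict and what was filed / fixed / blocking.
    """
    suppressed = {i for i, verdict in audit.items() if verdict == "Not an Issue"}
    live = {f.instance_id: f for f in findings if f.instance_id not in suppressed}

    # a ticket whose finding no longer appears was fixed (or its code removed)
    fixed = sorted(tracker.open_ids() - set(live))
    for i in fixed:
        tracker.tickets[i].status = "fixed"

    # file only findings that are not already tracked (no duplicate tickets on rescans)
    filed = [tracker.file(f).instance_id for i, f in live.items() if i not in tracker.tickets]

    # the gate: any live finding at or above the threshold blocks promotion to production
    threshold = PRIORITY_RANK[gate_priority]
    blocking = sorted(i for i, f in live.items() if PRIORITY_RANK[f.priority] >= threshold)
    return {"passed": not blocking, "blocking": blocking, "filed": filed, "fixed": fixed}


# Constructed sample: three scheduled scans of the same application.
A = Finding("a1f3", "SQL Injection", "Critical", "LoginDAO.java:42")
B = Finding("b7c0", "Cross-Site Scripting", "High", "profile.jsp:17")
C = Finding("c2e9", "Poor Logging Practice", "Low", "Audit.java:88")
D = Finding("d4d4", "Path Manipulation", "High", "Export.java:120")
E = Finding("e5b1", "Weak Cryptographic Hash", "Medium", "Passwords.java:31")
AUDIT = {"d4d4": "Not an Issue"}        # auditor: the path is server-controlled


def run_sample():
    tracker = Tracker()
    scans = [
        [A, B, C, D],        # scan 1: initial baseline
        [B, C, D, E],        # scan 2: A fixed, E introduced
        [C, D, E],           # scan 3: B fixed
    ]
    return [triage(scan, AUDIT, tracker) for scan in scans]


if __name__ == "__main__":
    for n, verdict in enumerate(run_sample(), start=1):
        print(f"scan {n}: {'PASS' if verdict['passed'] else 'FAIL'} {verdict}")
```

Note what the audit decision does and does not do: a "Not an Issue" verdict keeps finding D out of the tracker and out of the gate on every rescan, but it is tied to the instance id, so if the code around `Export.java:120` changes enough to produce a new instance id the finding comes back for re-audit rather than staying silently suppressed.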

Page 26

HP Fortify on Demand

Get results fast with security testing software-as-a-service

• Simple – Launch your application security initiative in <1 day
  – No hardware or software investments
  – No security experts to hire, train and retain
• Fast – Scale to test all applications in your organization
  – 1 day turn-around on application security results
  – Support 1000s of applications for the desktop, mobile or cloud
• Flexible – Test any application from anywhere
  – Secure commercial, open source and 3rd party applications
  – Test applications on-premise or on demand, or both

Page 27

Fortify + WAF + TippingPoint + ArcSight = Adaptive defense

(diagram: Fortify + WebInspect; TippingPoint, ArcSight, WAF…)

Page 28

HP Fortify Software Security Center

Summary: Find, Fix and Fortify

1. Find & Fix security issues in development
2. Fortify applications against attack
3. Save money in development
4. Reduce risk from applications

Page 29

Practical experience

• Static analysis takes about 5 days
• Cooperation with an application architect is necessary
• Older apps usually have more bugs per LoC
• Frameworks contain more bugs than own code
• Almost every tested web app contains XSS
• Developers find Fortify reports very useful
• A WAF (and/or IPS) is easier to deploy than fixing the apps

Page 30

Thank you