Post on 19-Jan-2016
Joe Yeager, Security Engineer, SPI Dynamics, Inc. – London, England
2
Overview
• Background
  – Secure Software Forum (SSF)
  – SPI Dynamics
  – Web applications and their vulnerabilities
• Offense
  – Case studies
  – Examples
    • Cross Site Scripting (XSS)
    • Cross Site Request Forgery (CSRF)
    • SQL Injection
    • Blind SQL Injection
• Defense
  – Trustworthy Computing – Security Development Lifecycle
  – Application Security Assurance Program (ASAP)
3
Secure Software Forum (SSF)
• Started February 2005
• Annual education series dedicated to secure software
• Leading security experts collaborate on education initiatives
• Yearly programs include:
  – February kick-off event at RSA
  – Free workshop series
  – Executive dinner series
• http://www.securesoftwareforum.com/
4
SPI Dynamics Overview
• Founded January 2000 by Web application and security experts
• The leader in Web application security assessment throughout the lifecycle
• Eight patents pending or issued
• 1000+ customers all over the World
• Strong in F500, all industries and government
• 2006 Inc. 500 list of fastest-growing private companies
• 2005 Deloitte Technology Fast 500
• 2005 Deloitte Georgia Technology Fast 50
[Chart: Annual Revenue]
History of Application Security
6
The Evolution of Web Applications
A typical web application in 2000:
• Basic static HTML pages
• Informational applications
• Not mission-critical functions
[Diagram: a collection of static web pages]
7
The Evolution of Web Applications
[Diagram: Browser ↔ Web Server]
Simple, single-server solutions
8
Web Application Architecture of Today
[Diagram of a multi-tier web application: Browser; Web Servers (Presentation Layer, Media Store, Content Services); Application Server (Business Logic, Web Services, Wireless); Database Server (Customer Identification, Access Controls, Transaction Information, Core Business Data)]
9
Web Applications Breach the Perimeter
[Diagram: Internet | DMZ | Trusted Inside | Corporate Inside. Protocols shown at the perimeter: HTTP(S), IMAP, FTP, SSH, TELNET, POP3. Web server tier: IIS, SunOne, Apache. Application tier: ASP.NET, WebSphere/Java. Database tier: SQL, Oracle, DB2.]
• Firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server (rule: Any → Web Server: 80).
• Firewall only allows applications on the web server to talk to the application server.
• Firewall only allows the application server to talk to the database server.
10
Layered Model of Security
Layer               Exposure                                   Attack type
Network Layer       Exposed hosts / protocols                  Network attacks
Operating System    Known vulnerabilities, misconfigurations   OS attacks
Web Server          Known vulnerabilities, misconfigurations   Web server attacks
Web Application     Code, content, implementation              Web application attacks
11
Vulnerability Characteristics
• Extremely easy to exploit
  – Sometimes requires nothing more than a Web browser
  – Orders of magnitude easier than buffer overflows
• Difficult to deal with at the perimeter
  – SSL-encrypted traffic, huge volume
  – Rules granular to each input on each page, and they change as the app changes
12
Vulnerability Remediation
Custom Vulnerabilities – Custom Testing – Custom Fix – No Notification
versus
Uniform Vulnerabilities – Standardized Testing – Single-Source Fix – Global Notification
Current State of the Industry
14
Compelling Evidence
“Over 70 percent of security vulnerabilities exist at the application layer, not the network layer” – Gartner
“The battle between hackers and security professionals has moved from the network layer to the Web applications themselves” – Network World
“Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money” – Counterpane Internet Security
“64 percent of developers are not confident in their ability to write secure applications” – Microsoft Developer Research
15
Prevalence of Web App Vulns
16
[Chart: share of CVE entries by vulnerability class, one panel per year 2001–2006, y-axis 0.00%–25.00%. Categories: XSS, Buffer Overflow, SQL Injection, Directory Traversal, PHP File Inclusion, Information Leakage, DoS Malformed Input, Symbolic Link, Format String, Cryptographic Error.]
Source: Mitre CVE Statistics
17
The State of Application Security
“'Phishing' scams on the rise, survey finds – Criminals are able to dodge spam filters and other defensive tactics” (Reuters, updated 2:20 p.m. ET, Sept. 25, 2006)
(Posted 9:56 a.m. EST, January 23, 2007)
“Study Finds Flaws on Web Sites of Major Banks – Internet security experts have long known that simple passwords do not fully defend online bank accounts from determined fraud artists.” (By Brad Stone, NYT, February 5, 2007, Monday)
“MySpace Sues Spammer – Lawsuit claims Richter spoofed login pages to steal usernames and passwords in a 'phishing' scam.”
Web ApplicationVulnerability Overview
19
Web Application Vulnerabilities
Web application vulnerabilities occur in three major areas:
• Platform
• Administration
• Application
20
Web Application Vulnerabilities
Platform
• Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience – “script kiddies”
• Easiest to defend against among web application vulnerabilities
• Must have streamlined patching procedures
• Must have inventory process
Examples: IIS Unicode, Apache chunked encoding
21
Web Application Vulnerabilities
Administration
• More difficult to correct than known issues
• Require increased awareness
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings
Examples: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
22
Web Application Vulnerabilities
Application
• Coding techniques do not include security
• Input is assumed to be valid, but not tested
• Inappropriate file calls reveal source code & system files
• Unexamined input from a browser can inject scripts into a page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser
Examples: Application Mapping, Cookie Manipulation, SQL Injection, Hidden Web Paths, Forceful Browsing, Custom Application Scripting, Parameter Manipulation, Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
24
Case Study - Google
Impact Fix References Cause Case Study
Demo
Google fixes security flaw in Reader
Google said it fixed a security flaw in Google Reader on Wednesday that could have allowed a hacker to steal sensitive information from Web surfers.
By Elinor Mills, Staff Writer, CNET News.com. Published: July 5, 2006, 5:36 PM PDT
A Google RSS feed addition tool was vulnerable to a cross-site scripting attack, a poster to the Ha.ckers.org blog wrote on Tuesday. Such attacks involve an attacker embedding HTML scripts in Web postings or input fields on a Web site.
"What are the implications of this attack for Google?" the blog posting asked. "Well, for starters, I can put a phishing site on Google. 'Sign up for Google World Beta.' I can steal cookies to log in as the user in question...I can steal your phone number from the /sendtophone application...get your address because maps.google.com is mirrored....The list of potential vulnerabilities goes on and on. The vulnerabilities only grow as Google builds out their portal experience."
25
Case Study - Google
26
Case Study - Google
27
Case Study - PayPal
Phishing Scam Uses PayPal Secure Servers
Scripting flaw makes fake page with valid security certificate possible.
Peter Sayer, IDG News Service, Friday, June 16, 2006 03:00 PM PDT
A cross-site scripting flaw in the PayPal Web site allows a new phishing attack to masquerade as a genuine PayPal log-in page with a valid security certificate, according to security researchers. Fraudsters are exploiting the flaw to harvest personal details, including PayPal log-ins, Social Security numbers, and credit card details, according to staff at Netcraft, an Internet services company in Bath, England. The PayPal site, owned by eBay, allows users to make online payments to one another, charged to their credit cards, and log-in credentials for the service are a prized target of fraudsters.
28
Case Study - PayPal
29
XSS Demo Overview
• Definition
  – Client-side scripting languages injected into a web page
    • HTML
    • JavaScript
    • VBScript
• Facilitators
  – URL spoofing
  – URL obfuscation
• Mitigating factors
  – Social engineering
30
XSS Demo
31
URL Obfuscation
• Dotted-decimal IP addresses
  – URL – http://www.google.com
  – IP – http://216.239.51.99
  – Decimal – http://3639554915
    • 216 * 256^3 + 239 * 256^2 + 51 * 256^1 + 99
  – Octal – http://0330.0357.0063.0143
  – Hexadecimal – http://0xd8ef3363
• Hexadecimal (percent) encoded
  – http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
• URLomatic (http://www.samspade.org/t/url)
• TinyURL (e.g. http://tinyurl.com/y8pgom)
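A defender-side way to undo the obfuscation forms listed above, so that a link found in mail or in a proxy log can be compared against a known host list regardless of how the host was spelled. This is an added example, not code from the slides or from SPI Dynamics; normalize_host, canonical_host and same_site are this example's own names, and it assumes the inet_aton-style parsing rules (0x prefix = hex, leading 0 = octal, the final component filling the remaining bytes) that legacy browsers and resolvers apply.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Numeric spellings an inet_aton-style parser accepts for one host component
NUMERIC_PART = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*")


def _part_to_int(part: str) -> int:
    """Parse one host component the way legacy resolvers do: 0x = hex, leading 0 = octal."""
    if part.startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def normalize_host(host: str) -> str:
    """Canonical form of a URL host.

    Any numeric IPv4 spelling (dotted, decimal, octal, hex, or a mix of them) is
    returned as a dotted quad; anything else is returned percent-decoded and
    lower-cased so that different spellings of one name compare equal.
    """
    host = unquote(host).strip().lower().rstrip(".")
    parts = host.split(".")
    if 1 <= len(parts) <= 4 and all(NUMERIC_PART.fullmatch(p) for p in parts):
        values = [_part_to_int(p) for p in parts]
        # inet_aton rule: the final component fills every byte not yet covered
        last = values.pop()
        remaining_bytes = 4 - len(values)
        if any(v > 0xFF for v in values) or last >= 256 ** remaining_bytes:
            raise ValueError(f"numeric host out of range: {host!r}")
        packed = 0
        for v in values:
            packed = (packed << 8) | v
        packed = (packed << (8 * remaining_bytes)) | last
        return str(ipaddress.IPv4Address(packed))
    return host


def canonical_host(url: str) -> str:
    """Extract and canonicalize the host of a URL (e.g. a link taken from a mail)."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return normalize_host(host)


def same_site(url_a: str, url_b: str) -> bool:
    """True when two links, however they are spelled, point at the same host."""
    return canonical_host(url_a) == canonical_host(url_b)


if __name__ == "__main__":
    # Constructed inputs, using the spellings listed on the slide
    for link in ("http://216.239.51.99", "http://3639554915",
                 "http://0330.0357.0063.0143", "http://0xd8ef3363",
                 "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D"):
        print(f"{link:55} -> {canonical_host(link)}")
```

The point for a mail filter or log triage is that the comparison must happen on the canonical form: a block list keyed on "216.239.51.99" never matches "http://3639554915" otherwise, and a percent-encoded name sails past a plain string match on "google".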
32
Phishing Attack
• Cross-Site Scripting attack via emailed vector
• Innocent-looking link has embedded client-side script
33
Phishing Attack
No Alarms and No Surprises
• Original legitimate website
• No login errors, no changes, user works normally
• UserID and password quietly handed off to remote website
• No “<script>” injected
34
Reflected vs. Persistent XSS
Reflected
– Embedded script forwarded to victim, generally via email with the script contained in an obfuscated URL
Persistent
– Permanently embed script into web applications
  • Blogs
  • Shared Calendars
  • Message Boards
  • Web Forums
  • System logs
– Convince victim to visit the vulnerable web page
35
XSS Cause
Cause
– Unfiltered user input is embedded in the web page
Example
– Request
  • http://www.example.com?name=joe&password=secret
– Response
  • ASP
    – Welcome back <% Response.Write(Request.QueryString("name")) %>
  • PHP
    – Welcome back <?php echo $_GET["name"]; ?>
36
XSS Fix
1. Filter user input
   – Whitelist
   – Blacklist
2. HTML-encode user-supplied data prior to inclusion in a web page
   – ASP/ASP.NET
     • Server.HTMLEncode(strHTML)
   – PHP
     • string htmlspecialchars(string $string [, int $quote_style])
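The cause and the two fix steps side by side, as an added example in Python (not code from the slides; the Python html module's escape plays the role of Server.HTMLEncode / htmlspecialchars, and the probe string, the name whitelist and the function names are this example's own). It shows the raw echo from the "XSS Cause" slide, the output-encoded version, and why the attribute context needs the quote characters encoded as well.

```python
import html
import re

# The canonical harmless XSS probe, constructed for this example, standing in for
# whatever arrives in ?name=
PROBE = "<script>alert(1)</script>"

# Whitelist for a display name: letters, digits, space, dot, apostrophe, hyphen
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z0-9 .'-]{0,49}")


def name_is_allowed(name: str) -> bool:
    """Fix step 1 (whitelist): reject anything outside the expected alphabet."""
    return NAME_PATTERN.fullmatch(name) is not None


def welcome_unsafe(name: str) -> str:
    """The slide's vulnerable pattern: Response.Write / echo of the raw parameter."""
    return f"<p>Welcome back {name}</p>"


def welcome_safe(name: str) -> str:
    """Fix step 2: HTML-encode at the point of output, in element context."""
    return f"<p>Welcome back {html.escape(name, quote=True)}</p>"


def prefill_input_safe(name: str) -> str:
    """Attribute context: quote=True also encodes the double and single quote, so the
    value can never terminate the attribute and start an event-handler attribute."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


if __name__ == "__main__":
    print(welcome_unsafe(PROBE))          # tag reaches the browser intact
    print(welcome_safe(PROBE))            # tag is rendered as text
    print(prefill_input_safe('" onfocus="alert(1)'))
    print(name_is_allowed("Joe Yeager"), name_is_allowed(PROBE))
```

Encoding at output is the step that holds even when the filter is bypassed, and it must match the context the value lands in: element text, attribute value, and JavaScript string each need a different encoder.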
37
XSS References
Whitepapers
• http://www.spidynamics.com/spilabs/education/whitepapers/CrossSiteScripting.html
FAQs
• http://www.cgisecurity.com/articles/xss-faq.shtml
• http://www.owasp.org/index.php/XSS
Cheat Sheet
• http://ha.ckers.org/xss.html
Cross Site Request Forgery (CSRF)
39
Case Study - Google
40
CSRF Demo Overview
• Definition
  – An attack that tricks a victim into loading a page that contains a malicious request
    • Exploits the trust established between a web browser and web app
    • Performs actions on behalf of the victim
    • Targets functions that cause a state change on the server
• Synonyms
  – XSRF, Session Riding, Cross-Site Reference Forgery, Hostile Linking, One-Click attack (Microsoft)
• Facilitators
  – Persistent session credentials
• Mitigating factors
  – Social engineering
41
CSRF Demo
From: Richard M Scheister
To: Michael Sutton
Subject: HackTel - Final Notification - Service to be Discontinued
Dear Customer,
Due to a missed payment on your account, we are going to be forced to disable your internet access. We trust that this is a simple oversight on your part and would strongly encourage you to visit our customer service center immediately to resolve this matter and continue to remain in good standing.
Regards,
Richard M. Scheister, VP Customer Service, HackTel Communications Inc.
42
CSRF Impact
• Actions are performed on behalf of the victim which were not intended
  – Posting to message board
  – Transferring funds
  – Changing password
  – Etc.
• Non-repudiation – victim cannot prove that the actions were not performed intentionally
43
CSRF Cause
• Cause
  – Actions are performed without forcing human intervention, or
  – Source of request not confirmed
• Example
  – GET http://site.com/trade?stock=goog&no=500&action=sell
  or
  – POST /trade HTTP/1.1
    Host: site.com
    ...
    Cookie: SessionID=w5l3xp55viao1455aqkqsaji

    stock=goog&no=500&action=sell
44
CSRF Fix
Countermeasures that do NOT work
– Secret cookies
  • All cookies are transmitted when requests are made
– Using POST instead of GET requests
  • Numerous options for crafting POST requests
Countermeasures that do work
– Server side
  • Per-request nonce for URLs/forms
    – ASP.NET – <%@ Page EnableEventValidation="true" %>
    – J2EE – CSRF Guard (http://www.owasp.org/index.php/CSRF_Guard)
    – PHP – CSRF Guard (http://www.owasp.org/index.php/PHP_CSRF_Guard)
  • Force human intervention
    – Secondary login
    – Confirmation email or SMS message
    – CAPTCHA
– Client side
  • Always log out of applications when finished
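The server-side per-request nonce from the list above, applied to the slide's POST /trade example. This is an added example, not code from the slides or from the OWASP CSRF Guard projects named there; the session store, the csrf_token form field, and the functions issue_token, verify_token and handle_trade are this example's own, and it assumes the SessionID cookie value shown on the "CSRF Cause" slide as the constructed session key.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed server-side session store, keyed by the SessionID cookie value from
# the slide. The CSRF secret is created at login and never leaves the server.
SESSIONS = {
    "w5l3xp55viao1455aqkqsaji": {"csrf_secret": secrets.token_bytes(32), "nonces": set()},
}


def _mac(secret: bytes, nonce: str) -> str:
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Mint a per-request nonce for one form or URL and remember it for the session."""
    sess = SESSIONS[session_id]
    nonce = secrets.token_hex(16)
    sess["nonces"].add(nonce)
    return f"{nonce}.{_mac(sess['csrf_secret'], nonce)}"


def verify_token(session_id: str, token) -> bool:
    """Accept a token once: it must be bound to this session (HMAC) and still unused."""
    sess = SESSIONS.get(session_id)
    if sess is None or not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = _mac(sess["csrf_secret"], nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False          # not minted for this session
    if nonce not in sess["nonces"]:
        return False          # never issued, or already spent (replay)
    sess["nonces"].discard(nonce)
    return True


def handle_trade(session_cookie: str, body: str) -> str:
    """Server side of the slide's POST /trade.

    A forged cross-site request carries the SessionID cookie automatically (which is
    why secret cookies do not help), but it cannot carry a token the attacker's page
    never received, so the forged request stops here.
    """
    form = parse_qs(body)
    token = form.get("csrf_token", [None])[0]
    if not verify_token(session_cookie, token):
        return "403 Forbidden: missing, foreign or reused CSRF token"
    stock, qty, action = (form[k][0] for k in ("stock", "no", "action"))
    return f"200 OK: {action} {qty} {stock}"


if __name__ == "__main__":
    sid = "w5l3xp55viao1455aqkqsaji"
    print(handle_trade(sid, "stock=goog&no=500&action=sell"))            # forged: no token
    token = issue_token(sid)                                               # legitimate form render
    print(handle_trade(sid, f"stock=goog&no=500&action=sell&csrf_token={token}"))
    print(handle_trade(sid, f"stock=goog&no=500&action=sell&csrf_token={token}"))  # replay
```

The token travels in the form body (or URL), never in a cookie, and the HMAC binds it to the session so a token harvested from one account is useless against another; spending the nonce on first use is what makes it per-request rather than per-session.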
45
CSRF References
Whitepapers
• http://www.isecpartners.com/files/XSRF_Paper_0.pdf
FAQs
• http://www.cgisecurity.com/articles/csrf-faq.shtml
• http://www.owasp.org/index.php/CSRF
• http://www.owasp.org/index.php/Testing_for_CSRF
SQL Injection
47
Case Study - RI.gov
Hackers steal credit card info from R.I. Web site
Dibya Sarkar, published on Jan. 27, 2006
Russian hackers broke into a Rhode Island government Web site and allegedly stole credit card data from individuals who have done business online with state agencies.
The story was first reported by The Providence Journal this morning and comes two days after state and local government officials released national surveys indicating they need more cybersecurity guidance and help in strengthening their systems.
48
Case Study - RI.gov
49
Case Study - CardSystems
Credit card breach exposes 40 million accounts
In what could be the largest data security breach to date, MasterCard International on Friday said information on more than 40 million credit cards may have been stolen.
By Joris Evers, Staff Writer, CNET News.com. Published: June 17, 2005, 4:38 PM PDT
Of those exposed accounts, about 13.9 million are for MasterCard-branded cards, the company said in a statement. Some 20 million Visa-branded cards may have been affected and the remaining accounts were other brands, including American Express and Discover.
MasterCard and Visa both say they have notified their member banks of the specific accounts involved so the banks can take action to protect cardholders. "In sheer numbers, this is probably one of the largest data security breaches," said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.
50
Case Study - CardSystems
51
Case Study - CardSystems
52
Case Study - CardSystems
53
SQL Injection Demo Overview
• Definition
  – User input is concatenated into SQL queries
    • Verbose – server provides detailed error messages
    • Blind – error messages are suppressed
• Facilitators
  – Majority of websites are database driven
• Mitigating factors
  – Database ACLs can limit access to data
54
SQL Injection Demo
55
Sample SQL - Authentication
POST /hacktel/Login.aspx HTTP/1.1
Host: localhost

txtEmail=jyeager@spidynamics.com&txtPassword=password

// Vulnerable: the two form fields are formatted straight into the SQL text
string sql = String.Format(
    "SELECT * FROM Customers WHERE Email = '{0}' and Password = '{1}'",
    txtEmail.Text, txtPassword.Text);
SqlDataAdapter adapter = new SqlDataAdapter(sql, connection);
DataSet ds = new DataSet();
adapter.Fill(ds);
if (ds.Tables[0].Rows.Count > 0)
{
    …   // any matching row is treated as a successful login
}
56
SQL Injection Impact
• Confidentiality
  – SELECT
• Data integrity
  – INSERT, DROP, DELETE
• Authentication bypass
  – ' OR 1=1 --
• System compromise
  – Stored procedures
  – Extended stored procedures
57
Database Driven Page
• Page reads ErrorCode from the request
• Uses ErrorCode in a SQL query
• Writes the results of the query
58
Common Database Query
Query written as a text string, with the request parameter appended to it:
sSql = "select ErrorMessage from ErrorMessages where ErrorCode = " & Request("ErrorCode")
Resulting query for ErrorCode=2:
select ErrorMessage from ErrorMessages where ErrorCode = 2
59
Problem: Unvalidated Input
• An invalid character entered by the user (here a trailing single quote) is used in the query
• The resulting back-end query produces an ODBC error message
select ErrorMessage from ErrorMessages where ErrorCode = 2'
60
Piggybacking queries with UNION
Values entered into the parameter ErrorCode now have the ability to modify the query itself (instead of just being a parameter to the query):
select ErrorMessage from ErrorMessages where ErrorCode = 9 union select name from sysobjects where xtype='u'
The UNION keyword tells SQL to combine two statements into one
61
Enumerate all tables in the database
• sysobjects stores the names of tables in the database
• name = name of table
• xtype = type of table (system, user)
• xtype='u' = all user tables, no system tables
62
A SubQuery Enumerates Columns in the Table
• Columns are stored in syscolumns
• Keyed on id
• Subquery against id in sysobjects for the table you want
select name from syscolumns where id = (select id from sysobjects where name = 'table')
63
Select the data from the column
4 HTTP packets to your data
1. Find the injection
2. Select tables from sysobjects
3. Select columns from syscolumns
4. Select data from the column
64
Stored Procedures / Extended Stored Procedures
• xp_cmdshell
  – exec master..xp_cmdshell 'dir'
• xp_regread
  – Read registry keys
• xp_makecab
  – Build compressed archives
• xp_terminate_process
• sp_addextendedproc
  – Custom extended stored procedures
• sp_makewebtask
  – Export results to web page
Blind SQL Injection
66
Blind SQL Injection Demo
67
SQL Injection Fix
1. Harden SQL server
2. Filter user input
   – Whitelist
   – Blacklist
3. Parameterized SQL queries
SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
// USER is a reserved word in T-SQL, so the table name must be bracketed
SqlCommand objCommand = new SqlCommand(
    "SELECT * FROM [User] WHERE Name = @Name AND Password = @Password", objConnection);
// Values are bound as parameters and never spliced into the SQL text
objCommand.Parameters.AddWithValue("@Name", NameTextBox.Text);
objCommand.Parameters.AddWithValue("@Password", PasswordTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();
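The concatenated ErrorCode query and the Login.aspx String.Format query from the earlier slides, each beside its parameterized form, run against a constructed in-memory SQLite database. This is an added example in Python, not code from the slides or from SPI Dynamics; it assumes SQLite's sqlite_master as the stand-in for SQL Server's sysobjects, and the table contents, the function names and the whitelist check are this example's own. It shows that with the parameterized query the same UNION and ' OR 1=1 -- inputs are compared as plain values and match nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the slide's database (ErrorMessages and Customers)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ErrorMessages (ErrorCode INTEGER, ErrorMessage TEXT);
        INSERT INTO ErrorMessages VALUES (2, 'Invalid login'), (9, 'Session expired');
        CREATE TABLE Customers (Email TEXT, Password TEXT);
        INSERT INTO Customers VALUES ('jyeager@spidynamics.com', 'password');
    """)
    return conn


def error_message_unsafe(conn, error_code: str) -> list:
    """The slide's pattern: the request value is appended to the query text."""
    sql = "select ErrorMessage from ErrorMessages where ErrorCode = " + error_code
    return [row[0] for row in conn.execute(sql)]


def error_message_safe(conn, error_code: str) -> list:
    """Parameterized: the value is bound, never parsed as SQL, whatever it contains."""
    sql = "select ErrorMessage from ErrorMessages where ErrorCode = ?"
    return [row[0] for row in conn.execute(sql, (error_code,))]


def login_unsafe(conn, email: str, password: str) -> bool:
    """The Login.aspx String.Format pattern from the authentication sample."""
    sql = f"SELECT * FROM Customers WHERE Email = '{email}' and Password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, email: str, password: str) -> bool:
    """Counterpart of the SqlCommand @Name/@Password fix."""
    sql = "SELECT * FROM Customers WHERE Email = ? and Password = ?"
    return conn.execute(sql, (email, password)).fetchone() is not None


def is_valid_error_code(value: str) -> bool:
    """Whitelist filter (fix step 2): ErrorCode must be a short decimal integer."""
    return value.isascii() and value.isdigit() and len(value) <= 6


if __name__ == "__main__":
    db = make_db()
    piggyback = "9 union select name from sqlite_master where type='table'"
    print(error_message_unsafe(db, "2"))
    print(error_message_unsafe(db, piggyback))   # table names leak through the UNION
    print(error_message_safe(db, piggyback))     # [] : the whole string is one value
    print(login_unsafe(db, "x' OR 1=1 --", "wrong"), login_safe(db, "x' OR 1=1 --", "wrong"))
    print(is_valid_error_code("9"), is_valid_error_code(piggyback))
```

Parameterization is the fix that does not depend on guessing every dangerous character; the whitelist check is still worth keeping in front of it, because it turns a malformed request into a clean validation error instead of a database round-trip.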
68
SQL Injection References
Whitepapers
• http://www.spidynamics.com/spilabs/education/whitepapers/SQLinjection.html
• http://www.spidynamics.com/assets/documents/Blind_SQLInjection.pdf
• http://www.nextgenss.com/papers/advanced_sql_injection.pdf
FAQs
• http://www.cgisecurity.com/development/sql.shtml
• http://www.owasp.org/index.php/SQL_injection
Cheat Sheets
• http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/
• http://www.jungsonnstudios.com/blog/?i=14&bin=1110
Managing Software Assurance
70
Web Application Security Programs
Web application security programs
• Enabled across the software development lifecycle (SDLC)
• Leverage automated assessment software
• Involve cross-functional teaming
• Require executive sponsorship
[Timeline 2000 → 2006: Networks secured, applications vulnerable → Early adopters begin manual application testing → Certain industries make automated application assessments standard practice → These early adopter industries establish application security programs]
71
Policies are a good start…
• Policies can:
  – Give guidance and articulate what is expected during the software lifecycle
  – Mandate verification
    • VISA PCI
    • HIPAA, SOX, GLBA, privacy policies
• Policies do not:
  – Take the place of a mature SDLC
  – Ensure that applications are secure
72
NSA using Persistent Cookies
73
White House using Persistent Cookies
74
Security and the SDLC
[Diagram: SDLC phases – Requirements, Design, Development, QA Test, Release, Support & Services – with SECURITY spanning all of them]
• Problems are a part of the way we build software
• Solutions need to be part of the process
75
Elements that Drive Change
People: Providing guidance on secure application development
Tools: Providing the most innovative tools
Process: Security cannot be an afterthought
76
People: Education as a Driver
• Education – Train every developer and IT professional on security
• Patterns & Practices – Dedicated team focused on security guidance
• MSDN and TechNet – Sharing whitepapers and “how-tos”
77
Process: Security Development Lifecycle (SDL)
• Reduce the number of security errors
• Reduce the severity of any security errors not found
• Reduce the attack surface
78
Tools: Innovation and Automation
Tools facilitate creating secure applications
• Static Analysis – Scan your code for security vulnerabilities
• Seamlessly create applications for a custom zone
• Create non-admin apps
• Secure by Default – Use features like the /GS switch and SafeCRT libraries to create secure apps
Nurturing the Partner Ecosystem
79
Engineering Excellence – Focus Yielding Results
[Chart; the extracted values, once the doubled text is de-duplicated, are 55, 17 and 455]
Application Security Assurance ProgramMaturity Model & Best Practices
81
Application Security Assurance Program (ASAP)
[Matrix: Technology / People / Process, from Reactive & Tactical to Proactive & Strategic. Elements: Organizational Silos; Cross-Functional Teams; Management – Executive Buy-in, Integrated Organization; Integrated Development & QA Tools; Security Department; Testing Tools; Policy-driven Secure SDL; Developer Awareness; Technical & Management Curriculum]
• ASAP Maturity Model is about defining a roadmap and execution of the SDL
• Organizations should implement their own Trustworthy Computing Initiative tailored to their own needs
• Describes the programs needed to integrate security throughout the software development lifecycle and throughout the production lifespan of the application
• A holistic program providing end-to-end lifecycle coverage while spanning People, Process and Technology
82
ASAP Maturity Model
Level 1: Reactive & Tactical
Elements in place (Technology / People / Process): Organizational Silos; Security Department; Testing Tools
Characterized By:
• Security team finds application vulnerabilities from initial scanning efforts
• Most vulnerabilities require development fixes
• Vulnerability reports sent to development
• Development pushes back due to short timelines & business impact of security rework
• Due to a lack of application security training, issue acceptance and resolution is difficult
83
ASAP Maturity Model
Level 2: Planned & Purposeful
Elements in place (Technology / People / Process): Organizational Silos; Cross-Functional Teams; Integrated Development & QA Tools; Security Department; Testing Tools; Developer Awareness
Characterized By:
• Security team conducts assessment
• Developers trained on security
• Vulnerabilities still require development fixes
• Vulnerability reports sent to development
• Now, developers understand the issues
• The development process still doesn’t include proactive secure development
84
ASAP Maturity Model
Level 3: Proactive & Strategic
Elements in place (Technology / People / Process): Organizational Silos; Cross-Functional Teams; Management – Executive Buy-in, Integrated Organization; Integrated Development & QA Tools; Security Department; Testing Tools; Policy-driven Secure SDL; Developer Awareness; Technical & Management Curriculum
Characterized By:
• Vulnerability management software used across SDLC
• Security processes in place across SDLC
• Security integrated into entire development lifecycle
• All levels of the organization committed to security
• Complete security curriculum standard practice
85
ASAP Best Practices
[Diagram mapping practices onto the SDLC phases Requirements, Design, Development, QA Test, Release, Support & Services, from Reactive & Tactical to Proactive & Strategic]
Practices shown: Regulatory Compliance; Infrastructure assessment; Automated assessment tools; Security services; Pen Testing; Security training; Security kickoff; Infrastructure Design; Development assessment tools; QA assessment tools; Create development standards; Threat Modeling; Secure code library; Source code review
86
Cost of Fixing Vulnerabilities (relative cost by phase)
• Design – 1X
• Development (Static Analysis) – 6.5X
• Testing (Integration Testing, System/Acceptance Testing) – 15X
• Deployment (Customers in the Field) – 100X
Source: IDC and IBM Systems Sciences Institute
87
Questions?
88
Resources
• Workshop Overview (slides and URLs) – http://www.securesoftwareforum.com/sutton
• Secure Software Forum – http://www.securesoftwareforum.com
• Blog – http://portal.spidynamics.com/blogs/msutton
• Whitepapers – http://www.spidynamics.com/spilabs/education/whitepapers.html
  – SQL Injection
  – Blind SQL Injection
  – Cross-Site-Scripting
  – LDAP Injection
  – SOAP Attacks
Contact Information
• Joe Yeager – Me (SE) – jyeager@spidynamics.com
• Dan Buckley – Sales – dbuckley@spidynamics.com