Software Security
Software Security: Practical application of tools, training and techniques
Mr. Rustin Sides, Senior Consultant, Cigital Federal, Inc.
rsides@cigital.com, +1 (334) 416-2705
The premier software and product delivery event.

Major Software Security Headlines

The Problem Area
[Diagram: the "Traditional Focus" of protection is the Network layer, in front of Apps, S/W and Data; the "Needed Focus" is the Insider Threat (Trusted Agent), who already has authorized or unauthorized access, and the Attacker bypassing network protection to reach the applications directly.]

What is ASACoE?

ASACoE History
- 33,000+ Air Force officer records compromised
- Sampled AF applications using automated tools
- Significant risks exist in Air Force applications

ASACoE History (continued)
- Compromise of the Air Force Assignment Management System (AMS) led to a pilot in 2006
- Pilot conducted on 8 systems within ESC
- Static analysis using automated tools
- Found numerous validated vulnerabilities
- HQ ESC established ASACoE to assist USAF program offices with building assurance into their Software Development Lifecycle (SDLC)

The United States Air Force as a Cigital Client

The ASACoE Approach
[Diagram: Software Assurance delivered through three activities: Support, Enable, Train.]

ASACoE Assessment
- 5-day on-site assessment
- Broader strategic approach
- Tool driven, aimed at low-hanging fruit
- Multi-perspective analysis
- Large-scale effort across several different applications and technology stacks

The Assessment Process
- USAF Program Management Office (PMO) requests an assessment of their applications
- Training is provided to their developers (Cigital / Fortify)
- A 5-day on-site assessment is conducted by an ASACoE team
- A week of analysis is conducted at ASACoE HQ
- A final report summarizing the findings is delivered to the PMO along with the analyzed results

Total time of engagement
- 3 to 4 days of training prior to the assessment
- 5 days of on-site assessment, including mentoring
- 5 days of detailed source code analysis auditing
- On-going support with developers as needed
- New scans delivered quarterly

What ASACoE Does Not Do
- ARA and Threat Modeling: there has been a plan for DRA, but to this date no PMO has requested one
- Manual Code Review: we have done some, but given the short time we have with the source code, not in depth
- Manual Pen Testing: only for Oracle Forms and a few other technologies unsupported by the tools

Pros and Cons of Customer Context
All ASACoE assessment teams include military enlisted developers.
Pros:
- Credibility at military installations
- Guards DoD best interests
- More familiar with government practices
Cons:
- Less experienced with software security
- Time of availability limited (deployments, additional duties)
- High turn-over rate

USAF takes action in July 2009
- TCNO (Time Compliance Network Order) 2009-188-003: “Multiple Vendor Web Applications Vulnerable to Cross-site Scripting Vulnerabilities”
- Action: “Correct AF assets with secure encoding.”
Good goal, wrong approach
- This is an application-layer problem and should be fixed at that layer
- Fighting it at the network layer is an uphill battle
- It can be mitigated using secure coding practices

The Problem Area (revisited)
[Same diagram as above: the traditional focus on the network layer versus the needed focus on the insider threat and on attackers bypassing network protection to reach applications.]

Educational Efforts
- Provide Program Offices with 3-day on-site training: a 1-day crash course on threats and defensive programming, then 2 days of training on tool utilization
- SAF/A6 and AFSPACE: created and recommended software security policy guidance and best practices for application accreditations
- AF Institute of Technology, Academy, and Cyber Technical Schools
- Joint and International Allied Partners: aided the US Navy, Army and Canadian Army in standing up similar centers
- Panel member and presenter at conferences: Air Force IT Conference (AFITC) 2008, 2009 and 2010; Joint Mission Planning System (JMPS) Anti-Tamper Symposium; Secure Solutions Conference 2008, 2009 and 2010

ASACoE Tool Suite
[Diagram of the tools arranged around a Centralized Scan Repository, with the audiences Security Ops Team, Developers, Management, Security Testers and Security Leads / Auditors.]
- Application Defense: Web Application Firewalls & Database Monitoring; monitor, prevent and report on intrusion attempts against web-based applications
- Source Code Analysis (SCA) static analysis tool: proactive security; analysis tuned for minimal false positives
- Web Penetration Testing, dynamic analysis (IBM Rational AppScan): comprehensive and automated testing of web applications for vulnerabilities
- Database Auditing: federal best-practice policies and USAF STIG compliance checks
- Source Code Auditing (SCA): security auditing and analysis of source code by industry-leading software security analysts

ASACoE Reports and Support
- Triage Assessment Report: Executive Summary; Objectives and Technical Scope; Assessment Approach; Report of Findings; Vulnerability Descriptions; Recommendations for Mitigation
- Augment remediation efforts when requested
- Quarterly review of follow-up scans by the ASACoE staff
- First level of support for tools and processes – customer service focus

ASACoE Processes
- Checklists keep you accountable
- ASACoE Assessment Process
- ASACoE Metrics Process

ASACoE Assessment Status and Coverage
- Program Management Offices Visited: 152
- Applications Assessed: 641
- Total Lines of Code Assessed: 105,540,534
[Coverage map; labelled location: Ramstein AB, Germany]
*As of 29 SEP 2010

ASACoE Results
- Significant risk mitigation throughout the SDLC
- Cost and time savings for Air Force PMOs
- Certification & Accreditation processing time reduced
- Real-time protection for fielded operational systems

Industry vs AF vulnerabilities
     Top Industry Vulnerabilities                     Top AF Vulnerabilities
 1.  Injection Flaws                                  Cross-Site Scripting
 2.  Cross-Site Scripting                             Information Leakage and Improper Error Handling
 3.  Broken Authentication and Session Management     Insecure Direct Object Reference
 4.  Insecure Direct Object Reference                 Injection Flaws
 5.  Cross-Site Request Forgery                       Insecure Cryptographic Storage
 6.  Security Misconfiguration                        Cross-Site Request Forgery
 7.  Insecure Cryptographic Storage                   Broken Authentication and Session Handling
 8.  Failure to Restrict URL Access                   Malicious File Execution
 9.  Insufficient Transport Layer Protection          Insecure Communications
10.  Unvalidated Redirects and Forwards               Failure to Restrict URL Access

ASACoE Before and After Results
[Chart; values shown: 49%, 26%, 60%, 9%, 75%, 69%. Series labels not recovered.]

Using IBM Rational AppScan for Web Penetration Testing

IBM Rational AppScan Strengths
- Automated web penetration testing allows for wider coverage on assessments
- Support for most web-based technologies used by the USAF: a wide range of web hosting environments; many DoD websites are CAC enabled; some Flex-based websites with Flash in the presentation layer
- Ability to export results as XML: used for reporting metrics and trending on a centralized management server
- Ability to resume a paused scan: scans have needed to be optimized for varied, scalable environments

IBM Rational AppScan Wishlist
- Ability to scan Java applets: it currently cannot scan Oracle Forms-based applications, and some custom Java applets used to access legacy applications have had to be manually penetration tested
- Integration with static analysis tools: there are benefits to finding correlated results from static analysis and dynamic analysis; currently this is done through a manual process
- Notification service for interrupted scans: many scans of large websites run overnight unattended; SMS or email notification of an exception or of excessive timeouts

Useful AppScan Extensions used by ASACoE
- Scan Optimizer (Beta): increases scan performance
- Encode/Decode: useful for manual pen tests
- Expression Test: regular expression tester

Customer Testimonials
“…What you did for us was to allow us to evaluate more than 5 million lines of code that was proprietary at a cost savings of nearly $500 million…” - Lead Developer for a major weapons system
“…After the assessment was complete, they didn’t just pack up and say have a nice day. They kept in touch offering incredible assistance with specific vulnerability fixes, proper procedure for securing code, and even software to help test our code once we fixed it…” - Lead Developer for a $9.2B contracting system
“…They were instrumental in our team changing our coding practices for the better. Our developers use the ASACoE tools routinely to audit our system and build in security...” - Program Manager for a major logistics system
“…The tools and training provided by the ASACoE have made a practical contribution to our ability to create more secure applications and to monitor the results of those improvements…Being a small organization with a limited budget, it would have been impossible to procure the tools and training on our own…” - Program Manager for a major AF weather agency

ASACoE: Changing the Way the Air Force Thinks about Software
Thank you for your time
Questions?
Rustin Sides, rsides@cigital.com
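The TCNO slide above argues that cross-site scripting is an application-layer problem to be corrected with secure encoding rather than fought at the network layer. The following Python is an added illustration, not code from the presentation, Cigital or ASACoE: it places the defect (untrusted data concatenated into a page) beside the fix (encoding chosen per output context at the point of output), plus an assumed `is_html_safe` check that an auditor could apply to an encoder's output. The template, the sample input and all function names are constructed for this example.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample of untrusted input (a display name read from a request
# parameter); it holds every character that is significant to an HTML parser.
UNTRUSTED = 'Smith & Jones <"Engineering"> \'R&D\''

# A raw quote or angle bracket, or an & that does not start a character
# reference, means the value can still change the structure of the HTML.
_RAW_META = re.compile(r'[<>"\']|&(?!(#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);)')

def render_unencoded(name: str) -> str:
    """The defect: untrusted data concatenated straight into the page."""
    return f'<p>Welcome, {name}</p><input value="{name}">'

def encode_for_html(value: str) -> str:
    """Element content and quoted attribute values: & < > " ' become
    character references (the template must still quote the attribute)."""
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    """String literal inside <script>: JSON-encode, then break '</' so the
    data can never contain a sequence that closes the script element early."""
    return json.dumps(value).replace('</', '<\\/')

def encode_for_url_param(value: str) -> str:
    """Query-string parameter: percent-encode everything but unreserved chars."""
    return quote(value, safe='')

def render_encoded(name: str) -> str:
    """The application-layer fix: encode at the point of output, choosing the
    encoder by the context the data lands in, instead of filtering on input
    or relying on a network device to spot malicious requests."""
    return (
        f'<p>Welcome, {encode_for_html(name)}</p>'
        f'<input value="{encode_for_html(name)}">'
        f'<a href="/profile?user={encode_for_url_param(name)}">profile</a>'
        f'<script>var user = {encode_for_js_string(name)};</script>'
    )

def is_html_safe(encoded: str) -> bool:
    """Assumed audit check for an HTML encoder's output: True when no raw
    metacharacter survived, so the value cannot alter the surrounding markup."""
    return _RAW_META.search(encoded) is None
```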