software security - the road less traveled...cissp, ecsa/lpt, mcsd, mcad, comptia network+...

Post on 13-Aug-2020


SELECT name, certifications
FROM tblSPEAKER
WHERE topic = 'Software Security – The Road Less Traveled'
AND date = '04/29/2008'
AND event = 'OWASP - Austin'

Manoranjan (Mano) Paul, CISSP, ECSA/LPT, MCSD, MCAD, CompTIA Network+

</UNO me Name, but Who am I?>

• Shark Biologist – Bimini Biological Field Station, Bahamas

• Information Security Engineer/Pgm. Manager – Dell Inc.

• Contributing Author

◦ Security PnP for MSDN

◦ Information Security Management Handbook

◦ Information Security Management Top 10

• ISSA – Industry Representative

• Speaker @ CSI, OWASP, Burton Group Catalyst, TRISC

• Founded SecuRisk Solutions and Express Certifications

</What do I do?>

• SecuRisk Solutions

◦ Mission: Securing YOUR Risk is OUR Solution

◦ Information Security Consulting – A to Z

◦ Product Development

◦ Awareness, Training and Education (A,T&E) Services

• Express Certifications

◦ Mission: Your Key to Professional Certifications

◦ (ISC)2 Official readiness self-assessment for CISSP® and SSCP®

◦ Skills Measuring Assessment Reinforced Training (SMART) Learning Management Solutions

GET AWARE, GET SKILLED, GET CERTIFIED, GET SECURE

</The Road Less Traveled>

Two roads diverged in a yellow wood,
And sorry I could not travel both
And be one traveler, long I stood
And looked down one as far as I could
To where it bent in the undergrowth;

Then took the other, as just as fair,
And having perhaps the better claim,
Because it was grassy and wanted wear;
Though as for that the passing there
Had worn them really about the same,

And both that morning equally lay
In leaves no step had trodden black.
Oh, I kept the first for another day!
Yet knowing how way leads on to way,
I doubted if I should ever come back.

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a wood, and I -
I took the one less traveled by,
And that has made all the difference.

Robert Frost, 1920

• Are the Two Roads the Same?

◦ equally (worn; "both that morning equally lay")

• Are the Two Roads Different?

◦ one worn (familiar), the other (less traveled)

◦ kept the first for another day

◦ Made ALL the difference

</Familiar Roads in Security>

• Network Security
• Platform (Host) Security
• Viruses, Worms and Malware
• Identity Access Management
• Mobile Security
• Governance, Regulations and Compliance
• Risk Management
• Web 1.0wn3d/2.0wn3d Security
• Generation H - Hackers
• Products, Services and More …

</Stops on the Road Less Traveled>

• Wonders of the World

• Literature

• Art / Film

• Science

• Nature

</8th Wonder of the World?>

</Shakespearean Security>

• All the World's a Stage (As You Like It)

• The Ides of … (Julius Caesar)

◦ Digital Pearl Harbor

• Method in the Madness (Hamlet)

• 2B || !2B (Hamlet) Secure – That is the Question

</The Bear Bare Necessities>

Down

1. Synonym: Sensitivity; Antonym: Disclosure

2. Rights and Privileges of the Requestor

3. Synonym: Criticality; Antonym: Destruction

4. Synonym: Accuracy; Antonym: Alteration

Across

5. Who is making the request?

6. Historical Evidence

CoNFiDeNTiaLiTY

Synonym: Sensitivity

Antonym: Disclosure

</Loose Lips Sink Ships>

• a.k.a. To blab = to help the enemy

</Encryption Racer>

Source: http://blogs.msdn.com/vbertocci/archive/2005/04/25/411913.aspx

</Confidentiality Controls>

• Non-Verbose Instrumentation of Code

• Generic Error Handling

• Masking Data

• Encryption of Data

</Non-Verbose Instrumentation>

• Instrumentation (as used here): writing code documentation/comments inline

• Verbose Instrumentation

◦ Good practice for Maintainability, Support and Handover

◦ Bad from a security standpoint, if comments reveal sensitive information

• E.g., Connection Strings; Valid data for Testing. Note that an HTML comment in a page is sent to the browser as-is; only a server-side comment (<%-- … --%> in ASP.NET) stays on the server.

<!-- Authenticate Method Takes 2 parameters – username and password
     E.g., bool _bAuthenticateStatus = Authenticate("admin", "pwd"); -->

• Use Instrumentation selectively and intelligently; keep it non-verbose

<!-- Authenticate Method Takes 2 parameters to determine access to system -->
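The check a reviewer would actually run against a code base for the point above: scan comments for credentials, connection strings and hard-coded test logins. This is an added example in Python (the deck's own code is ASP.NET), not code from the presentation; the sample source text, the "ContractFinUser" connection string and the regexes are constructed for illustration.

```python
import re

# Constructed sample source: an HTML comment with a test login, a C-style
# line comment carrying a connection string, and two harmless comments.
SAMPLE_SOURCE = """\
<!-- Authenticate takes 2 parameters: username and password.
     E.g., bool _bAuthenticateStatus = Authenticate("admin", "pwd"); -->
// Use the ContractFinance DB: Server=(local);uid=ContractFinUser;pwd=ContractFinPwd
# Authenticate method takes 2 parameters to determine access to system
/* TODO: refactor session handling */
"""

# Comment syntaxes to inspect: HTML, C-style block, C-style line, '#' line.
COMMENT_RE = re.compile(
    r"<!--(?P<html>.*?)-->|/\*(?P<block>.*?)\*/|//(?P<line>[^\n]*)|#(?P<hash>[^\n]*)",
    re.DOTALL,
)

# Indicators that a comment hands an attacker something directly usable.
# Ordered most specific first so a connection string is labelled as such.
SECRET_PATTERNS = [
    ("connection string", re.compile(r"\b(?:Server|Data Source)=.*?(?:uid|User ID)=", re.I)),
    ("test credentials", re.compile(r"""Authenticate\(\s*["'][^"']+["']\s*,\s*["'][^"']+["']\s*\)""")),
    ("credential literal", re.compile(r"""(?:pwd|password|passwd)\s*=\s*['"]?[^;\s'"]+""", re.I)),
]


def find_leaky_comments(source: str) -> list:
    """Return (finding, comment_text) pairs for comments that contain sensitive data."""
    findings = []
    for m in COMMENT_RE.finditer(source):
        text = next(g for g in m.groups() if g is not None).strip()
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(text):
                findings.append((label, text))
                break  # one finding per comment is enough to fail the review
    return findings


if __name__ == "__main__":
    for label, text in find_leaky_comments(SAMPLE_SOURCE):
        print(f"[{label}] {text.splitlines()[0]}")
```

Run it over a checkout with a small loop over files; the point is that the second, non-verbose comment from the slide passes while the verbose one and the connection string do not.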

</Generic Error Handling>

• Don't give out verbose error messages

◦ "The username does not exist" – Bad

◦ "Login Invalid" – Good

• Handle Errors – Don't display system-generated errors as is

◦ YSOD (Yellow Screen of Death) – Default .NET Error Handling

• Redirect Remote Errors to a custom and generic error location (mode="RemoteOnly" keeps the detailed page for requests from the local machine only)

<customErrors mode="RemoteOnly" defaultRedirect="~/errorPage.aspx">
</customErrors>
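The same RemoteOnly behaviour expressed in application code, as an added Python example (not from the deck): the full exception goes to the server log under a reference id, the remote caller sees only a generic message carrying that id, and only a request from the local machine gets the detail. The failing handler and its database error text are constructed; the set of "local" addresses is an assumption.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

# Assumption: these addresses count as "local" for showing diagnostics.
LOCAL_ADDRESSES = {"127.0.0.1", "::1"}


def handle_request(handler, remote_addr: str) -> dict:
    """Run handler(); on failure log everything server-side and return a
    generic message to remote clients (mirrors customErrors mode="RemoteOnly")."""
    try:
        return {"status": 200, "body": handler()}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]  # correlation id for support; not a secret
        log.error("ref=%s\n%s", ref, traceback.format_exc())
        if remote_addr in LOCAL_ADDRESSES:
            # Developer on the box: detail is useful and stays on the machine.
            return {"status": 500, "body": f"{type(exc).__name__}: {exc}", "ref": ref}
        # Remote client: nothing about tables, columns, paths or stack frames.
        return {"status": 500, "body": "An error occurred. Reference: " + ref, "ref": ref}


def lookup_user(username: str):
    # Constructed failing handler: a data layer whose message leaks schema names.
    raise RuntimeError(f"Invalid column name 'usr_nm' in tblUSER (lookup for {username!r})")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_request(lambda: lookup_user("bob"), "203.0.113.5"))
    print(handle_request(lambda: lookup_user("bob"), "127.0.0.1"))
```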

</Masking Data>

• Password Fields

◦ <asp:TextBox id="txtPassword" TextMode="Password" runat="server" />

• Financial Data e.g., Credit Card Numbers

◦ Visa – XXXX-XXXX-XXXX-1234

◦ American Express – XXXX-XXXXXX-X1234

• Personally Identifiable Information (PII)
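A masking routine that produces exactly the two formats on the slide, added here as a Python example (not the deck's code): it keeps only the last four digits, groups 16-digit numbers 4-4-4-4 and 15-digit American Express numbers 4-6-5, and refuses input too short to mask safely. The card numbers in the usage are well-known test numbers, not real accounts.

```python
import re


def mask_card(pan: str) -> str:
    """Mask a card number for display or logging, keeping only the last four digits.

    16 digits (Visa/Mastercard style) -> XXXX-XXXX-XXXX-1234
    15 digits (American Express)       -> XXXX-XXXXXX-X1234
    other lengths                      -> all but the last four masked, no grouping
    """
    digits = re.sub(r"\D", "", pan)  # tolerate spaces and dashes in input
    if not digits.isdigit() or len(digits) < 8:
        # Too short: keeping four digits would reveal most of the value.
        raise ValueError("not a card number")
    masked = "X" * (len(digits) - 4) + digits[-4:]
    if len(digits) == 16:
        return "-".join(masked[i:i + 4] for i in range(0, 16, 4))
    if len(digits) == 15:
        return f"{masked[:4]}-{masked[4:10]}-{masked[10:]}"
    return masked


def mask_email(address: str) -> str:
    """Mask the local part of an e-mail address, keeping its first character."""
    local, _, domain = address.partition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


if __name__ == "__main__":
    print(mask_card("4111 1111 1111 1111"))   # test number
    print(mask_card("3782-822463-10005"))     # test number
    print(mask_email("mano.paul@example.com"))
```

Mask at the point of output (view, log line, report), not in storage; the full value is still needed for processing and belongs under the encryption controls that follow.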

</Encryption of Data>

• Encryption

◦ is the process of transforming data in humanly readable form (plaintext) using an algorithm (cipher) to make it unreadable (ciphertext) to anyone except those possessing special knowledge (key).

• Encryption

◦ Plaintext → Ciphertext

• Decryption

◦ Ciphertext → Plaintext

</Web.Config Connection Strings En(De)cryption Example>

<connectionStrings>
  <add name="ContractFinConn"
       connectionString="Server=(local);uid=ContractFinUser;pwd=ContractFinPwd;Database=ContractFinance"
       providerName="System.Data.SqlClient" />
</connectionStrings>

Encryption (-pef encrypts the named section of the web.config in the given physical directory; the provider named with -prov must be declared under <configProtectedData>):

aspnet_regiis -pef "connectionStrings" <physicalDir> -prov "ConFinRSAProvider"

<connectionStrings configProtectionProvider="ConFinRSAProvider">
  <EncryptedData …>
    <CipherData>
      <CipherValue>Z1uePkgBjr8GR4DH0f9bsW7YeegeCe9MpFlpgCwHrtJukUre6sKmC6a89efv00MWx0iKGhYd+/jQpvSMphy12+zvszEnBMmsR+6WNyb7xG/d6guF84VL+DKb+Z2jq5yFKqHpoLqjFAhAeLtv4JcOEiwFVjtkMh9Klk5GFEzGzuA=</CipherValue>
    </CipherData>
    …
  </EncryptedData>
</connectionStrings>

Decryption (-pdf reverses it; the application itself needs no code change, the framework decrypts the section transparently at runtime):

aspnet_regiis -pdf "connectionStrings" <physicalDir>

iNTeGRiTY

Synonym: Accuracy

Antonym: Alteration

</Integrity – Security Controls>

• Input Validation

• Fail Securely

• Hashing

</Input Validation>

• Input, the r00t of all Evil; Trust, but verify

• Validation Approaches

◦ Black-list – list of "bad" input blocked; all else allowed

◦ White-list – list of "good" input allowed; all else blocked

• Validate What?

◦ Length, Range, Format, Data Type

• Validate Using

◦ Maxlength restrictions & str'n' functions (strncpy, strncat, … instead of their unbounded forms)

◦ Regular Expressions (RegEx) & XSD Schemas

◦ Safe libraries

◦ Type Casting

OWASP Testing Guide
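The four checks on the slide (length, format, type, range) applied in that order as a white-list, with a black-list beside it to show why the latter loses. This is an added Python example, not the deck's code; the field rules and the sample inputs are constructed. It goes one step beyond the slide in checking the format regex against the raw string before casting, because `int()` in Python accepts forms such as `"1_000"` or `"+5"` that a numeric field usually should not.

```python
import re
from datetime import date


class ValidationError(ValueError):
    pass


# White-list: what each field MUST look like. Anything else is rejected.
RULES = {
    "username":   {"type": str,  "max_len": 20, "regex": re.compile(r"[a-z][a-z0-9_]{2,19}")},
    "quantity":   {"type": int,  "max_len": 3,  "regex": re.compile(r"\d{1,3}"), "min": 1, "max": 100},
    "order_date": {"type": date, "max_len": 10, "regex": re.compile(r"\d{4}-\d{2}-\d{2}")},
    "state":      {"type": str,  "max_len": 2,  "allowed": {"TX", "CA", "NY"}},
}


def validate(field: str, raw: str):
    """Return the typed, validated value for `field`, or raise ValidationError."""
    rule = RULES[field]
    if len(raw) > rule["max_len"]:                        # 1. length (cheap, bounds later work)
        raise ValidationError(f"{field}: too long")
    if "regex" in rule and not rule["regex"].fullmatch(raw):   # 2. format, on the raw string
        raise ValidationError(f"{field}: bad format")
    try:                                                  # 3. data type, via casting
        if rule["type"] is int:
            value = int(raw, 10)
        elif rule["type"] is date:
            value = date.fromisoformat(raw)              # rejects 2008-13-45
        else:
            value = raw
    except ValueError:
        raise ValidationError(f"{field}: wrong type") from None
    if "allowed" in rule and value not in rule["allowed"]:
        raise ValidationError(f"{field}: not permitted")
    if "min" in rule and not rule["min"] <= value <= rule["max"]:   # 4. range
        raise ValidationError(f"{field}: out of range")
    return value


def is_valid(field: str, raw: str) -> bool:
    try:
        validate(field, raw)
        return True
    except ValidationError:
        return False


# For contrast: a black-list catches only what its author thought of.
BLACKLIST = re.compile(r"<script>|DROP TABLE", re.I)


def blacklist_ok(raw: str) -> bool:
    return BLACKLIST.search(raw) is None


if __name__ == "__main__":
    for field, raw in [("username", "admin'--"), ("quantity", "1e3"), ("order_date", "2008-13-45")]:
        print(field, repr(raw), "accepted" if is_valid(field, raw) else "rejected")
    print("black-list lets through:", blacklist_ok("<img src=x onerror=alert(1)>"))
```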

</Fail Securely>

• Design in secure defaults and baseline configuration

• Do not allow automatic re-authentication after a failed attempt

• Do not cache credentials, and abandon the session

◦ <%@ OutputCache CacheProfile="NoCacheProfile" VaryByParam="none" %>

◦ FormsAuthentication.SignOut(); Session.Abandon();

• Alert on application failure if possible, or else audit log it

</Hashing>

• Hashing - a reproducible method of turning data into a (relatively) small number that may serve as a digital "fingerprint" of the data.

• Is One-Way

• Common Hash Functions

◦ MD5

◦ SHA-1

◦ Both now have practical collision attacks; for new integrity checks prefer the SHA-2 family (e.g., SHA-256)
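Fingerprinting and verifying a record with the standard library, added here as a Python example (not the deck's code). It shows the one-way fingerprint, that a one-character alteration changes it, and, going one step beyond the slide, that a plain hash is not enough when the attacker can rewrite the stored fingerprint as well: for that case a keyed hash (HMAC) is used. The sample record and key are constructed.

```python
import hashlib
import hmac


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data. MD5 and SHA-1 are still available in hashlib, but both
    have practical collision attacks, so SHA-256 is the default here."""
    return hashlib.new(algorithm, data).hexdigest()


def verify(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True if data still matches the stored fingerprint.
    compare_digest is constant-time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(fingerprint(data, algorithm), expected_hex)


def keyed_fingerprint(data: bytes, key: bytes) -> str:
    """HMAC-SHA256. If an attacker can replace both the data and its stored hash,
    only a fingerprint that depends on a secret key still detects the alteration."""
    return hmac.new(key, data, "sha256").hexdigest()


def verify_keyed(data: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(keyed_fingerprint(data, key), expected_hex)


# Constructed sample: an order line before and after a one-character edit.
ORIGINAL = b"price=19.99;qty=1;sku=A100"
ALTERED = b"price=1.99;qty=1;sku=A100"
KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    stored = fingerprint(ORIGINAL)
    print("stored   ", stored)
    print("original ", verify(ORIGINAL, stored))
    print("altered  ", verify(ALTERED, stored))
    # Attacker rewrites data AND the unkeyed hash: the plain check is fooled,
    # the keyed check is not.
    print("forged   ", verify(ALTERED, fingerprint(ALTERED)))
    print("keyed    ", verify_keyed(ALTERED, KEY, keyed_fingerprint(ORIGINAL, KEY)))
```

Note the distinction from the slide's encryption section: a hash has no key and cannot be reversed, so it protects integrity, not confidentiality; it is also not, on its own, a password store.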

aVaiLaBiLiTY

Synonym: Criticality

Antonym: Destruction

</Availability – Security Controls>

• Classify First: Low, Moderate, Significant, Critical, or Your Own

• Source Control & Configuration Management

• Contingency and Disaster Recovery

• Load Balancing

• Threshold monitoring; service/process monitors

auTHeNTiCaTioN

Who is making the Request?

</Authentication – Security Controls>

• Deny Anonymous Access

• Use Complex Authn. Mechanisms

◦ Two-Factor or Multi-Factor

◦ Biometrics

• When using "Password" authentication, use complex passwords

◦ > 15 characters; mixed case; alpha-numeric

• Randomize Session IDs

• Timeout Sessions

• Store no authentication information on the client

• Clipping levels for incorrect attempts

• Record Valid/Invalid Login Attempts
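The password-authentication controls from this slide and the "fail securely" slide above, combined in one login component: the generic "Login Invalid" response for unknown user and wrong password alike (with the same amount of work done in both cases, so timing does not reveal which), a clipping level with lockout, a random session id, a session timeout that abandons the session, and a record of every valid and invalid attempt. This is an added Python example, not the deck's ASP.NET code; the password store uses PBKDF2 on the server side, which the slide does not specify, and the thresholds are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

CLIPPING_LEVEL = 5            # assumption: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60     # assumption
SESSION_TIMEOUT = 20 * 60     # assumption
MIN_PASSWORD_LEN = 15         # slide: > 15 characters


def _derive(password: str, salt: bytes) -> bytes:
    # Server-side password hash: salted, slow. Nothing is stored on the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self):
        self.users = {}      # username -> (salt, derived key)
        self.failures = {}   # username -> (count, time of last failure)
        self.sessions = {}   # session id -> (username, expires_at)
        self.audit = []      # (timestamp, event, username): valid AND invalid attempts

    def register(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        salt = os.urandom(16)
        self.users[username] = (salt, _derive(password, salt))

    def login(self, username: str, password: str, now: float = None):
        """Return (session_id, message). Message is identical for every failure."""
        now = time.time() if now is None else now
        count, last = self.failures.get(username, (0, 0.0))
        if count >= CLIPPING_LEVEL and now - last < LOCKOUT_SECONDS:
            self.audit.append((now, "locked_out", username))
            return None, "Login Invalid"
        record = self.users.get(username)
        if record is None:
            _derive(password, b"\x00" * 16)   # same cost as a real check: no enumeration by timing
            ok = False
        else:
            ok = hmac.compare_digest(_derive(password, record[0]), record[1])
        if not ok:
            self.failures[username] = (count + 1, now)
            self.audit.append((now, "login_failed", username))
            return None, "Login Invalid"      # never "user does not exist"
        self.failures.pop(username, None)
        sid = secrets.token_urlsafe(32)       # unpredictable session id
        self.sessions[sid] = (username, now + SESSION_TIMEOUT)
        self.audit.append((now, "login_ok", username))
        return sid, "OK"

    def user_for(self, sid: str, now: float = None):
        """Resolve a session id; an expired session is abandoned, not refreshed."""
        now = time.time() if now is None else now
        record = self.sessions.get(sid)
        if record is None:
            return None
        if now > record[1]:
            del self.sessions[sid]
            return None
        return record[0]

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("mano", "correct-horse-battery-staple!")
    print(auth.login("nobody", "anything-at-all-here"))
    print(auth.login("mano", "wrong-password-here!"))
    sid, msg = auth.login("mano", "correct-horse-battery-staple!")
    print(msg, auth.user_for(sid))
```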

auTHoRiZaTioN

Rights and Privileges of the Requestor

</Authorization – Security Controls>

• Role Based or Resource Based

• Deny Permissions/Rights by Default

◦ Give your Users PITA; Better 2B $afe than $$$orry

• Do not use built-in administrative accounts (system admin, dbo)

• Use accounts with Least Privilege / Need-to-know rights / no elevated privileges (reader/writer)

• Restrict and Record Impersonation and Backdoor functionality

• Restrict Application Configuration Information
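Deny-by-default authorization with both checks from the slide, role-based and resource-based, as an added Python example (not the deck's code). Permissions are granted only through an explicit role-to-permission table, so an account with no roles, an unknown role, or a built-in name such as "dbo" gets nothing; the order table, the roles and the permission names are constructed.

```python
from functools import wraps


class Forbidden(PermissionError):
    pass


# Role -> permitted operations. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "reader":  {"order:view"},
    "writer":  {"order:view", "order:create"},
    "support": {"order:view", "order:view_any"},
    "finance": {"order:view", "price:change"},
}

ORDERS = {101: "alice", 102: "bob"}   # constructed: order id -> owner


def is_allowed(roles, permission: str) -> bool:
    """True only if some role of the principal explicitly grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def requires(permission: str):
    """Decorator enforcing the role-based check before the function body runs."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if not is_allowed(principal.get("roles", ()), permission):
                raise Forbidden(f"{principal.get('name')} lacks {permission}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


@requires("price:change")
def change_price(principal, sku: str, new_price: float) -> dict:
    return {"sku": sku, "price": new_price, "by": principal["name"]}


@requires("order:view")
def view_order(principal, order_id: int) -> dict:
    # Resource-based check on top of the role check: a reader sees only
    # their own orders unless a role grants view_any.
    owner = ORDERS[order_id]
    if owner != principal["name"] and not is_allowed(principal["roles"], "order:view_any"):
        raise Forbidden(f"{principal['name']} is not the owner of order {order_id}")
    return {"order": order_id, "owner": owner}


if __name__ == "__main__":
    alice = {"name": "alice", "roles": ["reader"]}
    print(view_order(alice, 101))
    for attempt in (lambda: view_order(alice, 102),
                    lambda: change_price({"name": "dbo", "roles": []}, "A100", 1.0)):
        try:
            attempt()
        except Forbidden as exc:
            print("denied:", exc)
```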

auDiTiNG

Historical Evidence

</Auditing – Security Controls>

• Record Activity AND Errors

• Record all administrative activities

◦ E.g., Login, Logoff, Password change

• Record critical business functions

◦ E.g., Price change; Order cancellation

• Turn on system/database logging by default

• Record changes for building a historical evidence trail

• Always Append, Never Overwrite

• Treat Audit Logs as Highly Restricted Sensitive information
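An append-only audit trail for the events the slide lists (login, password change, price change, order cancellation), as an added Python example rather than the deck's code. It goes one step further than "append, never overwrite": each record carries the hash of the previous one, so an edited or removed line is detected on verification even though the file itself is ordinary text. The events, actors and values are constructed.

```python
import hashlib
import json
import os
import tempfile
import time

GENESIS = "0" * 64


class AuditLog:
    """Append-only, hash-chained audit log stored as JSON lines."""

    def __init__(self, path: str):
        self.path = path
        self._last = GENESIS
        if os.path.exists(path):
            for record in self.read():
                self._last = record["hash"]

    def record(self, actor: str, action: str, **details) -> str:
        entry = {"ts": time.time(), "actor": actor, "action": action,
                 "details": details, "prev": self._last}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        with open(self.path, "a", encoding="utf-8") as f:     # append, never overwrite
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        self._last = entry["hash"]
        return entry["hash"]

    def read(self) -> list:
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]

    def verify(self) -> bool:
        """Recompute the chain; any edit, insertion or deletion breaks it."""
        prev = GENESIS
        for record in self.read():
            stored = record.pop("hash")
            recomputed = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
            if record["prev"] != prev or recomputed != stored:
                return False
            prev = stored
        return True


def demo() -> dict:
    """Write constructed events, check the chain, then tamper with one record."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "audit.log")
        log = AuditLog(path)
        log.record("admin", "login")
        log.record("admin", "password_change", target="mano")
        log.record("carol", "price_change", sku="A100", old=19.99, new=1.99)
        log.record("bob", "order_cancel", order=102)
        admin_events = [r["action"] for r in log.read() if r["actor"] == "admin"]
        intact = log.verify()
        # Someone with write access "corrects" the price change after the fact.
        with open(path, encoding="utf-8") as f:
            lines = f.read().splitlines()
        lines[2] = lines[2].replace('"new": 1.99', '"new": 19.99')
        with open(path, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        return {"admin_events": admin_events, "intact": intact, "after_tamper": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The chain makes tampering visible; it does not prevent it. Restricting who can read or write the file (the slide's last bullet) and shipping records off-host remain necessary.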

</Liar, Liar, …>

• Social Engineering - Art of Deception

• Targets Human Trust

• var stealPwd = prompt('Please enter your password');

• Really no technical control – security awareness is the only chance

Photo Credit: iStockphoto

Natural Security

"… organisms keep themselves safe in a world that's every bit as unpredictable as our world"

- Raphael Sagarin

- Author of Natural Security

</Security Management>

From monolithic applications to smaller, disconnected and modular services/APIs/apps.

</Bee-Hiving Software>

Quality (Secure) software should be

a. Modular (Unit)

b. Highly Cohesive (discrete functions)

c. Loosely Coupled (minimal dependencies)

</Regenerative Bugs>

• The stick insect can regrow an amputated appendage

• Improper or ineffective configuration management controls (e.g., versioning) can cause bugs already fixed in production to regenerate, when the fix is not carried back into the dev/test environments and the next release overwrites it.

</Defensive Dams>

• Necessary protections should be built into the software, layered with defense in depth, starting with the perimeter.

</Head in the Sand>

• Ignoring or not mitigating known vulnerabilities in your software is akin to sticking your head in the sand …

• Accept, Transfer or Mitigate Ri$k.

</The Third Eye>

• The Horseshoe Crab (Limulus) is said to have a third eye.

• Secure Software should allow for Extra Vigilance!

</Sleep-Swimming>

• Some aquatic mammals sleep by shutting down ONLY one side of their brain at a time.

• Security should always be vigilant (conscious).

</pH – potentially Hackable>

• pH is the measure of acidity/alkalinity

• Security pH-ilosophy should be to NEUTRALIZE

a. threats with countermeasures

• Any imbalance will lead to potentially Hackable software

</To sum up …/>

2B || !2B Secure Naturally

Incorporating the Bare Necessities so that your software is NOT potentially Hackable – That is the Question

- Software Security - The Road Less Travelled

Makes ALL the difference

</Cont@ct!/>

If (Liked the presentation ||
    Did not like the presentation ||
    Need Encore (other) presentation for your company ||
    Have Security Program Development Needs ||
    Have Security Product Development/Evaluation Needs ||
    Have Awareness, Training & Education Needs ||
    Have Certification (CISSP®/SSCP®) Needs)
{
    Manoranjan (Mano) Paul, CISSP, ECSA/LPT, MCSD, MCAD, CompTIA Network+
    mano(dot)paul(at)securisksolutions(dot)com
    mano(dot)paul(at)expresscertifications(dot)com
    1-866-369-CERT (2378)
    SecuRisk Solutions
    Contact me;
}
else
{
    Have a great day;
}
finally
{
    Thank you;
}
