Application Software Assurance Program (ASAP)
Santosh S Kandala, Technical Analyst, Application Consulting & Engineering, [email protected]
Anmol Malhotra, Technical Analyst, Application Consulting & Engineering, [email protected]
Ramshanker Krishnan, Group Program Manager, Application Consulting & Engineering, [email protected]
Microsoft IT Environment
Sites shown on the map: Canyon Park, Redmond; Silicon Valley; Las Colinas; Charlotte; Chicago; Sao Paulo; Dublin; Thames Valley Park; Benelux; Les Ulis; Madrid; Milan; Munich; Stockholm; Johannesburg; Dubai; Singapore; Chofu & Otemachi; Sydney
• 400+ supported Microsoft sites worldwide
• 55,000 employees
• 90,000 mailboxes
• 6-7M e-mail messages per day
• 300,000+ network devices
• 6,000 data-center servers
• 110 Exchange servers / 36 mailbox servers
• 400 primary LOB applications
• 26 million voice calls per month
Enterprise Risk Model
[Chart: vertical axis "Impact to Business (Defined by Business Owner)", Low to High; horizontal axis "Probability of Exploit (Defined by Corporate Security)", Low to High. The low-impact/low-probability region is labeled Acceptable Risk; the high-impact/high-probability region is labeled Unacceptable Risk.]
Risk assessment drives to acceptable risk
Mission and Vision
Operating Principles
Risk Based Decision Model
Tactical Prioritization
Components of Risk Assessment
[Diagram: Asset + Threat give Impact; Vulnerability + Mitigation give Probability; together they give the Current Level of Risk.]
• Asset – What are you trying to assess?
• Threat – What are you afraid of happening?
• Impact – What is the impact to the business?
• Vulnerability – How could the threat occur?
• Mitigation – What is currently reducing the risk?
• Probability – How likely is the threat given the controls?
• Current Level of Risk – What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset?
Motivation For Application Security
• Cost of recovery and lost productivity
• Loss of data
• Impact on consumer confidence
• Legal risks
Purpose of ASAP
• Inventory and assess line-of-business (LOB) applications
• Identify and ensure resolution of security/privacy vulnerabilities found in those applications assessed.
• Enable Application Risk Management:
– Strategic
– Tactical
– Operational
– Legal
ASAP is Not Optional
• All line-of-business application teams must go through ASAP
• If they fail to do so, they cannot go into production
• Enforcement of the ASAP process contributes to its success
ASAP Program
• ASAP should be thought of as both a set of standards and as a process
– Maintain and publish standards and guidelines that align with corporate policies
– Educate IT professionals
– Create threat models, conduct design reviews and code-level security and privacy assessments
– Assess host-level security
Program Participants
[Diagram of participants and their responsibilities:]
• Corporate Security Group – Security policy; Impact assessment
• ASAP Team – Threat modeling; Limited and comprehensive assessments
• Operations IT Group – Deploy and configure applications
• Corporate Privacy/Law and Corporate Affairs Group – Privacy policy
• Business Unit IT Groups – Action on assessment findings
ASAP Process Designed To Be Inline With SDLC
Typical Software Development Life Cycle: Scope/Plan → Design → Develop/Purchase → Stabilize/UAT → Sustainment
Application Software Assurance Program Process: Application Entry/Risk Assessment → Threat Model → Design Review → Pre-Production Assessment → Post-Production Assessment
Application Entry/Risk Assessment
• Objective:
– Application Inventory
– Determine Application Risk Categorization
• High Risk Security/Privacy Release
• Medium Risk Security/Privacy Release
• Low Risk Security/Privacy Release
Parameters involved in evaluating risk
• Audience – Type of users and volume
• Data Classification – HBI, MBI, LBI and PII
• Reliance / Integration – Dependency on other applications
• Architecture – Internal/external facing, etc.
Application Risk Determines Service Level
• High Risk Security Release – Compulsory threat model/design review plus white box code review and host level scan
• Medium Risk Security Release – White box code review and host level scan
• Low Risk Security Release – Host level scan
Threat Model
• Principle: Can't build a secure system until you've identified all the threats against it.
– Provide capability where teams can
• Define – Information relevant to application security
• Model – Threats, Attacks, Vulnerabilities and Mitigations
• Measure – Impact, Probability, Cost, Benefit
– Threat Categories
• Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
– Threat rating
• Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability
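The Define/Model/Measure step above, as an added example that is not code from the ASAP deck: each threat gets a STRIDE category and five DREAD scores, and the total decides which threats the application team must mitigate first. The 1..3 score per DREAD factor and the 5..15 total bands (High 12-15, Medium 8-11, Low 5-7) are assumed to follow the "Improving Web Application Security" guide linked at the end of the deck; class names and sample threats are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Added example, not code from the ASAP deck. Score bands assumed from the
// "Improving Web Application Security" guide: total 12-15 High, 8-11 Medium, 5-7 Low.
public enum StrideCategory
{
    Spoofing, Tampering, Repudiation, InformationDisclosure, DenialOfService, ElevationOfPrivilege
}
public sealed class ThreatRating
{
    public string Description { get; }
    public StrideCategory Category { get; }
    // DREAD order: Damage, Reproducibility, Exploitability, Affected users, Discoverability.
    public int[] Dread { get; }
    public ThreatRating(string description, StrideCategory category, params int[] dread)
    {
        if (dread.Length != 5 || dread.Any(s => s < 1 || s > 3))
            throw new ArgumentException("DREAD needs five scores, each 1 (low) to 3 (high)", nameof(dread));
        Description = description;
        Category = category;
        Dread = dread;
    }
    public int Total => Dread.Sum();
    // Band the total so the threat model states which threats are mitigated first.
    public string Rating => Total >= 12 ? "High" : Total >= 8 ? "Medium" : "Low";
}
public static class ThreatModelDemo
{
    // Highest total first; ties broken by damage potential so the most harmful threat leads.
    public static List<ThreatRating> Prioritize(IEnumerable<ThreatRating> threats) =>
        threats.OrderByDescending(t => t.Total).ThenByDescending(t => t.Dread[0]).ToList();
    public static void Main()
    {
        // Constructed sample threats for a web application like the deck's home.aspx.
        var threats = new[]
        {
            new ThreatRating("Query-string value echoed to the page unencoded", StrideCategory.Tampering, 2, 3, 3, 3, 3),
            new ThreatRating("SQL built by concatenating user input", StrideCategory.ElevationOfPrivilege, 3, 3, 2, 3, 2),
            new ThreatRating("Admin actions not written to an audit log", StrideCategory.Repudiation, 1, 2, 1, 2, 1),
        };
        foreach (var t in Prioritize(threats))
            Console.WriteLine($"{t.Rating,-6} {t.Total,2}  {t.Category,-20} {t.Description}");
    }
}
```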
Application Principles
• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation
Design Review
• Objective:
– Review and detect security vulnerabilities early in the development lifecycle.
– Review application design to verify compliance with security standards and best practices.
– Usually results in design changes.
– Verify application meets application principles
Pre-Production Assessment
• Objective: Low Risk Applications
• Host Level Scan – Windows, IIS, SQL
Pre-Production Assessment
• Objective: High/Medium Risk Applications
• Host Level Scan – Windows, IIS, SQL
• White Box Code Review
White Box Code Review
• Process
– Application team provides source code
– Analysts review application code, uncovering security vulnerabilities
– Vulnerabilities logged in bug database
– Application team required to address all Sev 1 bugs prior to going into production
Some common attack patterns white box review may reveal
• Cross-Site Script Vulnerabilities
• SQL Injection
• Buffer Overflow
• Poor Authorization Controls
• Secrets Stored In Clear Text
XSS Attack
• An attacker normally exploits this by identifying a vulnerable page that outputs unvalidated input back to the browser. The following URL shows the input accepted by a vulnerable page; the code snippet after it is the page code that makes it exploitable.
Code Snippet:
http://www.yourapplicationname.com/home.aspx?name=<script>alert('Your page is hacked')</script>
Code Snippet of home.aspx.cs:
Response.Write("Welcome " + Request.QueryString["name"]);
When this link is clicked, it shows an alert message because of the script tag embedded in the URL. The legitimate URL is supposed to carry the user's name, and that parameter can be abused as shown above.
SQL Injection
• The following snippet of code shows how this vulnerability can be exploited.
SqlDataAdapter myCommand = new SqlDataAdapter("select * from tablename where fieldname = '" + userinput + "'", myConnection);
The above query is executed with the user input embedded in it. This code can be exploited if the input entered/passed is value'; followed by any valid SQL command.
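The two vulnerable patterns above (the XSS write in home.aspx.cs and the concatenated SqlDataAdapter query) beside the form a white box review would ask the application team to ship instead. This is an added example, not code from the ASAP deck; the class and method names are illustrative, and tablename/fieldname are the deck's placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
// Added example, not code from the ASAP deck. Class and method names are illustrative.
public static class AsapRemediation
{
    // Vulnerable (the deck's snippet): the query-string value is written straight into
    // the page, so a <script> tag in ?name= runs in the visitor's browser.
    public static void WelcomeVulnerable(HttpResponse response, HttpRequest request)
    {
        response.Write("Welcome " + request.QueryString["name"]);
    }
    // Hardened: HTML-encode before writing, so '<' becomes '&lt;' and the
    // payload is rendered as text rather than executed.
    public static void WelcomeHardened(HttpResponse response, HttpRequest request)
    {
        string name = request.QueryString["name"] ?? string.Empty;
        response.Write("Welcome " + HttpUtility.HtmlEncode(name));
    }
    // Vulnerable (the deck's snippet): user input is concatenated into the SQL text,
    // so a quote followed by further SQL changes the statement that runs.
    public static DataTable LookupVulnerable(SqlConnection connection, string userInput)
    {
        var adapter = new SqlDataAdapter(
            "select * from tablename where fieldname = '" + userInput + "'", connection);
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }
    // Hardened: the value travels as a typed parameter, never as SQL text, so a quote
    // or semicolon in the input cannot alter the statement.
    public static DataTable LookupHardened(SqlConnection connection, string userInput)
    {
        var adapter = new SqlDataAdapter(
            "select * from tablename where fieldname = @value", connection);
        adapter.SelectCommand.Parameters.Add("@value", SqlDbType.NVarChar, 100).Value = userInput;
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }
}
```

A reviewer checks that every Response.Write of request data goes through HtmlEncode (or an equivalent encoder) and that no SQL string is built with the + operator on user input; either finding is logged against the file and line number, as in the bug template that follows.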
Sample Bug Template
Issue: User-controlled input is displayed back to the user without validation and encoding, leading to a Cross Site Scripting vulnerability.
File: home.aspx.cs
Code Snippet (Line No 102):
Response.Write("Welcome " + Request.QueryString["name"]);
For a discussion of this vulnerability type & remediation steps, please see the following link: http://internalwebsite/Lists/vulnerability_type.aspx
For information on the Escalations & Exceptions process, please see the following link: http://internalwebsite/aaa/default.aspx
Post-Production Assessment
• Objective: High/Medium/Low Risk Applications
• Host Level Scan – Windows, IIS, SQL
Lessons Learned
• If you wait until an application is already in production to make it secure, you are too late
• Good security practices take into account both the host and the application client
• Create clearly written and easily accessible security & privacy guidelines
• Create checklists that include step-by-step instructions
• Develop a thoroughly-considered policy exception tracking process
• Education is crucial to the success of a security/privacy program
• Security is an ongoing, always changing, concern
Useful Links
• IT Showcase: http://www.microsoft.com/itshowcase
• ASAP: http://www.microsoft.com/technet/itsolutions/msit/security/applsa.mspx
• Improving Web Application Security: Threats and Countermeasures: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp