Application Software Assurance Program (ASAP)

Santosh S Kandala, Technical Analyst, Application Consulting & Engineering, [email protected]

Anmol Malhotra, Technical Analyst, Application Consulting & Engineering, [email protected]

Ramshanker Krishnan, Group Program Manager, Application Consulting & Engineering, [email protected]



Microsoft IT Environment

Sites shown on the map: Sydney, Chofu & Otemachi, Les Ulis, Thames Valley Park, Dublin, Benelux, Madrid, Dubai, Singapore, Johannesburg, Sao Paulo, Canyon Park (Redmond), Las Colinas, Charlotte, Chicago, Milan, Stockholm, Munich, Silicon Valley

• 400+ supported Microsoft sites worldwide
• 90,000 mailboxes
• 6-7M e-mail messages per day
• 300,000+ network devices
• 6,000 data-center servers
• 110 Exchange servers / 36 mailbox servers
• 400 primary LOB applications
• 26 million voice calls per month
• 55,000 employees

Enterprise Risk Model

[Figure: risk matrix. Vertical axis: Impact to Business (Defined by Business Owner), Low to High. Horizontal axis: Probability of Exploit (Defined by Corporate Security), Low to High. Regions labeled Acceptable Risk and Unacceptable Risk.]

Risk assessment drives to acceptable risk

• Mission and Vision
• Operating Principles
• Risk Based Decision Model
• Tactical Prioritization

Components of Risk Assessment

• Asset – What are you trying to assess?
• Threat – What are you afraid of happening?
• Impact – What is the impact to the business?
• Vulnerability – How could the threat occur?
• Mitigation – What is currently reducing the risk?
• Probability – How likely is the threat given the controls?

(The slide combines these components, drawn with + and = signs, into the current level of risk.)

Current Level of Risk – What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset?


Motivation For Application Security

• Cost of recovery and lost productivity
• Loss of data
• Impact on consumer confidence
• Legal risks

Purpose of ASAP

• Inventory and assess line-of-business (LOB) applications

• Identify and ensure resolution of security/privacy vulnerabilities found in those applications assessed.

• Enable Application Risk Management:
– Strategic
– Tactical
– Operational
– Legal

ASAP is Not Optional

• All line-of-business application teams must go through ASAP

• If they fail to do so, they cannot go into production

• Enforcement of the ASAP process contributes to its success

ASAP Program

• ASAP should be thought of as both a set of standards and as a process

– Maintain and publish standards and guidelines that align with corporate policies
– Educate IT professionals
– Create threat models, conduct design reviews and code-level security and privacy assessments
– Assess host-level security

Program Participants

CorporateCorporateSecurity Security

GroupGroup

ASAPASAPTeamTeam

OperationsOperationsIT GroupIT Group

CorporateCorporatePrivacy/LawPrivacy/Law

and Corporateand CorporateAffairs GroupAffairs Group

Business Unit Business Unit IT GroupsIT Groups

Security policySecurity policy Impact assessmentImpact assessment

Threat modelingThreat modeling

Limited and Limited and comprehensive comprehensive assessmentsassessments

Deploy and configure Deploy and configure applicationsapplications

Privacy policyPrivacy policy

Action on assessment Action on assessment findingsfindings

ASAP Process Designed To Be Inline With SDLC

Typical Software Development Life Cycle: Scope/Plan → Design → Develop/Purchase → Stabilize/UAT → Sustainment

Application Software Assurance Program Process:

• Application Entry/Risk Assessment
• Threat Model
• Design Review
• Pre-Production Assessment
• Post-Production Assessment

Application Entry/Risk Assessment

• Objective:
– Application Inventory
– Determine Application Risk Categorization
• High Risk Security/Privacy Release
• Medium Risk Security/Privacy Release
• Low Risk Security/Privacy Release


Parameters involved in evaluating risk

• Audience – Type of users and volume

• Data Classification – HBI, MBI, LBI and PII

• Reliance / Integration – Dependency on other applications

• Architecture – Internal/external facing etc.

Application Risk Determines Service Level

• High Risk Security Release – Compulsory threat model/design review plus white box code review and host level scan

• Medium Risk Security Release – White box code review and host level scan

• Low Risk Security Release – Host level scan
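As an added illustration (not from the deck), a small Python model of the risk categorization and service-level mapping described above. The scoring weights and category thresholds are assumptions; the deck names the four parameters and the three service levels but does not state how they are scored.

```python
# Added example (not from the ASAP deck): a model of the deck's risk-based
# decision flow. Scoring weights and thresholds are assumptions made here;
# the deck lists the parameters and service levels, not a scoring rule.
from dataclasses import dataclass

# Data classifications named in the deck (HBI = high, MBI = medium,
# LBI = low business impact); PII raises the score further.
CLASSIFICATION_SCORE = {"HBI": 3, "MBI": 2, "LBI": 1}

# Activities each service level requires, as stated in the deck.
SERVICE_LEVEL = {
    "High":   ["threat model", "design review", "white box code review", "host level scan"],
    "Medium": ["white box code review", "host level scan"],
    "Low":    ["host level scan"],
}


@dataclass
class Application:
    name: str
    audience: str          # "internet", "partner" or "internal" (assumed values)
    classification: str    # HBI / MBI / LBI
    pii: bool
    external_facing: bool
    dependencies: int      # number of other LOB applications relied on


def risk_score(app: Application) -> int:
    """Assumed additive scoring over the deck's four parameters."""
    score = CLASSIFICATION_SCORE[app.classification]
    score += 2 if app.pii else 0
    score += {"internet": 3, "partner": 2, "internal": 1}[app.audience]
    score += 2 if app.external_facing else 0
    score += min(app.dependencies, 3)   # cap the reliance/integration term
    return score


def risk_category(app: Application) -> str:
    """Assumed thresholds: 9 or more is High, 5 or more is Medium, else Low."""
    s = risk_score(app)
    return "High" if s >= 9 else "Medium" if s >= 5 else "Low"


def required_activities(app: Application) -> list[str]:
    """Service level the deck attaches to the application's risk category."""
    return SERVICE_LEVEL[risk_category(app)]
```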

Threat Model

• Principle: Can't build a secure system until you've identified all the threats against it.

– Provide capability where teams can
• Define – Information relevant to application security
• Model – Threats, Attacks, Vulnerabilities and Mitigations
• Measure – Impact, Probability, Cost, Benefit

– Threat Categories
• Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

– Threat rating
• Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability


Threat Modeling Tool – ACE Torpedo

Application Principles

• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation

Design Review

• Objective:
– Review and detect security vulnerabilities early in the development lifecycle.
– Review application design to verify compliance with security standards and best practices.
– Usually results in design changes.
– Verify application meets application principles


Pre-Production Assessment

• Objective:
– Low Risk Applications

• Host Level Scan
– Windows
– IIS
– SQL


Pre-Production Assessment

• Objective:
– High/Medium Risk Applications

• Host Level Scan
– Windows
– IIS
– SQL

• White Box Code Review


White Box Code Review

• Process
– Application team provides source code
– Analysts review application code uncovering security vulnerabilities
– Vulnerabilities logged in bug database
– Application team required to address all Sev 1 bugs prior to going into production

Some common attack patterns white box review may reveal

• Cross-Site Script Vulnerabilities

• SQL Injection

• Buffer Overflow

• Poor Authorization Controls

• Secrets Stored In Clear Text

XSS Attack

• An attacker normally exploits this by identifying the vulnerable page that outputs unvalidated input back to the browser. The following snippet shows input that a vulnerable page accepts and reflects. Code snippet:

http://www.yourapplicationname.com/home.aspx?name=<script>alert('Your page is hacked')</script>

Code snippet of home.aspx.cs (the query-string value is written to the response without validation or encoding):

Response.Write("Welcome" + Request.QueryString["name"]);

When this link is clicked, it will show an alert message because of the script tag embedded in the URL. The legitimate URL is supposed to carry the user's name, which can be exploited as shown above.

SQL Injection

• The following snippet of code shows how this vulnerability can be exploited.

SqlDataAdapter myCommand = new SqlDataAdapter("select * from tablename where fieldname = '" + userinput + "'", myConnection);

The above code builds the SQL statement from the user input, so what gets executed depends on that input. It can be exploited if the input is entered/passed as value'; followed by any valid SQL command.

Sample Bug Template

Issue: User controlled Input is displayed back to User without Validation and Encoding leading to Cross Site Scripting Vulnerability

File: home.aspx.cs
Code Snippet (Line No 102):

Response.Write("Welcome" + Request.QueryString["name"]);

For a discussion of this vulnerability type & remediation steps, please see the following link: http://internalwebsite/Lists/vulnerability_type.aspx

For information on the Escalations & Exceptions process, please see the following link: http://internalwebsite/aaa/default.aspx
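As an added illustration (not part of the deck), a minimal white box review check in Python that flags the two defect patterns shown in the XSS and SQL injection snippets, renders findings in the shape of the sample bug template, and applies the rule that all Sev 1 bugs must be addressed before production. The source lines and their line numbers are constructed; only line 102 mirrors the snippet quoted in the deck's template.

```python
# Added example (not from the ASAP deck): a small pattern-based check for
# the two defects the deck illustrates, plus the deck's Sev 1 production
# gate. The sample source below is constructed for this example.
import re

# Constructed sample of home.aspx.cs, keyed by line number. Line 110 is
# the encoded form and must not be flagged.
SAMPLE_SOURCE = {
    100: 'string userinput = Request.QueryString["q"];',
    102: 'Response.Write("Welcome" + Request.QueryString["name"]);',
    105: 'SqlDataAdapter myCommand = new SqlDataAdapter("select * from tablename where fieldname = \'" + userinput + "\'", myConnection);',
    110: 'Response.Write("Welcome " + HttpUtility.HtmlEncode(Request.QueryString["name"]));',
}

# (severity, issue text, pattern). Both are treated as Sev 1 here.
PATTERNS = [
    (1, "User controlled Input is displayed back to User without Validation and Encoding leading to Cross Site Scripting Vulnerability",
     # Response.Write of a request value with no HtmlEncode before the ';'
     re.compile(r'Response\.Write\((?![^;]*HtmlEncode)[^;]*Request\.(QueryString|Form)')),
    (1, "User controlled Input is concatenated into a SQL statement leading to SQL Injection Vulnerability",
     # a SQL string literal immediately concatenated with '+'
     re.compile(r'new\s+Sql(DataAdapter|Command)\(\s*"[^"]*"\s*\+')),
]


def review(source: dict[int, str], filename: str = "home.aspx.cs") -> list[dict]:
    """Scan each line against PATTERNS and collect findings in line order."""
    findings = []
    for lineno, text in sorted(source.items()):
        for sev, issue, rx in PATTERNS:
            if rx.search(text):
                findings.append({"file": filename, "line": lineno, "sev": sev,
                                 "issue": issue, "snippet": text})
    return findings


def bug_template(f: dict) -> str:
    """Render one finding in the layout of the deck's sample bug template."""
    return (f"Issue: {f['issue']}\nFile: {f['file']}\n"
            f"Code Snippet (Line No {f['line']}):\n{f['snippet']}")


def ready_for_production(findings: list[dict]) -> bool:
    """Deck rule: every Sev 1 bug must be addressed before going live."""
    return not any(f["sev"] == 1 for f in findings)
```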

Post-Production Assessment

• Objective:
– High/Medium/Low Risk Applications

• Host Level Scan
– Windows
– IIS
– SQL

Lessons Learned

• If you wait until an application is already in production to make it secure, you are too late
• Good security practices take into account both the host and the application client
• Create clearly written and easily accessible security & privacy guidelines
• Create checklists that include step-by-step instructions
• Develop a thoroughly-considered policy exception tracking process
• Education is crucial to the success of a security/privacy program
• Security is an ongoing, always changing, concern

Useful Links

• IT Showcase: http://www.microsoft.com/itshowcase

• ASAP: http://www.microsoft.com/technet/itsolutions/msit/security/applsa.mspx

• Improving Web Application Security: Threats and Countermeasures: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Thank You