![Page 1: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/1.jpg)
Software Security Initiative
James Walden
Northern Kentucky University
![Page 2: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/2.jpg)
CSC 666: Secure Software Engineering
Topics
1. Security Operations
2. Web Application Firewalls
3. Build Security In Maturity Model
![Page 3: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/3.jpg)
CSC 666: Secure Software Engineering
Software Security Practices
1. Code Reviews
2. Risk Analysis
3. Penetration Testing
SecurityOperations
Requirements Design Coding Testing Maintenance
RiskAnalysis
AbuseCases
Code Reviews +Static Analysis
PenetrationTesting
SecurityTesting
4. Security Testing
5. Abuse Cases
6. Security Operations
![Page 4: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/4.jpg)
CSC 666: Secure Software Engineering
Security Operations
User security notes• Software should be secure by default.• Enabling certain features/configs may have
risks.• User needs to be informed of security risks.
Incident response• What happens when a vulnerability is
reported?• How do you communicate with users?• How do you send updates to users?
![Page 5: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/5.jpg)
CSC 666: Secure Software Engineering
Code Deployment
Manage deployment process Change management process. Scrub debug/test code from software. Use automated tools for deployment.
Maintain three sets of servers Development Staging Production
![Page 6: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/6.jpg)
CSC 666: Secure Software Engineering
Web Application Firewalls
Analyze + filter HTTP traffic Intrusion Detection Intrusion Prevent
Open Source WAFs AQTronix WebKnight Breach ModSecurity
Commercial WAFs Armorlogic Profense Breach WebDefend Citrix Application Firewall Fortify Defender
![Page 7: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/7.jpg)
CSC 666: Secure Software Engineering
Modes of Operation
Bridge: transparent bridging firewall. Router: install at single point of entry. Reverse Proxy: traffic redirected to flow
through WAF by DNS or routing. Embedded: server plugin; no need to
configure network but only works with some web servers.
![Page 8: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/8.jpg)
CSC 666: Secure Software Engineering
Modes of Operation
Bridge orRouter
Embedded
ReverseProxy
![Page 9: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/9.jpg)
CSC 666: Secure Software Engineering
SSL
Terminates SSL: Reconfigure network to move SSL operations to WAF itself. WAF to server communication can be plaintext or SSL encrypted.
Passively decrypts SSL: WAF decrypts SSL traffic using copy of server’s SSL private key. Data travels untouched to web server.
Occurs after SSL: Embedded WAFs can be posititioned to analyze traffic after server decrypts SSL data.
![Page 10: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/10.jpg)
CSC 666: Secure Software Engineering
Traffic Blocking
Connection Intermediation: Traffic intercepted by WAF. Attacks blocked by not forwarding packets to destination.
Connection Reset: Traffic inspected by WAF, which blocks attacks by resetting TCP connections.
3rd Party Blocking: Traffic inspected by WAF, which notifies other devices to block.
![Page 11: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/11.jpg)
CSC 666: Secure Software Engineering
Traffic Blocking
WAFs can block IP addresses TCP connections HTTP requests Application sessions Application users Too many new requests/sessions
WAFs can rewrite parts of HTTP request Request headers Response headers Cookies URLs HTTP message bodies
![Page 12: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/12.jpg)
CSC 666: Secure Software Engineering
Canonicalization
WAFs convert data to standard form URL-decoding Paths (., .., \) Mixed case Whitespace condensation HTML entity decoding Escaped cahracter decoding Unicode standardization
![Page 13: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/13.jpg)
CSC 666: Secure Software Engineering
Signatures and Rules
Signatures Text strings Regular expressions
Rules Signatures + Operators (length, field) Logical expressions Control flow Session management
![Page 14: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/14.jpg)
CSC 666: Secure Software Engineering
BSI Maturity Model
Guide for building and improving a SSI.
Based on survey of top software security programs: Adobe Depository Trust and Clearing Corporation EMC Google Microsoft QUALCOMM Wells Fargo
Software Security Initiative Statistics 2-10 years old (average 4) 12-100 people (average 41) Approximate 100:1 developer:security person ratio.
![Page 15: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/15.jpg)
CSC 666: Secure Software Engineering
Using the Maturity Model
Executive leadership Accountability and empowerment. Difficultieis: Grassroots and network security.
Identify organization security goals. Identify which practices fit best with
organizational culture.
Use all 12 practices. Better to put some level 1 activities in each
practice in place than go to level 3 in one. Not necessary to do all practices in level 1
before moving to level 2.
![Page 16: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/16.jpg)
CSC 666: Secure Software Engineering
Software Security Framework
Governance: Practices that help manage and measure a software security program.
Intelligence: Practices producing collection sof corporate knowledge used in swsec.
SSDL Touchpoints: Practices associated with analysis and assurance of particular software development artifacts & processes.
Deployment: Practices interfacing with network security and software configuration abd maintenance organizations.
![Page 17: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/17.jpg)
CSC 666: Secure Software Engineering
Software Security Framework
![Page 18: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/18.jpg)
CSC 666: Secure Software Engineering
Practices and Business Goals
![Page 19: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/19.jpg)
CSC 666: Secure Software Engineering
Strategy and Metrics
![Page 20: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/20.jpg)
CSC 666: Secure Software Engineering
Compliance and Policy
![Page 21: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/21.jpg)
CSC 666: Secure Software Engineering
Training
![Page 22: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/22.jpg)
CSC 666: Secure Software Engineering
Attack Models
![Page 23: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/23.jpg)
CSC 666: Secure Software Engineering
Security Features and Design
![Page 24: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/24.jpg)
CSC 666: Secure Software Engineering
Standards and Requirements
![Page 25: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/25.jpg)
CSC 666: Secure Software Engineering
Architecture Analysis
![Page 26: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/26.jpg)
CSC 666: Secure Software Engineering
Code Review
![Page 27: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/27.jpg)
CSC 666: Secure Software Engineering
Security Testing
![Page 28: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/28.jpg)
CSC 666: Secure Software Engineering
Penetration Testing
![Page 29: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/29.jpg)
CSC 666: Secure Software Engineering
Software Environment
![Page 30: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/30.jpg)
CSC 666: Secure Software Engineering
Configuration Management
![Page 31: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/31.jpg)
CSC 666: Secure Software Engineering
Ten Core Activities Everyone Does
![Page 32: Software Security Initiative James Walden Northern Kentucky University](https://reader033.vdocument.in/reader033/viewer/2022042718/56649ec05503460f94bcb208/html5/thumbnails/32.jpg)
CSC 666: Secure Software Engineering
References1. Brian Chess, Gary McGraw, Sammy Migues, Building Security In—Maturity Model,
http://www.bsi-mm.com/2. CLASP, OWASP CLASP Project,
http://www.owasp.org/index.php/Category:OWASP_CLASP_Project, 2008.3. Noopur Davis et. al., Processes for Producing Secure Software. IEEE Security &
Privacy, May 2004.4. Karen Goertzel, Theodore Winograd, et al. for Department of Homeland Security
and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.
5. Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006.
6. Gary McGraw, Software Security, Addison-Wesley, 2006.7. Ivan Ristic, Apache Security, O’Reilly, 2005.8. Ofer Shezaf, ModSecurity “The Core Rule Set”: Generation detection of
application layer attacksModSecurity "The Core Rule Set": Generic detection of application layer attacks, 6th OWASP AppSec Conference, 2007.
9. Web Application Security Consortium, “WAFEC, or how to choose WAF technology,” http://www.webappsec.org/projects/wafec/, 2006.