How the Cloud Shifts the Burden of Security to Development
DESCRIPTION
The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Developers are extremely well-poised to perform tasks critical for securing the application, provided that certain key obstacles are overcome. [Presented at Cloud Expo - November 2014]
TRANSCRIPT
Parasoft Copyright © 2014
11/4/14
Cloud Shifts the Burden of Security to Development
Parasoft - Arthur Hicken, Evangelist / Security Specialist
Agenda
The problem: The porous nature of clouds
Types of security testing
Divide and conquer with service virtualization
Proactive prevention
Security Problems are Growing
§ Attacks are on the rise
§ It's better to fix it BEFORE than after
The castle has been breached
§ Enterprise network protected by firewall
§ Application is the only way in
§ Must keep application open for business
§ Users (potential hackers) must have access to the application
General IT System Security
§ Network firewall
§ Authentication and access control systems
§ Network Intrusion Detection System (NIDS)
§ Network Intrusion Prevention System (NIPS)
§ Anti-virus
§ Anti-spyware
§ Secure Sockets Layer (SSL)
§ "Defense in depth"
Security is vital
§ Suddenly there are openings everywhere
§ Can't rely on "it was checked elsewhere in the application"
§ Input validation covers a wide swath of potential problems
§ OWASP Top 10
§ CWE Top 25
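The "checked elsewhere" problem in working code, as an added example that is not part of the presentation. The deck talks about Java applications; Python's built-in sqlite3 module is used here so the example runs offline, and the table, the function names and the allow-list pattern are all constructed for this illustration. The vulnerable lookup assumes a caller already validated the user name; the parameterized lookup removes the injection regardless of input; the hardened lookup adds entry-point validation on top, which is the defense-in-depth point the slide makes.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the application's database
# (example data, not from the presentation).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # Anti-pattern: the query assumes `name` was validated "elsewhere".
    # Attacker-controlled text becomes part of the SQL grammar.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Bound parameters keep the value out of the SQL grammar regardless of content.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

# Allow-list for user names (assumed grammar): a lowercase letter, then up to
# 31 characters from [a-z0-9_].
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def validate_name(name):
    # Validation at the entry point: reject anything outside the expected grammar
    # instead of trying to strip "dangerous" characters.
    if not isinstance(name, str) or NAME_RE.fullmatch(name) is None:
        raise ValueError("invalid user name: %r" % (name,))
    return name

def lookup_hardened(conn, name):
    # Defense in depth inside the application: validate, then bind.
    return lookup_parameterized(conn, validate_name(name))

def demo(payload="x' OR '1'='1"):
    """Run the same injection payload through each variant; returns row counts."""
    conn = make_db()
    try:
        hardened = len(lookup_hardened(conn, payload))
    except ValueError:
        hardened = "rejected"
    return {
        "vulnerable": len(lookup_vulnerable(conn, payload)),
        "parameterized": len(lookup_parameterized(conn, payload)),
        "hardened": hardened,
    }

if __name__ == "__main__":
    print(demo())  # the vulnerable variant returns every row; the others return none
```

The payload `x' OR '1'='1` turns the concatenated query into `... WHERE name = 'x' OR '1'='1'` and dumps the whole table; the same string bound as a parameter matches nothing. Validation alone is not the fix (the allow-list is specific to this field), but it is the cheap check that stops most malformed input before it reaches a query that some other developer may have written unsafely.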
One weak spot is all it takes
Penetration Testing for Security
Capabilities
• Verify that security policy is being met
• Outside-in testing
Benefits
• Validates against known attack scenarios
Drawbacks
• Not a complete system
• Late stage technology
• Reactive
Continuous Regression Testing
Capabilities
• Runs all existing tests on a continuous basis
• Alerts team of failures
Benefits
• Ensures that the application remains secure
• Ensures stability during change
Drawbacks
• Must keep test cases in sync
Static Analysis for Security
Capabilities
• Find real security bugs
• Low cost method
Benefits
• Detects problems early
• Trains developers by identifying problematic code
Drawbacks
• Requires proper configuration
• Flow analysis alone finds bugs but does not prevent them
Peer Code Review
Capabilities
• Facilitates high-level analysis of security and design
Benefits
• Identifies complex vulnerabilities
• Keeps team in sync
Drawbacks
• Peer code review is mostly talked about and easily delayed
Unit Testing
Capabilities
• Starts testing validation methods and verifying security functionality before the system is complete
Benefits
• Reduces the time required for validation
• Can expose potential vulnerabilities earlier than pre-production
Drawbacks
• Test cases must be kept in sync with evolving application
Application Tracing for Unit Tests
Record internal method calls inside the running application as the problem occurs
Replicate the problem in a JUnit test
Alter the JUnit test to assert the correct behavior
Possible solutions can be tested quickly without redeploying the web application
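The record-then-replay loop described on this slide, as an added example that is not the presentation's or Parasoft's tracer. It is written in Python rather than Java/JUnit so it runs stand-alone; the traced validation method, its bug (a trailing `%` in real form data) and the function names are all constructed for the illustration. `traced` stands in for the recorder, `record_failure` for the problem occurring in the running application, and `replay` for the body of the unit test that is first used to reproduce the failure and then pointed at the fix.

```python
import functools

# In-memory recording of calls; a real tracer would persist this so the capture
# can be replayed later in a unit test. (Example code, not Parasoft's tracer.)
TRACE = []

def traced(fn):
    """Record each call to fn: its arguments and either the return value or the exception."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        entry = {"fn": fn.__name__, "args": args, "kwargs": kwargs}
        try:
            result = fn(*args, **kwargs)
        except Exception as exc:
            entry["error"] = repr(exc)
            TRACE.append(entry)
            raise
        entry["result"] = result
        TRACE.append(entry)
        return result
    return wrapper

@traced
def discount_percent(user_input):
    # Constructed validation method with a constructed bug: real-world form
    # values arrive as "15%" and int() rejects the trailing '%'.
    return int(user_input)

def discount_percent_fixed(user_input):
    # Corrected version: normalize, then enforce the allowed range explicitly.
    value = user_input.strip().rstrip("%")
    if not value.isdigit() or not 0 <= int(value) <= 100:
        raise ValueError("discount must be an integer percentage 0-100")
    return int(value)

def record_failure(value="15%"):
    """Step 1: the problem occurs in the running application while tracing is on;
    returns the recorded call (real argument values plus the exception)."""
    TRACE.clear()
    try:
        discount_percent(value)
    except ValueError:
        pass
    return TRACE[-1]

def replay(entry, fn):
    """Steps 2-3: replicate the recorded call against fn (the unit-test body).
    Returns ("ok", result) or ("error", exception type name)."""
    try:
        return ("ok", fn(*entry["args"], **entry["kwargs"]))
    except Exception as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    entry = record_failure()
    print("captured:", entry)
    print("replay against buggy code:", replay(entry, discount_percent))
    print("replay against fix:", replay(entry, discount_percent_fixed))
```

The value of the recording is that the test uses the exact production argument rather than a guessed one; once the replay against the fix returns `("ok", 15)`, that call becomes the regression test's assertion, and a candidate fix can be checked against the captured input without redeploying anything.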
Runtime Error Detection
Check anti-patterns at runtime
Violations in context of real-world data values
Runtime error categories include:
• Threads and Synchronization
• Performance and Optimization
• Application Crashes
• Functional Errors
• Security
Divide & Conquer
Separate critical components
Move testing earlier
Isolate attack surfaces
Run functional tests vs. security scenarios
Virtualize to Divide and Conquer
Capture
Initiated from the system under test, the user can capture detail from a live monitor that analyzes system traffic, by analyzing transaction logs, or by modeling virtual behavior within the Parasoft Virtualize interface.
Provision
After the virtualized artifact has been captured, users instruct the details of the virtualized asset's behavior: performance, data sources and conditional response criteria. The virtualized asset is then provisioned for simplified uniform access across teams and business partners.
Test
The virtualized asset can now be called for unit, functional and performance tests. The virtualized asset can be leveraged by any test suite, including Parasoft Test.
By leveraging application behavior virtualization the team can reduce the complexity and the costs of managing multiple environments while providing ubiquitous access for development, test and training.
Service Virtualization Example (diagram)
Application Under Test → Dependent Architecture: Database, Service, Mainframe, ERP, Application, Web, Partner, Bus
Steps: 1 Define, 2 Capture, 3 Instruct, 4 Provision, 5 Consume
Other labels: Testing Application, Cloud Resource
Service Virtualization Examples
Mobile application development and extension
Agile/parallel development limited by system dependencies
Capacity-constrained staged environments
Limited access to mainframes, ERPs, or 3rd party systems
Test data management for complex transactions
Service virtualization delivers a simulated dev/test environment allowing an organization to test anytime or anywhere
Security prevention criteria
Coding Standards
• Naming/Formatting
• Quality Implementation Best Practices (Java, C++, HTML, XML, WSI, etc.)
• Documentation
Policies
• Language Security ("cloning", private member classes, etc.)
• Penetration Vulnerabilities (SQL injection, cross-site scripting, XML bombs, etc.)
• Section 508
Runtime Analysis
• Code Coverage (>80%)
• Performance (<100ms)
• Memory Issues (leaks, overwrites, etc.)
System Runtime
• Load Capabilities (how many users?)
• Connection Capabilities (how many db connections?)
Others...
Web application prevention example
Detect the error
• Load testing shows leaking connections to the database
Find the cause
• Open connections aren't being closed, causing resource leaks
Locate the point in production that caused the error
• Developer has forgotten to close db connections upon client termination
Implement preventative process
• Use a coding standard to ensure each open connection is closed before exit
Monitor the process
• Use static analysis to enforce the standard
Add regression test
• Add a test to verify the problem was fixed and doesn't return
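The whole prevention loop above carried through in code, as an added example that is not from the presentation. The deck has Java/JDBC in mind; Python's built-in sqlite3 module is used so the example runs offline, and the data-access functions, the connection-counting subclass and the checker are all constructed for this illustration. `SAMPLE_SOURCE` holds the leaky version and the fixed version of the same data-access routine; `find_unmanaged_connects` is a small AST-based rule enforcing the coding standard ("every connect() must be managed by `with closing(...)`"), which is what a static-analysis tool would run on each commit; `leaked_after` is the regression check that counts connections still open after many calls, the symptom the load test exposed.

```python
import ast
import sqlite3

# Data-access code under review (constructed for this example).  The same text
# is checked statically by find_unmanaged_connects() and executed by the
# regression check, so the standard and the test apply to identical code.
SAMPLE_SOURCE = '''
from contextlib import closing

def count_tables_leaky(connect):
    # Violation: the connection is opened but never closed.  Under load the
    # pool drains, which is how the leak showed up in load testing.
    conn = connect()
    return conn.execute("SELECT count(*) FROM sqlite_master").fetchone()[0]

def count_tables_fixed(connect):
    # Standard: every connect() is wrapped in `with closing(...)`, so close()
    # runs on every exit path, including exceptions.
    with closing(connect()) as conn:
        return conn.execute("SELECT count(*) FROM sqlite_master").fetchone()[0]
'''

class TrackedConnection(sqlite3.Connection):
    """sqlite3 connection subclass that counts connections opened but not yet
    explicitly closed, standing in for a pool's active-connection gauge."""
    live = 0

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self._closed = False
        TrackedConnection.live += 1

    def close(self):
        if not self._closed:
            self._closed = True
            TrackedConnection.live -= 1
        super().close()

def tracked_connect():
    return sqlite3.connect(":memory:", factory=TrackedConnection)

def _callee(func):
    # Name of the called function for both `connect()` and `module.connect()`.
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None

def find_unmanaged_connects(source):
    """Static enforcement of the standard: every call named connect() must be
    the argument of closing() in a `with` item.  Returns violating line numbers."""
    tree = ast.parse(source)
    managed = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.With):
            for item in node.items:
                ctx = item.context_expr
                if (isinstance(ctx, ast.Call) and _callee(ctx.func) == "closing"
                        and ctx.args and isinstance(ctx.args[0], ast.Call)):
                    managed.add(id(ctx.args[0]))
    return [node.lineno for node in ast.walk(tree)
            if isinstance(node, ast.Call) and _callee(node.func) == "connect"
            and id(node) not in managed]

def leaked_after(func, calls=50):
    """Regression check: call the data-access function repeatedly and report
    how many connections are still open afterwards (0 means no leak)."""
    TrackedConnection.live = 0
    for _ in range(calls):
        func(tracked_connect)
    return TrackedConnection.live

# Load the sample so the regression check runs the very code that was scanned.
_ns = {}
exec(SAMPLE_SOURCE, _ns)
count_tables_leaky = _ns["count_tables_leaky"]
count_tables_fixed = _ns["count_tables_fixed"]

if __name__ == "__main__":
    print("standard violations at lines:", find_unmanaged_connects(SAMPLE_SOURCE))
    print("connections leaked by leaky version:", leaked_after(count_tables_leaky))
    print("connections leaked by fixed version:", leaked_after(count_tables_fixed))
```

Two practitioner notes. First, the rule is deliberately narrow: it accepts only `with closing(connect())` because in Python's sqlite3 a plain `with conn:` commits or rolls back the transaction but does not close the connection, so a looser rule would pass code that still leaks; a production checker would also accept `try/finally: conn.close()`. Second, the dynamic check counts explicit `close()` calls rather than relying on garbage collection, because a real pool returns a connection only when the application closes it, which is exactly why the leak shows up under load and not in a single-request test.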
Misconceptions...
§ Security can be tested into the application at the end of the cycle
§ Checks only common known exploits
§ Requires coverage of all paths and possible inputs
§ End of cycle penetration testing may overlook:
§ Backdoor access
§ A difficult-to-reach section of code in the error handling routine that performs an unsafe database query
§ The lack of an effective audit trail for monitoring security functions
§ End of cycle static analysis does not consider nuances of actual operation and reports false positives
Security Policy Development
Make security-relevant decisions so individuals don't have to
Centralize and reuse security mechanisms
Coordinate security efforts
Securing An Application
§ Determine risks/threats
§ Develop countermeasures
§ Security policy development
§ Implement security policy process at code level
§ Eliminate security vulnerabilities in code
§ Static analysis
§ Test application from outside
§ Penetration testing
§ Fix code to address problems found
§ Prevent recurring problems
§ Regression testing
Current Standards
OWASP
CWE/SANS
Cigital
HIPAA
SAMATE
Oracle CERT
Microsoft Secure Coding
Security Resources
CWE – Common Weakness Enumeration • http://cwe.mitre.org
OWASP - Open Web Application Security Project • http://www.owasp.org
PCI – Payment Card Industry Security Standards • https://www.pcisecuritystandards.org
Hack.me – Community based security learning project • https://hack.me
SAMATE - Software Assurance Metrics And Tool Evaluation • http://samate.nist.gov
Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov
§ Web: http://www.parasoft.com/jsp/resources
§ Blog: http://alm.parasoft.com
§ Social
§ Facebook: https://www.facebook.com/parasoftcorporation
§ Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon
§ LinkedIn: http://www.linkedin.com/company/parasoft
§ Google+ Community: Static Analysis for Fun and Profit