
Software Security in an interconnected world

Matteo Meucci, CEO @ Minded Security – 10th November 2016

Università degli Studi di Napoli ‘’L’Orientale’’

<AGENDA>

1. Introduction to Software Security

1.1 Who uses software?

1.2 What are the risks for the end users?

1.3 What are the risks for the Companies?

2. How can a Company manage Software Security?

2.1 The OWASP standards

2.2 Software Security Processes

</AGENDA>

Who am I?

Informatics Engineer (since 2001)

Research

• OWASP contributor (since 2002)

• OWASP-Italy Chair (since 2005)

• OWASP Testing Guide Lead (since 2006)

Work

• 15+ years in Information Security, focusing on Software Security

• CEO @ Minded Security – The Software Security Company (since 2007)

1. INTRODUCTION TO SOFTWARE SECURITY

1.1 SCENARIO: WHO USES SOFTWARE?

EVERYONE IS CONNECTED!

EVERYONE USES SOFTWARE!

Users

Cyber criminals

Companies

Governments

1.2 FROM THE END USER POINT OF VIEW: WHAT ARE THE RISKS?

HOW CAN I TELL WHETHER AN APP IS SAFE OR NOT?

It's secure! It's on the store! Sure! Everyone uses it!

IS THIS APP "SECURE"?

HOW CAN I TELL WHETHER AN APPLICATION IS "SECURE"?

It's secure! Look at the lock, down on the right!

It's secure! It's Google!

Sure! The news said that it is unbreakable!

IS YOUR GOOGLE MAIL "SECURE"?

Gmail vulnerability: 2 days ago

USER risks

• Software not updated: critical risk

• Shared Software: high risk

• Implicit trust: high risk

Operating system not updated

• http://www.eweek.com/security/google-patches-39-android-vulnerabilities-in-april-update.html

Software not updated

250 million users are still running Windows XP, with software that no longer receives updates (Internet Explorer, for example). An e-mail or a web site can compromise an XP machine in a few seconds!

Shared software

Implicit Trust (e.g.: WiFi Pineapple)

• How many of you connect automatically to open Wi-Fi networks?

• How many of you think that doing so is dangerous?

• Let me show you the results of a test done at the last International Journalism Festival in Perugia

Wifi Sniffing at IJF 2016

Man-in-the-middle IJF 2016 results

Risk: disclosure of sensitive information

From an end user point of view

• Users have no perception of whether the software they use is secure or not

• Most users download everything (risk: malware), interact with everything (risk: exploitation of vulnerabilities) and trust everything (risk: disclosure of information)
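To make the IJF 2016 result concrete, here is an added example (not material from the talk nor from the Perugia test) of what a passive listener on an open Wi-Fi network, or a WiFi Pineapple sitting in the middle, recovers from one request sent in clear HTTP versus one sent over TLS. The captured bytes, the host mail.example.org, the account alice, the cookie and the credentials are all constructed for the demonstration; the decoder simply reads what the client put on the wire.

```python
"""Passive view of an open Wi-Fi network: secrets recoverable from cleartext
HTTP versus an opaque TLS record. Added example with constructed traffic,
not a capture from the IJF 2016 test.
"""
import base64
from urllib.parse import parse_qs

# Constructed capture: application-layer bytes of two client connections,
# exactly as anyone on the same open network (or a rogue AP) would see them.
CAPTURE = [
    {"dst": "203.0.113.10:80", "payload": (
        b"POST /login HTTP/1.1\r\n"
        b"Host: mail.example.org\r\n"
        b"Cookie: SESSIONID=8f3a2c91d4e6; lang=it\r\n"
        b"Authorization: Basic YWxpY2U6Y29ycmVjdCBob3JzZQ==\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 33\r\n"
        b"\r\n"
        b"user=alice&password=correct+horse")},
    # A TLS handshake record (type 0x16, version 3.x): only the destination
    # and the record framing are visible, nothing inside.
    {"dst": "203.0.113.10:443",
     "payload": b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"},
]

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ")
SESSION_COOKIE_HINTS = ("sess", "sid", "token", "auth")
PASSWORD_FIELD_HINTS = ("pass", "pwd")


def parse_http_request(payload: bytes):
    """Split a cleartext HTTP/1.x request into request line, headers and body.
    Returns None when the bytes are not an HTTP request (e.g. a TLS record)."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers,
            "body": body.decode("latin-1")}


def extract_secrets(req):
    """Everything a sniffer can reuse directly: decoded Basic credentials,
    session-looking cookies and password fields in a form body."""
    found = []
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        creds = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        found.append(("basic-credentials", creds))
    for cookie in req["headers"].get("cookie", "").split(";"):
        name, _, value = cookie.strip().partition("=")
        if any(h in name.lower() for h in SESSION_COOKIE_HINTS):
            found.append(("session-cookie", f"{name}={value}"))
    for field, values in parse_qs(req["body"]).items():
        if any(h in field.lower() for h in PASSWORD_FIELD_HINTS):
            found.append(("form-password", f"{field}={values[0]}"))
    return found


def analyze_capture(capture):
    """Per connection: the secrets disclosed in clear, or a note that the
    payload is opaque and only the destination was learned."""
    report = []
    for conn in capture:
        req = parse_http_request(conn["payload"])
        if req is None:
            report.append({"dst": conn["dst"], "cleartext": False, "secrets": []})
        else:
            report.append({"dst": conn["dst"], "cleartext": True,
                           "secrets": extract_secrets(req)})
    return report


if __name__ == "__main__":
    for entry in analyze_capture(CAPTURE):
        print(entry)
```

The first connection yields the account password twice (once in the Basic header, once in the form body) plus a session cookie that can be replayed without any password at all; the second yields nothing beyond the destination host and port. That asymmetry is the whole argument for refusing to send anything over an untrusted network except through TLS.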

1.3 FROM A COMPANY POINT OF VIEW

Actors

User: who uses the software

Ministry of Informatics: who buys the software

Development teams (internal/external): who develops the software

Press conference for the launch of the service

Now you can take advantage of a new service on the portal of the Ministry of Informatics

Fantastic!! Congratulations!!

The day after…

Users access the portal…

John Black – 12/12/1970 – [email protected]

White – 10/09/1982 – [email protected]

Red – 09/02/1960 – [email protected]

Users access the portal…

Uh oh... I've found a problem...

Some days after…

The reactions…

Ohh... how was it possible? It's the developers' fault!

But that's impossible!? We followed all your instructions!

If you do not ask for security, no one will develop secure software

• Vulnerabilities in the software development process are to be expected.

• Controlling security bugs and flaws in the software should be considered part of the software development process.

SOFTWARE SECURITY PRINCIPLES

2. HOW CAN A COMPANY MANAGE "SECURE SOFTWARE”?

2.1 THE OWASP STANDARDS

• The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit, also registered in Europe as a worldwide charitable organization, focused on improving the security of software.

• Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.

• Everyone is welcomed to participate in OWASP and all of our materials are available under free and open software licenses.

OWASP

BUILD SECURE SOFTWARE

TOP 10 PROACTIVE CONTROLS (BUILDERS)

1. Parameterize Queries

2. Encode Data

3. Validate All Inputs

4. Implement Appropriate Access Controls

5. Establish Identity and Authentication Controls

6. Protect Data and Privacy

7. Implement Logging, Error Handling and Intrusion Detection

8. Leverage Security Features of Frameworks and Security Libraries

9. Include Security-Specific Requirements

10. Design and Architect Security In

Project leaders: [email protected]@[email protected]
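The first three controls are the ones a developer can apply in the next commit, so here is an added example (not code from the talk or from the OWASP project) that shows them side by side on a small SQLite login table: the string-built query that an attacker bypasses, the parameterised query that closes the hole, allow-list validation of the username, and output encoding before the name is reflected into HTML. The table, the accounts, the regular expression and the payloads are constructed for the demonstration; passwords are stored in clear only to keep the injection visible, which control 5 would never allow in real code.

```python
"""Controls 1-3 of the OWASP Top 10 Proactive Controls on a toy login table:
parameterised queries, output encoding and input validation.
Added example with constructed data, not code from the talk.
"""
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a throwaway in-memory database, two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users (name, pw) VALUES (?, ?)",
                     [("alice", "correct horse"), ("admin", "s3cret!")])
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, pw: str):
    """Query built by string concatenation: user input becomes SQL syntax."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name: str, pw: str):
    """Control 1: placeholders keep code and data apart. The driver binds the
    values, so quotes and comment markers in the input are only bytes."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    row = conn.execute(sql, (name, pw)).fetchone()
    return row[0] if row else None


# Constructed allow-list for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def validate_username(name: str) -> bool:
    """Control 3: positive (allow-list) validation of the input's shape.
    Defence in depth on top of control 1, not a replacement for it."""
    return bool(USERNAME_RE.fullmatch(name))


def render_greeting(name: str) -> str:
    """Control 2: encode for the output context (HTML body) before reflecting."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


# Constructed attacker payloads. The first turns the rest of the WHERE clause
# into a comment, so the password check disappears from the query.
INJECTION_NAME = "admin' -- "
XSS_NAME = "<script>alert(1)</script>"


def demo() -> dict:
    """Run both logins against the same payloads and collect the outcomes."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, INJECTION_NAME, "wrong"),
        "parameterized_bypassed": login_parameterized(conn, INJECTION_NAME, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "correct horse"),
        "username_valid": validate_username("alice"),
        "injection_rejected": validate_username(INJECTION_NAME),
        "encoded": render_greeting(XSS_NAME),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the concatenated query the attacker logs in as admin with a wrong password; with the bound parameters the same payload is just a username that does not exist. Validation rejects the payload before it ever reaches the database, and encoding turns the script tag into inert text, which is why the three controls are listed together rather than as alternatives.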

Hack your code!

www.owasp.org/index.php/Code_Review_Guide

CODE REVIEW GUIDE (BREAKERS)

• Most comprehensive open source secure code review guide on the web

• Years of development effort

• Version 2 alpha, 2016

• Numerous contributors

• Project Leader and Editor

[email protected]

TESTING GUIDE (BREAKERS)

www.owasp.org/index.php/Testing_Guide

• Most comprehensive open source secure testing guide on the web

• Years of development effort

• Version 4.0 produced in 2014

• Hundreds of contributors

• Project Leaders and Editors: Matteo Meucci, Andrew Muller

[email protected], [email protected]

Fight with the same weapons (knowledge)

2.2 HOW TO USE THE OWASP STANDARDS IN YOUR PROCESSES

Roles and responsibilities

Phases: Define → Design → Develop → Deploy → Maintain

Define

• Risk Assessment: Business Analyst, Security Manager

• Secure Requirements: Business Analyst, AppSec Specialist

Design

• Secure Design: Business Analyst, Software Architect, AppSec Specialist

• Threat Modeling: Security Manager, Application Owner

• Secure Architecture: Software Architect, Security Manager

• Design Review: Security Manager

Develop

• Secure Development: Developer

• SCR and WAPT (Secure Code Review and Web Application Penetration Testing): AppSec Specialist

• Fixing: Developer

Deploy

• Software Acceptance: Security Manager, Application Owner

• Secure Installation: System Administrator

• Hardening: System Administrator

Maintain

• Web Intrusion Monitoring: AppSec Specialist, Security Manager

• Change Management: Application Owner, Developer

Software Security Maturity

Phases: Define → Design → Develop → Deploy → Maintain

Define: Risk Assessment, Secure Requirements

Design: Secure Design, Threat Modeling, Secure Architecture, Design Review

Develop: Secure Development, Secure Code Review, Fixing

Deploy: Application Penetration Testing, Software Acceptance, Secure Installation, Hardening

Maintain: Web Intrusion Monitoring, Change Management

Source: Minded Security – Results of 12 SAMM assessments from 2012 to 2015

[Chart: percentage of the 12 assessed organisations performing each activity. The values as extracted from the slide, in reading order, are 20%, 60%, 30%, 10%, 30%, 30%, 60%, 40%, 30%, 90%, 30%, 50%, 60%, 40%, 40%; the activity-to-value mapping is not recoverable from the transcript.]

OWASP resources into your SDLC

If you do not ask for security, no one will develop secure software

Use the OWASP Software Contract Annex to regulate your outsourcer contracts

If you do not know the application threats, you will develop insecure software

Use the OWASP Top 10 for general awareness

Use the CISO Guide for management's awareness

Vulnerabilities in the software development process are to be expected

Use the OWASP Building Guide and ESAPI to write more secure software

Use the OWASP Secure Code Review Guide to review the code

Use the OWASP Testing Guide to test your application

OWASP resources into your SDLC

The fixing process is the most important step of the software security process

Retest your application after a bug fix or a new release to be sure that the right implementations are in place

How can I manage Software Security Governance?

Use OWASP SAMM to assess your maturity and to build an Application Security Program to manage the SDLC

CONCLUSIONS

NEXT STEPS: WHAT IS MISSING TODAY?

• Awareness of Software Security! From developers to analysts, application owners and management.

• Hire Information Security managers: an Application Security manager and Privacy Security managers

• Software Security Program: without a program and assigned responsibilities it is difficult to manage Software Security.

QUESTIONS?

WWW.MINDEDSECURITY.COM

[email protected]

THANKS!