running a software security program with open source tools

© 2015 Denim Group – All Rights Reserved Running a Software Security Program on Open Source Tools Dan Cornell CTO, Denim Group @ danielcornell

Upload: denim-group

Post on 28-Jul-2015


Page 1: Running a Software Security Program with Open Source Tools

Running a Software Security Program on Open Source Tools

Dan Cornell, CTO, Denim Group
@danielcornell

Page 2: My Background

• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio

Page 3: Denim Group Background

• Secure software services and products company
  • Builds secure software
  • Helps organizations assess and mitigate risk of in-house developed and third party software
  • Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
  • Application security experts are practicing developers
  • Development pedigree translates to rapport with development managers
  • Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
  • Develops open source tools to help clients mature their software security programs
    • Remediation Resource Center, ThreadFix
  • OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
  • World class alliance partners accelerate innovation to solve client problems

Page 4: Agenda

• So You Want To Roll Out a Software Security Program?
• Software Assurance Maturity Model (OpenSAMM)
• Components Of Your Software Security Program
  • Governance
  • Construction
  • Verification
  • Deployment
• Conclusions / Questions

Page 5: So You Want To Roll Out a Software Security Program?

• Great!
• What a software security program ISN'T
  • Question: "What are you doing to address software security concerns?"
  • Answer: "We bought scanner XYZ"
• What a software security program IS
  • People, process, tools (naturally)
  • Set of activities intended to repeatedly produce appropriately-secure software

Page 6: Challenges Rolling Out Software Security Programs

• Resources
  • Raw budget and cost issues
  • Level of effort issues
• Resistance: requires organizational change
  • Apparently people hate this
• Open source tools
  • Can help with raw budget issues
  • May exacerbate problems with level of effort
• View the rollout as a multi-stage process
  • Not one magical effort
  • Use short-term successes and gains to fuel further change

Page 7: Software Assurance Maturity Model (OpenSAMM)

• Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization
• Useful for:
  • Evaluating an organization's existing software security practices
  • Building a balanced software security program in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities within an organization
• Main website: http://www.opensamm.org/

Page 8: Using OpenSAMM You Can…

• Evaluate an organization's existing software security practices
• Build a balanced software security assurance program in well-defined iterations
• Demonstrate concrete improvements to a security assurance program
• Define and measure security-related activities throughout an organization

[This slide content © Pravir Chandra]

Page 9: Drivers for a Maturity Model

• An organization's behavior changes slowly over time
  • Changes must be iterative while working toward long-term goals
• There is no single recipe that works for all organizations
  • A solution must enable risk-based choices tailored to the organization
• Guidance related to security activities must be prescriptive
  • A solution must provide enough details for non-security people
• Overall, must be simple, well-defined, and measurable

[This slide content © Pravir Chandra]

Page 10: Therefore, a Viable Model Must...

• Define building blocks for an assurance program
  • Delineate all functions within an organization that could be improved over time
• Define how building blocks should be combined
  • Make creating change in iterations a no-brainer
• Define details for each building block clearly
  • Clarify the security-relevant parts in a widely applicable way (for any org doing software dev)

[This slide content © Pravir Chandra]

Page 11: Understanding the Model

[This slide content © Pravir Chandra]

Page 12: SAMM Business Functions

• Start with the core activities tied to any organization performing software development
• Named generically, but should resonate with any developer or manager

[This slide content © Pravir Chandra]

Page 13: SAMM Security Practices

• From each of the Business Functions, 3 Security Practices are defined
• The Security Practices cover all areas relevant to software security assurance
• Each one is a 'silo' for improvement

[This slide content © Pravir Chandra]

Page 14: Discussion: Tools

• Commercial tools in use?
• Free / open source tools in use?
• What tool implementations have been successful?
• What tool implementations have been less successful?
  • Why?
• What is your interest in using open source tools for software security?

Page 15: Why Use Free / Open Source Tools?

• They're FREE!
  • No per-user license fees
• Can be customized
  • Don't like the way a feature works – improve it!

Page 16: As a Project Maintainer…

Page 17: Potential Disadvantages of Free Tools

• Often less mature than commercial analogs
  • Application and software security are new when compared to other disciplines
  • Open source tools lag in a number of areas
• Task-focused rather than program-focused
  • Geared toward testing a single application rather than a portfolio of applications

Page 18: Discussion: Organizational Concerns

• Does your organization allow the use of open source tools?
• What restrictions are placed on the use of free / open source tools?
  • Only certain licenses allowed
  • Each tool / library must have a sponsor

Page 19: Open Source Tool Usage – Best Practices

• Maintain a relationship with the project lead / development community
  • How responsive are they?
  • Good to have a relationship for escalating issues
• Consider commercial support
  • If available
  • When it makes sense
• Give back
  • Installation instructions for your platform(s)
  • Other documentation opportunities
  • Code updates – if possible / desirable

Page 20: ThreadFix - Overview

• ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
• Freely available under the Mozilla Public License (MPL)
• Hosted at GitHub: https://github.com/denimgroup/threadfix

Page 21: OpenSAMM: Governance

• Strategy and Metrics
• Policy and Compliance
• Education and Guidance

Page 22: Governance: Strategy and Metrics

• Overall strategic direction of the assurance program
• How are processes instrumented?
• How are measurements taken?

Page 23: ThreadFix: Reporting

• Can be done at multiple levels:
  • Enterprise-wide
  • Team
  • Individual application
• Reports for:
  • Vulnerability count trending
  • Progress – vulnerability resolution and timelines
  • Scanner effectiveness
  • Frequency of scanning across the portfolio
• Will revisit ThreadFix reporting later in the course for examples
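The metrics the two preceding slides ask for (how measurements are taken; count trending, resolution timelines and scan frequency, scoped enterprise-wide, per team or per application) need only a few fields per finding. The following is an added example, not ThreadFix code: the finding and scan records are constructed, and the field layout (app, team, severity, opened, closed) is an assumption of the example.

```python
from datetime import date

# Constructed sample findings: (app, team, severity, opened, closed-or-None), ISO dates.
VULNS = [
    ("billing",  "payments", "High",   "2015-01-10", "2015-02-20"),
    ("billing",  "payments", "Medium", "2015-01-10", None),
    ("portal",   "web",      "High",   "2015-02-01", "2015-02-11"),
    ("portal",   "web",      "Low",    "2015-03-05", None),
    ("intranet", "web",      "High",   "2015-03-15", None),
]
# Constructed scan history: app -> dates on which a scan was imported.
SCANS = {
    "billing":  ["2015-01-10", "2015-03-01"],
    "portal":   ["2015-02-01", "2015-03-05"],
    "intranet": ["2015-03-15"],
}

def _d(s):
    return date.fromisoformat(s)

def open_count_on(day, vulns=VULNS, team=None, app=None):
    """Findings open on `day`; scope is enterprise-wide unless team or app is given."""
    day = _d(day)
    return sum(1 for a, t, _sev, opened, closed in vulns
               if _d(opened) <= day and (closed is None or _d(closed) > day)
               and (team is None or t == team) and (app is None or a == app))

def trend(days, vulns=VULNS, **scope):
    """Vulnerability count trending: open count at each reporting date."""
    return [(day, open_count_on(day, vulns, **scope)) for day in days]

def mean_time_to_fix_days(vulns=VULNS, severity=None):
    """Progress metric: average days from discovery to closure (None if nothing closed)."""
    durations = [(_d(closed) - _d(opened)).days for _, _, sev, opened, closed in vulns
                 if closed is not None and (severity is None or sev == severity)]
    return sum(durations) / len(durations) if durations else None

def days_since_last_scan(today, scans=SCANS):
    """Scan frequency across the portfolio: age of each application's newest scan."""
    today = _d(today)
    return {app: (today - max(_d(s) for s in dates)).days for app, dates in scans.items()}

def stale_apps(today, max_age_days, scans=SCANS):
    """Applications whose newest scan is older than the policy window."""
    return sorted(app for app, age in days_since_last_scan(today, scans).items()
                  if age > max_age_days)
```

The point of keeping scope as a parameter is that the same three functions answer the enterprise, team and application questions; a portfolio report is a loop over `stale_apps` and `trend` rather than a separate report per level.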

Page 24: Governance: Policy and Compliance

• What compliance regimes are your organizations and applications subject to?
  • PCI
  • HIPAA
  • SOX
• What policies will you put in place to meet these obligations?

Page 25: SimpleRisk

• Governance Risk and Compliance (GRC)
• http://www.simplerisk.org/
• Created by Josh Sokol

Page 26: Governance: Education and Guidance

• Software security requires the input of a variety of stakeholders
• Software security is a relatively new area of study
  • Many of the involved parties (i.e. software developers) have never been exposed
• You cannot hold people responsible if they have not been properly trained

Page 27: Governance: Education and Guidance

• Variety of potential consumers
  • Executives / Management
  • Developers
  • Quality Assurance (QA)
  • Security Testers
• Need for information at several levels
  • Introduction / overview
  • Topic-specific
  • Technology-specific
• Several ways to deliver guidance and training
  • Self-serve portal
  • Instructor-led training
  • E-Learning

Page 28: OWASP Development Guide

• Provides guidance to developers on how to build secure applications
• Attempts to cover broad topics with some technology-specific examples
• Several translations: English, Spanish, Japanese
• Originally released in 2001, revised in 2005
  • Somewhat dated
• Currently undergoing a significant rewrite
• Main site: https://www.owasp.org/index.php/OWASP_Guide_Project

Page 29: OWASP Cheat Sheets

• Provide targeted, consumable guidance on specific topics or technologies
  • Authentication
  • Transport layer protection
  • Input validation
  • Session management
  • And so on…
• Tend to be "fresher" than the related sections in the Development Guide
  • Also easier to provide to developers for use
• Main site: https://www.owasp.org/index.php/Cheat_Sheets

Page 30: OWASP Secure Coding Practices Quick Reference Guide

• Technology agnostic set of general software security coding practices
• Consumable
  • ~17 pages long
  • Checklist format
• Main site: https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

Page 31: OWASP WebGoat - Overview

• Deliberately insecure JEE web application
• Presented as a series of lessons
  • SQL injection
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • Hidden form manipulation
  • And so on…
• Main site: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Page 32: OpenSAMM: Construction

• Threat Assessment
• Security Requirements
• Secure Architecture

Page 33: Construction: Threat Assessment

• Identify and characterize potential attacks
  • These will determine investment level and required countermeasures
• WHO do you need to be worried about?
  • Nation-states
  • Chaotic actors
  • Organized crime
  • And so on…

Page 34: Construction: Security Requirements

• Up-front determination of required security properties of the system
• Drive future activities

Page 35: Construction: Secure Architecture

• Use the design process to:
  • Build in security controls
  • Avoid injecting security issues
• Threat modeling
• Architectural risk analysis

Page 36: ESAPI - Overview

• Enterprise Security API (ESAPI)
• Open source web application security control library
• Several languages available: JavaEE, .NET, PHP, Classic ASP, etc.
  • WIDE variation in maturity and support
  • Stick to Java unless you are very brave (and even then)
• Main site: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Page 37: Microsoft Web Protection Library - Overview

• Set of .NET assemblies which help protect web applications
• AntiXSS encoding library
  • Encoding functions for HTML, HTML attributes, XML, etc.
  • HTML sanitization routines (for "safely" accepting rich content)
• Security Runtime Engine (SRE)
  • Provides runtime protection against SQL injection and Cross-Site Scripting (XSS)
• Sites:
  • http://wpl.codeplex.com/
  • https://www.microsoft.com/en-us/download/details.aspx?id=28589

Page 38: OpenSAMM: Verification

• Design Review
• Code Review
• Security Testing

Page 39: Verification: Design Review

• Incorporate security into review of architecture/design materials
• Were the previous assurance activities successful?

Page 40: Microsoft Threat Analysis and Modeling Tool - Overview

• Create threat models for your applications
  • Identify potential issues
  • Plan for mitigations
• Requires Visio 2007 or 2010
• Main site: http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx

Page 41: Mapping Threats to Data Flow Asset Types

Threat                        External Interactor   Process   Data Flow   Data Store
S – Spoofing                  Yes                   Yes
T – Tampering                                       Yes       Yes         Yes
R – Repudiation               Yes                   Yes                   Yes
I – Information Disclosure                          Yes       Yes         Yes
D – Denial of Service                               Yes       Yes         Yes
E – Elevation of Privilege                          Yes

Page 42: Verification: Code Review

• Review software artifacts "at-rest"
  • Can be both automated and manual
• Reach and frequency
  • How much of your software is subject to review?
  • How thorough is the analysis?
  • How often is it performed?

Page 43: Static Analysis

• Source Code Scanning
• Manual Code Reviews
• Advantages
  • Identifies flaws during integration, when it is easier to address issues
  • Developers can identify flaws in their own code before checking it in
  • Many projects already have a code review process in-place
• Disadvantages
  • Freeware tools often do not address security well (specifically dataflow analysis)
  • Licensed tools are a significant investment
  • Manual review can be unstructured and time-consuming without licensed tools
  • Not ideal for discovering logical vulnerabilities

Page 44: Static Analysis Tools

• Commercial Tools
  • Fortify (now HP)
  • Ounce (now IBM Rational)
  • Checkmarx
  • Veracode (SaaS)
• Freeware Tools
  • RATS/Flawfinder – C/C++, Python, PHP
  • FindBugs – Java
  • PMD – Java
  • FxCop – .NET
  • Brakeman – Ruby on Rails

Page 45: FindBugs - Overview

• Freely-available binary static analysis tool for Java
• Main site: http://findbugs.sourceforge.net/

Page 46: FxCop - Overview

• Free static analysis tool from Microsoft
• Integrated into Visual Studio
• Similar capabilities to FindBugs (but for .NET)
• Blog: http://blogs.msdn.com/b/codeanalysis/

Page 47: CAT.NET - Overview

• Free static analysis tool from Microsoft
• Does dataflow analysis (rare among the free tools)
• Version 1: http://www.microsoft.com/en-us/download/details.aspx?id=19968
• Version 2: http://blogs.msdn.com/b/securitytools/archive/2010/02/04/cat-net-2-0-beta.aspx
• Dinis Cruz has done some interesting work with CAT.NET and O2
  • https://www.owasp.org/index.php/OWASP_O2_Platform/Microsoft/CAT.NET
• Plans for future development are not clear

Page 48: Brakeman - Overview

• Security scanner for Ruby on Rails applications
• Static analysis
  • Finds things like SQL injection and XSS
  • Also checks for certain CVE-type vulnerabilities
• Main site: http://brakemanscanner.org/

Page 49: Agnitio - Overview

• Tool for supporting manual code reviews
• Set of checklists to verify security controls
• Some grep-like search capabilities
• Main site: http://sourceforge.net/projects/agnitiotool/

Page 50: DependencyCheck – Overview

• Checks for out-of-date JAR libraries with known CWE issues
• Looks beyond JAR hashes
• We used it to find a vulnerable library used by ThreadFix
  • Apache POI library
  • http://web.nvd.nist.gov/view/vuln/search-results?cpe=cpe%3A%2Fa%3Aapache%3Apoi%3A3.7&page_num=0&cid=1
• Main site: https://github.com/jeremylong/DependencyCheck
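"Looks beyond JAR hashes" is the important property: two builds of the same library version have different file hashes, so a hash list misses any rebuilt or repackaged JAR, whereas the Maven coordinates embedded in `META-INF/maven/<group>/<artifact>/pom.properties` identify the library regardless of the bytes around it. The following added example builds small JARs in memory, identifies them by coordinates rather than by hash, and matches them against a version range. It is not DependencyCheck's code, and the advisory table is constructed for illustration (the affected range and the advisory id are placeholders, not taken from NVD).

```python
import hashlib
import io
import zipfile

def build_jar(group, artifact, version, extra_bytes=b""):
    """Construct a minimal JAR in memory: a zip with a manifest and Maven pom.properties.
    extra_bytes lets two 'builds' of the same version differ byte-for-byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                   f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        z.writestr("Dummy.class", b"\xca\xfe\xba\xbe" + extra_bytes)
    return buf.getvalue()

def coordinates(jar_bytes):
    """(groupId, artifactId, version) from the embedded pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = dict(line.split("=", 1)
                             for line in z.read(name).decode().splitlines() if "=" in line)
                return props["groupId"], props["artifactId"], props["version"]
    return None

def version_tuple(v):
    """Numeric-aware comparison key: '3.10' sorts after '3.9'."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

# Constructed advisory table: (groupId, artifactId, introduced, fixed, advisory id).
# Range and id are illustrative placeholders only.
ADVISORIES = [
    ("org.apache.poi", "poi", "3.0", "3.8", "EXAMPLE-ADVISORY-1"),
]

def known_vulns(jar_bytes, advisories=ADVISORIES):
    """Advisory ids whose [introduced, fixed) range contains the JAR's version."""
    coords = coordinates(jar_bytes)
    if coords is None:
        return []
    group, artifact, version = coords
    ver = version_tuple(version)
    return [aid for g, a, lo, hi, aid in advisories
            if (g, a) == (group, artifact) and version_tuple(lo) <= ver < version_tuple(hi)]

def sha1(data):
    return hashlib.sha1(data).hexdigest()
```

Real JARs may lack `pom.properties` (shaded or hand-built artifacts), which is why tools that do this well also fall back to manifest entries, file names and class package names as evidence; the example stops at the first and most reliable source.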

Page 51: Verification: Security Testing

• Runtime testing for security vulnerabilities
• Web applications: automated scanners, web proxies
• Other applications: fuzzing, protocol analysis

Page 52: Dynamic Analysis

• Integrate abuse cases into unit and automated testing
• Use application scanning tools
• Perform a dedicated penetration test by security staff or a 3rd party
• Advantages
  • Generally more time-efficient than manual code review
  • Good for discovering logical vulnerabilities
• Disadvantages
  • Requires fully functional features to test
  • Security staff may not have application security training or experience
  • Scanning tools may have difficulty with unusual applications
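The previous slide lists fuzzing for non-web applications and this one asks for abuse cases in automated testing; a small mutation fuzzer wired into the test suite covers both for any parser the team owns. The following is an added example, not code from any tool on the slides: the record format, the buggy and hardened parsers, and the mutation strategies are all constructed for illustration. The harness treats the parser's own `ValueError` as a correct rejection and anything else as a defect worth a bug report.

```python
import random

def xor_all(data: bytes) -> int:
    x = 0
    for b in data:
        x ^= b
    return x

def encode_record(payload: bytes) -> bytes:
    """Constructed format: 1 length byte, payload, 1 XOR checksum byte."""
    return bytes([len(payload)]) + payload + bytes([xor_all(payload)])

def parse_record_buggy(buf: bytes) -> bytes:
    """Trusts the length byte; a truncated or lengthened input indexes past the end."""
    n = buf[0]
    payload = buf[1:1 + n]
    checksum = buf[1 + n]             # IndexError when len(buf) < n + 2
    if checksum != xor_all(payload):
        raise ValueError("bad checksum")
    return payload

def parse_record_hardened(buf: bytes) -> bytes:
    """Validates every length before indexing; rejects with ValueError only."""
    if len(buf) < 2:
        raise ValueError("too short")
    n = buf[0]
    if len(buf) != n + 2:
        raise ValueError("length mismatch")
    payload = buf[1:1 + n]
    if buf[1 + n] != xor_all(payload):
        raise ValueError("bad checksum")
    return payload

def mutate(seed: bytes, rng: random.Random, i: int) -> bytes:
    """Cycle through three strategies so each is exercised: bit flip, byte insert, truncate."""
    data = bytearray(seed)
    kind = i % 3
    if kind == 0:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif kind == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:
        data = data[:rng.randrange(len(data))]       # drop the tail, possibly all of it
    return bytes(data)

def fuzz(parser, seed: bytes, iterations: int = 200, rng_seed: int = 1):
    """Return the first crashing input as a dict, or None if the parser only ever
    rejects cleanly. Seeded RNG keeps the run reproducible in CI."""
    rng = random.Random(rng_seed)
    for i in range(iterations):
        candidate = mutate(seed, rng, i)
        try:
            parser(candidate)
        except ValueError:
            continue                  # expected rejection path
        except Exception as exc:      # anything else is a defect: record and stop
            return {"input": candidate, "error": type(exc).__name__, "iteration": i}
    return None
```

Dropping `fuzz(parse_record_hardened, ...)` into a unit test as an assertion that it returns `None` turns the abuse case into a regression test: a future edit that removes a length check fails the build at the same iteration every time because the RNG seed is fixed.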

Page 53: Dynamic Analysis Tools

• Automated Tools
  • IBM Rational AppScan
  • HP WebInspect
  • Acunetix Vulnerability Scanner
  • Netsparker
• Manual Testing
  • Zed Attack Proxy
  • Burp
  • Google RatProxy
  • Browser plugins
  • Testing Scripts – Watir
  • Load and Performance testing tools – JMeter, Grinder

Page 54: Arachni - Overview

• Open source automated web application scanner
• Written in Ruby
• Can be deployed in a "grid" format for faster scanning
• Uses several different types of analysis to identify vulnerabilities
  • Fuzzing
  • Taint analysis
  • Time analysis
• Main site: http://arachni-scanner.com/

Page 55: w3af - Overview

• Open source automated web application scanner
• Written in Python
• Main site: http://w3af.sourceforge.net/

Page 56: OWASP ZAProxy - Overview

• Open source web proxy and web application scanner
• Supports both manual and automated assessment
• Fork of Paros Proxy
• Exposes RESTful API
• Main site: http://code.google.com/p/zaproxy/

Page 57: Skipfish - Overview

• Fast web application scanner written in C
• Maintained by Google
• Does a lot of file/directory guessing by default
• Main site: https://code.google.com/p/skipfish/

Page 58: OpenSAMM: Deployment

• Vulnerability Management
• Environment Hardening
• Operational Enablement

Page 59: Deployment: Vulnerability Management

• Process for managing vulnerabilities in both internal and external software
• Goal is consistency
• Use data from vulnerability handling to improve processes
  • Decrease number and severity of future vulnerabilities
  • Decrease time-to-fix

Page 60: Turning Vulnerabilities Into Software Defects

• Security teams talk about "vulnerabilities"
• Software developers talk about "defects"
• Developers Don't Speak PDF
  • http://blog.denimgroup.com/denim_group/2012/11/hey-security-teams-developers-dont-speak-pdf.html
• Why should developers manage 90% of their workload in defect trackers
  • And the magic, special "security" part of their workload … some other way?
• ThreadFix lets you slice, dice and bundle vulnerabilities into software defects
  • And track their remediation status over time to schedule re-scans

Page 61: ThreadFix: Defect Tracker Integration

• Turn vulnerabilities that security staff care about into software bugs that developers know how to handle
• Bundle multiple vulnerabilities into a single defect
• How to organize?
  • By severity
  • By type
  • By location in the application
  • Some combination
• When the defect status changes you can schedule re-scans
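The bundling and re-scan workflow of the last two slides is a small state machine: group findings by some combination of severity, type and location into one defect per application, and when a defect is marked resolved, queue a verification scan whose result either closes the defect or reopens it. The following is an added example of that workflow, not ThreadFix code; the record shapes, grouping rules, defect keys and status names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Vuln:
    id: int
    app: str
    severity: str      # Critical / High / Medium / Low
    vuln_type: str     # e.g. "SQL Injection"
    path: str          # location in the application

@dataclass
class Defect:
    key: str
    app: str
    title: str
    vuln_ids: list
    status: str = "Open"

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Grouping keys a reviewer can combine; "location" groups by top-level path segment.
GROUPERS = {
    "severity": lambda v: v.severity,
    "type": lambda v: v.vuln_type,
    "location": lambda v: v.path.strip("/").split("/")[0],
}

def bundle(vulns, by=("severity", "type"), min_severity="Low"):
    """One defect per application per distinct combination of the chosen keys."""
    groups = defaultdict(list)
    for v in vulns:
        if SEVERITY_RANK[v.severity] < SEVERITY_RANK[min_severity]:
            continue                              # below the bar for a ticket
        groups[(v.app,) + tuple(GROUPERS[k](v) for k in by)].append(v)
    counters, defects = defaultdict(int), []
    for key, members in sorted(groups.items()):
        app, *parts = key
        counters[app] += 1
        defects.append(Defect(
            key=f"{app.upper()}-{counters[app]}", app=app,
            title=f"[Security] {' / '.join(parts)} ({len(members)} finding(s))",
            vuln_ids=[v.id for v in members]))
    return defects

class RescanScheduler:
    """Tracks defect status changes and the verification scans they trigger."""
    def __init__(self, defects):
        self.defects = {d.key: d for d in defects}
        self.queue = []                           # (app, vuln_ids) awaiting a re-scan

    def update_status(self, key, new_status):
        d = self.defects[key]
        d.status = new_status
        if new_status == "Resolved":              # developer says fixed: verify it
            self.queue.append((d.app, list(d.vuln_ids)))

    def apply_rescan(self, app, still_present):
        """Feed back a verification scan: persisting findings reopen their defect."""
        self.queue = [q for q in self.queue if q[0] != app]
        for d in self.defects.values():
            if d.app == app and d.status == "Resolved":
                d.status = "Reopened" if set(d.vuln_ids) & set(still_present) else "Closed"

# Constructed sample findings.
SAMPLE = [
    Vuln(1, "portal", "High", "SQL Injection", "/account/login"),
    Vuln(2, "portal", "High", "SQL Injection", "/account/search"),
    Vuln(3, "portal", "Medium", "XSS", "/help/index"),
    Vuln(4, "billing", "Low", "Info Leak", "/about"),
]
```

Choosing the grouping keys is the policy decision the slide asks about: grouping by type gives one ticket a developer can fix with one pattern across the codebase, grouping by location matches how teams own code, and `min_severity` keeps low-value noise out of the tracker entirely.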

Page 62: Deployment: Environment Hardening

• Attackers do not care about applications – attacking infrastructure might be just as effective and valuable for them
• Controls for operating environments:
  • Reduce vulnerabilities in the infrastructure
  • Enable logging and tracking

Page 63: Microsoft Baseline Security Analyzer (MBSA) - Overview

• Runs standard checks on Windows Workstations and Servers
  • Internet Explorer
  • IIS
  • SQL Server
• Checks registry and file settings
• 2.2 Downloads: http://www.microsoft.com/en-us/download/details.aspx?id=7558

Page 64: Deployment: Operational Enablement

• How do you install, configure and run your applications?
  • Also updates and upgrades
• Runtime checks and logging for intrusion detection and incident response
  • John Dickson has done some work in this area
  • http://www.slideshare.net/denimgroup/top-strategies-to-capture-security-intelligence-for-applications

Page 65: Continuous Integration and Security Testing

• Reduce the time between introducing security defects and knowing about them
• Free tools mean that any project can be instrumented
  • No licensing fees
• ThreadFix has a REST-based API and command-line client for scripting

Page 66: mod_security - Overview

• Open source web application firewall engine
• Also has a Core RuleSet (CRS)
• Traditionally has been Apache-only
  • Runs as an Apache module (mod_security)
  • Recently announced both IIS and Nginx support
• Main site: http://www.modsecurity.org/

Page 67: Recap

• A software security program is more than a tool or set of tools
  • But tools help provide automation and facilitate scale
• OpenSAMM is a maturity model that can be used as a framework for building and advancing software security programs
• Open source tools exist to support many key activities in a software security program
• Build and maintain relationships with the open source projects you use

Page 68: Conclusions / Questions

Dan Cornell
[email protected]
Twitter: @danielcornell
www.denimgroup.com
www.denimgroup.com/threadfix
code.google.com/p/threadfix
(210) 572-4400