
Page 1: Secure and resilient software development · AN AUERBACH BOOK. Contents Preface xvii HowThis BookIs Organized xviii AbouttheAuthors xxi Acknowledgments xxiii Chapter 1 HowDoesSoftwareFail

Secure and Resilient Software Development

Mark S. Merkow

Lakshmikanth Raghavan

CRC Press
Taylor & Francis Group
Boca Raton London New York

CRC Press is an imprint of the Taylor & Francis Group, an Informa business

AN AUERBACH BOOK

Contents

Preface xvii

How This Book Is Organized xviii

About the Authors xxi

Acknowledgments xxiii

Chapter 1 How Does Software Fail Thee? Let Us Count the Ways 1

1.1 Vulnerabilities Abound 2

1.1.1 Security Flaws Are Omnipresent 3

1.1.2 Cars Have Their Share of Computer Problems Too 5

1.2 Tracing the Roots of Defective Software 7

1.3 What Are the True Costs of Insecure Software to Global Enterprises? 8

1.4 Addressing Security Questions Addresses Resilience 10

1.5 References 11

Chapter 2 Characteristics of Secure and Resilient Software 13

2.1 Functional Versus Nonfunctional Requirements 13

2.2 Testing Nonfunctional Requirements 15

2.3 Families of Nonfunctional Requirements 17

2.4 Availability 18

2.5 Capacity 19

2.6 Efficiency 20

2.7 Interoperability 20

2.8 Manageability 21

2.9 Cohesion 21

2.10 Coupling 22

2.11 Maintainability 22

2.12 Performance 23

2.13 Portability 23

2.14 Privacy 24

2.15 Recoverability 25

2.16 Reliability 26

2.17 Scalability 27

2.18 Security 27

2.19 Serviceability/Supportability 29

2.20 Characteristics of Good Requirements 30

2.21 Eliciting Nonfunctional Requirements 32

2.22 Documenting Nonfunctional Requirements 33

2.23 References 34

Chapter 3 Security and Resilience in the Software Development Life Cycle 37

3.1 Resilience and Security Begin from Within 37

3.2 Requirements Gathering and Analysis 39

3.3 Systems Design and Detailed Design 40

3.3.1 Functional Decomposition 41

3.3.2 Categorizing Threats 41

3.3.3 Ranking Threats 42

3.3.4 Mitigation Planning 42

3.4 Design Reviews 42

3.5 Development (Coding) Phase 43

3.5.1 Static Analysis 43

3.5.2 Peer Review 44

3.5.3 Unit Testing 44

3.6 Testing 44

3.7 Deployment 45

3.8 Security Training 47

3.9 References 48

Chapter 4 Proven Best Practices for Resilient Applications 49

4.1 Critical Concepts 49

4.2 The Security Perimeter 51

4.3 Attack Surface 52

4.3.1 Mapping the Attack Surface 53

4.3.2 Side Channel Attacks 54

4.4 Application Security and Resilience Principles 54

4.5 Practice 1: Apply Defense in Depth 55

4.6 Practice 2: Use a Positive Security Model 56

4.7 Practice 3: Fail Securely 58

4.8 Practice 4: Run with Least Privilege 59

4.9 Practice 5: Avoid Security by Obscurity 59

4.10 Practice 6: Keep Security Simple 60

4.11 Practice 7: Detect Intrusions 60

4.11.1 Log All Security-Relevant Information 61

4.11.2 Ensure That the Logs Are Monitored Regularly 61

4.11.3 Respond to Intrusions 61

4.12 Practice 8: Don't Trust Infrastructure 61

4.13 Practice 9: Don't Trust Services 62

4.14 Practice 10: Establish Secure Defaults 62

4.15 Mapping Best Practices to Nonfunctional Requirements 62

4.16 References 64

Chapter 5 Designing Applications for Security and Resilience 65

5.1 Design Phase Recommendations 65

5.1.1 Misuse Case Modeling 66

5.1.2 Security Design and Architecture Review 68

5.1.3 Threat and Risk Modeling 68

5.1.4 Risk Analysis and Modeling 70

5.1.5 Security Requirements and Test Case Generation 70

5.2 Design to Meet Nonfunctional Requirements 71

5.3 Design Patterns 73

5.4 Architecting for the Web 74

5.5 Architecture and Design Review Checklist 76

5.6 References 84

Chapter 6 Programming Best Practices 87

6.1 The Evolution of Software Attacks 88

6.2 The OWASP Top 10 89

6.2.1 A1: Injection 90

6.2.2 A2: Cross-Site Scripting 90

6.2.3 A3: Broken Authentication and Session Management 90

6.2.4 A4: Insecure Direct Object References 91

6.2.5 A5: Cross-Site Request Forgery 91

6.2.6 A6: Security Misconfiguration 91

6.2.7 A7: Failure to Restrict URL Access 92

6.2.8 A8: Unvalidated Redirects and Forwards 92

6.2.9 A9: Insecure Cryptographic Storage 92

6.2.10 A10: Insufficient Transport Layer Protection 93

6.3 OWASP Enterprise Security API (ESAPI) 93

6.3.1 Input Validation and Handling 95

6.3.2 Client-Side Versus Server-Side Validation 98

6.3.3 Input Sanitization 99

6.3.4 Canonicalization 100

6.3.5 Examples of Attacks due to Improper Input Handling 101

6.3.6 Approaches to Validating Input Data 102

6.3.7 Handling Bad Input 106

6.3.8 ESAPI Interfaces 106

6.4 Cross-Site Scripting 106

6.4.1 Same Origin Policy 107

6.4.2 Attacks Through XSS 108

6.4.3 Prevention of Cross-Site Scripting 112

6.4.4 ESAPI Interfaces 113

6.5 Injection Attacks 113

6.5.1 SQL Injection 113

6.5.2 Stored Procedures 114

6.5.3 Identifying SQL Injection and Exploitation 115

6.5.4 Defending Against SQL Injection 116

6.5.5 Creating SQL Queries 117

6.5.6 Additional Controls to Prevent SQL Injection Attacks 117

6.5.7 ESAPI Interfaces 117

6.6 Authentication and Session Management 118

6.6.1 Attacking Log-in Functionality 119

6.6.2 Attacking Password Resets 119

6.6.3 Attacking Sensitive Transactions 120

6.7 Cross-Site Request Forgery 120

6.7.1 CSRF Mitigation 121

6.8 Session Management 121

6.8.1 Attacking Log-out Functionality 121

6.8.2 Defenses Against Log-out Attacks 122

6.8.3 Defenses Against Cookie Attacks 122

6.8.4 Session Identifiers 123

6.8.5 ESAPI Interfaces 124

6.9 Access Control 124

6.9.1 Avoiding Security Through Obscurity 124

6.9.2 Access Control Issues 124

6.9.3 Testing for Broken Access Control 125

6.9.4 Defenses Against Access Control Attacks 125

6.9.5 Administrator Interfaces 126

6.9.6 Protecting Administrator Interfaces 126

6.9.7 ESAPI Interfaces 126

6.10 Cryptography 127

6.10.1 Hashing and Password Security 127

6.10.2 Attacking the Hash 128

6.10.3 Precomputed Attacks 128

6.10.4 Message Authentication Code (MAC) 129

6.10.5 Home-Grown Algorithms 129

6.10.6 Randomness and Pseudo-Randomness 130

6.10.7 ESAPI Interfaces 130

6.11 Error Handling 131

6.11.1 User Error Messages 131

6.11.2 Log-in Error Messages—A Case Study 131

6.11.3 Error Message Differentiation 132

6.11.4 Developer Error Messages 132

6.11.5 Information to Be Kept Private 133

6.11.6 Structured Exception Handling 133

6.11.7 ESAPI Interfaces 134

6.12 Ajax and Flash 134

6.12.1 AJAX Application Traffic 135

6.12.2 AJAX Client Requests 135

6.12.3 Server Responses 136

6.12.4 Typical Attacks Against AJAX Applications 137

6.12.5 Security Recommendations for AJAX Applications 137

6.12.6 Adobe Flash—Sandbox Security Model 138

6.12.7 Cross-Domain Policy 138

6.12.8 Restrict SWF Files Embedded in HTML 139

6.12.9 Attacking Flash Applications 140

6.12.10 Securing Flash Applications 140

6.14 Additional Best Practices for Software Resilience 141

6.14.1 Externalize Variables 141

6.14.2 EncryptedProperties—Method Summary 141

6.14.3 Initialize Variables Properly 142

6.14.4 Do Not Ignore Values Returned by Functions 142

6.14.5 Avoid Integer Overflows 143

6.15 Top 10 Secure Coding Practices 144

6.16 Fifty Questions to Improve Software Security 146

6.17 References 151

Chapter 7 Special Considerations for Embedded Systems, Cloud Computing, and Mobile Computing Devices 153

7.1 Embedded Systems 154

7.1.1 Bad Assumptions About Embedded Systems Programming 155

7.1.2 New Mantras 156

7.1.3 The Framework 156

7.2 Distributed Applications/Cloud Computing 156

7.2.1 Representational State Transfer (REST) 160

7.2.2 REST Stateless Authentication 161

7.2.3 Attacking Distributed APIs 161

7.2.4 Securing Distributed APIs 162

7.3 Mobile Applications 162

7.3.1 BlackBerry 162

7.3.2 Windows Mobile 163

7.3.3 iPhone 164

7.3.4 Mobile Application Security 164

7.4 References 165

Chapter 8 Security Testing of Custom Software Applications 167

8.1 Fixing Early Versus Fixing After Release 167

8.2 Testing Phases 168

8.3 Unit Testing 169

8.4 Manual Source Code Review 169

8.5 The Code Review Process 170

8.6 Automated Source Code Analysis 172

8.6.1 Automated Reviews Compared with Manual Reviews 173

8.6.2 Commercial and Free Source Code Analyzers 174

8.6.3 Fortify 360 176

8.7 Acquiring Commercial or Open-Source Analysis Tools 180

8.8 Deployment Strategy 181

8.8.1 IDE Integration for Developers 181

8.8.2 Build Integration for Governance 182

8.9 Regulatory Compliance 183

8.10 Benefits of Using Source Code Analyzers 183

8.11 Penetration (Pen)Testing 184

8.11.1 Penetration Testing Tools 185

8.11.2 Automated Black Box Scanning 185

8.11.3 Deployment Strategy 186

8.11.4 Gray Box Testing 187

8.11.5 Limitations and Constraints of Pen Testing Tools 188

8.12 References 189

Chapter 9 Testing Commercial off-the-Shelf Systems 191

9.1 The Problems with Shrink-Wrapped Software 191

9.2 The Common Criteria for Information Technology Security Evaluation 192

9.2.1 Harmonizing Evaluation Criteria 194

9.2.2 Development 196

9.2.3 Evaluation 197

9.2.4 Operation 197

9.2.5 Key Concepts of the Common Criteria 197

9.2.6 The Security Framework 198

9.2.7 The Common Criteria Approach 199

9.2.8 The Security Environment 200

9.2.9 The Common Criteria Portal 208

9.2.10 Criticisms of the CC 208

9.3 The Commercial Community Responds 210

9.3.1 The BITS/FSTC Security Assurance Initiative 210

9.4 ICSA Labs 211

9.4.1 Evaluation Methodology 212

9.4.2 Certification Criteria 212

9.4.3 ICSA Labs Testing and Certification Process 212

9.5 Veracode's VerAfied Software Assurance 214

9.5.1 Ratings Methodology 214

9.5.2 Assessing Software for the VerAfied Mark 214

9.6 References 216

Chapter 10 Implementing Security and Resilience Using CLASP 217

10.1 Comprehensive, Lightweight Application Security Process (CLASP) 218

10.2 CLASP Concepts 218

10.3 Overview of the CLASP Process 219

10.4 CLASP Key Best Practices 221

10.4.1 Best Practice 1: Institute Awareness Programs 221

10.4.2 Best Practice 2: Perform Application Assessments 223

10.4.3 Best Practice 3: Capture Security Requirements 224

10.4.4 Best Practice 4: Implement Secure Development Practices 225

10.4.5 Best Practice 5: Build Vulnerability Remediation Procedures 226

10.4.6 Best Practice 6: Define and Monitor Metrics 226

10.4.7 Best Practice 7: Publish Operational Security Guidelines 227

10.5 CLASP Security Activities to Augment Software Development Processes 227

10.6 Applying CLASP Security Activities to Roles 228

10.7 Re-engineering Your SDLC for CLASP 232

10.7.1 Business Objectives 232

10.7.2 Process Milestones 232

10.7.3 Process Evaluation Criteria 232

10.7.4 Forming the Process Re-engineering Team 233

10.8 Sample CLASP Implementation Roadmaps 234

10.8.1 Green-Field Roadmap 235

10.8.2 Legacy Roadmap 235

10.9 References 236

Chapter 11 Metrics and Models for Security and Resilience Maturity 237

11.1 Maturity Models for Security and Resilience 237

11.2 Software Assurance Maturity Model—OpenSAMM 238

11.2.1 Core Practice Areas 240

11.2.2 Levels of Maturity 241

11.2.3 Assurance 243

11.3 The Building Security In Maturity Model (BSIMM) 247

11.3.1 BSIMM Software Security Framework 248

11.4 BSIMM Activities 250

11.4.1 Governance: Strategy and Metrics 250

11.4.2 Governance: Compliance and Policy 254

11.4.3 Governance: Training 258

11.4.4 Intelligence: Attack Models 261

11.4.5 Intelligence: Security Features and Design 265

11.4.6 Intelligence: Standards and Requirements 267

11.4.7 SSDL Touchpoints: Architecture Analysis 271

11.4.8 SSDL Touchpoints: Code Review 274

11.4.9 SSDL Touchpoints: Security Testing 277

11.4.10 Deployment: Penetration Testing 280

11.4.11 Deployment: Software Environment 282

11.4.12 Deployment: Configuration Management and Vulnerability Management 284

11.5 Measuring Results with BSIMM 286

11.6 Helpful Resources For Implementing BSIMM 287

11.7 Applying BSIMM to the Financial Services Domain 288

11.7.1 Working Group Methodology 288

11.8 References 289

Chapter 12 Taking It to the Streets 291

12.1 Getting Educated 291

12.1.1 DEVELOPER 530: Defending Web Applications 292

12.1.2 DEVELOPER 530: Essential Secure Coding in Java/JEE 293

12.1.3 DEVELOPER 541: Secure Coding in Java/JEE: Developing Defensible Applications 293

12.1.4 DEVELOPER 542: Web App Penetration Testing and Ethical Hacking 293

12.1.5 DEVELOPER 544: Secure Coding in .NET: Developing Defensible Applications 294

12.1.6 DEVELOPER 545: Secure Coding in PHP: Developing Defensible Applications 294

12.1.7 DEVELOPER 534: Secure Code Review for Java Web Apps 295

12.1.8 DEVELOPER 543: Secure Coding in C/C++: Developing Defensible Applications 295

12.1.9 Aspect Security Inc. 296

12.1.10 CERT Software Engineering Institute (SEI) 298

12.1.11 SEI Secure Coding in C and C++ Course 299

12.2 Getting Certified 300

12.2.1 Certified Secure Software Lifecycle Professional (CSSLP) 301

12.2.2 Why Obtain the CSSLP? 302

12.2.3 Benefits of Certification to the Professional 302

12.2.4 Benefits of Certification to the Enterprise 302

12.3 Getting Involved 303

12.3.1 Web Application Security Consortium 303

12.4 Reaching Out for Research 308

12.4.1 DHS Research Program Areas 308

12.4.2 The U.S. Treasury and the FSSCC 310

12.5 Last Call 314

12.6 Conclusion 315

12.7 References 316

Glossary 319

Appendix A 2010 CWE/SANS Top 25 Most Dangerous Programming Errors 335

A.1 Brief Listing of the Top 25 336

A.1.1 Insecure Interaction Between Components 336

A.1.2 Risky Resource Management 336

A.1.3 Porous Defenses 337

A.2 Detailed CWE Descriptions 338

A.2.1 CWE-79: Failure to Preserve Web Page Structure ("Cross-Site Scripting") 338

A.2.2 CWE-89: Improper Sanitization of Special Elements Used in an SQL Command ("SQL Injection") 338

A.2.3 CWE-120: Buffer Copy Without Checking Size of Input ("Classic Buffer Overflow") 339

A.2.4 CWE-352: Cross-Site Request Forgery (CSRF) 339

A.2.5 CWE-285: Improper Access Control (Authorization) 339

A.2.6 CWE-807: Reliance on Untrusted Inputs in a Security Decision 340

A.2.7 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") 340

A.2.8 CWE-434: Unrestricted Upload of File with Dangerous Type 340

A.2.9 CWE-78: Improper Sanitization of Special Elements Used in an OS Command ("OS Command Injection") 341

A.2.10 CWE-311: Missing Encryption of Sensitive Data 341

A.2.11 CWE-798: Use of Hard-Coded Credentials 341

A.2.12 CWE-805: Buffer Access with Incorrect Length Value 342

A.2.13 CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ("PHP File Inclusion") 342

A.2.14 CWE-129: Improper Validation of Array Index 342

A.2.15 CWE-754: Improper Check for Unusual or Exceptional Conditions 342

A.2.16 CWE-209: Information Exposure Through an Error Message 343

A.2.17 CWE-190: Integer Overflow or Wraparound 343

A.2.18 CWE-131: Incorrect Calculation of Buffer Size 343

A.2.19 CWE-306: Missing Authentication for Critical Function 344

A.2.20 CWE-494: Download of Code Without Integrity Check 344

A.2.21 CWE-732: Incorrect Permission Assignment for Critical Resource 344

A.2.22 CWE-770: Allocation of Resources Without Limits or Throttling 344

A.2.23 CWE-601: URL Redirection to Site ("Open Redirect") 345

A.2.24 CWE-327: Use of a Broken or Risky Cryptographic Algorithm 345

A.2.25 CWE-362: Race Condition 345

Appendix B Enterprise Security API 347

B.1 Interface Encoder 348

B.2 Interface User 349

B.3 Interface Authenticator 350

B.4 Interface AccessController 351

B.5 Interface AccessReferenceMap 352

B.6 Interface Encryptor 355

B.7 Interface HTTPUtilities 357

B.8 Interface Logger 357

Index 361