Integrating Security in Application Development - PowerPoint PPT Presentation

1
Integrating Security in Application Development
  • 5 December 2009
  • Jon C. Arce jonarce_at_microsoft.com

2
Agenda
  • What is the SDLC?
  • In the beginning
  • Waterfall to Agile Methodologies
  • Scrum
  • Roles (Security)
  • Security Development Lifecycle
  • Microsoft SDL
  • Phases to incorporate
  • How are the software giants doing?
  • Threat Models
  • What is STRIDE?
  • What is DREAD?
  • Microsoft Application Threat Modeling
  • How to justify?
  • Statement
  • Economic Impact

3
Agenda

4
Definition of SDLC
  • A software development process is a structure
    imposed on the development of a software product.
    Synonyms include software life cycle and software
    process.
  • There are several models for such processes,
    each describing approaches to a variety of tasks
    or activities that take place during the process.

Security should be one of those activities / tasks
5
In the beginning: Waterfall Model
  • Requirements
  • Design
  • Implementation
  • Verification
Each phase pours over into the next phase.
Where was security?
6
Security and the System Development Lifecycle
  • There are three important aspects of computer
    security in relation to the systems development
    lifecycle:
  • 1. Security must be considered from the first phase
    of the systems lifecycle.
  • 2. Development of computer security is an iterative
    process. The identification of vulnerabilities
    and the selection and implementation of
    safeguards continue as the system progresses
    through the phases of the lifecycle, including
    after the system has been released into
    production.
  • 3. All computer security considerations should be
    documented in the standard systems development
    lifecycle documents.

7
Present times: Agile - Scrum
Security
8
Roles: from Generalist to Specialist
  • Junior
  • UI / Web Interface
  • Integration Developer
  • EAI / SOA
  • Database Developer
  • DB schema / Reports
  • Business Intelligence
  • Tester
  • Product Quality
  • Performance
  • Security Analyst
  • Model Consultant
  • Project Manager
  • Business Project Owner
  • Development Manager
  • Business Analyst
  • Architect
  • Solution Architect
  • Infrastructure Architect
  • Database Architect
  • Integration Architect
  • Developer
  • Senior
  • Business Objects Entities

9
Security Analyst by phase
Diagram: roles placed along the lifecycle phases (Model Consultant,
Developer UI, Developer Business Logic, Developer Database,
Developer Integration, Performance Testing, Infrastructure Architect),
with a Security Analyst attached to each phase.
  • Critical Skills for Every Role:
    • Understanding Business
    • Broad Understanding (like Infrastructure)
    • Multiple Perspectives
    • People Skills / Lifelong Learning

10
Agenda

11
S-SDL
  • Secure Software Development covers those
    activities which lead to the development of
    better quality software from a security
    perspective.
  • This software would be expected to have fewer
    exploitable software flaws and fewer security
    design vulnerabilities.

12
SD3+C
Secure by Design
  • Secure architecture
  • Improved process
  • Reduce vulnerabilities in the code

Secure by Default
  • Reduce attack surface area
  • Unused features off by default
  • Only require minimum privilege

Secure in Deployment
  • Protect, detect, defend, recover, manage
  • Process: How-tos, architecture guides
  • People: Training

Communications
  • Clear security commitment
  • Full member of the security community
  • Microsoft Security Response Center
13
SDL Phases
  • Requirements Phase
  • Design Phase
  • Implementation Phase
  • Verification Phase
  • Release Phase
  • Support and Servicing Phase

14
Embedding Security Into Software And Culture
At Microsoft, we believe that delivering secure
software requires
15
Processes
Figure 1. Baseline process and SDL Improvements
16
Deliverables by phases for S-SDL
  • The S-SDL has six primary components:
  • Phase 1: Security guidelines, rules, and
    regulations
  • Phase 2: Security requirements / attack use cases
  • Phase 3: Architectural and design reviews /
    threat modeling
  • Phase 4: Secure coding guidelines
  • Phase 5: Black/gray/white box testing
  • Phase 6: Determining exploitability

17
Deliverables by Development Timeline
Diagram: milestones Concept, Designs Complete, Test plans Complete,
Code Complete, Ship, Post Ship, with the security deliverables placed
along them:
  • Team member training
  • Threat analysis
  • Secure questions during interviews
  • Review old defects
  • Check-ins checked
  • Secure coding guidelines
  • Use tools
  • Data mutation
  • Least Priv Tests
  • Security Review
  • External review
  • Learn / Refine
18
  • http://www.microsoft.com/sdl

19
Microsoft S-SDL
20
Microsoft S-SDL
21
Microsoft S-SDL
22
Microsoft S-SDL
23
Microsoft S-SDL
24
Microsoft S-SDL
25
Phases added for SDL
  • Once it's been determined that a vulnerability
    has a high level of exploitability, the
    respective mitigation strategies need to be
    evaluated and implemented.
  • Secure deployment of the application means that
    the software is installed with secure defaults:
    file permissions and the secure settings of the
    application's configuration are used.
  • After the software has been deployed securely,
    its security needs to be maintained throughout
    its existence. An all-encompassing software patch
    management process needs to be in place. Emerging
    threats need to be evaluated, and vulnerabilities
    need to be prioritized and managed.
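
The "secure defaults" point above is easiest to act on with a check that runs after installation. The following is an added example, not code from the presentation or from Microsoft: it audits an application's configuration file for file permissions and for a handful of settings that a secure-by-default install is expected to ship with. The config layout (key = value lines), the setting names, the expected values and the sample configs are all assumptions made for illustration.

```python
"""
Added example (not from the presentation): a post-install check for the
"secure defaults" point on the slide. It audits an application's config file
for permissions and a few settings. The file layout (key = value lines), the
setting names and the expected values are assumptions for illustration.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Settings a secure-by-default install is expected to ship with (assumed names).
EXPECTED_SETTINGS = {
    "debug": "false",               # verbose errors leak internals in production
    "listen_address": "127.0.0.1",  # do not expose the service on every interface
    "tls_required": "true",
}
WELL_KNOWN_DEFAULT_PASSWORDS = {"", "admin", "password", "changeme"}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment; keys and values are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().lower()
    return settings


def audit_config(path: str) -> List[str]:
    """Return findings; an empty list means the install matches the secure defaults."""
    findings = []
    p = Path(path)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & stat.S_IWOTH:
        findings.append("config file is world-writable")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config file is readable by group or others")
    settings = parse_config(p.read_text())
    for key, want in EXPECTED_SETTINGS.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} is not set (relies on an implicit default)")
        elif got != want:
            findings.append(f"{key}={got}, expected {want}")
    if "admin_password" in settings and settings["admin_password"] in WELL_KNOWN_DEFAULT_PASSWORDS:
        findings.append("admin_password is empty or a well-known default")
    return findings


def write_sample(text: str, mode: int) -> str:
    """Write a constructed config to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)
    return path


# Constructed samples (not real configs): one install that kept unsafe
# defaults, one with the secure defaults applied.
INSECURE_SAMPLE = """# constructed sample: an install that kept unsafe defaults
debug = true
listen_address = 0.0.0.0
admin_password = admin
"""

HARDENED_SAMPLE = """# constructed sample: secure defaults applied
debug = false
listen_address = 127.0.0.1
tls_required = true
admin_password = generated-at-install
"""


def demo():
    """Audit both constructed samples; returns (insecure_findings, hardened_findings)."""
    insecure = write_sample(INSECURE_SAMPLE, 0o666)
    hardened = write_sample(HARDENED_SAMPLE, 0o600)
    try:
        return audit_config(insecure), audit_config(hardened)
    finally:
        os.unlink(insecure)
        os.unlink(hardened)


if __name__ == "__main__":
    bad, good = demo()
    print("insecure install:", *bad, sep="\n  ")
    print("hardened install:", good)
```

The check reports an unset key as a finding rather than assuming the program's built-in default is safe; that is the point of the slide's "secure defaults" requirement, and a deployment that relies on an implicit default cannot be audited from the file alone.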

26
Software Giants on SDL
  • Major software makers fail security transparency
    test
  • In March, we threw down the gauntlet and
    challenged leading software companies and
    organizations to show us what they are doing to
    write secure software. Not one of the 23
    companies and organizations that we listed
    responded, and in a follow-up in April, only four
    provided us with answers.
  • Adobe, Amazon.com, the Apache Software
    Foundation, Apple, CollabNet, the Eclipse
    Foundation, the Free Software Foundation, IBM,
    Intel, the Linux Foundation, Oracle, Red Hat,
    Software AG, Sun Microsystems, Sybase, VMware and
    Yahoo did not respond to our inquiry.
  • Nokia and Salesforce.com acknowledged the request
    but were unable to provide comment by deadline.
  • Google, Hewlett-Packard, Novell, TIBCO have
    published to the web
  • Are those companies practicing security by
    obscurity?

April 24, 2009
27
Social Security Adm. Policy
  • It is SSA's policy to integrate security into the
    systems development lifecycle. Reasons:
  • It is more effective - easier to achieve when
    security issues are considered as a part of a
    routine development process
  • It is less expensive - To retrofit security is
    generally more expensive than to integrate it
    into an application.
  • It is less obtrusive - When security safeguards
    are integral to a system, they are usually easier
    to use and less visible to the user.

28
Members: EMC, Juniper Networks, Microsoft, SAP,
Symantec, Nokia
29
Total Vulnerabilities Disclosed One Year After
Release
Chart: Before SDL versus After SDL
45% reduction in vulnerabilities
30
Microsoft SDL And Internet Explorer (IE)
Source: Browser Vulnerability Analysis,
Microsoft Security Blog, 27-NOV-2007
31
Agenda

32
Threat Models
  • Asset: a resource of value (e.g. customer data).
  • Threat: an undesired event. A potential
    occurrence, often best described as an effect
    that might damage or compromise an asset.
  • Vulnerability: a weakness in some aspect or
    feature of a system that makes an exploit
    possible. Vulnerabilities can exist at the
    network, host, or application levels and include
    operational practices.
  • Attack (or exploit): an action taken that
    utilizes one or more vulnerabilities to realize a
    threat.
  • Countermeasure: addresses vulnerabilities to
    reduce the probability of attacks or the impact
    of threats.

33
Threat Models
  • You cannot build secure applications unless you
    understand threats
  • "We use SSL!" - since the network is secured,
    attacks are moving to the application itself
  • Threat modeling finds different bugs than code
    review and testing
  • Approx. 50% of issues come from threat models
  • Threat Modeling Web Applications

34
Threat Modeling Process
  • Create model of app (DFD, UML etc.)
  • Categorize threats to each attack target node
    with STRIDE:
    Spoofing, Tampering, Repudiation, Information
    Disclosure, Denial of Service, Elevation of
    Privilege
  • Build threat tree (use tools)
  • Rank threats with DREAD:
    Damage potential, Reproducibility,
    Exploitability, Affected Users, Discoverability
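
The process above (model the application, classify each threat against a target with STRIDE, rank with DREAD) and the Asset / Threat / Vulnerability / Countermeasure vocabulary from the earlier slide can be captured in a small threat register. The following is an added example, not code from the presentation or from Microsoft's threat modeling tool. The scoring convention is an assumption: each DREAD factor is rated 1 (low) to 3 (high), the DREAD score is the sum (3 to 15), and the High/Medium/Low bands are illustrative rather than the Critical/Important/Moderate/Low classification shown later in the deck. The sample threats are constructed for a fictional web shop.

```python
"""
Added example (not from the presentation): a small STRIDE/DREAD threat
register that follows the process on the slide. Scoring convention is an
assumption: each DREAD factor is rated 1 (low) to 3 (high), the DREAD score
is the sum (3..15), and the High/Medium/Low bands are illustrative.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION_OF_PRIVILEGE = "Elevation of Privilege"


# The five DREAD factors, in the order the slide lists them.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    target: str            # DFD element (process, store, flow) the threat applies to
    category: Stride       # STRIDE classification
    description: str
    dread: Dict[str, int]  # factor -> rating 1..3
    countermeasure: str    # planned mitigation (may be empty while unassigned)

    def score(self) -> int:
        """DREAD score: sum of the five factor ratings; rejects malformed input."""
        missing = set(DREAD_FACTORS) - set(self.dread)
        if missing:
            raise ValueError(f"missing DREAD factors: {sorted(missing)}")
        for factor, value in self.dread.items():
            if factor not in DREAD_FACTORS or not 1 <= value <= 3:
                raise ValueError(f"bad DREAD rating {factor}={value}")
        return sum(self.dread.values())


def rating(score: int) -> str:
    """Map a DREAD score to a band (illustrative thresholds, an assumption)."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD score first; ties broken by target name for stable output."""
    return sorted(threats, key=lambda t: (-t.score(), t.target))


def count_by_category(threats: List[Threat]) -> Dict[str, int]:
    """How many threats fall into each STRIDE category (a coverage check)."""
    counts = {s.value: 0 for s in Stride}
    for t in threats:
        counts[t.category.value] += 1
    return counts


def _d(damage, repro, exploit, users, discover):
    return dict(zip(DREAD_FACTORS, (damage, repro, exploit, users, discover)))


# Constructed sample register for a fictional web shop (not real findings).
SAMPLE_THREATS = [
    Threat("Login process", Stride.SPOOFING,
           "Weak user passwords can be guessed", _d(2, 3, 2, 3, 3),
           "Lockout and rate limiting on failed logins"),
    Threat("Order database", Stride.INFORMATION_DISCLOSURE,
           "Unvalidated search input reaches the SQL layer", _d(3, 3, 3, 3, 2),
           "Parameterized queries, input validation"),
    Threat("Audit log store", Stride.REPUDIATION,
           "Log entries lack user and request identifiers", _d(2, 2, 1, 1, 1),
           "Log user id, request id and timestamp per action"),
    Threat("Report export process", Stride.DENIAL_OF_SERVICE,
           "Unbounded export request exhausts worker threads", _d(2, 3, 2, 2, 2),
           "Cap export size, run exports asynchronously"),
]


def report(threats: List[Threat]) -> List[str]:
    """One line per threat, ranked, ready for the threat-model document."""
    return [f"{rating(t.score()):6} {t.score():2}  {t.category.value:22} "
            f"{t.target}: {t.description}" for t in rank_threats(threats)]


if __name__ == "__main__":
    for line in report(SAMPLE_THREATS):
        print(line)
    print(count_by_category(SAMPLE_THREATS))
```

The per-category count is the part worth keeping in a real register: a model in which every threat lands in one or two STRIDE categories usually means the other categories were never considered for that target, not that they do not apply.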

35
Countermeasures
36
Countermeasures
37
DREAD classification in Microsoft
  • Critical: A vulnerability whose exploitation
    could allow the propagation of an Internet worm
    without user action.
  • Important: A vulnerability whose exploitation
    could result in compromise of the
    confidentiality, integrity, or availability of
    users' data, or of the integrity or availability
    of processing resources.
  • Moderate: Exploitability is mitigated to a
    significant degree by factors such as default
    configuration, auditing, or difficulty of
    exploitation.
  • Low: A vulnerability whose exploitation is
    extremely difficult, or whose impact is minimal.

38
Threat Modeling tool
  • Application Demo / PPT Demo

39
Agenda

40
A Short Quiz
Joe is a drug dealer
Steve is a cyber criminal
Who makes more money?
41
The Evolution Of Cybercrime
  • 1986-1995: LANs; First PC virus; Motivation: damage
  • 1995-2003: Internet Era; Big Worms; Motivation: damage
  • 2004: OS, DB attacks; Spyware, Spam; Motivation: Financial
  • 2006: Targeted attacks; Social engineering;
    Motivation: Financial, Political

Source: U.S. Government Accountability Office
(GAO), FBI
Cost of U.S. cybercrime: more than $100B
42
Attacks Are Moving To Application Layer
Chart: vulnerabilities disclosed in 2004, 2005 and 2006,
Operating Systems versus Applications
Source: Microsoft Security Intelligence Report 2007
  • 90% are exploitable remotely
  • 60% are in web applications

Sources: IBM X-Force, Symantec 2007 Security
Reports
43
The Long Tail Of Security Vulnerabilities
Source: IBM X-Force 2007 Security Report
44
ISO 9126 Quality Attributes
Product Transition
  • Portability - Will I be able to use it on another machine?
  • Reusability - Will I be able to reuse some of the software?
  • Interoperability - Will I be able to interface it with another machine?
Product Revision
  • Maintainability - Can I fix it?
  • Flexibility - Can I change it?
  • Testability - Can I test it?
Product Operations
  • Correctness - Does it do what I want?
  • Reliability - Does it do it accurately all the time?
  • Efficiency - Will it run on my machine as well as it can?
  • Integrity - Is it secure?
  • Usability - Can I run it?
45
Cost to fix errors
  Phase In Which Found      Cost Ratio
  Requirements              1
  Design                    3-6
  Coding                    10
  Development Testing       15-40
  Acceptance Testing        30-70
  Operation                 40-1000

46
Resources
  • The following papers and standards cover
    information security and secure coding and offer
    insight, principles, and processes that you can
    integrate immediately to improve software
    security:
  • NIST Special Publication 800-64: Security
    Considerations in the Information System
  • NIST Special Publication 800-27: Engineering
    Principles for Information Technology Security
  • NIST Special Publication 800-55: Security Metrics
    Guide for Information Technology Systems
  • ISO/IEC 12207:1995 Information technology - Software
    life cycle processes
  • ISO/IEC 17799:2005 Information technology - Security
    techniques - Code of practice for information
    security management