Upload: parasoft, posted 07-Aug-2015

Page 1: BUSTED! How to Find Security Bugs Fast!

Parasoft Copyright © 2015 1

28.05.2015

Busting Software Bugs to Boost Application Security

Arthur “Code Curmudgeon” Hicken

May 2015

Page 2

GoToWebinar Housekeeping

Your Participation

• Open and hide your control panel

• Join audio: choose “Mic & Speakers” to use VoIP, or choose “Telephone” and dial in using the information provided

• Submit questions and comments via the Questions panel

Note: Today’s presentation is being recorded and will be provided within 48 hours.

Page 3

Your Presenter

Arthur Hicken has been involved in automating various practices at Parasoft for over 20 years. He has worked on projects including database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems.

Arthur has worked with IT departments in companies such as Cisco, Vanguard, and Motorola to help improve their software development practices.

Page 4

Agenda

How security processes are like quality processes

How software bugs are security vulnerabilities

How static analysis can prevent defects and improve security

Page 5

Internet of Things Vulnerabilities

Page 6

One weak spot is all it takes

Exploitable Software Weaknesses (CWEs) are sources for future Zero-Day Attacks

Page 7

Poll 1

Is software security the same as application security? Yes No That’s a silly question

Page 8

Software Security Defined

Software security is the idea of engineering software so that it continues to function correctly under malicious attack.

Software security is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects and users about how to build secure things.

(Gary McGraw, Cigital)

https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security

Page 9

Application Security Defined

Put succinctly, application security is based primarily on finding and fixing known security problems after they’ve been exploited in fielded systems. Software security… identifies and expunges problems in the software itself.

Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities.

(Gary McGraw, Cigital)

Page 10

SEI Research

Predicting Software Assurance Using Quality and Reliability Measures

• Security and reliability go hand in hand

• You can predict security based on defects

• Static analysis is integral to improvement

• Most critical defects are coding mistakes

http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=428589

Page 11

Security problems

½ are design flaws: missing authorization, improper encryption, improper password handling, allowing data to be tainted, …

½ are code defects: buffer overflow, data leakage, …

Page 12

Security Belongs to Quality

If you have a quality problem, you have a security problem.

Modern systems are complex, and defects don’t always manifest when systems are used the same way they were tested.

The number of possible conditions may be infinite.

Security and reliability have to be designed and engineered in. You can’t test them in.

Page 13

Poll 2

Our security group: • Is part of DevOps • Is part of QA • Stands on its own • Our what now?

Copyright XKCD http://xkcd.com/538/

Page 14

Quality Processes

Policy Management & Enforcement

Peer Code Review

Unit Testing / Continuous Regression

Runtime Error Detection

Hybrid Analysis

Static Code Analysis

Prevention over reaction

Reporting / Analytics

Page 15

Software Security Best Practices

Software Security, Gary McGraw, Copyright 2003 © Cigital. Reprinted from the March/April 2004 issue of IEEE Security & Privacy.

Page 16

Important Steps

Train developers in secure development so that they can prevent – or at least find and fix – security problems

Design and build your system with a deliberate focus on quality and security

Collect/measure defect data (quality AND security) and use it to assess and improve your development practices

Page 17

Poll 3

Do bugs in open-source code represent security vulnerabilities? • Yes • I’m not sure • No • I never thought about it

Copyright XKCD http://imgs.xkcd.com/comics/golden_hammer.png

Page 18

Bugs are vulnerabilities

Heartbleed example

Page 19

HEARTBLEED BUSTED

MISRA C 2004 20.3 • “The validity of values passed to library functions shall be checked”

CWE-20 • “Improper input validation”

CWE-114 • “Process control”

CWE-125 • “Out-of-bounds read”

CWE-130 • “Improper handling of length parameter inconsistency”
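The rules on this slide all come down to one check: the length a peer claims for its payload must be compared against the bytes that were actually received before anything is copied. As an added illustration for this transcript (not code from the deck and not OpenSSL’s code), here is a heartbeat-style record parser that performs that check. The record layout (1-byte type, 2-byte big-endian payload length, payload, 16 bytes of mandatory padding), the reply type value and all function names are assumptions made for the example.

```c
/* Added example, not from the deck or OpenSSL: a TLV heartbeat-style
 * record parser with the length-consistency check that MISRA C 2004
 * rule 20.3 and CWE-130 call for. Record layout is an assumption:
 *   [type:1][payload_len:2, big-endian][payload][padding:16] */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN  3u   /* 1 byte type + 2 byte length */
#define HB_PADDING_LEN 16u  /* assumed mandatory trailing padding */

typedef struct {
    uint8_t        type;
    uint16_t       payload_len;  /* length as claimed by the sender */
    const uint8_t *payload;      /* points into the caller's record */
} hb_msg_t;

/* Returns 0 if the record is self-consistent, -1 otherwise. The claimed
 * payload length is checked against the bytes actually received before
 * anything is read or copied, so a short record cannot cause an
 * out-of-bounds read (CWE-125). */
int hb_parse(const uint8_t *rec, size_t rec_len, hb_msg_t *out)
{
    if (rec == NULL || out == NULL) {
        return -1;
    }
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) {
        return -1;                           /* header or padding missing */
    }
    uint16_t claimed = (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
    /* length parameter inconsistency: header + claimed payload + padding
     * must fit inside what was received */
    if ((size_t)claimed > rec_len - HB_HEADER_LEN - HB_PADDING_LEN) {
        return -1;
    }
    out->type        = rec[0];
    out->payload_len = claimed;
    out->payload     = rec + HB_HEADER_LEN;
    return 0;
}

/* Builds the echo reply into out. Returns the reply length, or -1 if the
 * request fails validation or the output buffer is too small. Only the
 * validated payload is copied, never the length the peer asked for. */
int hb_build_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    hb_msg_t msg;
    if (hb_parse(rec, rec_len, &msg) != 0) {
        return -1;
    }
    size_t need = HB_HEADER_LEN + msg.payload_len + HB_PADDING_LEN;
    if (out == NULL || out_len < need) {
        return -1;
    }
    out[0] = 2u;                                  /* assumed reply type */
    out[1] = (uint8_t)(msg.payload_len >> 8);
    out[2] = (uint8_t)(msg.payload_len & 0xffu);
    memcpy(out + HB_HEADER_LEN, msg.payload, msg.payload_len);
    memset(out + HB_HEADER_LEN + msg.payload_len, 0, HB_PADDING_LEN);
    return (int)need;
}

/* Constructed sample: a well-formed request carrying "hi" (claimed len 2). */
static const uint8_t SAMPLE_OK[3 + 2 + 16] = { 1, 0x00, 0x02, 'h', 'i' };
/* Constructed sample: the same 21 bytes, but the sender claims 65535. */
static const uint8_t SAMPLE_BAD[3 + 2 + 16] = { 1, 0xff, 0xff, 'h', 'i' };

int hb_demo_ok_reply_len(void)
{
    uint8_t reply[64];
    return hb_build_reply(SAMPLE_OK, sizeof SAMPLE_OK, reply, sizeof reply);   /* 21 */
}

int hb_demo_bad_reply_len(void)
{
    uint8_t reply[64];
    return hb_build_reply(SAMPLE_BAD, sizeof SAMPLE_BAD, reply, sizeof reply); /* -1 */
}

int main(void)
{
    printf("well-formed request -> reply of %d bytes\n", hb_demo_ok_reply_len());
    printf("inconsistent length -> %d (rejected)\n", hb_demo_bad_reply_len());
    return 0;
}
```

The point a static analysis rule such as MISRA C 2004 20.3 checks is that `claimed` is validated before it reaches `memcpy`; a data flow checker treats the two length bytes as tainted and reports any copy whose size derives from them without passing through a comparison like the one in `hb_parse`.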

Page 20

One “simple” quality problem

Buffer Security Issues in CWE

• CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

• CWE-120 Buffer Copy without Checking Size of Input

• CWE-121 Stack-based Buffer Overflow

• CWE-122 Heap-based Buffer Overflow

• CWE-125 Out-of-bounds Read

• CWE-131 Incorrect Calculation of Buffer Size

• CWE-680 Integer Overflow to Buffer Overflow

Page 21

Buffer Impact

CWE Technical Impacts:

• Read memory

• Modify memory

• DoS: crash / exit / restart; resource consumption (CPU); resource consumption (memory)

• Execute unauthorized code or commands

Page 22

Are there more?

Run the same coding standard on the rest of the file

Page 23

Risk management – OWASP style

• Prevalence: likelihood of an application having that vulnerability

• Detectability: likelihood of an attacker discovering that vulnerability

• Exploitability: likelihood of an attacker successfully exploiting that vulnerability

• Impact: typical technical impact if that vulnerability is successfully exploited

Page 24

Key Points

Static code analysis eases the burden on QA allowing for development work to continue in parallel with manual testing efforts.

Root cause analysis of defects can influence the development policy in order to prevent making the same mistake again.

Page 25

Prevention

Page 26

Flavor of the month

The only way to find the Heartbleed bug with today’s leading tools is to write custom rules or overrides, which means that you have to anticipate that this code is bad in the first place. You’d be better off spending your time reviewing or testing the code more carefully instead.

Jim Bird – Building Real Software Blog

Page 27

Purpose of Coding Standards

“Proven programming practices leading to safe, reliable, testable, and maintainable code”

“Address potentially unsafe C language features, and provide programming rules to avoid those pitfalls”

“By providing “safer” alternatives to “unsafe” facilities, known problems … are avoided. In essence, programs are written in a “safer” subset of a superset.”

Page 28

Standard Standards

Misra

ISO 26262

FDA

HIPAA

Section 508

OWASP Top 10

JSF

DISA STIG

CWE

Page 29

Simple Prevention Process – an example

Detect the error • Load testing shows leaking connections to the database

Find the cause • Open connections aren’t being closed, causing resource leaks

Locate the point in production that caused the error • Developer has forgotten to close DB connections upon client termination

Implement preventative process • Use a coding standard to ensure each open connection is closed before exit

Monitor the process • Use static analysis to enforce the standard

Add regression test • Add a test to see the problem was fixed and doesn’t return
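The six steps above fit in one small program, added here as an example for this transcript (it is not code from the deck or from any Parasoft product). A toy connection API (an assumption standing in for a real database driver) keeps a count of open connections, which is what the load test would see growing; the handler is shown as written before the fix and after the fix, and the last function is the regression test from step 6. All names are made up for the example.

```c
/* Added example, not from the deck: a toy connection API (assumption,
 * standing in for a real database driver), a request handler before and
 * after the fix, and the regression check from the last step. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int id;
} db_conn_t;

static int g_open_connections = 0;   /* what load testing would see growing */
static int g_next_id = 1;

db_conn_t *db_open(void)
{
    db_conn_t *c = malloc(sizeof *c);
    if (c != NULL) {
        c->id = g_next_id++;
        g_open_connections++;
    }
    return c;
}

void db_close(db_conn_t *c)
{
    if (c != NULL) {
        g_open_connections--;
        free(c);
    }
}

int db_open_count(void)
{
    return g_open_connections;
}

/* Before the fix: the early return taken when the client has gone away
 * skips db_close(), so every dropped client leaks one connection. This is
 * the defect the process above finds; a "close every opened resource on
 * every path" rule flags the return at (A). */
int handle_request_leaky(int client_alive)
{
    db_conn_t *c = db_open();
    if (c == NULL) {
        return -1;
    }
    if (!client_alive) {
        return -1;                /* (A) connection never closed */
    }
    /* ... run the query for the client ... */
    db_close(c);
    return 0;
}

/* After the fix: one exit path, and the close happens on it unconditionally,
 * which is what the coding standard asks for and what static analysis can
 * check mechanically. */
int handle_request_fixed(int client_alive)
{
    int rc = -1;
    db_conn_t *c = db_open();
    if (c == NULL) {
        return -1;                /* nothing was opened, nothing to close */
    }
    if (client_alive) {
        /* ... run the query for the client ... */
        rc = 0;
    }
    db_close(c);                  /* reached whether or not the client dropped */
    return rc;
}

/* Regression test (step 6): drive a handler with `requests` clients that
 * all disconnect, and return how many connections stayed open. 0 means
 * the leak is gone and has not come back. */
int connections_leaked_by(int (*handler)(int), int requests)
{
    int before = db_open_count();
    for (int i = 0; i < requests; i++) {
        (void)handler(0);         /* 0 = client terminated */
    }
    return db_open_count() - before;
}

int main(void)
{
    printf("leaky handler: %d connections left open after 5 dropped clients\n",
           connections_leaked_by(handle_request_leaky, 5));
    printf("fixed handler: %d connections left open after 5 dropped clients\n",
           connections_leaked_by(handle_request_fixed, 5));
    return 0;
}
```

Run against the leaky handler the test reports five open connections; against the fixed handler it reports zero. Keeping that test in the regression suite is what turns a one-off fix into the "monitor the process" step.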

Page 30

Preventative standards examples

Object-Oriented
• Avoid "public"/"protected"/package-private instance fields
• Do not override an instance "private" method
• Do not hide inherited fields
• …

Best Practices
• Avoid returning "handles" to internal data from const member functions
• Declare at least one constructor to prevent the compiler from doing so
• Declare reference parameters as const references whenever possible
• …

Unused Code
• Avoid unused local variables
• Avoid unused "private" fields
• …

Class Metrics
• Follow the limit for Cyclomatic Complexity (default < 30)
• Follow the limit for number of “<type>” fields (private, etc.)
• Follow the limit on class hierarchy depth
• …

Page 31

Pattern-Based Static Analysis

What:
• Identify specific patterns in the code

Why:
• Find dangerous practices
• Prevent defects
• Ensure inclusion of required items: security, authentication, encryption
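The smallest useful pattern-based checker is a scan for calls to functions a coding standard bans. The following is an added example written for this transcript (not code from the deck or from any Parasoft product); the banned list is a constructed subset in the style of the "unsafe facility" rules quoted earlier, and the sample source lines are made up. It shows the one subtlety such a rule needs even at this size: matching whole identifiers, so that `fgets()` is not reported as `gets()` and `strcpy_s()` is not reported as `strcpy()`.

```c
/* Added example, not from the deck or any Parasoft product: a minimal
 * pattern-based checker that flags calls to functions a coding standard
 * bans. The banned list and the sample lines are constructed for the
 * example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed rule table: calls to these are reported as dangerous practice. */
static const char *const BANNED[] = { "gets", "strcpy", "sprintf" };
#define N_BANNED (sizeof BANNED / sizeof BANNED[0])

static int is_ident_char(char ch)
{
    return isalnum((unsigned char)ch) || ch == '_';
}

/* True if `pos` (inside `line`) starts a whole-identifier call of `name`.
 * The boundary checks are what keep fgets() and strcpy_s() from being
 * reported as gets() and strcpy(): a bare substring match would flag them. */
static int is_call_of(const char *line, const char *pos, const char *name)
{
    size_t n = strlen(name);
    if (strncmp(pos, name, n) != 0) {
        return 0;
    }
    if (pos > line && is_ident_char(pos[-1])) {
        return 0;                       /* fgets, my_strcpy */
    }
    const char *p = pos + n;
    if (is_ident_char(*p)) {
        return 0;                       /* strcpy_s, gets_buffer */
    }
    while (*p == ' ' || *p == '\t') {
        p++;
    }
    return *p == '(';                   /* a call, not just the name */
}

/* Scans one source line, prints a finding per banned call when `report`
 * is non-NULL, and returns the number of findings on that line. */
int check_line(const char *line, int lineno, FILE *report)
{
    int hits = 0;
    for (size_t i = 0; i < N_BANNED; i++) {
        const char *p = line;
        while ((p = strstr(p, BANNED[i])) != NULL) {
            if (is_call_of(line, p, BANNED[i])) {
                hits++;
                if (report != NULL) {
                    fprintf(report, "line %d: call to banned function %s()\n",
                            lineno, BANNED[i]);
                }
            }
            p += strlen(BANNED[i]);
        }
    }
    return hits;
}

/* Constructed sample source, one line per entry (not from a real project). */
static const char *const SAMPLE[] = {
    "char buf[64];",
    "gets(buf);",                              /* reported */
    "fgets(buf, sizeof buf, stdin);",          /* not gets(): different identifier */
    "strcpy (buf, src);",                      /* reported, space before '(' */
    "int strcpy_calls = 0;",                   /* not a call */
    "snprintf(buf, sizeof buf, \"%s\", src);", /* not sprintf() */
    "sprintf(buf, \"%s\", src);",              /* reported */
};
#define N_SAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Runs the checker over the sample; returns the total number of findings. */
int check_sample(FILE *report)
{
    int total = 0;
    for (size_t i = 0; i < N_SAMPLE; i++) {
        total += check_line(SAMPLE[i], (int)i + 1, report);
    }
    return total;
}

int main(void)
{
    int total = check_sample(stdout);
    printf("%d finding(s) in %zu lines\n", total, N_SAMPLE);
    return 0;
}
```

A checker like this knows nothing about how large `buf` is or where `src` came from; it reports the practice, not a proven bug. That gap is what the data flow analysis on the following slide addresses, at the cost of simulating execution paths instead of matching text.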

Page 32

Data Flow Analysis

What:
• Simulate execution to find patterns
• Analyze paths
• Analyze data usage

Why:
• Find real bugs
• Find security vulnerabilities

Page 33

Penetration Testing

Verify that security policy is working

Tests from the outside in

Variety of scenarios such as:
• Parameter fuzzing
• SQL and XPath injection
• Cross-site scripting
• XML bombs
• …

Page 34

IAST Defined

IAST – Interactive Application Security Testing

SAST – Static Application Security Testing

DAST – Dynamic Application Security Testing

• IAST combines SAST and DAST techniques
• IAST improves accuracy
• IAST determines which code is related to a vulnerability found in testing

Page 35

Hybrid Security Analysis - IAST

Penetration testing to automatically generate and run penetration attack scenarios

Runtime error detection to monitor the back-end during test execution to determine whether security is actually compromised

Correlates each runtime error with the functional test being run—allowing you to trace each reported error to the specific use case

Page 36

Conclusion

Standards and static analysis applied properly prevent errors

Integrated results provide control, measurement, and traceability

Cost of solid prevention methodology is less than the cost of dealing with bad software

Page 37

Coming up

June 2-4 • Device Developer Conference

June 10-12 • QCon Conference

June 10-11 • Better Software Conference West

http://www.parasoft.com/media/events

Page 38

Security Resources

CWE – Common Weakness Enumeration • http://cwe.mitre.org

OWASP - Open Web Application Security Project • http://www.owasp.org

PCI – Payment Card Industry Security Standards • https://www.pcisecuritystandards.org

Hack.me – Community-based security learning project • https://hack.me

Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov

Page 39

Web http://www.parasoft.com/jsp/resources

Blog http://alm.parasoft.com

Social Facebook: https://www.facebook.com/parasoftcorporation

Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon

LinkedIn: http://www.linkedin.com/company/parasoft

Google+ Community: Static Analysis for Fun and Profit