busted! how to find security bugs fast!
TRANSCRIPT
Parasoft Copyright © 2015 1
28.05.2015
Busting Software Bugs to Boost Application Security
Arthur “Code Curmudgeon” Hicken
May 2015
GoToWebinar Housekeeping
Your Participation
Open and hide your control panel
Join audio:
• Choose “Mic & Speakers” to use VoIP
• Choose “Telephone” and dial using the information provided
Submit questions and comments via the Questions panel
Note: Today’s presentation is being recorded and will be provided within 48 hours.
Your Presenter
Arthur Hicken has been involved in automating various practices at Parasoft for over 20 years. He has worked on projects including database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems.
Arthur has worked with IT departments in companies such as Cisco, Vanguard, and Motorola to help improve their software development practices.
Agenda
How security processes are like quality processes
How software bugs are security vulnerabilities
How static analysis can prevent defects and improve security
Internet of Things Vulnerabilities
One weak spot is all it takes
Exploitable Software Weaknesses (CWEs) are sources for future Zero-Day Attacks
Poll 1
Is software security the same as application security?
• Yes
• No
• That’s a silly question
Software Security Defined
Software security is the idea of engineering software so that it continues to function correctly under malicious attack.
Software security is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects and users about how to build secure things.
(Gary McGraw, Cigital)
https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security
Application Security Defined
Put succinctly, application security is based primarily on finding and fixing known security problems after they’ve been exploited in fielded systems. Software security… identifies and expunges problems in the software itself.
Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities.
(Gary McGraw, Cigital)
SEI Research
Predicting Software Assurance Using Quality and Reliability Measures
Security and reliability go hand in hand
You can predict security based on defects
Static analysis is integral to improvement
Most critical defects are coding mistakes
http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=428589
Security problems
½ are design flaws
• Missing authorization
• Improper encryption
• Improper password handling
• Allowing data to be tainted
• …
½ are code defects
• Buffer overflow
• Data leakage
• …
Security Belongs to Quality
If you have a quality problem, you have a security problem.
Modern systems are complex, and defects don’t always manifest when systems are used the same way they are tested.
The number of possible conditions may be infinite.
Security and reliability have to be designed and engineered in. You can’t test them in.
Poll 2
Our security group:
• Is part of DevOps
• Is part of QA
• Stands on its own
• Our what now?
Copyright XKCD http://xkcd.com/538/
Quality Processes
Policy Management & Enforcement
Peer Code Review
Unit Testing / Continuous Regression
Runtime Error Detection
Hybrid Analysis
Static Code Analysis
Prevention over reaction
Reporting / Analytics
Software Security Best Practices
Software Security, Gary McGraw, Copyright 2003 © Cigital. Reprinted from the March/April 2004 issue of IEEE Security & Privacy.
Important Steps
Train developers in secure development so that they can prevent – or at least find and fix – security problems
Design and build your system with a deliberate focus on quality and security
Collect/measure defect data (quality AND security) and use it to assess and improve your development practices
Poll 3
Do bugs in open-source code represent security vulnerabilities?
• Yes
• I’m not sure
• No
• I never thought about it
Copyright XKCD http://imgs.xkcd.com/comics/golden_hammer.png
Bugs are vulnerabilities
Heartbleed example
HEARTBLEED BUSTED
MISRA C 2004 20.3 • “The validity of values passed to library functions shall be checked”
CWE-20 • “Improper input validation”
CWE-114 • “Process control”
CWE-125 • “Out-of-bounds read”
CWE-130 • “Improper handling of length parameter inconsistency”
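As an added illustration of the rules listed above (not code from the slides and not OpenSSL’s code), the constructed, simplified record format below shows the CWE-130 / CWE-125 pattern next to the MISRA C 20.3 fix: a length field carried inside the record is trusted by the unchecked copy, while the checked version validates it against the number of bytes actually received before memcpy sees it. The record layout, function names and sample buffer are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified heartbeat-style record (not OpenSSL's code):
 * [type:1][payload_len:2 big-endian][payload][padding:16] */
#define HB_HDR 3u
#define HB_PAD 16u

static uint16_t hb_claimed_len(const unsigned char *rec) {
    return (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
}

/* Vulnerable form (CWE-130, CWE-125): trusts the length field in the record
 * and never consults rec_len, the number of bytes actually received, so the
 * copy runs past the record whenever the field overstates the payload. */
size_t hb_reply_unchecked(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap) {
    uint16_t n = hb_claimed_len(rec);
    (void)rec_len;
    if (n > out_cap) return 0;
    memcpy(out, rec + HB_HDR, n);
    return n;
}

/* Hardened form (MISRA C 2004 20.3, CWE-20): check the length field against
 * the record actually received before any library call uses it. */
int hb_record_consistent(const unsigned char *rec, size_t rec_len) {
    if (rec == NULL || rec_len < HB_HDR + HB_PAD) return 0;
    return (size_t)hb_claimed_len(rec) <= rec_len - HB_HDR - HB_PAD;
}

size_t hb_reply_checked(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t out_cap) {
    if (!hb_record_consistent(rec, rec_len)) return 0;  /* drop the record */
    return hb_reply_unchecked(rec, rec_len, out, out_cap);
}

int main(void) {
    /* Constructed receive buffer: 'S' bytes stand in for stale memory beyond
     * the 23 bytes actually received (3 header + 4 payload + 16 padding). */
    unsigned char rx[64], out[64];
    memset(rx, 'S', sizeof rx);
    rx[0] = 1; rx[1] = 0; rx[2] = 40;        /* field claims a 40-byte payload */
    memcpy(rx + HB_HDR, "ping", 4);
    size_t got = hb_reply_unchecked(rx, 23, out, sizeof out);
    printf("unchecked copied %zu bytes, %zu beyond the 4-byte payload\n", got, got - 4);
    printf("checked copied %zu bytes\n", hb_reply_checked(rx, 23, out, sizeof out));
    return 0;
}
```

The sample keeps the over-read inside a deliberately oversized local buffer so the demonstration stays within defined behaviour; on real input the same unchecked copy reads whatever follows the record in memory.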
One “simple” quality problem
Buffer Security Issues in CWE
• CWE 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE 120 Buffer Copy w/o Checking Size of Input
• CWE 121 Stack-based Buffer Overflow
• CWE 122 Heap-based Buffer Overflow
• CWE 125 Out-of-bounds Read
• CWE 131 Incorrect Calculation of Buffer Size
• CWE 680 Integer Overflow to Buffer Overflow
Buffer Impact
CWE Technical Impacts:
• Read memory
• Modify memory
• DoS: crash / exit / restart; resource consumption (CPU); resource consumption (memory)
• Execute unauthorized code or commands
Are there more?
Run the same coding standard on the rest of the file
Risk management – OWASP style
• Prevalence: likelihood of an application having that vulnerability
• Detectability: likelihood of an attacker discovering that vulnerability
• Exploitability: likelihood of an attacker successfully exploiting that vulnerability
• Impact: typical technical impact if that vulnerability is successfully exploited
Key Points
Static code analysis eases the burden on QA allowing for development work to continue in parallel with manual testing efforts.
Root cause analysis of defects can influence the development policy in order to prevent making the same mistake again.
Prevention
Flavor of the month
The only way to find the Heartbleed bug with today’s leading tools is to write custom rules or overrides, which means that you have to anticipate that this code is bad in the first place. You’d be better off spending your time reviewing or testing the code more carefully instead.
Jim Bird – Building Real Software Blog
Purpose of Coding Standards
“Proven programming practices leading to safe, reliable, testable, and maintainable code”
“Address potentially unsafe C language features, and provide programming rules to avoid those pitfalls”
“By providing “safer” alternatives to “unsafe” facilities, known problems … are avoided. In essence, programs are written in a “safer” subset of a superset.”
Standard Standards
MISRA
ISO 26262
FDA
HIPAA
Section 508
OWASP Top 10
JSF
DISA STIG
CWE
Simple Prevention Process – an example
Detect the error
• Load testing shows leaking connections to the database
Find the cause
• Open connections aren’t being closed, causing resource leaks
Locate the point in production that caused the error
• Developer has forgotten to close db connections upon client termination
Implement preventative process
• Use a coding standard to ensure each open connection is closed before exit
Monitor the process
• Use static analysis to enforce the standard
Add regression test
• Add a test to verify the problem was fixed and doesn’t return
Preventative standards examples
Object-Oriented
• Avoid "public"/"protected"/package-private instance fields
• Do not override an instance "private" method
• Do not hide inherited fields
• …
Best Practices
• Avoid returning "handles" to internal data from const member functions
• Declare at least one constructor to prevent the compiler from doing so
• Declare reference parameters as const references whenever possible
• …
Unused Code
• Avoid unused local variables
• Avoid unused "private" fields
• …
Class Metrics
• Follow the limit for Cyclomatic Complexity (default < 30)
• Follow the limit for number of “<type>” fields (private, etc.)
• Follow the limit on class hierarchy depth
• …
…
Pattern-Based Static Analysis
What:
• Identify specific patterns in the code
Why:
• Find dangerous practices
• Prevent defects
• Ensure inclusion of required items
• Security
• Authentication
• Encryption
Data Flow Analysis
What:
• Simulate execution to find patterns
• Analyze paths
• Analyze data usage
Why:
• Find real bugs
• Find security vulnerabilities
Penetration Testing
Verify that security policy is working
Tests from the outside in
Variety of scenarios such as
• Parameter fuzzing
• SQL and XPath injection
• Cross Site Scripting
• XML Bombs
• …
IAST Defined
IAST – Interactive Application Security Testing
SAST – Static Application Security Testing
DAST – Dynamic Application Security Testing
IAST combines SAST and DAST techniques
IAST improves accuracy
IAST determines which code is related to a vulnerability found in testing
Hybrid Security Analysis - IAST
Penetration testing to automatically generate and run penetration attack scenarios
Runtime error detection to monitor the back-end during test execution to determine whether security is actually compromised
Correlates each runtime error with the functional test being run—allowing you to trace each reported error to the specific use case
Conclusion
Standards and static analysis applied properly prevent errors
Integrated results provide control, measurement, and traceability
Cost of solid prevention methodology is less than the cost of dealing with bad software
Coming up
June 2-4
• Device Developer Conference
June 10-12
• QCon Conference
June 10-11
• Better Software Conference West
http://www.parasoft.com/media/events
Security Resources
CWE – Common Weakness Enumeration • http://cwe.mitre.org
OWASP – Open Web Application Security Project • http://www.owasp.org
PCI – Payment Card Industry Security Standards • https://www.pcisecuritystandards.org
Hack.me – Community-based security learning project • https://hack.me
Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov
Web http://www.parasoft.com/jsp/resources
Blog http://alm.parasoft.com
Social Facebook: https://www.facebook.com/parasoftcorporation
Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon
LinkedIn: http://www.linkedin.com/company/parasoft
Google+ Community: Static Analysis for Fun and Profit