Software Safety and Security Through Standards
TRANSCRIPT
Copyright © 2016 Parasoft
15.09.2016
Arthur Hicken - Parasoft
Your Presenter
Arthur Hicken is Chief Evangelist at Parasoft, where he has been involved in automating various software development and testing practices for over 20 years.
He has worked on projects including cybersecurity, database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems, and he maintains the IoT Hall-of-Shame: http://bit.ly/iotshame
Follow him @codecurmudgeon. Blog: http://codecurmudgeon.com Web: http://parasoft.com
Agenda
Software is everywhere
Software CAN hurt you
Software should be engineering
Good software costs less than bad software
Standards drive improvement
Things are Everywhere
Industrial Automation, Smart Health, Smart Home, Smart City
Software Failures = Headlines 2015
-$2.55 Bn / -4.06%: the day of the announcement, companies lost this average of shareholder value.
Software failures make headline news — eroding customer confidence, shareholder value and brand equity.
HOW QUALITY AFFECTS SOFTWARE COSTS
[Chart: COST against TIME across the Requirements, Design, Coding, Testing and Maintenance phases, comparing a "Pathological" and a "Healthy" project; the gap between them is technical debt.]
Poor quality is cheaper until the end of the coding phase. After that, high quality is cheaper.
Source: Software Quality 2011: A Survey of the State of the Art in Software – Capers Jones
Why find bugs early?
[Chart: relative cost of fixing defects by lifecycle phase, contrasting an early code audit with a late code audit and penetration test.]
Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006
Software Safety in a Nutshell
§ Software development is almost never engineering
§ Lack of repeatability
§ Lack of well-exercised best practices
§ Lack of reliance on building standards
§ Developer training unknown and inconsistent
Purpose of Coding Standards
§ “Proven programming practices leading to safe, reliable, testable, and maintainable code”
§ “Address potentially unsafe C language features, and provide programming rules to avoid those pitfalls”
§ “By providing ‘safer’ alternatives to ‘unsafe’ facilities, known problems … are avoided. In essence, programs are written in a ‘safer’ subset of a superset.”
Standard Standards
MISRA
ISO 26262
DO-178B/C
SANS/CERT
OWASP Top 10
JSF
DISA STIG
CWE
SEI Research
Predicting Software Assurance Using Quality and Reliability Measures
• Security and reliability go hand-in-hand
• You can predict security based on defects
• Static analysis is integral to improvement
• Many (or most!) critical defects are coding mistakes
http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=428589
Software Security Defined
§ Software security is the idea of engineering software so that it continues to function correctly under malicious attack.
§ Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities.
(Gary McGraw, Cigital)
https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security
Why MISRA for things that aren’t cars?
§ Coding Standards
§ Well-defined
§ Updated
§ Flexible
§ Deviation Strategy
§ Auditable
§ Why not?
INADEQUATE DEFECT REMOVAL IS MAIN CAUSE OF POOR SOFTWARE QUALITY
• Individual programmers are only 35% efficient in finding bugs in their own software
• The sum of all normal test steps is often less than 75% effective (1 of 4 bugs remains)
• Design Reviews and Code Inspections, however, are often 65% effective; can top 85%
• Static analysis is often 65% effective; can top 85%
• Reviews and Inspections can lower costs and schedules by as much as 30%
EXAMPLES OF TYPICAL CODE DEFECTS
SOURCES: SANS INSTITUTE AND MITRE (www.SANS.org and www.CWE-MITRE.org)
§ Errors in SQL queries
§ Failure to validate inputs
§ Failure to validate outputs
§ Race conditions
§ Leaks from error messages
§ Unconstrained memory buffers
§ Loss of state data
§ Incorrect branches; hazardous paths
§ Careless initialization and shutdown
§ Errors in calculations and algorithms
§ Hard coding of variable items
§ Reusing code without validation or context checking
§ Changing code without changing comments that explain code
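Two of the defects in the list above, unconstrained memory buffers and failure to validate inputs, shown beside the bounded, validating form a coding rule of the MISRA/CERT kind would require. This is an added C++ example and is not code from the slides or from Parasoft; the DeviceRecord type, its 8-byte id field, the allowed alphabet and the set_id_* function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Assumed record layout: a device id of at most 7 characters plus the NUL terminator.
constexpr std::size_t kIdCapacity = 8;

struct DeviceRecord {
    char id[kIdCapacity];
};

// DEFECT (unconstrained memory buffer): strcpy() copies until it meets a NUL,
// so an id of 8 or more characters writes past the end of rec.id. A
// pattern-based rule flags the banned function without ever running the code.
void set_id_unchecked(DeviceRecord& rec, const char* id) {
    std::strcpy(rec.id, id);
}

// Hardened: validate length and character set first, copy a bounded number of
// bytes, and report failure instead of truncating or overflowing silently.
bool set_id_checked(DeviceRecord& rec, const std::string& id) {
    if (id.empty() || id.size() >= kIdCapacity) {
        return false;  // would not fit together with the terminator
    }
    for (char c : id) {
        const bool allowed = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z');
        if (!allowed) {
            return false;  // anything outside the expected alphabet is rejected
        }
    }
    std::memcpy(rec.id, id.data(), id.size());
    rec.id[id.size()] = '\0';
    return true;
}

// Constructed inputs exercising the accept path and both reject paths.
bool accepts_valid_id() {
    DeviceRecord rec{};
    return set_id_checked(rec, "DEV0042") && std::strcmp(rec.id, "DEV0042") == 0;
}
bool rejects_overlong_id() {
    DeviceRecord rec{};
    return !set_id_checked(rec, "DEV000042");   // 9 characters: would overflow
}
bool rejects_bad_character() {
    DeviceRecord rec{};
    return !set_id_checked(rec, "DEV;042");     // ';' is not in the alphabet
}

int main() {
    return (accepts_valid_id() && rejects_overlong_id() && rejects_bad_character()) ? 0 : 1;
}
```

The unchecked function is never called here; it is present only so the two forms can be compared. Note that a pattern rule catches it by the presence of strcpy alone, whereas the checked form needs no special-case reasoning because every copy is bounded by kIdCapacity.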
Preventative standards examples
Object-Oriented
• Avoid "public"/"protected"/package-private instance fields
• Do not override an instance "private" method
• Do not hide inherited fields
• …
Best Practices
• Avoid returning "handles" to internal data from const member functions.
• Declare at least one constructor to prevent the compiler from doing so.
• Declare reference parameters as const references whenever possible
• …
Unused Code
• Avoid unused local variables
• Avoid unused "private" fields
• …
Class Metrics
• Follow the limit for Cyclomatic Complexity (default < 30)
• Follow the limit for number of “<type>” fields (private, etc.)
• Follow the limit on class hierarchy depth
• …
…
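The "Best Practices" rules above (no handles to internal data from const member functions, explicit constructors, const reference parameters) as an added C++ example that is not from the slides or from Parasoft: a class that violates the handle rule beside a compliant one, with a check showing why the rule exists. The LeakyConfig and SafeConfig classes, the 16-byte capacity and the helper names are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <string>
#include <type_traits>
#include <utility>

// Assumed fixed capacity for the stored text (illustration only).
constexpr std::size_t kTextCapacity = 16;

// Copies at most kTextCapacity-1 bytes of text into dst and terminates it.
void bounded_copy(char* dst, const std::string& text) {
    const std::size_t n = text.size() < kTextCapacity - 1 ? text.size() : kTextCapacity - 1;
    std::memcpy(dst, text.data(), n);
    dst[n] = '\0';
}

// VIOLATION: data() is const, but it returns a non-const handle to the heap
// buffer the object owns. "const" only makes the pointer member const, not
// the bytes it points to, so the handle leaks write access to internal state.
class LeakyConfig {
public:
    explicit LeakyConfig(const std::string& initial) : buf_(new char[kTextCapacity]) {
        bounded_copy(buf_.get(), initial);
    }
    char* data() const { return buf_.get(); }
private:
    std::unique_ptr<char[]> buf_;
};

// COMPLIANT: the const accessor hands out a read-only view, mutation goes
// through a non-const member, and the parameter is a const reference.
class SafeConfig {
public:
    explicit SafeConfig(const std::string& initial) : buf_(new char[kTextCapacity]) {
        set(initial);
    }
    const char* data() const { return buf_.get(); }
    void set(const std::string& text) { bounded_copy(buf_.get(), text); }
private:
    std::unique_ptr<char[]> buf_;
};

// A caller holding only a const reference to a LeakyConfig can still rewrite
// its contents; the aliased object is non-const, so this is well-defined and
// compiles without any warning.
bool leaky_allows_mutation_through_const() {
    LeakyConfig cfg("alpha");
    const LeakyConfig& read_only = cfg;
    read_only.data()[0] = 'X';
    return std::strcmp(cfg.data(), "Xlpha") == 0;
}

// For SafeConfig the same write is a compile error; check the handle type
// instead so the property can be asserted at run time.
bool safe_handle_is_read_only() {
    using Handle = decltype(std::declval<const SafeConfig&>().data());
    return std::is_same<Handle, const char*>::value;
}

int main() {
    return (leaky_allows_mutation_through_const() && safe_handle_is_read_only()) ? 0 : 1;
}
```

This is a rule that pattern-based analysis enforces cheaply (a const member function whose return type is a non-const pointer or reference to a member), and the example shows the consequence the rule prevents: a const-qualified view that is not actually read-only.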
Static analysis
§ Analysis of a computer program that is performed without executing the software
§ Key impact: prevent or reduce the risk of erroneous coding
§ Advantages:
§ comprehensive and unbiased
§ results are available way before the application runs
§ Typically includes:
§ Compiler warnings
§ Coding standards/policies
§ Flow analysis/path simulation
§ Metrics (e.g. complexity)
What is: Pattern-Based SA
§ What:
§ Identify specific patterns in the code
§ Why:
§ Find bugs
§ Ensure inclusion of required items
§ Security
§ Branding
§ Prevent Problems
§ Improve Developers
Pattern-Based Static Analysis
§ Quick scan to list possible problems
§ Fixing violations prevents certain classes of errors
§ Each source file is analyzed separately
§ Static analysis categories include:
§ Logical Errors
§ API Misuse
§ Typographical Errors
§ Security
§ Threads and Synchronization
§ Performance and Optimization
What is: Data Flow Analysis
§ What:
§ Simulate execution to find patterns
§ Why:
§ Find real bugs
Data Flow Analysis
§ Simulate hypothetical execution paths
§ Detect possible errors along those paths
§ Data flow analysis error categories include:
§ Exceptions
§ Optimization
§ Resource Leaks
§ API misuse
§ Security
Static analysis – what it can do
§ Identify defective code - runtime bugs
§ Flag defect-prone code (possible bugs and “gotchas”)
§ Suggest defensive programming practices
§ Monitor application-specific guidelines (e.g. portability)
§ Enable policy enforcement (security)
§ Flag unmaintainable/poorly readable/“dialect” code
§ Train developers to code better
Static Analysis Prevention
§ Relationship of automated analysis
§ Preventative static analysis
§ Flow analysis
§ Runtime error detection
§ Uninitialized memory example
§ Runtime will find it IF the test suite is thorough
§ Flow analysis may find it depending on complexity
§ Pattern to prevent: Initialize variables upon declaration
§ Much of MISRA is designed to prevent rather than detect
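The uninitialized-memory case from the slide above as an added C++ example, not code from the deck or from Parasoft: the defective function, which only a thorough test suite or a flow analysis that follows the failing branch would catch, beside the version that follows the preventative rule (initialize at declaration), where there is simply no path left for any tool to find. The timeout-parsing scenario, the 0..60000 range and the 1000 ms default are assumptions for illustration.

```cpp
#include <cstdlib>
#include <string>

// Assumed application rule: a timeout is a whole number of milliseconds in
// the range 0..60000, and 1000 ms is the safe fallback (illustration only).
constexpr long kMaxTimeoutMs = 60000;
constexpr int kDefaultTimeoutMs = 1000;

// Returns true when text is a whole decimal number within range; parsed is
// only meaningful when the function returns true.
static bool parse_timeout(const std::string& text, long& parsed) {
    char* end = nullptr;
    parsed = std::strtol(text.c_str(), &end, 10);
    const bool consumed_all = end != text.c_str() && *end == '\0';
    return consumed_all && parsed >= 0 && parsed <= kMaxTimeoutMs;
}

// DEFECT: value is written only on the success path, so on bad input the
// function returns an indeterminate value. Runtime detection needs a test
// that feeds bad input; flow analysis needs to follow the failing branch.
int read_timeout_unchecked(const std::string& text) {
    int value;
    long parsed = 0;
    if (parse_timeout(text, parsed)) {
        value = static_cast<int>(parsed);
    }
    return value;   // indeterminate when parse_timeout() returned false
}

// PREVENTED: the only change is that value is initialized at its declaration.
// Every path now returns either the parsed number or the safe default, and no
// tool has to reason about branches to establish that.
int read_timeout_checked(const std::string& text) {
    int value = kDefaultTimeoutMs;
    long parsed = 0;
    if (parse_timeout(text, parsed)) {
        value = static_cast<int>(parsed);
    }
    return value;
}

int main() {
    const bool ok = read_timeout_checked("250") == 250
                 && read_timeout_checked("abc") == kDefaultTimeoutMs;
    return ok ? 0 : 1;
}
```

The unchecked function is kept only for comparison and is never called. The one-line difference is the point of the slide: a rule that is trivial to check by pattern ("every local has an initializer") removes a whole class of defects that detection tools can only find case by case.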
How to choose rules
§ Based on why you’re using static analysis
§ Study expected issues
§ Analyze bug-tracking system
§ Don’t just turn on rules because it’s a good idea
§ Pick few enough to use sustainably
Being Successful
§ Choose rules carefully
§ Implement progressively
§ Fewer to more rules
§ Extend date backward
§ Suppressions to manage noise
[Figure: "QUALITY" arrow; Code Review and Regression Testing]
Conclusion
Standards and static analysis applied properly prevent errors
Cost of solid prevention methodology is less than the cost of dealing with bad software
Cost of good software is less than bad software
Cost of quality, safe, secure software is less than the cost of a recall
Security Resources
CWE – Common Weakness Enumeration • http://cwe.mitre.org
CERT - Secure Coding Guidelines • https://www.securecoding.cert.org
Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov
Parasoft • http://www.parasoft.com
§ Email: [email protected]
§ Web:
§ http://www.parasoft.com/
§ http://codecurmudgeon.com
§ Facebook:
§ https://facebook.com/parasoftcorporation
§ https://facebook.com/codecurmudgeon
§ Twitter: @Parasoft @CodeCurmudgeon
§ LinkedIn: http://www.linkedin.com/company/parasoft
§ Google+ Community: Static Analysis for Fun and Profit