290 likes | 464 Vues
Cigital Software Security and Software Quality Services 21 July 2011. www.cigital.com info@cigital.com 703-404-9293. What We Do …. Cigital helps clients design, develop, deliver, and sustain secure software that continues to work under malicious attack. A Little Bit About Us ….
E N D
CigitalSoftware Security and Software Quality Services21 July 2011 www.cigital.com info@cigital.com 703-404-9293
What We Do … Cigital helps clients design, develop, deliver, and sustain secure software that continues to work under malicious attack.
A Little Bit About Us … • Founded in 1992– Cigital “wrote the book” on software security and software quality programs • Recognized experts in software security and software quality • Widely published in books, white papers, and articles • Industry thought leaders • Invented the first commercial Static Analysis Tool (Licensed to Fortify) • Extensive Industry Standards, Best Practices, and Regulatory Compliance Experience
Cigital Affiliations … • Cigital is a participating member and holds leadership positions in key industry organizations • ISC2: Technical Advisory Board for Certified Secure Software Lifecycle Professional (CSSLP) • Cloud Security Alliance: One of the founders • OWASP Northern Virginia: Chapter Leader • IEEE: Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine
Apps S/W Unauthorized or Authorized access The Security Problem … Insider Threat (Trusted Agent) Traditional Focus Network Data Needed Focus
Even More Software Security Headlines … Any organization that is unwilling to believe it may have already been penetrated and that is not actively looking for signs of intrusion beyond what its network black boxes are telling it is living in a fantasy world.
Why You Should Care … • How likely is a successful software application attack? • Stunningly prevalent • Easy to exploit without special tools or knowledge • Little chance of being detected • Hundreds of thousands of developers, tiny fraction with security • Consequences? • Corruption or disclosure of database contents • Root access to web and application servers • Loss of authentication and access control for users • Defacement • Secondary attacks from your site • Application Security is becoming an increasingly important part of Cyber Security
But my system has been certified!!! Critical Vulnerability: extremely high likelihood and impact on application confidentiality, integrity, and or availability. High Vulnerability: high potential for significant impact on application confidentiality, integrity, and or availability. Vulnerability: software bug or design flaw that may be exploited by threat agents and represents a risk to assets and owners. • Cigital has performed hundreds of software assessments for systems that have received ATO. • For applications receiving ATO/IATO: on average in the Federal Government ... • 1 vulnerability per 8 source lines of code • 1 high vulnerability per 31 source lines of code • 1 critical vulnerability per 69 source lines of code
Another Reason To Care … • The new Application Security and Development STIG (Version 3, Release 2, dated 29 October 2010) has an increased software assurance focus to include, but not limited to: • software threat assessments • static/dynamic/binary analysis • other manual secure code reviews • secure coding standards • application software assurance training for managers, designers, developers, and testers ... • and more …
and the Federal Government is Piling On … • HR6523, the 2011 National Defense Appropriations Act, Section 932 Strategy on Computer Software Assurance includes language in section (C) (3) requires “(3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for— (A) assuring the security of software and software applications during software development; (B) detecting vulnerabilities during testing of software; and (C) detecting intrusions during real-time monitoring of software applications.”
Tools are part of the solution … • There is a tendency for over-reliance on tools • Software security is more art than science • Tools perform very differently depending on who operates them • Accurately configuring tools dramatically reduces false positives • There is no one size fits all tool • There are no tools for analyzing the security of software architectures • Cigital is capable of detailing how to fix discovered vulnerabilities
… but Tools aren’t the answer • Code scanning tools don’t address all software languages • Design flaws account for 50% of security problems. • Automated tools can’t help you • You can’t find design defects by staring at code—a higher-level understanding is required • Tools can’t address • Security requirements • Governance and compliance • Secure coding standards • Knowledge and training
It’s Time To Fix the Software • Which bugs in this pile should I fix? • But what about flaws? Software security and application security today focus on finding bugs The time has come to stop looking for new bugs to add to the list … and start actually fixing things!
Our Value-Add … Building Security In Software Security Touchpoints Application security is a people, process, and technology problem throughout the entire software development life cycle … because the most effective approaches to application security include improvements in all of these areas.
Cigital Services … Integration of quality assurance and testing best practices into both your projects and enterprise … Software Quality Services Software Security Services • Quality Review Services • Organizational Quality Strategy & Roadmap (TPI) • Application Risk Assessment • Independent Verification and Validation (IV&V) • Metrics & Measurement • Portfolio Risk Management • Software Quality Training • Full Life-cycle Testing • Test Automation • Load and Performance Testing • Security Testing • Independent QA Execution • Test Strategy and Planning • Agile Development Testing • Integration and System Testing • Software Security Assurance • Security requirements • Secure code review • Architectural risk analysis • Application penetration testing • Security testing • Software Security Training • Complete curriculum • Instructor-led • eLearning • Enterprise Software Security • ESS Framework • ESS Roadmap • Governance and Compliance • Security Assurance • Secure SDLC • Knowledge and Training
Other Useful Resources … • Build Security In software assurance strategic initiative of the National Cyber Security Division (NCSD) of the Department of Homeland Security https://buildsecurityin.us-cert.gov/bsi/home.html • Common Attack Pattern Enumeration and Classification (CAPEC) http://capec.mitre.org/community/index.html • Common Weakness Enumeration (CWE) http://cwe.mitre.org • Common Vulnerabilities and Exposures (CVE) http://cve.mitre.org • Silver Bullet Security Podcast http://www.cigital.com/silverbullet/ • Gary McGraw on informIT http://www.informit.com/authors/bio.aspx?a=b283e5a4-703c-47df-afbf-a9cfa311d46b • Building Security In Maturity Model http://bsimm.com/ • Software Security: Building Security In [THE book on software security] http://www.swsec.com/
Contact … Blair Vorgang Managing Principal Cigital Federal, Inc. (703) 404-9293 x1278 bvorgang@cigital.com Corporate Headquarters: 21351 Ridgetop Circle Suite 400 Dulles, Virginia 20166 www.cigital.com You can’t bolt security features onto code and expect it to become hack-proof. Security must be built in throughout the application development lifecycle….
The Security Problem … • The U.S. Department of Homeland Security (DHS) reports the majority of software vulnerabilities are related to applications. If left untreated, these vulnerabilities may lead to arbitrary code execution, buffer overflow, escalation of privileges, and Denial of Service attacks • DHS reports that 96% of the reported software vulnerabilities are related to applications while 4% are related to the operating system – August 2010 Operating System Vulnerabilities Application Vulnerabilities How much $$ are you spending on 4% of the problem??
The Security Problem … Traditional Defense in Depth Where’s the Rest of the Depth?? An almost exclusive focus on perimeter and network security has become increasingly inadequate The ‘Defense In Depth’ paradigm must consider the root cause of security problems … application and data
35X 30X 25X 20X 15X 10X 5X The Security Problem … Software Vulnerabilities Increasing Causing Expensive Downstream Fixes # of reported vulnerabilities(1) Cost to fix bug by development stage(2) Exponential increase in reported vulnerabilities ~35x more expensive to fix a bug post release than in design Despite spending $12B on Enterprise IT security in 2003, exploitation of software vulnerabilities costs the US economy over $10B, and we continue to see increases in the number of reported vulnerabilities, the number of incidents, and the cost per incident. -Information Week 2004 • CERT Coordination Center at Carnegie Mellon University(Note: does not include unreported vulnerabilities which would be a much higher number) • NIST Report: “Economic Impact of Inadequate Infrastructure for Software Testing”
Case Study … Air Force … Why ASACoE? • Over 33,000 Air Force officer records compromised • Sampled Air Force applications using automated tools • Significant risks exist in Air Force applications
Case Study … Air Force Approach Application Software Assurance Center of Excellence Support Software Assurance Enable Train • Broader strategic approach addressing deployed systems • Tool driven aimed at low-hanging fruit • Multi-perspective analysis • Large scale effort across multiple applications and technologies
Case Study … Results Keep in mind that while ASACoE assessments are not deep and architectural risk isn't addressed ... the security posture of assessed Air Force applications show improvement. 26% 9% 49% 60% 75% 69%
Cigital SecureAssist™ • SecureAssist is an educational tool that provides context sensitive application security guidance directly to the developer’s work environment • SecureAssist Delivers: • Near real-time identification of code vulnerabilities as code is being written in the IDE (no ‘build’ necessary) • Near real-time secure coding training and remediation techniques • Near real-time & continuously available secure coding policies & rules (customizable)