Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Transcription

1 Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013

2 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security Product Management Security Research Group Security Response Team Security Certifications

3 Presentation Overview Secure Development Lifecycles Thinking like an attacker Threat Modelling (Thinking like a defender)

4 Secure Development Lifecycle Adjust to your development model None implicitly create secure software (or quality software)

5 Why Bother? Requirements Architecture & Design Implementation QA Sustainment Cheapest Cheaper Cheap Enough Quite Expensive Very Expensive Cost to resolve issues increases in the later stages of the product development lifecycle

6 Why Bother? Similar to software quality: Pay me now, or pay me later Increasing connectivity creates more trust boundaries Opportunity for data theft Security is a quality metric Security enables software reliability

7 Ask Yourself What assets does this software need to protect? Credit card numbers User data Accounts Access to paid services Privileged access to device Control of host

8 Then Ask How might an attacker access these assets? Eavesdropping Unexpected inputs Other applications Device theft

9 Is it appropriate for the task? Does the security you implement do the job?

10 When to care? Well, we think always. ;-) Performing a risk analysis Do you process user information? Do you connect to the internet or other networks? Do your customers express an interest in security? What coding language do you use?

11 Industry Example Microsoft Internet Information Services (IIS) Widely criticized in 2001 for poor security Microsoft implemented a Security Development Lifecycle Part of SDL is post-release patching (e.g. patching Tuesday) One of the costliest components. By 2006, 50% reduction in vulnerabilities

12 Secure Development Lifecycle Development process goals Create great software quickly Repeatable Reduce chance that designer, developer, or tester introduces a defect (or fails to find an existing one) Let developers write new and cool stuff! Limit re-work, patching, and so on

13 Areas of Focus Education Requirements Architecture and Design Code Response

14 Thinking like an attacker Avoiding thinking in relation to security No one will ever do that No one will ever find that Why would someone want to do that Stored data is safe Always think in relation to security How could this feature or function be misused? Do I trust the source of this data? Is this asset a secret? Does this asset need to be integral?

15 Thinking like an attacker Does my application use external data or services? How does my application transfer data? How does my application process data? How does my application store data? What can interact with my application? How does my application handle failure?

16 Secure Design Attack surface Defense in depth Minimize privilege

17 What are possible security threats?

18 Thinking like an attacker Memory Corruption Race Conditions XML External Entity Injection Weak Randomness Time of Check Time of Use Logic Flaws Cross Site Scripting Insecure File Permissions Use After Free Weak Encryption No Encryption Insecure IPC Mechanisms SQL Injection Information Leakage Cross Site Request Forgery Insecure Session Handling Denial of Service Lack of Data Integrity Checks

19 Missing Authentication Requires authentication Also requires authentication

20 Authentication Component Threat Mitigation Protection Detection Response Recovery Login function Brute Force Account locking Rate limiting Strong passwords CAPTCHA system Unsuccessful login count Log Alert users Aggregate attacks and alert administrator Password resets

21 Missing Authorization Checks Welcome: Admin User User functions Update details Send message Forum post Admin Functions Edit other users Change passwords Change system settings

22 Authorization Component Threat Mitigation Protection Detection Response Recovery Admin functions Unauthorised Access Strong authorization checks Audit Penetration Testing Lock out Fix vulnerability Backups

23 Logic Example if (now > account_expiry && account_lockout == true) {\\reject login}

24 Real VNC Example <Client> Hello I d like to authenticate. <Server> I m configured to support Password or Key or NTAuth. <Client> I choose No Password. <Server> Access granted. <Client>!!!!!

25 Logic Component Threat Mitigation Protection Detection Response Recovery Logic failure Unexpected application state Code Review Negative test cases Very difficult due to unexpected nature Lock out Fix vulnerability Backups State checking routine

26 Data at Rest This is the information that gets dumped on Pastebin Password databases, confidential information High reputational impact

27 Data at Rest Component Threat Mitigation Protection Detection Response Recovery Database Unauthorized Database access Encryption Hashing OS protections Audit logs IDS Customer notification? Compliance issues? Database recovery DB protections

28 Data in Transit These attacks are very simple Wireshark and TCPDump Needs some technical knowledge Firesheep Anyone can hack with this Slightly more sophisticated attacks SSLStrip Snoopy (distributed tracking and sniffing tool)

29 Data in Transit Component Threat Mitigation Protection Detection Response Recovery Device to Server Communication Eavesdropper SSL VPN Very hard to detect Might notice certificate errors Revoke certificates Improve implementati on Issue new certificates

30 Summary Earlier you consider security in your SDL, the cheaper it is Fines Contractual obligations Regulatory fines Publicity Branding impact Testing and delivering post-release fixes Managing response once a vulnerability is exposed

31 More Information BlackBerry developer site Security APIs, Development guides, pitfalls Microsoft Security Development Lifecycle repository Well developed SDL process Vulnerabilities

32 Don t Forget Download the Mobile Conference Guide from BlackBerry World. Search for BlackBerry Jam Europe! Complete your session surveys in your conference portal or on your BlackBerry 10 device using the Mobile Conference Guide. Join us at the BlackBerry Jam Europe Appreciation event tonight in the Europa Foyer on the RAI s ground floor.

33 THANK YOU Barrie Dempster and Jason Foy JAM306 February 6, 2013