Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013


BlackBerry Security Team
Approximately 120 people work within the BlackBerry Security Team:
Security Product Management
Security Research Group
Security Response Team
Security Certifications

Presentation Overview
Secure Development Lifecycles
Thinking like an attacker
Threat Modelling (thinking like a defender)

Secure Development Lifecycle
Adjust to your development model.
None implicitly creates secure software (or quality software).

Why Bother?
Cost to resolve issues increases in the later stages of the product development lifecycle:
Requirements: Cheapest
Architecture & Design: Cheaper
Implementation: Cheap Enough
QA: Quite Expensive
Sustainment: Very Expensive

Why Bother?
Similar to software quality: pay me now, or pay me later.
Increasing connectivity creates more trust boundaries.
Opportunity for data theft.
Security is a quality metric.
Security enables software reliability.

Ask Yourself
What assets does this software need to protect?
Credit card numbers
User data
Accounts
Access to paid services
Privileged access to device
Control of host

Then Ask
How might an attacker access these assets?
Eavesdropping
Unexpected inputs
Other applications
Device theft

Is it appropriate for the task? Does the security you implement do the job?

When to care?
Well, we think always. ;-)
Performing a risk analysis:
Do you process user information?
Do you connect to the internet or other networks?
Do your customers express an interest in security?
What coding language do you use?

Industry Example: Microsoft Internet Information Services (IIS)
Widely criticized in 2001 for poor security.
Microsoft implemented a Security Development Lifecycle.
Part of SDL is post-release patching (e.g. Patch Tuesday), one of the costliest components.
By 2006, 50% reduction in vulnerabilities.

Secure Development Lifecycle
Development process goals:
Create great software quickly
Repeatable
Reduce the chance that a designer, developer, or tester introduces a defect (or fails to find an existing one)
Let developers write new and cool stuff!
Limit re-work, patching, and so on

Areas of Focus
Education
Requirements
Architecture and Design
Code
Response

Thinking like an attacker
Avoiding thinking in relation to security:
"No one will ever do that"
"No one will ever find that"
"Why would someone want to do that?"
"Stored data is safe"
Always think in relation to security:
How could this feature or function be misused?
Do I trust the source of this data?
Is this asset a secret?
Does this asset need to be integral?

Thinking like an attacker
Does my application use external data or services?
How does my application transfer data?
How does my application process data?
How does my application store data?
What can interact with my application?
How does my application handle failure?

Secure Design
Attack surface
Defense in depth
Minimize privilege

What are possible security threats?

Thinking like an attacker
Memory Corruption
Race Conditions
XML External Entity Injection
Weak Randomness
Time of Check Time of Use
Logic Flaws
Cross Site Scripting
Insecure File Permissions
Use After Free
Weak Encryption
No Encryption
Insecure IPC Mechanisms
SQL Injection
Information Leakage
Cross Site Request Forgery
Insecure Session Handling
Denial of Service
Lack of Data Integrity Checks

Missing Authentication
Diagram: two entry points to the same function, labelled "Requires authentication" and "Also requires authentication".

Authentication
Component: Login function
Threat: Brute force
Mitigation, Protection: Account locking; Rate limiting; Strong passwords; CAPTCHA system
Mitigation, Detection: Unsuccessful login count; Log; Alert users
Mitigation, Response: Aggregate attacks and alert administrator
Mitigation, Recovery: Password resets
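The brute-force controls in the Authentication row (unsuccessful login count, rate limiting, account locking, aggregating attempts and alerting the administrator) as one small in-memory policy. This is an added example, not code from the presentation; thresholds and names are assumptions.

```python
from collections import defaultdict, deque

# Constructed example: the slide's protection/detection/response controls for
# a login function, tracked per account over a sliding time window.
MAX_FAILURES = 5        # failures inside the window before the account is locked
WINDOW_SECONDS = 300    # sliding window for counting failures
ALERT_SOURCES = 3       # distinct source IPs failing on one account -> alert admin

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of failed logins
        self.sources = defaultdict(set)     # account -> source IPs that failed
        self.locked = set()
        self.alerted = set()
        self.alerts = []                    # (account, [source IPs]) sent to the admin

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def failure_count(self, account, now):
        self._prune(account, now)
        return len(self.failures[account])

    def backoff_seconds(self, account, now):
        # Rate limiting: exponential delay before the next attempt is accepted.
        n = self.failure_count(account, now)
        return 0 if n == 0 else min(2 ** (n - 1), 60)

    def attempt(self, account, source_ip, password_ok, now):
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        if account in self.locked:
            return "locked"                 # protection: account locking
        if password_ok:
            self.failures[account].clear()
            self.sources[account].clear()
            return "ok"
        self._prune(account, now)
        self.failures[account].append(now)  # detection: unsuccessful login count
        self.sources[account].add(source_ip)
        if len(self.sources[account]) >= ALERT_SOURCES and account not in self.alerted:
            # response: aggregate attempts across sources and alert the administrator
            self.alerted.add(account)
            self.alerts.append((account, sorted(self.sources[account])))
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked.add(account)
            return "locked"
        return "denied"
```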

Missing Authorization Checks
Screen mock-up: "Welcome: Admin User"
User functions: Update details; Send message; Forum post
Admin functions: Edit other users; Change passwords; Change system settings

Authorization
Component: Admin functions
Threat: Unauthorised access
Mitigation, Protection: Strong authorization checks
Mitigation, Detection: Audit; Penetration testing
Mitigation, Response: Lock out; Fix vulnerability
Mitigation, Recovery: Backups

Logic Example
if (now > account_expiry && account_lockout == true) { // reject login }

Real VNC Example
<Client> Hello, I'd like to authenticate.
<Server> I'm configured to support Password or Key or NTAuth.
<Client> I choose No Password.
<Server> Access granted.
<Client> !!!!!

Logic
Component: Logic
Threat: Logic failure; Unexpected application state
Mitigation, Protection: Code review; Negative test cases
Mitigation, Detection: Very difficult due to unexpected nature
Mitigation, Response: Lock out; Fix vulnerability
Mitigation, Recovery: Backups; State checking routine
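The two logic failures shown on the slides (the login-rejection condition and the VNC auth negotiation), each beside a corrected version, with the negative test cases the Logic row calls for. This is an added example, not code from the presentation; the function names, the simulated handshake replies and the auth-type strings are assumptions.

```python
# Constructed example: a logic flaw passes every "happy path" test, so the
# negative cases below feed it exactly the inputs it mishandles.

def reject_login_flawed(now, account_expiry, account_lockout):
    # Slide's condition: rejects only when the account is BOTH expired AND locked,
    # so an expired-but-unlocked or locked-but-unexpired account still gets in.
    return now > account_expiry and account_lockout

def reject_login_fixed(now, account_expiry, account_lockout):
    # Either condition on its own must reject the login.
    return now > account_expiry or account_lockout

NO_PASSWORD = "No Password"   # illustrative auth-type name from the slide's exchange

def server_handshake(offered, client_choice, password_ok=False, check_offered=True):
    """Server's reply once the client has named its auth type.
    check_offered=False reproduces the slide's exchange: the server lets the
    client pick a type the server never offered."""
    if check_offered and client_choice not in offered:
        return "Access denied: auth type not offered"
    if client_choice == NO_PASSWORD:
        return "Access granted"     # this type asks for no secret at all
    return "Access granted" if password_ok else "Access denied: bad credentials"

def negative_tests():
    """Runs the inputs a logic flaw mis-handles; returns the failures found."""
    failures = []
    login_cases = [
        ("expired, not locked", 200, 100, False),
        ("locked, not expired", 50, 100, True),
    ]
    for name, now, expiry, locked in login_cases:
        if not reject_login_flawed(now, expiry, locked):
            failures.append("flawed login check accepts: " + name)
        if not reject_login_fixed(now, expiry, locked):
            failures.append("fixed login check accepts: " + name)
    offered = ["Password", "Key", "NTAuth"]
    if server_handshake(offered, NO_PASSWORD, check_offered=False) == "Access granted":
        failures.append("flawed handshake grants access with unoffered type")
    if server_handshake(offered, NO_PASSWORD) == "Access granted":
        failures.append("fixed handshake grants access with unoffered type")
    return failures
```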

Data at Rest
This is the information that gets dumped on Pastebin: password databases, confidential information.
High reputational impact.

Data at Rest
Component: Database
Threat: Unauthorized database access
Mitigation, Protection: Encryption; Hashing; OS protections
Mitigation, Detection: Audit logs; IDS
Mitigation, Response: Customer notification? Compliance issues?
Mitigation, Recovery: Database recovery; DB protections

Data in Transit
These attacks are very simple.
Wireshark and TCPDump: needs some technical knowledge.
Firesheep: anyone can hack with this.
Slightly more sophisticated attacks: SSLStrip; Snoopy (distributed tracking and sniffing tool).

Data in Transit
Component: Device to server communication
Threat: Eavesdropper
Mitigation, Protection: SSL; VPN
Mitigation, Detection: Very hard to detect; Might notice certificate errors
Mitigation, Response: Revoke certificates; Improve implementation
Mitigation, Recovery: Issue new certificates

Summary
The earlier you consider security in your SDL, the cheaper it is:
Fines
Contractual obligations
Regulatory fines
Publicity
Branding impact
Testing and delivering post-release fixes
Managing response once a vulnerability is exposed

More Information
BlackBerry developer site: http://developer.blackberry.com (Security APIs, development guides, pitfalls)
Microsoft Security Development Lifecycle repository: http://www.microsoft.com/security/sdl/default.aspx (well developed SDL process)
Vulnerabilities: secure@rim.com

Don't Forget
Download the Mobile Conference Guide from BlackBerry World. Search for BlackBerry Jam Europe!
Complete your session surveys in your conference portal or on your BlackBerry 10 device using the Mobile Conference Guide.
Join us at the BlackBerry Jam Europe Appreciation event tonight in the Europa Foyer on the RAI's ground floor.

THANK YOU Barrie Dempster and Jason Foy JAM306 February 6, 2013