Protect Your Application with Secure Coding Practices
Barrie Dempster & Jason Foy
JAM306, February 6, 2013
BlackBerry Security Team
Approximately 120 people work within the BlackBerry Security Team:
- Security Product Management
- Security Research Group
- Security Response Team
- Security Certifications
Presentation Overview
- Secure Development Lifecycles
- Thinking like an attacker
- Threat Modelling (thinking like a defender)
Secure Development Lifecycle
- Adjust to your development model
- None implicitly create secure software (or quality software)
Why Bother?
Cost to resolve issues increases in the later stages of the product development lifecycle:
- Requirements: cheapest
- Architecture & Design: cheaper
- Implementation: cheap enough
- QA: quite expensive
- Sustainment: very expensive
Why Bother?
- Similar to software quality: "Pay me now, or pay me later"
- Increasing connectivity creates more trust boundaries
- Opportunity for data theft
- Security is a quality metric
- Security enables software reliability
Ask Yourself
What assets does this software need to protect?
- Credit card numbers
- User data
- Accounts
- Access to paid services
- Privileged access to device
- Control of host
Then Ask
How might an attacker access these assets?
- Eavesdropping
- Unexpected inputs
- Other applications
- Device theft
Is it appropriate for the task?
Does the security you implement do the job?
When to care?
Well, we think always. ;-)
Performing a risk analysis:
- Do you process user information?
- Do you connect to the internet or other networks?
- Do your customers express an interest in security?
- What coding language do you use?
Industry Example
Microsoft Internet Information Services (IIS)
- Widely criticized in 2001 for poor security
- Microsoft implemented a Security Development Lifecycle
- Part of SDL is post-release patching (e.g. Patch Tuesday), one of the costliest components
- By 2006, 50% reduction in vulnerabilities
Secure Development Lifecycle
Development process goals:
- Create great software quickly
- Repeatable
- Reduce the chance that a designer, developer, or tester introduces a defect (or fails to find an existing one)
- Let developers write new and cool stuff!
- Limit re-work, patching, and so on
Areas of Focus
- Education
- Requirements
- Architecture and Design
- Code
- Response
Thinking like an attacker
Avoiding thinking in relation to security:
- "No one will ever do that"
- "No one will ever find that"
- "Why would someone want to do that?"
- "Stored data is safe"
Always think in relation to security:
- How could this feature or function be misused?
- Do I trust the source of this data?
- Is this asset a secret?
- Does this asset need integrity protection?
Thinking like an attacker
- Does my application use external data or services?
- How does my application transfer data?
- How does my application process data?
- How does my application store data?
- What can interact with my application?
- How does my application handle failure?
Secure Design
- Attack surface
- Defense in depth
- Minimize privilege
What are possible security threats?
Thinking like an attacker
- Memory Corruption
- Race Conditions
- XML External Entity Injection
- Weak Randomness
- Time of Check / Time of Use
- Logic Flaws
- Cross Site Scripting
- Insecure File Permissions
- Use After Free
- Weak Encryption
- No Encryption
- Insecure IPC Mechanisms
- SQL Injection
- Information Leakage
- Cross Site Request Forgery
- Insecure Session Handling
- Denial of Service
- Lack of Data Integrity Checks
Missing Authentication
[Diagram; labels: "Requires authentication", "Also requires authentication"]
Authentication
Component: Login function
Threat: Brute force
Mitigation:
- Protection: account locking, rate limiting, strong passwords, CAPTCHA system
- Detection: unsuccessful login count, log
- Response: alert users; aggregate attacks and alert administrator
- Recovery: password resets
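The protection, detection and response columns above can live in one small wrapper around the password check. The following is an added example written for this page, not code from the talk or from BlackBerry; the policy numbers (five failures, a 15-minute lock, ten attempts per minute) are constructed for illustration, and the clock and alert hook are injectable so the behaviour can be exercised without waiting.

```python
import logging
import time
from collections import defaultdict, deque

# Constructed policy values for this example; they are not figures from the talk.
MAX_FAILURES = 5          # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900     # how long a locked account stays locked
RATE_WINDOW_SECONDS = 60  # sliding window used for per-account rate limiting
RATE_MAX_ATTEMPTS = 10    # attempts (success or failure) allowed per window

log = logging.getLogger("auth")


class LoginGuard:
    """Wraps a password check with the protections, detection and response
    from the table: lockout, rate limiting, a failure counter, a log line for
    every failed attempt, and an alert hook for the aggregated view."""

    def __init__(self, check_password, now=time.time, alert=None):
        self._check_password = check_password  # callable(user, password) -> bool
        self._now = now                         # injectable clock, so tests need no sleep
        self._alert = alert or (lambda message: None)
        self._failures = defaultdict(int)       # user -> consecutive failures
        self._locked_until = {}                 # user -> unix time the lock expires
        self._attempts = defaultdict(deque)     # user -> attempt timestamps in window

    def _rate_limited(self, user):
        """Sliding-window limit on attempts per account, independent of outcome."""
        window = self._attempts[user]
        cutoff = self._now() - RATE_WINDOW_SECONDS
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) >= RATE_MAX_ATTEMPTS:
            return True
        window.append(self._now())
        return False

    def login(self, user, password):
        """Return 'ok', 'bad_credentials', 'locked' or 'rate_limited'.
        The caller shows the same generic message to the user for the last three."""
        now = self._now()
        if self._locked_until.get(user, 0) > now:
            log.warning("login rejected, account locked: %s", user)
            return "locked"
        if self._rate_limited(user):
            log.warning("login rate limited: %s", user)
            return "rate_limited"
        if self._check_password(user, password):
            self._failures[user] = 0
            log.info("login ok: %s", user)
            return "ok"
        # Detection: count and log every unsuccessful login.
        self._failures[user] += 1
        log.warning("login failed (%d consecutive): %s", self._failures[user], user)
        if self._failures[user] >= MAX_FAILURES:
            # Protection: lock the account. Response: alert, so the user and the
            # administrator see the attack and not just the lock.
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
            self._alert(f"account {user} locked after {MAX_FAILURES} failed logins")
            return "locked"
        return "bad_credentials"
```

The rate limiter counts successful attempts too, so an attacker who has found one valid password still cannot hammer the endpoint; the "aggregate attacks" response in the table is the consumer of the `alert` callback, which a real deployment would route to monitoring rather than keep in memory.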
Missing Authorization Checks
[Screen mockup: "Welcome: Admin User"]
User functions:
- Update details
- Send message
- Forum post
Admin functions:
- Edit other users
- Change passwords
- Change system settings
Authorization
Component: Admin functions
Threat: Unauthorised access
Mitigation:
- Protection: strong authorization checks
- Detection: audit, penetration testing
- Response: lock out, fix vulnerability
- Recovery: backups
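A "strong authorization check" is one that cannot be forgotten: the check sits in front of the function rather than somewhere inside it, and every decision is audited. The following is an added example for this page, not code from the talk; the `ForumApp` class, its methods and the `Session` type are constructed to mirror the user and admin functions on the mockup slide, and `AUDIT` stands in for whatever log sink a real application would use.

```python
import logging
from dataclasses import dataclass, field
from functools import wraps

log = logging.getLogger("authz")
AUDIT = []  # detection: every authorization decision is recorded here (constructed stand-in for a log sink)


class Forbidden(Exception):
    """The caller lacks the role the operation requires."""


@dataclass
class Session:
    user: str
    roles: frozenset = field(default_factory=frozenset)  # empty for an anonymous caller


def require_role(role):
    """Decorator for application methods whose first argument after self is a
    Session. The check runs before the body, so the body cannot be reached
    without it, and both outcomes are written to AUDIT."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(self, session, *args, **kwargs):
            allowed = role in session.roles
            AUDIT.append(("ALLOW" if allowed else "DENY", session.user, fn.__name__))
            if not allowed:
                log.warning("authz deny: %s called %s (needs %r)", session.user, fn.__name__, role)
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(self, session, *args, **kwargs)
        return wrapper
    return decorate


class ForumApp:
    """The functions from the slide, split into user and admin groups (constructed)."""

    def __init__(self):
        self.details = {}
        self.password_resets = []
        self.settings = {"registration_open": True}

    # User functions: any authenticated user, acting on their own data only.
    @require_role("user")
    def update_details(self, session, details):
        # Keyed by the session's own user, so the role check is not the only barrier.
        self.details[session.user] = dict(details)
        return self.details[session.user]

    @require_role("user")
    def send_message(self, session, to, text):
        return {"from": session.user, "to": to, "text": text}

    # Admin functions: the decorator is the "strong authorization check".
    # Without it, any logged-in user who found the URL could call these.
    @require_role("admin")
    def edit_user(self, session, target, details):
        self.details[target] = dict(details)
        return self.details[target]

    @require_role("admin")
    def reset_password(self, session, target):
        # Only the reset event is recorded here; the credential itself would be stored as a hash.
        self.password_resets.append((session.user, target))
        return target

    @require_role("admin")
    def change_settings(self, session, **changes):
        self.settings.update(changes)
        return dict(self.settings)
```

The DENY entries in `AUDIT` are what a penetration test or a log review looks for: a stream of denials against admin functions from ordinary accounts is the detection signal the table describes, and an ALLOW from an account that should not hold the role is the finding.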
Logic Example
if (now > account_expiry && account_lockout == true) {
    // reject login
}
Real VNC Example
<Client> Hello, I'd like to authenticate.
<Server> I'm configured to support Password or Key or NTAuth.
<Client> I choose No Password.
<Server> Access granted.
<Client> !!!!!
Logic
Component: Logic failure
Threat: Unexpected application state
Mitigation:
- Protection: code review, negative test cases
- Detection: very difficult due to unexpected nature
- Response: lock out, fix vulnerability
- Recovery: backups, state checking routine
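One added example serves the three logic slides: the `&&` predicate, the VNC-style negotiation, and the "negative test cases" and "state checking routine" rows of the table. It is written for this page and is not code from the talk or from any VNC implementation. The `Account` and `AuthSession` types are constructed; the "fixed" predicate reflects my reading that the slide's `&&` should be `||` (either an expired or a locked-out account must be rejected), and the negotiation code is the general pattern of which the VNC exchange is one instance: the server refuses any method it did not offer, and access is granted only from an explicit authenticated state.

```python
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    expiry: float      # unix time after which the account is no longer valid
    locked_out: bool


def should_reject_flawed(account, now):
    """The predicate as written on the slide. Both conditions must hold, so an
    account that is only expired, or only locked out, is still let in."""
    return now > account.expiry and account.locked_out is True


def should_reject_fixed(account, now):
    """Either condition alone is enough to reject the login (my reading of the intent)."""
    return now > account.expiry or account.locked_out


def failing_cases(predicate, now=1_000_000.0):
    """Negative test cases for a login predicate. Each case is a state the
    predicate must reject (or, for the control case, accept). Returns the names
    of the cases the predicate gets wrong; an empty list means it passes."""
    cases = [
        # (name, account, must_reject)  -- constructed test data
        ("valid account", Account("a", now + 3600, False), False),
        ("expired only", Account("b", now - 1, False), True),
        ("locked only", Account("c", now + 3600, True), True),
        ("expired and locked", Account("d", now - 1, True), True),
    ]
    return [name for name, acct, must_reject in cases if predicate(acct, now) != must_reject]


class AuthNegotiationError(Exception):
    pass


class AuthSession:
    """Server side of an authentication-method negotiation with explicit state.
    The client may pick only a method the server listed, and access is granted
    only from AUTHENTICATED, which is reachable only through a server-configured
    verifier. There is no path from "method chosen" to "access granted"."""

    def __init__(self, verifiers):
        self._verifiers = verifiers   # {method name: callable(credential) -> bool}
        self.state = "OFFERED"
        self.method = None

    def offered_methods(self):
        return sorted(self._verifiers)

    def choose(self, method):
        if self.state != "OFFERED":
            raise AuthNegotiationError("a method was already chosen")
        if method not in self._verifiers:
            # The slide's failure: treating an unlisted choice such as "No Password"
            # as acceptable. Anything the server did not offer is refused here.
            raise AuthNegotiationError(f"unsupported auth type {method!r}")
        self.method = method
        self.state = "CHOSEN"

    def authenticate(self, credential):
        if self.state != "CHOSEN":
            raise AuthNegotiationError("no method chosen")
        if self._verifiers[self.method](credential):
            self.state = "AUTHENTICATED"
            return True
        self.state = "FAILED"
        return False

    def access_granted(self):
        """State-checking routine: the single test every protected action consults."""
        return self.state == "AUTHENTICATED"
```

`failing_cases` is the review tool: run against the slide's predicate it names the two states that slip through, and run against the corrected one it returns nothing. The point of `AuthSession` is that "granted" is a state the code must arrive at, not a default it falls into when a branch is missed.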
Data at Rest
- This is the information that gets dumped on Pastebin
- Password databases, confidential information
- High reputational impact
Data at Rest
Component: Database
Threat: Unauthorized database access
Mitigation:
- Protection: encryption, hashing, OS protections
- Detection: audit logs, IDS
- Response: customer notification? compliance issues?
- Recovery: database recovery, DB protections
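For the password-database case the "hashing" row means a salted, slow, iterated hash, so that a leaked table is a list of records an attacker still has to work on rather than a list of passwords. The following is an added example for this page, not code from the talk; it uses Python's standard `hashlib.pbkdf2_hmac` and `hmac.compare_digest`, and the iteration count and record format are constructed choices.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; the iteration count is a floor for
# illustration, not a recommendation, and should only ever be raised.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'
    so the parameters can be raised later without invalidating old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Constant-time comparison against a stored record. Returns False rather
    than raising for a malformed record, so a corrupted row cannot bypass the check."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != f"pbkdf2_{HASH_NAME}":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was made with fewer iterations than current policy."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


# Verified for unknown users so that a missing account costs the same time as a wrong password.
DUMMY_RECORD = hash_password("dummy-password-for-timing")


class PasswordDB:
    """A minimal credential store; `rows` is what a dump of this table would expose."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = hash_password(password)

    def login(self, user, password):
        record = self.rows.get(user)
        if record is None:
            verify_password(password, DUMMY_RECORD)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            # Transparent upgrade: the plaintext is only available at login time.
            self.rows[user] = hash_password(password)
        return ok
```

The record carries its own parameters, which is what makes `needs_rehash` possible: when the iteration floor goes up, old rows are upgraded on the user's next successful login rather than by a mass reset. The "encryption" row in the table is a separate control for data that must be readable again (confidential documents); passwords never need to be, which is why they are hashed instead.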
Data in Transit
These attacks are very simple:
- Wireshark and TCPDump: needs some technical knowledge
- Firesheep: anyone can hack with this
Slightly more sophisticated attacks:
- SSLStrip
- Snoopy (distributed tracking and sniffing tool)
Data in Transit
Component: Device to server communication
Threat: Eavesdropper
Mitigation:
- Protection: SSL, VPN
- Detection: very hard to detect; might notice certificate errors
- Response: revoke certificates, improve implementation
- Recovery: issue new certificates
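"SSL" in the table only protects the channel if the client actually verifies who it is talking to; the usual implementation failures are disabling certificate verification to silence the errors the detection row mentions, and quietly following a plaintext URL, which is what an SSLStrip-style downgrade relies on. The following is an added example for this page, not code from the talk or from the BlackBerry platform; it uses Python's standard `ssl` module to show the weak client configuration beside the hardened one, with an audit function that can run as a unit test so the weak form cannot ship by accident.

```python
import ssl
from urllib.parse import urlsplit


def weak_client_context():
    """What 'make the certificate warning go away' code looks like: no hostname
    check and no chain verification. Anyone who can terminate the connection
    (the eavesdropper in the table) is then indistinguishable from the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Verify the chain against the platform trust store (or a pinned cafile),
    verify the hostname, and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_problems(ctx):
    """Audit a client SSLContext. Returns a list of findings, empty when clean;
    assert on it in the test suite so a 'temporary' CERT_NONE is caught."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are allowed")
    return problems


def enforce_tls_url(url):
    """Refuse a plaintext URL instead of following it, so a downgrade to http://
    becomes a hard error rather than a silently unencrypted request."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-TLS URL: {url!r}")
    return url
```

`context_problems` is the part worth keeping in a code base: a certificate error in the field is the one detection signal the table offers, and a context that has been told to ignore it removes that signal along with the protection. Pinning (`cafile`) narrows trust to the organisation's own CA, which is what makes the "revoke and issue new certificates" response in the table effective.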
Summary
The earlier you consider security in your SDL, the cheaper it is. Costs of getting it wrong:
- Fines
- Contractual obligations
- Regulatory fines
- Publicity
- Branding impact
- Testing and delivering post-release fixes
- Managing response once a vulnerability is exposed
More Information
- BlackBerry developer site: http://developer.blackberry.com (security APIs, development guides, pitfalls)
- Microsoft Security Development Lifecycle repository: http://www.microsoft.com/security/sdl/default.aspx (well developed SDL process)
- Vulnerabilities: secure@rim.com
Don't Forget
- Download the Mobile Conference Guide from BlackBerry World. Search for BlackBerry Jam Europe!
- Complete your session surveys in your conference portal or on your BlackBerry 10 device using the Mobile Conference Guide.
- Join us at the BlackBerry Jam Europe Appreciation event tonight in the Europa Foyer on the RAI's ground floor.
THANK YOU
Barrie Dempster and Jason Foy
JAM306, February 6, 2013