TSP Secure. Date: December 14, 2016 William Nichols Carnegie Mellon University

Similar documents
TSP and Security. PSP/TSP Community of Practice Breakout Group. December 14-15, 2016

CS 155: Real-World Security

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7

Recap: Protection. Prevent unintended/unauthorized accesses. Class hierarchy: root can to everything a normal user can do + alpha

Effective Threat Modeling using TAM

Engineering Your Software For Attack

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

CIS 5373 Systems Security

Software defects and security

CS 155: Real-World Security

Verification & Validation of Open Source

What is PCI/DSS and What s new Presented by Brian Marshall Vanguard Professional Services

MQ Jumping... Or, move to the front of the queue, pass go and collect 200

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Heartbleed Bug. Anthony Postiglione. Department of Electrical & Computer Engineering Missouri University of Science and Technology

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

Quality Assurance in Software Development

Protection. Disclaimer: some slides are adopted from book authors slides with permission 1

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Advanced Security Tester Course Outline

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

IS 2620: Developing Secure Systems. Building Security In Lecture 2

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) A presentation by Lawrence Feinstein, CISSP

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Web Applications (Part 2) The Hackers New Target

Static Analysis Techniques

IS 2620: Developing Secure Systems. Lecture 2 Sept 8, 2017

Protection. Disclaimer: some slides are adopted from book authors slides with permission 1

Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits

CERT C++ COMPLIANCE ENFORCEMENT

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

TSP Secure. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA September 2009

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

The Software Assurance State-of-the-Art Resource (SOAR)

Integrating Tools Into the SDLC

Development*Process*for*Secure* So2ware

SECURITY TESTING. Towards a safer web world

Certification Requirements for High Assurance Systems

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Inference of Memory Bounds

Secure Development Lifecycle

TRAINING CURRICULUM 2017 Q2

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Product Security Program

Application Security & Verification Requirements

Programming Language Vulnerabilities within the ISO/IEC Standardization Community

HP 2012 Cyber Security Risk Report Overview

SSL Server Rating Guide

Security Solutions. Overview. Business Needs

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

Chapter 5: Vulnerability Analysis

How AlienVault ICS SIEM Supports Compliance with CFATS

Predicting Vulnerable Software Components

MEDICAL DEVICE SECURITY. A Focus on Patient Safety February, 2018

PHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages

Achieving Java Application Security With Parasoft Jtest

Vulnerability Management From B Movie to Blockbuster Rahim Jina

Appendix 12 Risk Assessment Plan

Engineering for System Assurance Legacy, Life Cycle, Leadership

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

SDLC Maturity Models

Building Secure Systems

The University of Queensland

SECURITY TESTING PROCESS IN SDLC

Cyber Security Advisory

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Larry Maccherone Carnegie Mellon CyLab

My other computer is YOURS!

Exposing The Misuse of The Foundation of Online Security

Don t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

Five steps to securing personal data online Gary Shipsey Managing Director

The Android security jungle: pitfalls, threats and survival tips. Scott

Practical Guide to Securing the SDLC

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Information Systems Security Requirements for Federal GIS Initiatives

Engineering Robust Server Software

Code Reviews. James Walden Northern Kentucky University

Topics. Ensuring Security on Mobile Devices

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Effective Strategies for Managing Cybersecurity Risks

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Discovery. Discovery

Is Your Web Application Really Secure? Ken Graf, Watchfire

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Common Criteria. Xerox Advanced Multifunction Systems

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

Hardening Attack Vectors to cars by Fuzzing


Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Release Notes for Snare Enterprise Agent for MSSQL Release Notes for Snare Enterprise Agent for MSSQL v1.2/1.3

Cybersecurity in Acquisition

Engineering Improvement in Software Assurance: A Landscape Framework

Secure Development Processes

CERT Secure Coding Initiative. Define security requirements. Model Threats 11/30/2010

Transcription:

TSP Secure Date: December 14, 2016 William Nichols

President's Information Technology Advisory Committee (PITAC), 2005 Commonly used software engineering practices permit dangerous errors, such as improper handling of buffer overflows, which enable hundreds of attack programs to compromise millions of computers every year. This happens mainly because commercial software engineering today lacks the scientific underpinnings and rigorous controls needed to produce high-quality, secure products at acceptable cost. 2

U.S. Department of Homeland Security 2006 The most critical difference between secure software and insecure software lies in the nature of the processes and practices used to specify, design, and develop the software... correcting potential vulnerabilities as early as possible in the software development lifecycle, mainly through the adoption of security-enhanced process and practices, is far more costeffective than the currently pervasive approach of developing and releasing frequent patches to operational software. 3

Heartbleed Introduced January 2012 removed April 2014 OpenSSL Open Secure Socket Layer Unchecked buffer exposed data including passwords Heartbleed created a significant challenge for current software assurance tools, and we are not aware of any such tools that were able to discover the Heartbleed vulnerability at the time of announcement [Kupsch 2014] At the time, the error was not yet detectable by static analysis tools. 4

goto fail enabled man in the middle attack Another SSL defect, present from September 2012 to February 2014 A duplicated line of code allowed skipping the final step of the SSL/TLS handshake algorithm if ((err = SSLHashSHA1.update(&hashCtx, &serverrandom))!= 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedparams))!= 0) goto fail; goto fail; /* MISTAKE! THIS LINE SHOULD NOT BE HERE */ if ((err = SSLHashSHA1.final(&hashCtx, &hashout))!= 0) goto fail; err = sslrawverify(...); 5

OpenSSL Vul History 35 30 Reported OpenSSL CVE Entries 25 20 15 10 5 0 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Count of CVE Items Reported 2016 Injected CVEs Mean +1 Std. Dev. -1 Std. Dev. 6

What to do? DoD mandate to secure software from attack. (section 933 of NDAA and DoD 5000.2) DoD Instruction 8500.01 applies Risk Management Framework to the full acquisition life cycle and 8510.01 replaces DIACAP with RMF This has been implemented by requiring the use of software security assurance (SwA) tools on all covered systems. Why is this hard? 7

Security tools and techniques (examples) Secure Development Practices Binary/bytecode simple extractor Host application interface scanner Warning flags Focused manual spot check Source code quality analyzer Manual code review Web application vulnerabilty scanner Web services scanner Source code weakness analyzer Inspections Database scanner Quality analyzer Generated code inspection Fuzz tester Bytecode weakness analyzer Configuration checker Permission manifest Binary weakness analyzer analyzer Negative testing Test coverage analyzer Inter-application flow analyzer Host-based vulnerability scanner Hardening tools/scripts Take some of these and apply them 8

Somewhere in the Software Assurance System Lifecycle 9

Objectives Provide actionable guidance on how to improve software security assurance throughout the development lifecycle using empirically grounded evidence. Improves means that the software security assurance must be Effective Affordable Timely 10

Composing Software Assurance However, there is inadequate ground truth information to help [DoD] make decisions, for example the true cost, schedule impact, and effectives of integrating these tools into an SDLC. Problem: DoD faces an unfunded Congressional mandate to secure software from attack. This has been implemented by requiring the use of software security assurance (SwA) tools on all covered systems. Without empirically validated ground truth about cost and effectiveness. 11

Solution Apply experience and toolkit from quality assurance to security assurance Develop a model that predicts the effectiveness and cost of selected SwA tools. Use the model and data to help DoD integrate SwA tools into SDLC processes Tool kit includes 1. A metric framework 2. Quality planning 3. Design 4. Inspections 5. Process composition for additional techniques 12

Conjecture that Quality α Security Quality Assurance: The planned and systematic activities implemented in a quality system so that quality requirements for a product or service will be fulfilled. Security Assurance: The planned and systematic activities implemented in a security system so that security requirements for a product or service will be fulfilled. Quality Control: The observation techniques and activities used to fulfill requirements for quality Security Control: The observation techniques and activities used to fulfill requirements for security We have a lot experience modeling the left column 13

Evidence that Quality is a Security issue, and Vice Versa Rigorous reduction of defects enhances security. We found high quality software was generally safe and secure Defective software is NOT secure 1-5% of defects should be considered to be potential security risks. (Woody et al, 2014) How many more? Estimate from defect density. 14

Defect Injection-Filter Model Injections=Rate*Time Requirements Injects defects Defect injection phase Removal yield % Design Injects defects Removals=Defects*Yield Defect removal activity % Removal yield % Process yield Development Injects defects Removal yield % calibrate directly with real data. % % Similar to C. Jones Tank and filter. Simplifies assumptions found in Boehm/Chulani COQUALMO. 15

Add security specific activities to the defect model Injections=Rate*Time Requirements Injects defects Secure Development Practices Defect injection phase Removal yield Process yield % Design Injects defects Removal yield % Development Injects defects Removal yield Inspections % Removals=Defects*Yield Defect removal activity Test coverage analyzer, Source code weakness analyzer Binary weakness analyzer Fuzz tester Similar to C. Jones Tank and filter. Simplifies assumptions found in Boehm/Chulani COQUALMO. % calibrate directly with real data. % % 16

Quality Process Measures The TSP uses quality measures for planning and tracking. 1. Defect injection rates [Def/hr/ and removal yields [% removed] 2. Defect density (defects found and present at various stages and size) 3. Review/inspection rates [LOC/hr] 17

Metrics Defect Density (throughout lifetime) Vulnerability Density (found at each stage) Phase Injection Rate [defects/hr] (derived) Phase Effort Distribution (effort-hr) Phase Removal Yield [% removed] (effectiveness) Defect Find and Fix time [hr/defect] (what was found) Defect Type (categorize what was wrong) Defect Injection/Removal Phases Zero Defect Test time [hr] (cost if no defects present) Product Size [LOC] [FP] (for normalization and comparisons) Development Rate (construction phase) [LOC/hr] Review/Inspection Rate [LOC/hr] (cost of human appraisal) 18

Parameters Phase Injection Rate [defects/hr] Phase Effort Distribution [%] total time Size [LOC] Production Rate (construction phase) [LOC/hr] Phase Removal Yield [% removed] Zero Defect Test time [hr] Phase Find and Fix time [hr/defect] Review/Inspection Rate [LOC/hr] 19

Defect Find and Fix Effort 10000 1405 Time in Minutes 1000 100 10 5 22 2 25 32 1 Design Review Design Inspect. Code Review Code Inspect. Unit Test System Test Defect-removal Phase Source: Xerox 20

Make the Theoretical Concrete Do you achieve your goals? How much functionality do you want to deliver? What are the non-functional targets? (performance, security ) What is your desired schedule? How many defects do you expect the user to find? Build the model. Use real data. Visualize the result. 21

Control Panel Rate Yield Yield # Insp Effort [LOC/hr ] (per insp) (total) [hr] Design Review 200 50.0% 0.0% 0 0.0 Design Inspection 200 50.0% 0.0% 0 0.0 Code Review 200 50.0% 0.0% 0 0.0 Code Inspection 200 50.0% 0.0% 0 0.0 Total Development and Test Time Baseline Revised 0.0 50.0 100.0 150.0 200.0 250.0 300.0 Dev UT IT ST Defect Density [Def/KLOC] 90.00 80.00 70.00 60.00 50.00 40.00 30.00 20.00 10.00 0.00 Baseline [Def/Kloc] Revised [Def/Kloc] Defect Density Phase Profile Density Goal [Def/KLOC] Compare your performance to a baseline. 22

Control Panel Rate Yield Yield # Insp Effort [LOC/hr ] (per insp) (total) [hr] Design Review 200 50.0% 0.0% 1 0.0 Design Inspection 200 50.0% 0.0% 0 0.0 Code Review 200 50.0% 0.0% 0 0.0 Code Inspection 200 50.0% 0.0% 0 0.0 Total Development and Test Time Baseline Revised 0.0 50.0 100.0 150.0 200.0 250.0 300.0 Dev UT IT ST Defect Density [Def/KLOC] 90.00 80.00 70.00 60.00 50.00 40.00 30.00 20.00 10.00 0.00 Baseline [Def/Kloc] Revised [Def/Kloc] Defect Density Phase Profile Density Goal [Def/KLOC] Perform a personal design review. 23

Control Panel Rate Yield Yield # Insp Effort [LOC/hr ] (per insp) (total) [hr] Design Review 200 50.0% 0.0% 1 0.0 Design Inspection 200 50.0% 0.0% 0 0.0 Code Review 200 50.0% 0.0% 1 0.0 Code Inspection 200 50.0% 0.0% 0 0.0 Total Development and Test Time Baseline Revised 0.0 50.0 100.0 150.0 200.0 250.0 300.0 Dev UT IT ST Defect Density [Def/KLOC] 90.00 80.00 70.00 60.00 50.00 40.00 30.00 20.00 10.00 0.00 Baseline [Def/Kloc] Revised [Def/Kloc] Defect Density Phase Profile Density Goal [Def/KLOC] Include a peer design review. 24

Control Panel Rate Yield Yield # Insp Effort [LOC/hr ] (per insp) (total) [hr] Design Review 200 50.0% 0.0% 1 0.0 Design Inspection 200 50.0% 0.0% 1 0.0 Code Review 200 50.0% 0.0% 1 0.0 Code Inspection 200 50.0% 0.0% 0 0.0 Total Development and Test Time Baseline Revised 0.0 50.0 100.0 150.0 200.0 250.0 300.0 Dev UT IT ST Defect Density [Def/KLOC] 90.00 80.00 70.00 60.00 50.00 40.00 30.00 20.00 10.00 0.00 Baseline [Def/Kloc] Revised [Def/Kloc] Defect Density Phase Profile Density Goal [Def/KLOC] Have a peer inspect the code. 25

Control Panel Rate Yield Yield # Insp Effort [LOC/hr ] (per insp) (total) [hr] Design Review 200 50.0% 0.0% 1 0.0 Design Inspection 200 50.0% 0.0% 1 0.0 Code Review 200 50.0% 0.0% 1 0.0 Code Inspection 200 50.0% 0.0% 1 0.0 Total Development and Test Time Baseline Revised 0.0 50.0 100.0 150.0 200.0 250.0 300.0 Dev UT IT ST Defect Density [Def/KLOC] 90.00 80.00 70.00 60.00 50.00 40.00 30.00 20.00 10.00 0.00 Baseline [Def/Kloc] Revised [Def/Kloc] Defect Density Phase Profile Density Goal [Def/KLOC] At some point we cross the quality is free point. 26

Control Panel Rate Yield Yield # Insp Effort [LOC/hr ] (per insp) (total) [hr] Design Review 200 50.0% 0.0% 1 0.0 Design Inspection 200 50.0% 0.0% 1 0.0 Code Review 200 50.0% 0.0% 1 0.0 Code Inspection 200 50.0% 0.0% 2 0.0 Total Development and Test Time Baseline Revised 0.0 50.0 100.0 150.0 200.0 250.0 300.0 Dev UT IT ST Defect Density [Def/KLOC] 90.00 80.00 70.00 60.00 50.00 40.00 30.00 20.00 10.00 0.00 Baseline [Def/Kloc] Revised [Def/Kloc] Defect Density Phase Profile Density Goal [Def/KLOC] Here s where you reach the quality is free point! 27

Control Panel Rate Yield Yield # Insp Effort [LOC/hr ] (per insp) (total) [hr] Design Review 200 50.0% 0.0% 1 0.0 Design Inspection 200 50.0% 0.0% 1 0.0 Code Review 200 70.0% 0.0% 1 0.0 Code Inspection 200 70.0% 0.0% 2 0.0 Total Development and Test Time Baseline Revised 0.0 50.0 100.0 150.0 200.0 250.0 300.0 Dev UT IT ST Defect Density [Def/KLOC] 90.00 80.00 70.00 60.00 50.00 40.00 30.00 20.00 10.00 0.00 Baseline [Def/Kloc] Revised [Def/Kloc] Defect Density Phase Profile Density Goal [Def/KLOC] The quality is free point depends on your personal parameters. 28

Questions If we know that these techniques work, why don t more people use them? Who do you know that has issues with developing secure software How can you help others adopt 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback