Software Confidence. Achieved.
Cigital
Software Security and Software Quality Services
21 July 2011
www.cigital.com
info@cigital.com
703-404-9293
© 2010 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
What We Do …
Cigital helps clients design, develop, deliver, and sustain secure software that continues to work under malicious attack.
A Little Bit About Us …
Founded in 1992 – Cigital “wrote the book” on software security and software quality programs
Recognized experts in software security and software quality
Widely published in books, white papers, and articles
Industry thought leaders
Invented the first commercial Static Analysis Tool (Licensed to Fortify)
Extensive Industry Standards, Best Practices, and Regulatory Compliance Experience
Cigital Affiliations …
Cigital is a participating member and holds leadership positions in key industry organizations
(ISC)²: Technical Advisory Board for Certified Secure Software Lifecycle Professional (CSSLP)
Cloud Security Alliance: One of the founders
OWASP Northern Virginia: Chapter Leader
IEEE: Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine
Our Clients Include …
The Security Problem …
Diagram layers: Data, Apps, S/W, Network; Insider Threat (Trusted Agent)
Major Software Security Headlines …
Even More Software Security Headlines …
Any organization that is unwilling to believe it may have already been penetrated and that is not actively looking for signs of intrusion beyond what its network black boxes are telling it is living in a fantasy world.
Why You Should Care …
How likely is a successful software application attack?
Stunningly prevalent
Easy to exploit without special tools or knowledge
Little chance of being detected
Hundreds of thousands of developers, tiny fraction with security
Consequences?
Corruption or disclosure of database contents
Root access to web and application servers
Loss of authentication and access control for users
Defacement
Secondary attacks from your site
Application Security is becoming an increasingly important part of Cyber Security
But my system has been certified!!!
Cigital has performed hundreds of software assessments for systems that have received ATO.
For applications receiving ATO/IATO, on average in the Federal Government ...
1 vulnerability per 8 source lines of code
1 high vulnerability per 31 source lines of code
1 critical vulnerability per 69 source lines of code
Critical Vulnerability: extremely high likelihood and impact on application confidentiality, integrity, and/or availability.
High Vulnerability: high potential for significant impact on application confidentiality, integrity, and/or availability.
Vulnerability: software bug or design flaw that may be exploited by threat agents and represents a risk to assets and owners.
Another Reason To Care …
The new Application Security and Development STIG (Version 3, Release 2, dated 29 October 2010) has an increased software assurance focus to include, but not limited to:
software threat assessments
static/dynamic/binary analysis
other manual secure code reviews
secure coding standards
application software assurance training for managers, designers, developers, and testers ...
and more …
… and the Federal Government is Piling On …
HR6523, the 2011 National Defense Appropriations Act, Section 932 “Strategy on Computer Software Assurance”, includes language in section (C)(3) that requires:
“(3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for—
(A) assuring the security of software and software applications during software development;
(B) detecting vulnerabilities during testing of software; and
(C) detecting intrusions during real-time monitoring of software applications.”
Tools are part of the solution …
There is a tendency for over-reliance on tools
Software security is more art than science
Tools perform very differently depending on who operates them
Accurately configuring tools dramatically reduces false positives
There is no one size fits all tool
There are no tools for analyzing the security of software architectures
Cigital is capable of detailing how to fix discovered vulnerabilities
… but Tools aren’t the answer
Code scanning tools don’t address all software languages
Design flaws account for 50% of security problems. Automated tools can’t help you
You can’t find design defects by staring at code — a higher-level understanding is required
Tools can’t address:
Security requirements
Governance and compliance
Secure coding standards
Knowledge and training
It’s Time To Fix the Software
Software security and application security today focus on finding bugs
The time has come to stop looking for new bugs to add to the list … and start actually fixing things!
• Which bugs in this pile should I fix?
• But what about flaws?
Software Security Touchpoints
Our Value-Add …
Building Security In
Application security is a people, process, and technology problem throughout the entire software development life cycle … because the most effective approaches to application security include improvements in all of these areas.
Cigital Services …
Integration of quality assurance and testing best practices into both your projects and enterprise …
Software Quality Services
Quality Review Services: Organizational Quality Strategy & Roadmap (TPI); Application Risk Assessment; Independent Verification and Validation (IV&V); Metrics & Measurement; Portfolio Risk Management; Software Quality Training
Full Life-cycle Testing: Test Automation; Load and Performance Testing; Security Testing; Independent QA Execution; Test Strategy and Planning; Agile Development Testing; Integration and System Testing
Software Security Services
Software Security Assurance: Security requirements; Secure code review; Architectural risk analysis; Application penetration testing; Security testing
Software Security Training: Complete curriculum; Instructor-led; eLearning
Enterprise Software Security: ESS Framework; ESS Roadmap; Governance and Compliance; Security Assurance; Secure SDLC; Knowledge and Training
Other Useful Resources …
Build Security In, software assurance strategic initiative of the National Cyber Security Division (NCSD) of the Department of Homeland Security
https://buildsecurityin.us-cert.gov/bsi/home.html
Common Attack Pattern Enumeration and Classification (CAPEC)
http://capec.mitre.org/community/index.html
Common Weakness Enumeration (CWE)
http://cwe.mitre.org
Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org
Silver Bullet Security Podcast
http://www.cigital.com/silverbullet/
Gary McGraw on informIT
http://www.informit.com/authors/bio.aspx?a=b283e5a4-703c-47df-afbf-a9cfa311d46b
Building Security In Maturity Model
http://bsimm.com/
Software Security: Building Security In [THE book on software security]
http://www.swsec.com/
Contact …
Corporate Headquarters:
21351 Ridgetop Circle, Suite 400, Dulles, Virginia 20166
www.cigital.com
“You can’t bolt security features onto code and expect it to become hack-proof. Security must be built in throughout the application development lifecycle….”
Blair Vorgang
Managing Principal
Cigital Federal, Inc.
(703) 404-9293 x1278
bvorgang@cigital.com
Backup Slides
The Security Problem …
How much $$ are you spending on 4% of the problem??
Application and Operating System Vulnerabilities
The U.S. Department of Homeland Security (DHS) reports the majority of software vulnerabilities are related to applications. If left untreated, these vulnerabilities may lead to arbitrary code execution, buffer overflow, escalation of privileges, and Denial of Service attacks.
DHS reports that 96% of the reported software vulnerabilities are related to applications while 4% are related to the operating system – August 2010
Pie chart: Application Vulnerabilities vs. Operating System Vulnerabilities
The Security Problem …
An almost exclusive focus on perimeter and network security has become increasingly inadequate
The ‘Defense In Depth’ paradigm must consider the root cause of security problems … application and data
Traditional Defense in Depth:
Physical
• Alarms
• Lighting
• Surveillance
• Etc …
Network
• Network Authentication
• Network Authorization
• Network Audit Service
• Hardware Encryption …
System
• System Authentication
• System Authorization
• System Audit Service …
Where’s the Rest of the Depth??
Application / Database
• Function Authorization
• Data Encryption Object
• Data Authentication Object
• Database Authorization
• Database Configuration Guidelines …
The Security Problem …
Software Vulnerabilities Increasing Causing Expensive Downstream Fixes
Chart: # of reported vulnerabilities (1), '95 to '03: exponential increase in reported vulnerabilities
Chart: Cost to fix bug by development stage (2): Design, Coding, Internal Testing, Beta Testing, Post release; ~35x more expensive to fix a bug post release than in design
(1) CERT Coordination Center at Carnegie Mellon University (Note: does not include unreported vulnerabilities which would be a much higher number)
(2) NIST Report: “Economic Impact of Inadequate Infrastructure for Software Testing”
Despite spending $12B on Enterprise IT security in 2003, exploitation of software vulnerabilities costs the US economy over $10B, and we continue to see increases in the number of reported vulnerabilities, the number of incidents, and the cost per incident. - Information Week 2004
Case Study … Air Force … Why ASACoE?
Over 33,000 Air Force officer records compromised
Sampled Air Force applications using automated tools
Significant risks exist in Air Force applications
Case Study … Air Force Approach
ASACoE: Application Software Assurance Center of Excellence
Train: 3 Day Training Session; Covers ASACoE Tool Suite and Defensive Coding Practices
Enable: 5 Day On-Site Triage Assessment; Mentor PMO Staff; Deploy the ASACoE Tool Suite; Run Initial Scans
Support: Triage Assessment Report; Augment Remediation Efforts; Follow-up Scans
• Broader strategic approach addressing deployed systems
• Tool driven aimed at low-hanging fruit
• Multi-perspective analysis
• Large scale effort across multiple applications and technologies
Case Study … Results
Chart: Critical/High Vulnerabilities Per 1,000 Lines of Code, Initial vs. Follow-On, for App1 through App6; chart labels: 26%, 9%, 49%, 60%, 75%, 69%
Keep in mind that while ASACoE assessments are not deep and architectural risk isn't addressed ... the security posture of assessed Air Force applications show improvement.
Cigital SecureAssist™
SecureAssist is an educational tool that provides context sensitive application security guidance directly to the developer’s work environment
SecureAssist Delivers:
• Near real-time identification of code vulnerabilities as code is being written in the IDE (no ‘build’ necessary)
• Near real-time secure coding training and remediation techniques
• Near real-time & continuously available secure coding policies & rules (customizable)
Differentiators for Whitebox SecureAssist™
(Security Tools vs. Whitebox SecureAssist)
Users: Security/Tool Staff | Developers
Scan Initialization: Press of the button | File save/File open
Scan Time: Minutes/Hours/Days | Seconds
Scan Scope: Entire codebase (“build concept”) | File
Scan Results: Vulnerabilities/Security problems | Remediation guidance specific to vulnerability and class
End Results: Make scan results “go away” by writing custom rules, fixing code, suppressing issues | Review results, learn on the job, fix code real-time
Purpose: Find vulnerabilities | Fix vulnerabilities
Drilling Down into dollars and cents …