Cigital: Software security and software quality services

Software Confidence. Achieved.

Cigital
Software Security and Software Quality Services

21 July 2011

www.cigital.com
info@cigital.com
703-404-9293

© 2010 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

What We Do …


Cigital helps clients design, develop, deliver, and sustain secure software that continues to work under malicious attack.


A Little Bit About Us …


Founded in 1992

Cigital “wrote the book” on software security and software quality programs

Recognized experts in software security and software quality

Widely published in books, white papers, and articles

Industry thought leaders

Invented the first commercial Static Analysis Tool (Licensed to Fortify)

Extensive Industry Standards, Best Practices, and Regulatory Compliance Experience




Cigital Affiliations …

Cigital is a participating member and holds leadership positions in key industry organizations

(ISC)²: Technical Advisory Board for Certified Secure Software Lifecycle Professional (CSSLP)

Cloud Security Alliance: One of the founders

OWASP Northern Virginia: Chapter Leader

IEEE: Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine








Our Clients Include …


The Security Problem …

[Diagram: layers Data, Apps, S/W, Network; Insider Threat (Trusted Agent)]


Major Software Security Headlines …


Even More Software Security Headlines …

Any organization that is unwilling to believe it may have already been penetrated and that is not actively looking for signs of intrusion beyond what its network black boxes are telling it is living in a fantasy world.


Why You Should Care …


How likely is a successful software application attack?

Stunningly prevalent

Easy to exploit without special tools or knowledge

Little chance of being detected

Hundreds of thousands of developers, tiny fraction with security

Consequences?

Corruption or disclosure of database contents

Root access to web and application servers

Loss of authentication and access control for users

Defacement

Secondary attacks from your site

Application Security is becoming an increasingly important part of Cyber Security


But my system has been certified!!!


Cigital has performed hundreds of software assessments for systems that have received ATO.

For applications receiving ATO/IATO, on average in the Federal Government ...

1 vulnerability per 8 source lines of code

1 high vulnerability per 31 source lines of code

1 critical vulnerability per 69 source lines of code

Critical Vulnerability: extremely high likelihood and impact on application confidentiality, integrity, and/or availability.

High Vulnerability: high potential for significant impact on application confidentiality, integrity, and/or availability.

Vulnerability: software bug or design flaw that may be exploited by threat agents and represents a risk to assets and owners.


Another Reason To Care …


The new Application Security and Development STIG (Version 3, Release 2, dated 29 October 2010) has an increased software assurance focus to include, but not limited to:

software threat assessments

static/dynamic/binary analysis

other manual secure code reviews

secure coding standards

application software assurance training for managers, designers, developers, and testers ...

and more …


… and the Federal Government is Piling On

HR6523, the 2011 National Defense Appropriations Act, Section 932 “Strategy on Computer Software Assurance”, includes language in section (c)(3) that requires:

“(3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for

(A) assuring the security of software and software applications during software development;

(B) detecting vulnerabilities during testing of software; and

(C) detecting intrusions during real-time monitoring of software applications.”



Tools are part of the solution …


There is a tendency for over-reliance on tools

Software security is more art than science

Tools perform very differently depending on who operates them

Accurately configuring tools dramatically reduces false positives

There is no one-size-fits-all tool

There are no tools for analyzing the security of software architectures

Cigital is capable of detailing how to fix discovered vulnerabilities


… but Tools aren’t the answer


Code scanning tools don’t address all software languages

Design flaws account for 50% of security problems.

Automated tools can’t help you

You can’t find design defects by staring at code; a higher-level understanding is required

Tools can’t address:

Security requirements

Governance and compliance

Secure coding standards

Knowledge and training



It’s Time To Fix the Software


Software security and application security today focus on finding bugs

The time has come to stop looking for new bugs to add to the list … and start actually fixing things!

Which bugs in this pile should I fix?

But what about flaws?



Software Security Touchpoints

Our Value-Add … Building Security In

Application security is a people, process, and technology problem throughout the entire software development life cycle … because the most effective approaches to application security include improvements in all of these areas.


Cigital Services …

Integration of quality assurance and testing best practices into both your projects and enterprise …

Software Quality Services:

  Quality Review Services

  Organizational Quality Strategy & Roadmap (TPI)

  Application Risk Assessment

  Independent Verification and Validation (IV&V)

  Metrics & Measurement

  Portfolio Risk Management

  Software Quality Training

  Full Life-cycle Testing

  Test Automation

  Load and Performance Testing

  Security Testing

  Independent QA Execution

  Test Strategy and Planning

  Agile Development Testing

  Integration and System Testing

Software Security Services:

  Software Security Assurance: Security requirements; Secure code review; Architectural risk analysis; Application penetration testing; Security testing

  Software Security Training: Complete curriculum; Instructor-led; eLearning

  Enterprise Software Security: ESS Framework; ESS Roadmap; Governance and Compliance; Security Assurance; Secure SDLC; Knowledge and Training


Other Useful Resources …


Build Security In software assurance strategic initiative of the National Cyber Security Division (NCSD) of the Department of Homeland Security
https://buildsecurityin.us-cert.gov/bsi/home.html

Common Attack Pattern Enumeration and Classification (CAPEC)
http://capec.mitre.org/community/index.html

Common Weakness Enumeration (CWE)
http://cwe.mitre.org

Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org

Silver Bullet Security Podcast
http://www.cigital.com/silverbullet/

Gary McGraw on informIT
http://www.informit.com/authors/bio.aspx?a=b283e5a4-703c-47df-afbf-a9cfa311d46b

Building Security In Maturity Model
http://bsimm.com/

Software Security: Building Security In [THE book on software security]
http://www.swsec.com/




Contact …

Corporate Headquarters:
21351 Ridgetop Circle
Suite 400
Dulles, Virginia 20166
www.cigital.com

You can’t bolt security features onto code and expect it to become hack-proof. Security must be built in throughout the application development lifecycle….

Blair Vorgang
Managing Principal
Cigital Federal, Inc.
(703) 404-9293 x1278
bvorgang@cigital.com









Backup Slides


The Security Problem …


How much $$ are you spending on 4% of the problem??

Application and Operating System Vulnerabilities

The U.S. Department of Homeland Security (DHS) reports the majority of software vulnerabilities are related to applications. If left untreated, these vulnerabilities may lead to arbitrary code execution, buffer overflow, escalation of privileges, and Denial of Service attacks.

DHS reports that 96% of the reported software vulnerabilities are related to applications while 4% are related to the operating system (August 2010).

[Pie chart: Application Vulnerabilities 96%, Operating System Vulnerabilities 4%]


The Security Problem …


An almost exclusive focus on perimeter and network security has become increasingly inadequate

The ‘Defense In Depth’ paradigm must consider the root cause of security problems … application and data

Traditional Defense in Depth:

  Physical: Alarms; Lighting; Surveillance; Etc …

  Network: Network Authentication; Network Authorization; Network Audit Service; Hardware Encryption …

  System: System Authentication; System Authorization; System Audit Service …

Where’s the Rest of the Depth??

  Application / Database: Function Authorization; Data Encryption Object; Data Authentication Object; Database Authorization; Database Configuration Guidelines …


The Security Problem …

[Chart: Software Vulnerabilities Increasing. # of reported vulnerabilities (1), '95 to '03, y-axis 0 to 6000. Exponential increase in reported vulnerabilities.]

[Chart: Causing Expensive Downstream Fixes. Cost to fix bug by development stage (2): Design, Coding, Internal Testing, Beta Testing, Post release; y-axis 5X to 35X. ~35x more expensive to fix a bug post release than in design.]

(1) CERT Coordination Center at Carnegie Mellon University (Note: does not include unreported vulnerabilities, which would be a much higher number)

(2) NIST Report: “Economic Impact of Inadequate Infrastructure for Software Testing”

Despite spending $12B on Enterprise IT security in 2003, exploitation of software vulnerabilities costs the US economy over $10B, and we continue to see increases in the number of reported vulnerabilities, the number of incidents, and the cost per incident.
- Information Week 2004


Case Study … Air Force … Why ASACoE?


Over 33,000 Air Force officer records compromised

Sampled Air Force applications using automated tools

Significant risks exist in Air Force applications


Case Study … Air Force Approach

Train: 3 Day Training Session Covers ASACoE Tool Suite and Defensive Coding Practices

Enable: 5 Day On-Site Triage Assessment; Mentor PMO Staff; Deploy the ASACoE Tool Suite; Run Initial Scans

Support: Triage Assessment Report; Augment Remediation Efforts; Follow-up Scans

Broader strategic approach addressing deployed systems

Tool driven aimed at low-hanging fruit

Multi-perspective analysis

Large scale effort across multiple applications and technologies

ASACoE: Application Software Assurance Center of Excellence


Case Study … Results

[Chart: Critical/High Vulnerabilities Per 1,000 Lines of Code, Initial vs. Follow-On, for App1 through App6 (y-axis 0.00 to 60.00); percentage labels 26%, 9%, 49%, 60%, 75%, 69%]

Keep in mind that while ASACoE assessments are not deep and architectural risk isn’t addressed ... the security posture of assessed Air Force applications shows improvement.


Cigital SecureAssist

SecureAssist is an educational tool that provides context-sensitive application security guidance directly to the developer’s work environment

SecureAssist Delivers:

Near real-time identification of code vulnerabilities as code is being written in the IDE (no build necessary)

Near real-time secure coding training and remediation techniques

Near real-time & continuously available secure coding policies & rules (customizable)



Differentiators for Whitebox SecureAssist

| Security Tools      | Whitebox                                                                                  | SecureAssist                                              |
|---------------------|-------------------------------------------------------------------------------------------|-----------------------------------------------------------|
| Users               | Security/Tool Staff                                                                       | Developers                                                |
| Scan Initialization | Press of the button                                                                       | File save/File open                                       |
| Scan Time           | Minutes/Hours/Days                                                                        | Seconds                                                   |
| Scan Scope          | Entire codebase (build concept)                                                           | File                                                      |
| Scan Results        | Vulnerabilities/Security problems                                                         | Remediation guidance specific to vulnerability and class  |
| End Results         | Make scan results “go away” by writing custom rules, fixing code, suppressing issues      | Review results, learn on the job, fix code real-time      |
| Purpose             | Find vulnerabilities                                                                      | Fix vulnerabilities                                       |


Drilling Down into dollars and cents …