The Future of the System
Development Life Cycle (SDLC)
Andrew Murren
Deloitte & Touche LLP
March 10, 2010
What is the Systems Development Life Cycle (SDLC)?
SDLC Defined
SDLC is the process of developing information systems through
investigation, analysis, design, implementation and maintenance. SDLC
is also known as information systems development or application
development. SDLC is a systems approach to problem solving and is
made up of several phases, each comprised of multiple steps:
• The software concept: identifies and defines a need for the new system
• A requirements analysis: analyzes the information needs of the end users
• The architectural design: creates a blueprint for the design with the necessary specifications for the hardware, software, people and data resources
• Coding and debugging: creates and programs the final system
• System testing: evaluates the system's actual functionality in relation to expected or intended functionality
1. http://www.webopedia.com/TERM/S/SDLC.html
The NIST Systems Development Life Cycle (SDLC)
[Figure: the five NIST SDLC phases in sequence: Initiation → Development/Acquisition → Implementation/Assessment → Operations & Maintenance → Disposal]
A version from the National Institute for Standards and Technology
(NIST)1 defines the phases as:
• Initiation: During the initiation phase, the need for a system is expressed and the purpose of the system is documented.
• Development/Acquisition: During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.
• Implementation/Assessment: After system acceptance testing, the system is installed or fielded.
• Operations & Maintenance: During this phase, the system performs its work. The system is almost always modified by the addition of hardware and software and by numerous other events.
• Disposal: Activities conducted during this phase ensure the orderly termination of the system, safeguarding vital system information, and migrating data processed by the system to a new system, or preserving it in accordance with applicable records management regulations and policies.
1. NIST Special Publication 800-64 Revision 2: Security Considerations in the System Development Life Cycle
Quiz Time!
Test your knowledge of how vulnerable systems are!
Question 1
1. About how many new malware signatures were added by
Symantec in 4Q2009?
a. Over 1.5 million
b. Between 1 million and 1.5 million
c. Between 500,000 and 1 million
d. Less than 500,000
Question 2
2. According to McAfee, about how many new zombie computers were created per day in 3Q2009?
a. Over 250,000
b. Between 150,000 and 250,000
c. Between 100,000 and 150,000
d. Less than 100,000
Question 3
3. (ISC)2 estimated what percentage of security breaches are application related?
a. 80%
b. 70%
c. 60%
d. 50%
Question 4
4. In February 2010, Security Labs collected and tested more than 30,000 live malicious URL samples against the typical tools of third-party URL lists and anti-virus scanners. How many malicious URLs pass unnoticed through anti-virus scanners and URL filtering, even when these two approaches are used together?
a. Between 50% and 70%
b. Between 30% and 50%
c. Between 10% and 30%
d. Less than 10%
Quiz Solutions
Question 1
1. About how many new malicious code signatures were added by Symantec in 4Q2009?
a. Over 1.5 million
b. Between 1 million and 1.5 million
c. Between 500,000 and 1 million
d. Less than 500,000
Symantec added 921,143 new malicious code signatures in 4Q2009.
Question 2
2. According to McAfee, about how many new zombie computers were created per day in 3Q2009?
a. Over 250,000
b. Between 150,000 and 250,000
c. Between 100,000 and 150,000
d. Less than 100,000
McAfee estimates that 148,000 new zombie computers were created per day, and 40 million in the first three quarters of 2009.
Question 3
3. (ISC)2 estimated what percentage of security breaches are application related?
a. 80%
b. 70%
c. 60%
d. 50%
(ISC)2 estimates that 80% of security breaches are due to applications. As operating systems become more secure, attacks are moving to less secure applications, specifically web applications.
Question 4
4. In February 2010, Security Labs collected and tested more than 30,000 live malicious URL samples against the typical tools of third-party URL lists and anti-virus scanners. How many malicious URLs pass unnoticed through anti-virus scanners and URL filtering, even when these two approaches are used together?
a. Between 50% and 70%
b. Between 30% and 50%
c. Between 10% and 30%
d. Less than 10%
Security Labs found that in the best-case scenario 60% passed through filters and scanning.
Quiz Time
How did you do?
Key Components to Secure SDLC
Security Architecture and Code Review
Security Architecture review focuses on identifying weaknesses in the design, implementation and security controls of the application, including:
• Authentication & Authorization
• Session management
• Secure communications
• Sensitive data management (privacy of information)
• Parameter validation
• Configuration management
• Database access management
• Exception management
• Audit log management
Key Components to Secure SDLC (cont.)
Security Architecture and Code Review
• Code quality
• Cache management, pooling, and reuse
• System calls
• Automated line-by-line review of source code along with manual code reviews
• Detection of vulnerabilities in the security design and/or flaws of the application
• Identification of security vulnerabilities in the source code of the application
• Evaluation of secure application development processes
Key Components to Secure SDLC (cont.)
Application Vulnerability Testing
Consists of a controlled security test of the application environment to identify potential external exposures. Application testing includes the following:
• Black-box (un-credentialed) and grey-box (credentialed) testing
• Insecure configuration testing (e.g., missing patches, improper file or directory permissions, default accounts, excessive services, unnecessary coding files)
• Manipulation testing (e.g., injection flaws, privilege escalation, insecure direct object reference, cross-site scripting, forceful browsing)
• Aggregation testing (e.g., error messages, support data, legacy code, developer comments)
• Iteration testing (e.g., “brute force” techniques can be used for timing attacks or to bypass session/state management)
Source Code Analysis Tools
• Ounce 6 - automatically delivers confirmed vulnerabilities directly to the developer's IDE as part of the SDLC build process
• Fortify 360 - integrates source code analysis, program trace analysis and real-time analysis to identify the most comprehensive and accurate list of vulnerabilities
• Veracode - provides code analysis and web application security testing through a software-as-a-service delivery model
• Coverity - offers integrated static and dynamic code analysis, build analysis and architecture analysis
Web Application Assessment Tools
• IBM AppScan - automates Web application security assessments. Automatically validates and provides fix advisories for both Common Web Vulnerabilities (CWVs) and application-specific vulnerabilities, such as cross-site scripting and SQL injection
• Nikto - Web server scanner that performs comprehensive tests, including more than 3,550 potentially dangerous files/CGIs, versions on more than 115 products/CGIs, and reports details on more than 180 products/CGIs
• Whisker - CGI scanner
• Web Sphinx - a fully customizable web crawler that browses and processes Web pages automatically
• NGS OraScan - a security tool designed to automate the process of assessing an Oracle web front end and its online applications
What Changes are Happening?
• Virtualization
• Pervasive, Always On Connectivity
• Cloud Computing
• Breakdown of the Traditional Perimeter
• Social Networking / Web 2.0
• New Laws and Regulations
  • Privacy
  • Due Diligence
• Increased Sophistication and Capability of Attackers
  • Criminal Organizations
  • Government Agencies
  • Non-Nation/State Political Actors
Current SDLC Issues / Trends
• “The most obvious issue is that security defects come in two flavors – implementation bugs found at the code level and architectural flaws found at the design level. Each of these accounts for roughly half of the defects in practice.” - Gary McGraw, CTO Cigital
• Application breaches today are primarily the result of poor coding, yet security embedded in SDLC processes continues to be an afterthought
• Simply maintaining patches on COTS can address a number of vulnerabilities; however, few organizations stay ahead of the curve
• Most security groups state that security resources are not involved early and often enough in the SDLC process, yet when asked to participate, security groups do not always dedicate the time/resources required
• To address the above, organizations are moving towards:
  • More formalized security integration into the SDLC
  • Code scanning during the SDLC process
Emerging Security Considerations
• Virtualization
  • Multiple Virtual Machines (VMs) on one physical host
  • Security zones
  • Inter-VM communications
• Cloud Computing
  • Trusted connections
  • Legal & regulatory compliance of the actual hosting location
  • Shared physical hosts
• Embedded & Mobile Applications
  • Multiple methods of connecting (Bluetooth, IR, wireless)
  • Always on
• Data Protection
  • Backup
  • Data loss protection
Microsoft’s Security Development Lifecycle (SDL)
The Trustworthy Computing Security Development Lifecycle (or SDL) is the process that Bill Gates announced in January 2002 and that Microsoft adopted for the development of software after a number of high-profile security attacks that embarrassed the company.
It was added on top of Microsoft’s existing SDLC. It is designed for Microsoft’s SDLC and is considered by many smaller organizations too complex and heavy. In February 2010 Microsoft released a simpler version for organizations that don’t have the same resources as Microsoft.
Stage 0: Education and Awareness
Stage 1: Project Inception
Stage 2: Define and Follow Design Best Practices
Stage 3: Product Risk Assessment
Stage 4: Risk Analysis
Stage 5: Creating Security Documents, Tools, and Best Practices for Customers
Stage 6: Secure Coding Policies
Stage 7: Secure Testing Policies
Stage 8: The Security Push
Stage 9: The Final Security Review
Stage 10: Security Response Planning
Stage 11: Product Release
Stage 12: Security Response Execution
Microsoft’s Changes to their SDLC
Microsoft’s Trustworthy Computing effort has four major benefits: 1) risk reduction, 2) cost reduction, 3) improved time-to-market, 4) enhanced functionality
• Microsoft reduced the number of security incidents by half using their Security Development Lifecycle (SDL)
• On average, a critical vulnerability costs Microsoft $100k
• The cost of any defect increases exponentially throughout the SDLC
• Unsecured applications raise operational cost by constantly reacting to operational security issues
• Security review costs are reduced significantly using SDL
• Time to market improves after the initial investment
• Componentized software security with clearly defined interfaces and guidelines encourages reuse, which results in cost savings and faster time to market
[Figure: chart comparing Pre-SDL and Post-SDL]
Source: Microsoft Research Faculty Summit 2005: The Trustworthy Computing Security Development Lifecycle, by Steve Lipner
Quiz Time Again!
Test your knowledge of some system vulnerabilities!
Question 1
1. According to Symantec, what application was the top target of web attacks in 2009?
a. Microsoft Internet Explorer
b. Adobe Acrobat
c. Microsoft Movie Maker
d. Mozilla’s Firefox
Question 2
2. What percentage of applications evaluated by Veracode got a passing score for security the first time tested?
a. Between 50% and 70%
b. Between 30% and 50%
c. Between 10% and 30%
d. Less than 10%
Question 3
3. What is the number 1 programming error on the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list?
a. SQL Injection
b. Buffer Overflow
c. OS Command Injection
d. Cross-site Scripting
Question 4
4. How much was stolen by cybercriminals from small to medium sized businesses in 3Q2009?
a. Over $20 million
b. Between $10 and $20 million
c. Between $5 and $10 million
d. Less than $5 million
Quiz Solutions
Question 1
1. According to Symantec, what application was the top target of web attacks in 2009?
a. Microsoft Internet Explorer
b. Adobe Acrobat
c. Microsoft Movie Maker
d. Mozilla’s Firefox
The Acrobat PDF file download vulnerability accounted for 47% of all web attacks. When various attacks against Microsoft IE were combined, they accounted for 37% of attacks.
Question 2
2. What percentage of applications evaluated by Veracode got a passing score for security the first time tested?
a. Between 50% and 70%
b. Between 30% and 50%
c. Between 10% and 30%
d. Less than 10%
• Open source applications passed: 39%
• Commercial applications passed: 38%
• Internally developed applications passed: 31%
Applications were evaluated against the CWE/SANS Top 25 Most Dangerous Programming Errors.
Question 3
3. What is the number 1 programming error on the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list?
a. SQL Injection
b. Buffer Overflow
c. OS Command Injection
d. Cross-site Scripting
CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
“Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications.” XSS is an easy to detect and fix design flaw.
Top 5 were:
• Cross-site Scripting
• SQL Injection
• Classic Buffer Overflow
• Cross-Site Request Forgery (CSRF)
• Improper Access Control (Authorization)
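To show what "easy to detect and fix" means for CWE-79 in practice, here is an added example that is not from the presentation: a constructed greeting template rendered without output encoding, the escaped version beside it, and a regression check of the kind a secure SDLC build stage could run. The template, the function names and the sample input are all constructed for this illustration.

```python
import html
import re


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable (CWE-79): untrusted input is concatenated straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Fixed: untrusted input is HTML-escaped before it enters element content."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed sample input: a string a browser would interpret as markup.
UNTRUSTED_SAMPLE = "<script>alert('xss')</script>"

# Characters that must never reach HTML element content unencoded.
_RAW_MARKUP = re.compile(r"[<>\"']")


def leaks_raw_markup(rendered: str, prefix: str, suffix: str) -> bool:
    """Return True if the portion of the output that came from input still
    contains raw markup characters, i.e. the renderer failed to encode it."""
    if not (rendered.startswith(prefix) and rendered.endswith(suffix)):
        raise ValueError("rendered output does not match the expected template")
    injected = rendered[len(prefix):len(rendered) - len(suffix)]
    return _RAW_MARKUP.search(injected) is not None


def audit_renderers() -> dict:
    """Run the check over both renderers. A build gate would fail the build
    for any renderer that maps to True (raw markup leaked into the page)."""
    prefix, suffix = "<p>Hello, ", "!</p>"
    results = {}
    for label, renderer in (("unsafe", render_greeting_unsafe),
                            ("safe", render_greeting_safe)):
        results[label] = leaks_raw_markup(renderer(UNTRUSTED_SAMPLE), prefix, suffix)
    return results


if __name__ == "__main__":
    for label, leaks in audit_renderers().items():
        print(f"{label}: {'FAIL (raw markup in output)' if leaks else 'ok'}")
```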
Question 4
4. How much was stolen by cybercriminals from small to medium sized businesses in 3Q2009?
a. Over $20 million
b. Between $10 and $20 million
c. Between $5 and $10 million
d. Less than $5 million
According to FBI statistics, cybercriminals stole over $25 million in 3Q2009. During the same period, traditional bank robberies stole less than $9.5 million.
Quiz Time Again
How did you do?
Models for Securing SDLC
• Microsoft’s Security Development Lifecycle
  • Adds activities on top of the existing SDLC
  • Used by many large software developers
  • Can be expensive
• Cigital’s Touch Points
  • Seven activities that can be added into an existing SDLC
  • Designed to be phased in with minimal impact
  • Adopted by DHS and DoD
• The Open Web Application Security Project (OWASP) Comprehensive, Lightweight Application Security Process (CLASP)
  • Set of process pieces that can be integrated into any software development process
  • Designed to be easy to adopt and effective
  • Freely available for organizations to obtain and adopt
Trends in SDLC
• Adopting all or parts of the secure development models
• Use of Source Code Analysis (SCA) tools such as Fortify and Ounce
• Increased risk analysis throughout the SDLC
• Adding threat modeling, abuse cases and security requirements to the initial design requirements
• External reviews
• Incorporating Web Application Firewalls and other application-layer security devices into the network
• Vulnerability assessments and penetration testing as part of application testing and acceptance
• Adding checklists of do’s and don’ts to development policies
• Movement to add security assurances to software acquisition contracts
Takeaways
• SDLC is the process used to develop and maintain software
• Applications are now the prime targets of attackers as the OS layer gets more secure
• The diffusion of the client environment makes securing applications more critical
• Virtualization and cloud computing will make designers and developers adapt due to less certainty about the hosting environment
• Current network- and host-based defenses are not enough
• Legal issues are becoming increasingly important, with increased visibility by lawyers
• Rewards for cyber theft are significantly higher than for traditional theft
Questions?