The Future of the System Development Life Cycle (SDLC)
Andrew Murren, Deloitte & Touche LLP
March 10, 2010

What is the Systems Development Life Cycle (SDLC)?

SDLC Defined
SDLC is the process of developing information systems through investigation, analysis, design, implementation and maintenance. SDLC is also known as information systems development or application development. SDLC is a systems approach to problem solving and is made up of several phases, each comprised of multiple steps [1]:
- The software concept: identifies and defines a need for the new system
- A requirements analysis: analyzes the information needs of the end users
- The architectural design: creates a blueprint for the design with the necessary specifications for the hardware, software, people and data resources
- Coding and debugging: creates and programs the final system
- System testing: evaluates the system's actual functionality in relation to expected or intended functionality

[1] http://www.webopedia.com/TERM/S/SDLC.html

The NIST Systems Development Life Cycle (SDLC)
[Diagram: Initiation → Development / Acquisition → Implementation / Assessment → Operations & Maintenance → Disposal]

A version from the National Institute of Standards and Technology (NIST) [1] defines the phases as:
- Initiation: During the initiation phase, the need for a system is expressed and the purpose of the system is documented.
- Development / Acquisition: During this phase, the system is designed, purchased, programmed, developed, or otherwise constructed.
- Implementation / Assessment: After system acceptance testing, the system is installed or fielded.
- Operations & Maintenance: During this phase, the system performs its work. The system is almost always modified by the addition of hardware and software and by numerous other events.
- Disposal: Activities conducted during this phase ensure the orderly termination of the system, safeguarding vital system information, and migrating data processed by the system to a new system, or preserving it in accordance with applicable records management regulations and policies.

[1] NIST Special Publication 800-64 Revision 2: Security Considerations in the System Development Life Cycle

Quiz Time!
Test your knowledge of how vulnerable systems are!

Question 1
1. About how many new malware signatures were added by Symantec in 4Q2009?
   a. Over 1.5 million
   b. Between 1 million and 1.5 million
   c. Between 500,000 and 1 million
   d. Less than 500,000

Question 2
2. According to McAfee, about how many new zombie computers were created per day in 3Q2009?
   a. Over 250,000
   b. Between 150,000 and 250,000
   c. Between 100,000 and 150,000
   d. Less than 100,000

Question 3
3. (ISC)2 estimated what percentage of security breaches are application related?
   a. 80%
   b. 70%
   c. 60%
   d. 50%

Question 4
4. In February 2010, Security Labs collected and tested more than 30,000 live malicious URL samples against the typical tools of third-party URL lists and anti-virus scanners. How many malicious URLs pass unnoticed through anti-virus scanners and URL filtering, even when these two approaches are used together?
   a. Between 50% and 70%
   b. Between 30% and 50%
   c. Between 10% and 30%
   d. Less than 10%

Quiz Solutions

Question 1
1. About how many new malicious code signatures were added by Symantec in 4Q2009?
   a. Over 1.5 million
   b. Between 1 million and 1.5 million
   c. Between 500,000 and 1 million
   d. Less than 500,000
Symantec added 921,143 new malicious code signatures in 4Q2009.

Question 2
2. According to McAfee, about how many new zombie computers were created per day in 3Q2009?
   a. Over 250,000
   b. Between 150,000 and 250,000
   c. Between 100,000 and 150,000
   d. Less than 100,000
McAfee estimates that 148,000 new zombie computers were created per day, and 40 million in the first three quarters of 2009.

Question 3
3. (ISC)2 estimated what percentage of security breaches are application related?
   a. 80%
   b. 70%
   c. 60%
   d. 50%
(ISC)2 estimates that 80% of security breaches are due to applications. As operating systems become more secure, attacks are moving to less secure applications and specifically web applications.

Question 4
4. In February 2010, Security Labs collected and tested more than 30,000 live malicious URL samples against the typical tools of third-party URL lists and anti-virus scanners. How many malicious URLs pass unnoticed through anti-virus scanners and URL filtering, even when these two approaches are used together?
   a. Between 50% and 70%
   b. Between 30% and 50%
   c. Between 10% and 30%
   d. Less than 10%
Security Labs found that in the best case scenario 60% passed through filters and scanning.

Quiz Time
How did you do?

Key Components to Secure SDLC
Security Architecture and Code Review
Security Architecture review focuses on identifying weaknesses in the design, implementation and security controls of the application, including:
- Authentication & Authorization
- Session management
- Secure communications
- Sensitive data management (privacy of information)
- Parameter validation
- Configuration management
- Database access management
- Exception management
- Audit Log management

Key Components to Secure SDLC (cont.)
Security Architecture and Code Review
- Code quality
- Cache Management, Pooling, and Reuse
- System Calls
- Automated line by line review of source code along with manual code reviews
- Detection of vulnerabilities in security design and/or flaws of the application
- Identification of security vulnerabilities in the source code of the application
- Evaluation of secured application development processes

Key Components to Secure SDLC (cont.)
Application Vulnerability Testing
Consists of a controlled security test of the application environment to identify potential external exposures. Application testing includes the following:
- Black-box (un-credentialed) and grey-box (credentialed) testing
- Insecure configuration testing (e.g., missing patches, improper file or directory permissions, default accounts, excessive services, unnecessary coding files)
- Manipulation testing (e.g., injection flaws, privilege escalation, insecure direct object reference, cross-site scripting, forceful browsing)
- Aggregation testing (e.g., error messages, support data, legacy code, developer comments)
- Iteration testing (e.g., "brute force" techniques can be used for timing attacks or to bypass session/state management)

Source Code Analysis Tools
- Ounce 6: automatically delivers confirmed vulnerabilities directly to the developer's IDE as part of the SDLC build process
- Fortify 360: integrates source code analysis, program trace analysis and real-time analysis to identify the most comprehensive and accurate list of vulnerabilities
- Veracode: provides code analysis and web application security testing through a software-as-a-service delivery model
- Coverity: offers integrated static and dynamic code analysis, build analysis and architecture analysis

Web Application Assessment Tools
- IBM AppScan: automates Web application security assessments. Automatically validates and provides fix advisories for both Common Web Vulnerabilities (CWVs) and application-specific vulnerabilities, such as cross-site scripting and SQL injection
- Nikto: Web server scanner that performs comprehensive tests, including more than 3,550 potentially dangerous files/CGIs, versions on more than 115 products/CGIs, and reports details on more than 180 products/CGIs
- Whisker: CGI scanner
- Web Sphinx: A fully customizable web crawler that browses and processes Web pages automatically
- NGS OraScan: A security tool designed to automate the process of assessing an Oracle web front end and its online applications

What Changes are Happening?
- Virtualization
- Pervasive, Always On Connectivity
- Cloud Computing
- Breakdown of the Traditional Perimeter
- Social Networking / Web 2.0
- New Laws and Regulations
  • Privacy
  • Due Diligence
- Increased Sophistication and Capability of Attackers
  • Criminal Organizations
  • Government Agencies
  • Non-Nation/State Political Actors

Current SDLC Issues / Trends
“The most obvious issue is that security defects come in two flavors – implementation bugs found at the code level and architectural flaws found at the design level. Each of these accounts for roughly half of the defects in practice.” - Gary McGraw, CTO, Cigital
- Application breaches today are primarily the result of poor coding, yet security embedded in SDLC processes continues to be an afterthought
- Simply maintaining patches on COTS can address a number of vulnerabilities; however, few organizations stay ahead of the curve
- Most security groups state that security resources are not involved early and often enough in the SDLC process, yet when asked to participate, security groups do not always dedicate the time/resources required
- To address the above, organizations are moving towards:
  • More formalized security integration into the SDLC
  • Code scanning during the SDLC process

Emerging Security Considerations
- Virtualization
  • Multiple Virtual Machines (VMs) on one physical host
  • Security zones
  • Inter-VM communications
- Cloud Computing
  • Trusted connections
  • Legal & regulatory compliance of the actual hosting location
  • Shared physical hosts
- Embedded & Mobile Applications
  • Multiple methods of connecting (Bluetooth, IR, Wireless)
  • Always on
- Data Protection
  • Backup
  • Data Loss Protection

Microsoft’s Security Development Lifecycle (SDL)
The Trustworthy Computing Security Development Lifecycle (or SDL) is the process that Bill Gates announced in January 2002 and Microsoft adopted for the development of software after a number of high-profile security attacks that embarrassed the company. It was added on top of Microsoft’s existing SDLC. It is designed for Microsoft’s SDLC and is considered by many smaller organizations too complex and heavy. In February 2010 Microsoft released a simpler version for organizations that don’t have the same resources as Microsoft.

SDL stages:
- Stage 0: Education and Awareness
- Stage 1: Project Inception
- Stage 2: Define and Follow Design Best Practices
- Stage 3: Product Risk Assessment
- Stage 4: Risk Analysis
- Stage 5: Creating Security Documents, Tools, and Best Practices for Customers
- Stage 6: Secure Coding Policies
- Stage 7: Secure Testing Policies
- Stage 8: The Security Push
- Stage 9: The Final Security Review
- Stage 10: Security Response Planning
- Stage 11: Product Release
- Stage 12: Security Response Execution

Microsoft’s Changes to their SDLC
Microsoft’s Trustworthy Computing effort has four major benefits: 1) risk reduction, 2) cost reduction, 3) improved time-to-market, 4) enhanced functionality.
- Microsoft reduced the number of security incidents by half using their Security Development Lifecycle (SDL)
- On average, a critical vulnerability costs Microsoft $100k
- The cost of any defect increases exponentially throughout the SDLC
- Unsecured applications raise the operational cost by constantly reacting to operational security issues
- Security review costs are reduced significantly using SDL
- Time to market improves after the initial investment
- Componentized software security with clearly defined interfaces and guidelines encourages reuse, which results in cost savings and faster time to market
[Chart: Pre-SDL vs. Post-SDL]
Source: Microsoft Research Faculty Summit 2005: The Trustworthy Computing Security Development Lifecycle, by Steve Lipner

Quiz Time Again!
Test your knowledge of some system vulnerabilities!

Question 1
1. According to Symantec, what application was the top target of web attacks in 2009?
   a. Microsoft Internet Explorer
   b. Adobe Acrobat
   c. Microsoft Movie Maker
   d. Mozilla’s Firefox

Question 2
2. What percentage of applications evaluated by Veracode got a passing score for security the first time tested?
   a. Between 50% and 70%
   b. Between 30% and 50%
   c. Between 10% and 30%
   d. Less than 10%

Question 3
3. What is the Number 1 programming error on the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list?
   a. SQL Injection
   b. Buffer Overflow
   c. OS Command Injection
   d. Cross-site Scripting

Question 4
4. How much was stolen by cybercriminals from small to medium sized businesses in 3Q2009?
   a. Over $20 million
   b. Between $10 and $20 million
   c. Between $5 and $10 million
   d. Less than $5 million

Quiz Solutions

Question 1
1. According to Symantec, what application was the top target of web attacks in 2009?
   a. Microsoft Internet Explorer
   b. Adobe Acrobat
   c. Microsoft Movie Maker
   d. Mozilla’s Firefox
The Acrobat PDF file download vulnerability accounted for 47% of all web attacks. When the various attacks against Microsoft IE were combined, they accounted for 37% of attacks.

Question 2
2. What percentage of applications evaluated by Veracode got a passing score for security the first time tested?
   a. Between 50% and 70%
   b. Between 30% and 50%
   c. Between 10% and 30%
   d. Less than 10%
Open Source applications passed 39%; Commercial applications passed 38%; Internally Developed applications passed 31%. Applications were evaluated against the CWE/SANS Top 25 Most Dangerous Programming Errors.

Question 3
3. What is the Number 1 programming error on the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list?
   a. SQL Injection
   b. Buffer Overflow
   c. OS Command Injection
   d. Cross-site Scripting
CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
“Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications.”
XSS is an easy to detect and fix design flaw.
The Top 5 were:
1. Cross-site Scripting
2. SQL Injection
3. Classic Buffer Overflow
4. Cross-Site Request Forgery (CSRF)
5. Improper Access Control (Authorization)

Question 4
4. How much was stolen by cybercriminals from small to medium sized businesses in 3Q2009?
   a. Over $20 million
   b. Between $10 and $20 million
   c. Between $5 and $10 million
   d. Less than $5 million
According to FBI statistics, cybercriminals stole over $25 million in 3Q2009. During the same period, traditional bank robberies took less than $9.5 million.

Quiz Time Again
How did you do?

Models for Securing SDLC
- Microsoft’s Security Development Lifecycle
  • Adds activities on top of the existing SDLC
  • Used by many large software developers
  • Can be expensive
- Cigital’s Touch Points
  • Seven activities that can be added into an existing SDLC
  • Designed to be phased in with minimal impact
  • Adopted by DHS and DoD
- The Open Web Application Security Project (OWASP) Comprehensive, Lightweight Application Security Process (CLASP)
  • Set of process pieces that can be integrated into any software development process
  • Designed to be easy to adopt and effective
  • Freely available for organizations to obtain and adopt

Trends in SDLC
- Adopting all or parts of the Secure Development models
- Use of Source Code Analysis (SCA) tools such as Fortify and Ounce
- Increased risk analysis throughout the SDLC
- Adding Threat Modeling, Abuse Cases and Security Requirements to the initial design requirements
- External reviews
- Incorporating Web Application Firewalls and other application layer security devices into the network
- Vulnerability Assessments and Penetration Testing as part of application testing and acceptance
- Adding checklists of do’s and don’ts to development policies
- Movement to add security assurances to software acquisition contracts

Take Aways
- SDLC is the process to develop and maintain software
- Applications are now the prime targets of attackers as the OS layer gets more secure
- The diffusion of the client environment makes securing applications more critical
- Virtualization and Cloud Computing will make designers and developers adapt due to less certainty of the hosting environment
- Current network and host based defenses are not enough
- Legal issues are becoming increasingly important, with increased visibility by lawyers
- Rewards for cyber theft are significantly higher than for traditional theft

Questions?
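Appendix: a worked illustration of two slides above, the "injection flaws" item under Application Vulnerability Testing and the "automated line by line review of source code" that the Source Code Analysis Tools slide lists. This is an added example written for this page, not code from the deck or from any of the named vendors. It shows one injection flaw beside its parameterized fix, and a toy static check that flags dynamically built SQL the way an SCA tool would. The user table, the reviewed snippet (`REVIEWED_SOURCE`) and the probe string (`PROBE`) are constructed for the illustration; only the Python standard library is used.

```python
# Added example, not from the Deloitte deck: one injection flaw beside its
# parameterized fix, plus a toy "line by line" source check of the kind that
# SCA tools automate. The user table, the reviewed snippet and the probe
# string are all constructed for this illustration.
import ast
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Injection flaw: the caller's value is spliced into the SQL text."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = '" + name + "'"
    ).fetchall()


def find_user_fixed(conn, name):
    """Hardened form: the value is bound as a parameter and can never become SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def flag_dynamic_sql(source):
    """Minimal static check: report every .execute()/.executemany() call whose
    SQL argument is anything other than a plain string literal (concatenation,
    f-string, %-formatting, .format()). Returns the offending line numbers."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        if not isinstance(node.args[0], ast.Constant):
            findings.append(node.lineno)
    return findings


# Constructed snippet "under review"; only the last call is parameterized.
REVIEWED_SOURCE = '''
def login(cur, user):
    cur.execute("SELECT id FROM accounts WHERE user = '" + user + "'")
    cur.execute(f"SELECT id FROM accounts WHERE user = '{user}'")
    cur.execute("SELECT id FROM accounts WHERE user = '%s'" % user)
    cur.execute("SELECT id FROM accounts WHERE user = ?", (user,))
'''

# The textbook probe every scanner sends: it makes the WHERE clause always true.
PROBE = "' OR '1'='1"


def demo():
    """Return (rows from the flawed query, rows from the fixed query, flagged lines)."""
    conn = make_db()
    leaked = find_user_vulnerable(conn, PROBE)   # every row comes back
    bound = find_user_fixed(conn, PROBE)         # no user has that literal name
    return leaked, bound, flag_dynamic_sql(REVIEWED_SOURCE)


if __name__ == "__main__":
    leaked, bound, flagged = demo()
    print("vulnerable query returned", len(leaked), "rows; fixed query returned", len(bound))
    print("SCA check flagged lines", flagged, "of the reviewed snippet")
```

Running the module shows the flawed query returning all three users for the probe while the parameterized query returns none, and the static check reporting lines 3, 4 and 5 of the reviewed snippet while leaving the parameterized call on line 6 alone. Real SCA products track data flow from an untrusted source to the query rather than matching only the argument's syntax, which is why they catch the variable-holding-a-built-string case this toy check misses; the point here is the review principle, not the tool.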