Cigital: Software security and software quality services

Cigital
Software Security and
Software Quality Services
Software Confidence. Achieved.
21 July 2011
www.cigital.com
info@cigital.com
703-404-9293
What We Do …

Cigital helps clients design, develop, deliver, and
sustain secure software that continues to work under
malicious attack.
© 2010 Cigital Inc. All Rights Reserved. Proprietary and Confidential .
A Little Bit About Us …
Founded in 1992, Cigital “wrote the book” on software security and software quality programs
• Recognized experts in software security and software quality
• Widely published in books, white papers, and articles
• Industry thought leaders
• Invented the first commercial Static Analysis Tool (licensed to Fortify)
• Extensive Industry Standards, Best Practices, and Regulatory Compliance experience

Cigital Affiliations …

Cigital is a participating member and holds leadership positions in key industry organizations:
• ISC2: Technical Advisory Board for Certified Secure Software Lifecycle Professional (CSSLP)
• Cloud Security Alliance: one of the founders
• OWASP Northern Virginia: Chapter Leader
• IEEE: Computer Society Board of Governors member; produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine
Our Clients Include …
The Security Problem …
[Diagram: Network, Apps, S/W, and Data layers, with the Insider Threat (Trusted Agent) shown alongside]
Major Software Security Headlines …
Even More Software Security Headlines …
Any organization that is unwilling to believe it may have already been penetrated and that is not actively looking for signs of intrusion beyond what its network black boxes are telling it is living in a fantasy world.
Why You Should Care …

How likely is a successful software application attack?
• Stunningly prevalent
• Easy to exploit without special tools or knowledge
• Little chance of being detected
• Hundreds of thousands of developers, tiny fraction with security
Consequences?
• Corruption or disclosure of database contents
• Root access to web and application servers
• Loss of authentication and access control for users
• Defacement
• Secondary attacks from your site
Application Security is becoming an increasingly important part of Cyber Security.
But my system has been certified!!!


Cigital has performed hundreds of software assessments for systems that have received ATO.
For applications receiving ATO/IATO in the Federal Government, on average:
• 1 vulnerability per 8 source lines of code
• 1 high vulnerability per 31 source lines of code
• 1 critical vulnerability per 69 source lines of code
Critical Vulnerability: extremely high likelihood and impact on application confidentiality, integrity, and/or availability.
High Vulnerability: high potential for significant impact on application confidentiality, integrity, and/or availability.
Vulnerability: software bug or design flaw that may be exploited by threat agents and represents a risk to assets and owners.
Another Reason To Care …

The new Application Security and Development STIG (Version 3, Release 2, dated 29 October 2010) has an increased software assurance focus that includes, but is not limited to:
• software threat assessments
• static/dynamic/binary analysis
• other manual secure code reviews
• secure coding standards
• application software assurance training for managers, designers, developers, and testers ...
• and more …
and the Federal Government is Piling On …

HR6523, the 2011 National Defense Appropriations Act, Section 932 (Strategy on Computer Software Assurance), includes language in section (C)(3) that requires:
“(3) Mechanisms for protection against compromise of information systems through the supply chain or cyber attack by acquiring and improving automated tools for—
(A) assuring the security of software and software applications during software development;
(B) detecting vulnerabilities during testing of software; and
(C) detecting intrusions during real-time monitoring of software applications.”
Tools are part of the solution …


• There is a tendency for over-reliance on tools
• Software security is more art than science
• Tools perform very differently depending on who operates them
  • Accurately configuring tools dramatically reduces false positives
• There is no one-size-fits-all tool
• There are no tools for analyzing the security of software architectures
• Cigital is capable of detailing how to fix discovered vulnerabilities
… but Tools aren’t the answer


• Code scanning tools don’t address all software languages
• Design flaws account for 50% of security problems. Automated tools can’t help you
  • You can’t find design defects by staring at code—a higher-level understanding is required
• Tools can’t address
  • Security requirements
  • Governance and compliance
  • Secure coding standards
  • Knowledge and training
It’s Time To Fix the Software


Software security and application security today focus on finding bugs. The time has come to stop looking for new bugs to add to the list … and start actually fixing things!
• Which bugs in this pile should I fix?
• But what about flaws?
Our Value-Add … Building Security In
Software Security Touchpoints
Application security is a people, process, and technology problem
throughout the entire software development life cycle … because the
most effective approaches to application security include improvements
in all of these areas.
Cigital Services …
Integration of quality assurance and testing best practices into both your projects and enterprise …
Software Quality Services
Quality Review Services
• Organizational Quality Strategy & Roadmap (TPI)
• Application Risk Assessment
• Independent Verification and Validation (IV&V)
• Metrics & Measurement
• Portfolio Risk Management
• Software Quality Training
Full Life-cycle Testing
• Test Automation
• Load and Performance Testing
• Security Testing
• Independent QA Execution
• Test Strategy and Planning
• Agile Development Testing
• Integration and System Testing
Software Security Services

Software Security Assurance
• Security requirements
• Secure code review
• Architectural risk analysis
• Application penetration testing
• Security testing
Software Security Training
• Complete curriculum
• Instructor-led
• eLearning
Enterprise Software Security
• ESS Framework
• ESS Roadmap
• Governance and Compliance
• Security Assurance
• Secure SDLC
• Knowledge and Training
Other Useful Resources …

• Build Security In, the software assurance strategic initiative of the National Cyber Security Division (NCSD) of the Department of Homeland Security: https://buildsecurityin.us-cert.gov/bsi/home.html
• Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/community/index.html
• Common Weakness Enumeration (CWE): http://cwe.mitre.org
• Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org
• Silver Bullet Security Podcast: http://www.cigital.com/silverbullet/
• Gary McGraw on informIT: http://www.informit.com/authors/bio.aspx?a=b283e5a4-703c-47df-afbfa9cfa311d46b
• Building Security In Maturity Model: http://bsimm.com/
• Software Security: Building Security In [THE book on software security]: http://www.swsec.com/
Contact …
Blair Vorgang
Managing Principal
Cigital Federal, Inc.
(703) 404-9293 x1278
bvorgang@cigital.com
Corporate Headquarters:
21351 Ridgetop Circle
Suite 400
Dulles, Virginia 20166
www.cigital.com
You can’t bolt security features onto code and expect it to become hack-proof. Security must be
built in throughout the application development lifecycle….
Backup Slides
The Security Problem …



How much $$ are you spending on 4% of the problem??
The U.S. Department of Homeland Security (DHS) reports that the majority of software vulnerabilities are related to applications. If left untreated, these vulnerabilities may lead to arbitrary code execution, buffer overflow, escalation of privileges, and Denial of Service attacks.
DHS reports that 96% of the reported software vulnerabilities are related to applications while 4% are related to the operating system (August 2010).
[Chart: Application and Operating System Vulnerabilities; Operating System Vulnerabilities vs. Application Vulnerabilities]
The Security Problem …


• An almost exclusive focus on perimeter and network security has become increasingly inadequate
• The ‘Defense In Depth’ paradigm must consider the root cause of security problems … application and data
Traditional Defense in Depth:
Physical
• Alarms
• Lighting
• Surveillance
• Etc …
Network
• Network Authentication
• Network Authorization
• Network Audit Service
• Hardware Encryption …
System
• System Authentication
• System Authorization
• System Audit Service …
Where’s the Rest of the Depth??
Application / Database
• Function Authorization
• Data Encryption Object
• Data Authentication Object
• Database Authorization
• Database Configuration Guidelines …
The Security Problem …
Software Vulnerabilities Increasing
[Chart: # of reported vulnerabilities(1) per year, '95 through '03, y-axis 0 to 6000: exponential increase in reported vulnerabilities]
Causing Expensive Downstream Fixes
[Chart: Cost to fix bug by development stage(2), y-axis 5X to 35X, stages Design, Coding, Internal Testing, Beta Testing, Post release: ~35x more expensive to fix a bug post release than in design]
Despite spending $12B on Enterprise IT security in 2003, exploitation of software vulnerabilities costs the US economy over $10B, and we continue to see increases in the number of reported vulnerabilities, the number of incidents, and the cost per incident.
-Information Week 2004
(1) CERT Coordination Center at Carnegie Mellon University (Note: does not include unreported vulnerabilities which would be a much higher number)
(2) NIST Report: “Economic Impact of Inadequate Infrastructure for Software Testing”
Case Study … Air Force … Why ASACoE?

• Over 33,000 Air Force officer records compromised
• Sampled Air Force applications using automated tools
• Significant risks exist in Air Force applications
Case Study … Air Force Approach
Application Software Assurance Center of Excellence
Support: 5 Day On-Site Triage Assessment; Mentor PMO Staff; Deploy the ASACoE Tool Suite; Run Initial Scans
Enable: Triage Assessment Report; Augment Remediation Efforts; Follow-up Scans
Train: 3 Day Training Session covers ASACoE Tool Suite and Defensive Coding Practices
• Broader strategic approach addressing deployed systems
• Tool driven, aimed at low-hanging fruit
• Multi-perspective analysis
• Large scale effort across multiple applications and technologies
Case Study … Results
[Chart: Critical/High Vulnerabilities Per 1,000 Lines of Code, Initial vs. Follow-On, for App1 through App6 (y-axis 0.00 to 60.00); percentage labels 49%, 26%, 60%, 75%, 69%, 9%]
Keep in mind that while ASACoE assessments are not deep and architectural risk isn't addressed ... the security posture of assessed Air Force applications shows improvement.
Cigital SecureAssist™

SecureAssist is an educational tool that provides context-sensitive application security guidance directly in the developer’s work environment.
SecureAssist Delivers:
• Near real-time identification of code vulnerabilities as code is being written in the IDE (no ‘build’ necessary)
• Near real-time secure coding training and remediation techniques
• Near real-time & continuously available secure coding policies & rules (customizable)
Differentiators for Whitebox SecureAssist™
                     Security Tools                                   Whitebox SecureAssist
Users                Security/Tool Staff                              Developers
Scan Initialization  Press of the button                              File save/File open
Scan Time            Minutes/Hours/Days                               Seconds
Scan Scope           Entire codebase (“build concept”)                File
Scan Results         Vulnerabilities/Security problems                Remediation guidance specific to vulnerability and class
End Results          Make scan results “go away” by writing custom    Review results, learn on the job, fix code real-time
                     rules, fixing code, suppressing issues
Purpose              Find vulnerabilities                             Fix vulnerabilities
Drilling Down into dollars and cents …