A transformative force in the software eco-system Welcome! The live event will begin at 2PM ET. Q&A sessions with the presenters will follow. Please have your speakers turned on. Do you hear the music? Tweet with us live @SWAMPTEAM & @TENandISE A transformative force in the software eco-system Good Security Starts with Software Assurance Jan. 23, 2014 Agenda Agenda: 2:00pm EST – Welcome Remarks – Barton Miller 2:10pm EST – SWAMP High Level Overview – Pat Beyer 2:25pm EST – Executive Insight – Phil Agcaoili 2:45pm EST – Q&A 3:00pm EST – Program Conclusion You may earn 1CPE for this event. If you would like us to submit on your behalf, please email your certification number to Deb Jones at djones@ten-inc.com. A transformative force in the software eco-system Welcome! Prof. Barton P. Miller, Chief Scientist Nothing New Under the Sun In November 1988, Robert Morris Jr. released the first Internet worm that shutdown the entire Internet (literally): The enabling exploit was a buffer overflow caused by not checking the bounds on a C character buffer. In 1989, we introduced fuzz random testing and studied the robustness of system utilities on a wide variety of UNIX implementations (and could crash 25-40% of them): The #1 source of errors were uncheck bounds on strings. Still this year, in the CWE/SANS Top 25 Most Dangerous Software Errors (www.mitre.org/top25): #3 on the list is unchecked bounds on strings. And Plenty of New Stuff, Too Since then, we also have to worry about: Injections (SQL, command line, code) Numeric attacks Exception attacks Race attacks (TOCTOU) File path name manipulations Privilege escalations Sandbox escapes VM escapes DNS spoofing Web attacks (cross site scripting, cross site forgeries, session hijacking, open redirect) … just to mention a few. Your First Line of Defense: Clean Code We need to teach our programmers to write code with security in mind. … and … We need to equip them with the tools to help them do so: Software assurance tools are our first line of defense: source code analysis, binary analysis, dynamic analysis, and domain specific (mobile, web) … and … We need to make it easy to run these tools: The SWAMP will be a key asset. Run the Tools Early, Run Them Often Build in security from day one, or the task becomes overwhelming for the programmer to fix them all: dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’: dthread.h:132: warning: unused variable ‘result’ dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’: dthread.h:140: warning: unused variable ‘result’ src/irpc.C: In member function ‘void int_iRPC::setState(int_iRPC::State)’: src/irpc.C:118: warning: unused variable ‘old_state’ src/irpc.C:119: warning: unused variable ‘new_state’ src/irpc.C: In member function ‘bool int_iRPC::saveRPCState()’: src/irpc.C:714: warning: unused variable ‘result’ src/irpc.C:723: warning: unused variable ‘result’ src/irpc.C:736: warning: unused variable ‘result’ src/irpc.C:1030: warning: unused variable ‘result’ src/irpc.C:1041: warning: unused variable ‘result’ src/irpc.C:1081: warning: unused variable ‘result’ dyninst/proccontrol/src/response.h:35, dyninst/proccontrol/src/int_process.h:39, dyninst/proccontrol/src/mailbox.C:33: dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’: dthread.h:132: warning: unused variable ‘result’ dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’: dthread.h:140: warning: unused variable ‘result’ Provide the Facilities Needed to Run Them Early and Often The SWAMP offers: • The automation to run tools easily: applying a tool to a new software package takes little effort. • The automation to run tools easily: get feedback on each code update or commit. • The resources to run many tools over each software package on each relevant platform. • The smarts to combine results in unified reports. • The ability to track progress and trends over time. Help for Both the Novice and Expert The novice will be able to start using assurance tools with little effort or preparation. With management guidance that requires clean commits, the code stays in stable condition. The expert does familiar tasks, but with less effort and more precision. Running tools is easier, tracking results is easier, and understanding their performance over time is easier. And Now, a Message from the Front Lines A transformative force in the software eco-system Vision of the SWAMP Patrick D. Beyer PhD, PMP Project Manager Software Assurance Marketplace Morgridge Institute for Research THE SWAMP This five year, $23M project is led by the Morgridge Institute for Research, which also provides a state-of-the-art, secure hosting facility. What is the SWAMP? The Software Assurance Marketplace is: • 5 year, $23 Million Grant • Funded by Department of Homeland Security, Science and Technology Directorate • Goal is to build a facility where open source software can be tested for vulnerabilities for FREE • Enable Software Researchers a place where they can do research in new testing tools Team Profile Building and Operating the SWAMP is a joint effort of four research institutions – Morgridge Institute for Research (lead), Indiana University, University of Illinois Urbana Champaign and University of Wisconsin – Madison The Problem Increased Use of Open Source Software in product development • Why use open Source Software* • • • • High reliability Peer Reviewed Low Cost Speeds Development cycle • Concerns • • • Unverified Code Unknown Source Hidden Vulnerabilities * Open Source Initiative – opensource.org Solution Test and Analyze Open Source Software • Many Analysis tools available (Not One Size Fits all) • May Require dedicated test environment (Sand Box) • Cost/Time prohibitive for small developers to maintain tools Non-standard Results from Different tools • Continuous Integration vs. Continuous Assurance Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies with a shared mainline several times a day. Continuous Assurance (CoA) takes the software engineering practice of Continuous Integration to a new level. CoA incorporates SwA tools into the frequent process of building and testing the software throughout its life cycle. Continuous Assurance Laboratory (COSALAB) Housed in the Wisconsin Institutes for Discovery • Intel Xeon Processors • 700 cores • 5 TB of RAM • 104 TB of HDD space • Capable of 12 teraFLOPS (12 trillion floatingpoint operations per second) Initial Operating Capabilities Once Live, the SWAMP will give users access to: • 5 Assurance tools (2 Java, 3 C/C++) • 100 Packages (Code with Known Vulnerabilities to test tools) • Support for 8 Operating Systems (Linux, Windows) Results Viewer The SWAMP will provide a simple result viewer: • Output parsed to individual weaknesses with location • A single software package can be assessed multiple times • • • • Different Tools Different Tool Versions Different Operating Systems Multiple results merged, filtered and sorted into a common viewer interface Results Viewer The SWAMP will provide a Commercial Viewing Tool: Code Dx (DHS SwA Grant Performer) Code Dx is a software assurance visual analytics tool that is being built by Secure Decisions to visualize and correlate weakness data from disparate code analysis tools, putting them into the proper context for effective triage and mitigation. SWAMP Core Services • • • • • Manage Accounts, Projects and Access Control Manage Software Packages and SwA Tools Assess a Software Package View Assessment Results and the Dashboard Conduct Continuous Assurance SWAMP Standard Tools/Packages JOIN SWAMP Build Assessment Run RUN AN ASSESSMENT VIEW RESULTS Future Capabilities A transformative force in the software eco-system Software Assurance Executive Insight Phil Agcaoili Jan. 23, 2014 “An ounce of prevention beats a pound of cure.” ~Ben Franklin Discussion Points • The Ubiquitous Presence of Software • The Appetite for Assured Software • Assured Software is Smartware • By the Numbers • Assured Software Benefits • The Path Forward The Ubiquitous Presence of Software It’s the driving force behind day-to-day life (literally) •Right now, you are reading this rendering enabled by millions of lines of code…software •Transportation: It runs your car’s Controller Area Network (CAN) bus and manages control surfaces and a whole bunch of other stuff on aircraft…software •Power: utilities, water, natural gas all delivered via...software •Banking and finance: ATM, POS systems...yup software •Manufacturing: Oh, that precision targeting maneuver performed by the gamma knife at the medical center…..uh-huh, software controlled We put a lot of faith in unassured and incompetent software. Would you let a 7 year old drive you around on the highway? Pilot an aircraft or balance your checkbook? The Appetite for Assured Software The organizational appetite for assured software is driven by the net losses realized from compromised software •The consumer has been living with nearly 60 years of poorly developed and incompetent software. •Hundreds of millions of dollars are spent annually on post software compromise and incident recovery, lost opportunities and productivity (ask me). •Insecure software represents a pervasive kinetic threat to critical infrastructure and our way of life…..make no mistake about it. The prudent approach is to take a proactive one. That is, software assurance measures must be a top integration priority in the enterprise cyber security risk management schema. Assured Software is Smartware Smartware is software which contains superior qualitative and qualitative attributes. It is: •Secure – Free of common vulnerabilities and exposures •Safe – Any single function does not conflict or impede upon other software functions resulting in severe and deleterious outcomes •Reliable – Code can perform repeatedly, as expected, over extended periods of time without degradation •Functional – Code is efficient and is designed to only perform a discrete (purposeful) function and no more •Extensible – Code is modular and has strong reuse characteristics (secure, safe, reliable and functional) By the Numbers Feel my pain. Lack of a good software assurance program is a painful experience At one time – 127 applications were tested and; •81 (64%) contained high vulnerabilities that facilitated exposure of sensitive data or system take over; •45 applications (36%) exposed Personally Identifiable Information (PII) At another time – 50 applications were tested and; •41 applications (82%) hosted OWASP top 10 defects •5 applications (10%) taken offline due to high risk •19 (38%) contained high vulnerabilities that facilitated exposure of sensitive data or system take over •12 applications (24%) exposed PII Assured Software Benefits Programs such as the SWAMP provide excellent bottom line and programmatic benefits. • Over time, application development gets faster and software quality increases significantly because developers learn to code securely (Thank you John Keane) • Program managers can clearly demonstrate cost avoidance through defect identification and remediation during the development and test stages • Software built under assurance standards processes streamline security approvals. Subsequent applications that adhere to the same standards can readily inherit accreditation and authorization The Path Forward The SWAMP is ripe for providing assurances that software is secure. The time to implement software assurance in the development lifecycle is now. •Patching is passé. Frankly, I’m tired of buying toys that are already broken when I take them out of the box •Given the austere budget environment, showing value through ROI and cost avoidance goes a very, very long way •The SWAMP provides mechanisms that can render the security posture of the enterprise “measurable better” •Community. This must be a community effort. No single tool, process, person or organization can solve this issue. While this challenge appears intractable, it is not. The whole is in fact greater than the sum of its parts and to that end, we must continue to take on the challenge as a community. Things I challenge you to think out…. • Is software security important for you and your company? If not, why? • Where have you been successful promoting and implementing application security? • Where are you stuck? • What's holding you back? • • Funding? Support? The need to deliver over security? How do we fix this? Any questions? A transformative force in the software eco-system Thank you for attending! An on-demand version of today’s event with Q&A session will be offered soon for viewing by you and your colleagues. An announcement will be emailed when the on-demand event premiers. @SWAMPTEAM