A Paranoid Programmer is a Good Programmer Paranoid Programming Practices 26 January 2009 “It’s not a matter of whether you’re paranoid or not. It’s a matter of whether you’re paranoid enough.” - Unknown. 26 January 2009 (He wouldn’t give me his name…) I’m not paranoid – everybody IS after me! 1 A Paranoid Programmer is a Good Programmer A Mostly PCI/OWASP Agenda 1. Overview of Policy Frameworks related to an organization’s efforts towards PCI and formalizing secure programming practices. 2. Details of Secure Programming Practices. 3. Review of Vulnerabilities along OWASP Classifications A note on scope: Secure programming practices are in scope. In-depth discussions of the PCI DSS are not. 26 January 2009 I’m not paranoid – everybody IS after me! 2 A Paranoid Programmer is a Good Programmer Basic Premises • Everyone is out to get us I think we all know by this point in time that: CyberCrime pays... It has become a well organized, financed, and executed business. • Hardware isn’t the answer Direct quote from OWASP.org: “Unlike other forms of security (such as firewalls and secure lockdowns), web applications have the ability to make a skilled attacker rich, or make the life of a victim a complete misery. At this highest level of the OSI software map, traditional firewalls, and other controls simply do not help. The application itself must be self-defending.” 26 January 2009 I’m not paranoid – everybody IS after me! 3 A Paranoid Programmer is a Good Programmer Secure Programming and PCI • Policy Frameworks in general – – – – Organizational management champions security A written security policy derived from accepted standards A development methodology with adequate security checkpoints Secure release and configuration management processes • PCI DSS The Payment Card Industry (PCI) has created their Data Security Standard (DSS) to formalize their “Policy Framework”. Certification ranges from self evaluation to inspection/evaluation by an approved 3rd party auditor. https://www.pcisecuritystandards.org/ • 3 Structured Pieces of general policy frameworks – Development Methodology – Coding Standards – Source Control 26 January 2009 I’m not paranoid – everybody IS after me! 4 A Paranoid Programmer is a Good Programmer The 3 Pieces – Methodology • Development Methodology The methodology used isn’t as important as just adhering to one that is structured and has the following characteristics: – Strong acceptance of design, testing, and documentation processes – Clear instances where security controls (such as threat risk analysis, peer reviews, code reviews, etc) are used – Works well for the organization’s size and maturity – Has the potential to reduce the current error rate and improve developer productivity – Will scale as the organization or product line grows 26 January 2009 I’m not paranoid – everybody IS after me! 5 A Paranoid Programmer is a Good Programmer The 3 Pieces - Standards • Coding Standards You’ll notice that none of the following say anything about indentation and tab styles… – – – – – – – – Architectural guidance Minimum documentation levels required Mandatory testing and coverage requirements Minimum levels of code commenting and the preferred comment style Proper use of exception handling Correct use of flow of control blocks Preferred variable, function, class, and table naming styles A preference for maintainable and readable code over clever or complex code – Common sanitizing and error handling functions 26 January 2009 I’m not paranoid – everybody IS after me! 6 A Paranoid Programmer is a Good Programmer The 3 Pieces - Control • Source Control Formal source control systems increase efficiency over ad-hoc copy-and-save procedures. The orders of efficiency increase when source control systems are used for versioning code-lines, tests, and documentation together . General topics to consider with the use of a formal source control system include: – – – – – Labels, Checkpoints, Pins, and Rollbacks Branching Access Levels and Controls Integration with automated build and versioned test harnesses/tools Backup/Restore Procedures and Tests 26 January 2009 I’m not paranoid – everybody IS after me! 7 A Paranoid Programmer is a Good Programmer Approaching Secure Coding • Secure programming can be looked at from four perspectives: – – – – Attackers Tenants Architectures Principles • A note about Asset Classification While most security approaches use asset classification to partition data into low and high value systems, from a purely PCI perspective we are concerned with whether any aspect of the system lives anywhere near cardholder data. It’s not uncommon to find that given a data model and physical DB architecture, all data should be classified as part of a high value systems. 26 January 2009 I’m not paranoid – everybody IS after me! 8 A Paranoid Programmer is a Good Programmer Know Your Attackers • You know the old saying, “keep your friends close and your enemies closer.” Well, besides from all the bad guys out there, the set is more than just willful malice: – Disgruntled staff or developers – “Drive by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack – Motivated criminal attackers, such as organized crime – Criminal attackers without motive against your organization, such as defacers – Script kiddies – Accidental information exposure – Accidental functionality exposure 26 January 2009 I’m not paranoid – everybody IS after me! 9 A Paranoid Programmer is a Good Programmer Tenants • Confidentiality Only allow access to data for which the user is permitted • Integrity Ensure data is not tampered or altered by unauthorized users • Availability Ensure systems and data are available to authorized users when they need it 26 January 2009 I’m not paranoid – everybody IS after me! 10 A Paranoid Programmer is a Good Programmer Architecture • Basic considerations: – – – Is the process surrounding this feature as safe as possible? In other words, is this a flawed process? If I were evil, how would I abuse this feature? Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature? • Threat Risk Modeling: – – Threat Modeling provides a way to focus resources on the real risks through a process of analysis and validation of both concerns and mitigations. Examples include: “Thinking Evil™”, DREAD/STRIDE, Microsoft’s “SDL” Threat Modeling • Quotes from OWASP: – – “The best system architecture designs and detailed design documents contain security discussion in each and every feature, how the risks are going to be mitigated, and what was actually done during coding.” “Security architecture starts on the day the business requirements are modeled, and never finish until the last copy of your application is decommissioned. Security is a life-long process, not a one shot accident.” 26 January 2009 I’m not paranoid – everybody IS after me! 11 A Paranoid Programmer is a Good Programmer Principles • Security Principles are guidelines designed to give us a framework to consider our designs and implementations against: – – – – – – – – – – Minimize attack surface area Establish secure defaults Principle of Least privilege Principle of Defense in depth Fail securely Don't trust services Separation of duties Avoid security by obscurity Keep security simple Fix security issues correctly 26 January 2009 I’m not paranoid – everybody IS after me! 12 A Paranoid Programmer is a Good Programmer Security Principles - I • Minimize attack surface area – Every feature that is added to an application adds a certain amount of risk to the overall application. The aim for secure development is to reduce the overall risk by reducing the attack surface area. • Establish secure defaults – There are many ways to deliver an “out of the box” experience for users. However, by default, the experience should be secure, and it should be up to the user to reduce their security – if they are allowed. • Principle of Least privilege – The principle of least privilege recommends that accounts have the least amount of privilege required to perform their business processes. This encompasses user rights, resource permissions such as CPU limits, memory, network, and file system permissions. 26 January 2009 I’m not paranoid – everybody IS after me! 13 A Paranoid Programmer is a Good Programmer Security Principles - II • Principle of Defense in depth – The principle of defense in depth suggests that where one control would be reasonable, more controls that approach risks in different fashions are better. Controls, when used in depth, can make severe vulnerabilities extraordinarily difficult to exploit and thus unlikely to occur. With secure coding, this may take the form of tier-based validation, centralized auditing controls, and requiring users to be logged on all pages. • Fail securely – Applications regularly fail to process transactions for many reasons. How they fail can determine if an application is secure or not. • Don't trust services – Many organizations utilize the processing capabilities of third party partners, who more than likely have differing security policies and posture than you. It is unlikely that you can influence or control any external third party, whether they are home users or major suppliers or partners. Therefore, implicit trust of externally run systems is not warranted. All external systems should be treated in a similar fashion. 26 January 2009 I’m not paranoid – everybody IS after me! 14 A Paranoid Programmer is a Good Programmer Security Principles - III • Separation of duties – A key fraud control is separation of duties. For example, someone who requests a computer cannot also sign for it, nor should they directly receive the computer. This prevents the user from requesting many computers, and claiming they never arrived. • Avoid security by obscurity – Security through obscurity is a weak security control, and nearly always fails when it is the only control. This is not to say that keeping secrets is a bad idea, it simply means that the security of key systems should not be reliant upon keeping details hidden. • Keep security simple – Attack surface area and simplicity go hand in hand. Certain software engineering fads prefer overly complex approaches to what would otherwise be relatively straightforward and simple code. • Fix security issues correctly – Once a security issue has been identified, it is important to develop a test for it, and to understand the root cause of the issue. When design patterns are used, it is likely that the security issue is widespread amongst all code bases, so developing the right fix without introducing regressions is essential. 26 January 2009 I’m not paranoid – everybody IS after me! 15 A Paranoid Programmer is a Good Programmer Threat Risk Modeling • Microsoft has robust and well documented threat modeling methodologies. They include the following steps: 1. 2. 3. 4. 5. Identify Security Objectives Survey the Application Decompose it Identify Threats Identify Vulnerabilities • The Microsoft SDL Threat Modeling Tool – http://msdn.microsoft.com/en-us/security/dd206731.aspx 26 January 2009 I’m not paranoid – everybody IS after me! 16 A Paranoid Programmer is a Good Programmer STRIDE • Stride is an methodology for identifying the following “known” threats: – – – – – – Spoofing Identity Tampering with Data Repudiation Information Disclosure Denial of Service Elevation of Privilege 26 January 2009 I’m not paranoid – everybody IS after me! 17 A Paranoid Programmer is a Good Programmer DREAD • DREAD is a methodology for risk rating. The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories. Risk = ( DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY ) / 5 – Damage Potential If a threat exploit occurs, how much damage will be caused? – Reproducibility How easy is it to reproduce the threat exploit? – Exploitability What is needed to exploit this threat? – Affected Users How many users will be affected? – Discoverability How easy is it to discover this threat? 26 January 2009 I’m not paranoid – everybody IS after me! 18 A Paranoid Programmer is a Good Programmer And my own favorite… • Quantify Risk Financially It’s not something that engineers often talk about but at a business level it is critical to understand the cost of exploited risks against the cost of mitigation. This allows a financial balance to be maintained between mitigation strategies and risks. The following quote is from the ANSI document: The Financial Impact of Cyber Risk “The key to understanding the financial risks of cyber security is to fully embrace its multidisciplinary nature. Cyber risk is not just a “technical problem” to be solved by the company’s Chief Technology Officer. Nor is it just a “legal problem” to be handed over to the company’s Chief Legal Counsel; a “customer relationship problem” to be solved by the company’s communications director; a “compliance issue” for the regulatory guru; or a “crisis management” problem. Rather, it is all of these and more.“ Complete document is available for free download here: http://webstore.ansi.org/cybersecurity.aspx 26 January 2009 I’m not paranoid – everybody IS after me! 19 A Paranoid Programmer is a Good Programmer Here’s the formula… • Net financial risk can be expressed as: 26 January 2009 I’m not paranoid – everybody IS after me! 20 A Paranoid Programmer is a Good Programmer Key OWASP Areas • OWASP identifies the following areas as having clear objectives within a development methodology: – – – – – – – – – – – – – – – – – – – – Handling E-Commerce Payments Phishing Web Services Ajax and Other "Rich" Interface Technologies Guide to Authentication Guide to Authorization Session Management Data Validation Interpreter Injection Canonicalization, locale and Unicode Error Handling, Auditing and Logging File System Distributed Computing Buffer Overflows Administrative Interface Guide to Cryptography Configuration Software Quality Assurance Deployment Maintenance 26 January 2009 I’m not paranoid – everybody IS after me! 21 A Paranoid Programmer is a Good Programmer Key Areas Objectives - I • Handling E-Commerce Payments – – – – Secure Payment Account Number handling Minimize fraud from cardholder not present (CNP) transactions Maximize privacy and trust for users of e-commerce systems Comply with all local laws and PCI (merchant agreement) standards • Ajax and Other "Rich" Interface Technologies – – – – – Secure Communications Authentication and Session Management Access Control Input Validation Error Handling and Logging 26 January 2009 I’m not paranoid – everybody IS after me! 22 A Paranoid Programmer is a Good Programmer Key Areas Objectives - II • Authentication – Tying an system identity to an individual user by the use of a credential – Providing reasonable authentication controls as per the application’s risk – Denying access to attackers who use various methods to attack the authentication system • Authorization – To ensure only authorized users can perform allowed actions within their privilege level – To control access to protected resources using decisions based upon role or privilege level – To prevent privilege escalation attacks, for example using administration functions whilst only an anonymous user or even an authenticated user 26 January 2009 I’m not paranoid – everybody IS after me! 23 A Paranoid Programmer is a Good Programmer Key Areas Objectives - III • Session Management – Authenticated users have a robust and cryptographically secure association with their session – Applications enforce authorization checks – Applications avoid or prevent common web attacks, such as replay, request forging and man-in-the-middle • Data Validation – To ensure that the application is robust against all forms of input data, whether obtained from the user, infrastructure, external entities or database systems • Interpreter Injection – To ensure that applications are secure from well-known parameter manipulation attacks against common interpreters 26 January 2009 I’m not paranoid – everybody IS after me! 24 A Paranoid Programmer is a Good Programmer Key Areas Objectives - IIII • Canonicalization, locale and Unicode – To ensure the application is robust when subjected to encoded, internationalized and Unicode input • Error Handling, Auditing and Logging – Auditable – all activities that affect user state or balances are formally tracked – Traceable – it’s possible to determine where an activity occurs in all tiers of the application – High integrity – logs cannot be overwritten or tampered by local or remote users • File System – To ensure that access to the local file system of any of the systems is protected from unauthorized creation, modification, or deletion 26 January 2009 I’m not paranoid – everybody IS after me! 25 A Paranoid Programmer is a Good Programmer Key Areas Objectives - V • Distributed Computing – Time of check, time of use race conditions – Distributed synchronization issues – Common multi-programming, multi-threaded and distributed security issues • Buffer Overflows – Applications do not expose themselves to faulty components – Applications create as few buffer overflows as possible – Developers are encouraged to use languages and frameworks that are relatively immune to buffer overflows 26 January 2009 I’m not paranoid – everybody IS after me! 26 A Paranoid Programmer is a Good Programmer Key Areas Objectives - VI • Administrative Interface – Administrator level functions are appropriately segregated from user activity – Users cannot access or utilize administrator functionality – Provide necessary audit and traceability of administrative functionality • Cryptography – To ensure that cryptography is safely used to protect the confidentiality and integrity of sensitive user data • Configuration – To produce applications which are secure out of the box 26 January 2009 I’m not paranoid – everybody IS after me! 27 A Paranoid Programmer is a Good Programmer Key Areas Objectives - VII • Software Quality Assurance – The software quality assurance goal is to confirm the confidentiality and integrity of private user data is protected as the data is handled, stored, and transmitted. The QA testing should also confirm the application cannot be hacked, broken, commandeered, overloaded, or blocked by denial of service attacks, within acceptable risk levels. This implies that the acceptable risk levels and threat modeling scenarios are established up front, so the developers and QA engineers know what to expect and what to work towards. • Deployment – To ensure that the application is deployed as easily and as securely as possible 26 January 2009 I’m not paranoid – everybody IS after me! 28 A Paranoid Programmer is a Good Programmer Key Areas Objectives - VIII • Maintenance – Products are properly maintained post deployment – Minimize the attack surface area through out the production lifecycle – Security defects are fixed properly and in a timely fashion • Web Services – SOAP messages that are sent on the wire should be delivered confidentially and without tampering – The server needs to be confident who it is talking to and what the clients are entitled to – The clients need to know that they are talking to the right server, and not a phishing site – System message logs should contain sufficient information to reliably reconstruct the chain of events and track those back to the authenticated callers 26 January 2009 I’m not paranoid – everybody IS after me! 29 A Paranoid Programmer is a Good Programmer Other OWASP Areas • Phishing Phishing is a vast topic area as the complexity of phishing-esque attacks has blossomed over the years. Some of the current key mitigation strategies are: – – – – – – – – – – – – – Deploy an SPF (Sender Policy Framework) Provide User Education Make it easy to report scams Never ask your customers for their secrets Fix XSS issues Do not use pop-ups Don’t use frames or iframes Move application links off of front page Enforce local referrers for images and other resources Always show the address bar, use SSL, do not use IP addresses Don’t be the source of identity theft Implement safe-guards within your application Monitor unusual account activity 26 January 2009 I’m not paranoid – everybody IS after me! 30 A Paranoid Programmer is a Good Programmer The OWASP Top 10 • For 2007, these are the published top 10 vulnerabilities: 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access 26 January 2009 I’m not paranoid – everybody IS after me! 31 A Paranoid Programmer is a Good Programmer 1 through 5 1. Cross Site Scripting (XSS) – XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc. 2. Injection Flaws – Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data. 3. Malicious File Execution – Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users. 4. Insecure Direct Object Reference – A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization. 5. Cross Site Request Forgery (CSRF) – A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks. 26 January 2009 I’m not paranoid – everybody IS after me! 32 A Paranoid Programmer is a Good Programmer 6 through 10 6. Information Leakage and Improper Error Handling – Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks. 7. Broken Authentication and Session Management – Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities. 8. Insecure Cryptographic Storage – Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud. 9. Insecure Communications – Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. 10. Failure to Restrict URL Access – Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly. 26 January 2009 I’m not paranoid – everybody IS after me! 33