Developing secure applications is critical to an organization's reputation and operational efficiency. The effect of compromised applications, resulting in an inability to serve the community or in data breaches of student and staff information, can bring an organization to the headline news with bad publicity, loss of user confidence and, even worse, lawsuits over data privacy breaches. While application development teams are confronted with excessive functional requirements and enhancements under tight time pressure, late-found security vulnerabilities in an application would be costly for an organization to address and fix.

Security should be built as an integral part of the application development framework from the beginning, during user requirements, until the stage of testing and assurance review. All changes should also include a security risk assessment to ensure that enhanced software modules would not introduce security weaknesses.

This newsletter portrays the need and strategy for enhancing the present stance of application development by incorporating the necessary processes in order to establish a secure development life cycle. Security vulnerabilities and application defects would be minimized, with faster time to remediate.

Challenges of Secure Application Development

There are several key challenging issues in developing secure and reliable applications. Developers are typically not trained on secure coding practices. As a result, they are not aware of the myriad ways of introducing security vulnerabilities into their code. There are also misalignment issues between project team stakeholders and the development team across the software development life cycle:

• Misaligned priorities - Development teams are asked to focus on coding to meet functional requirements in a timely manner. Non-functional requirements such as security are typically given lower priority, or even treated as an afterthought only after security incidents have occurred.

• Misaligned processes - Security testing only happens in the end stage of application development, where vulnerabilities and code errors are really costly to fix while developers are focused on meeting the application release date.

• Misaligned capabilities - Developers lack the knowledge to securely code their programs and do not know how to use code review methods and tools to check for security weaknesses in their programs.

Since proper security testing and reviews are ignored and overlooked during the development life cycle, applications can end up with vulnerabilities down the road. Exploits and breaches of application vulnerabilities have been reported across industry vertical and geopolitical boundaries:

• In May 2011[2], Sony Music web sites suffered SQL injection attacks by the LulzSec group. Sony believed SQL vulnerabilities were responsible for the attacks against the Sony PlayStation Network and Qriocity that leaked the private data of 77 million users and led Sony to shut down the services for over a month. The overall breach cost Sony more than US$171 million.

• In February 2011[3], the cyber security consulting firm HBGary was attacked by the group Anonymous. An SQL injection vulnerability in the www.hbgaryfederal.com website, combined with poor cryptographic implementation, enabled Anonymous to extract the company officers' usernames and passwords, which then led to a leak of sensitive information and confidential internal emails. The CEO of HBGary Federal resigned from the company shortly thereafter.

• A cross-site scripting (XSS) vulnerability in Android Market was discovered in March 2011 that allowed attackers to remotely install apps onto users' Android devices without their knowledge and consent.

Primitives of Application Security Flaws

The first primitive technique used is the soft leak[4], which allows an RCE program to manipulate memory in the targeted application without any trace or security repercussions. This happens in the most common application extensions or programs that have valid program functionality. For example, a web application server, by design, will accept HTTP requests from a client. The client will send information which is held until session termination occurs. By understanding the mechanics of how requests and sessions work, the attacker may write RCE exploits targeting the particular memory layout of a given application.

The second primitive security flaw is the hard leak[5]. The hard leak, or resource leak, is quite familiar to most C/C++ programmers. The leak occurs when developers forget to free memory that was acquired dynamically during runtime. While most developers think of this as a quality problem that will result in excessive memory consumption at worst, many attackers see it as an opportunity to attack stability and exhaust temporary storage. By acquiring memory permanently, an attacker can retain a hold on certain portions of memory that are never subsequently used throughout the lifetime of a process.

The third primitive involves integer overflow[6]. This refers to a mathematical operation attempting to store a number larger than an integer can hold, so that the excess is lost. The loss of the excess data is sometimes referred to as an integer "wrap". For example, an unsigned 32-bit integer can hold a maximum positive value. By adding 1 to that maximum positive value, the integer will start counting again at zero (UINT_MAX + 1 == 0). A real-world example is the odometer of a car rolling over after 1 million miles, restarting its mileage count from zero. When such a wrap occurs in a memory allocation routine, an attacker can cause less memory to be allocated than intended, which then leads to a buffer overflow.

Finally, the last primitive is the buffer overflow[7]. This is a common kind of vulnerability found in firmware and other low-level code (e.g. C/C++ programs). A buffer overflow is caused when the program writes past the end of a buffer, corrupting adjacent program memory. In some cases, this will cause the overwritten content of the stack or heap to be executed, which allows an attacker to subvert the normal operation of the system and, ultimately, take over the flow of control of the program.

As illustrated below, by limiting the number of primitives within code, developers can make the process of exploiting an application much more difficult, thereby increasing the cost of exploitation.

Besides understanding the primitives of exploiting applications, it is also important for developers to take note of the following common application security vulnerabilities:

• Arbitrary code - Through arbitrary code execution, an attacker may acquire control of a target system through a buffer overflow vulnerability, thereby gaining the power to execute commands or application functions at will. These types of exploits take advantage of application bugs that allow RCE against the operating system and inject shellcode to let the attacker run arbitrary commands on another's computer. Once this is accomplished, the attacker will proceed to escalate privileges, which enables the system to be used to perform various malicious tasks, including spreading email spam and launching denial-of-service attacks.

• Data loss - This class of security vulnerability results in sensitive data loss due to corruption, modification, or theft of data. Data loss features prominently in the 2011 CWE/SANS Top 25 Most Dangerous Application Errors list[9].

• Security bypass - An attacker could leverage application vulnerabilities to exploit and bypass authorization and authentication modules. Vulnerabilities in applications where filenames are unsafely checked before being used can lead to unauthorized access to resources in extreme cases.

• Denial of service - This class of vulnerability may lead to an application slowing down or failing to respond. An application can crash with unintended errors, thus preventing legitimate use.

• Loss of integrity - Integrity is defined as the expectation of reliability in the behaviour and performance of application processes. The integrity of an application is compromised when expression evaluations that do not meet common criteria standards lead to side effects, or to misuse or mixing of data types. These vulnerabilities may result in inadvertent errors in program code that are not easily fixed.
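The integer wrap and the undersized allocation it produces, as an added C example that is not code from the newsletter: the unchecked size computation beside the checked one, plus a record-copying helper that frees its buffer so it does not become the hard leak described above. The function names and the sample records are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Integer "wrap" from the text: an unsigned 32-bit value rolls over to zero like an
 * odometer, so wrap_add_one(UINT32_MAX) == 0. */
uint32_t wrap_add_one(uint32_t v) { return v + 1u; }

/* UNSAFE size computation (the weak pattern the text describes): the multiply is done
 * in 32 bits, so a large count wraps to a tiny size, malloc() hands back far less than
 * the caller expects, and the copy that follows overflows the buffer. */
uint32_t unsafe_alloc_size(uint32_t count, uint32_t elem_size) {
    uint32_t bytes = count * elem_size;   /* wraps modulo 2^32 */
    return bytes;
}

/* SAFE size computation: refuse the request when the multiply would wrap. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, size_t *out) {
    if (count == 0 || elem_size == 0) { *out = 0; return true; }
    if (count > UINT32_MAX / elem_size) return false;   /* product would exceed 32 bits */
    *out = (size_t)count * elem_size;
    return true;
}

/* Copies `count` fixed-size records into a freshly allocated buffer sized with the checked
 * helper; returns NULL rather than allocating an undersized buffer. The caller owns the
 * result and must free() it: forgetting to is the "hard leak" the text describes. */
uint8_t *copy_records(const uint8_t *src, uint32_t count, uint32_t record_size) {
    size_t bytes;
    if (src == NULL || !checked_alloc_size(count, record_size, &bytes) || bytes == 0)
        return NULL;
    uint8_t *dst = malloc(bytes);
    if (dst == NULL) return NULL;
    memcpy(dst, src, bytes);
    return dst;
}

/* Constructed sample input: ten 4-byte records. Returns true when the copy round-trips
 * and an absurd record count is rejected instead of silently wrapping to 4 bytes. */
bool records_roundtrip(void) {
    uint8_t sample[40];
    for (size_t i = 0; i < sizeof sample; i++) sample[i] = (uint8_t)i;
    uint8_t *copy = copy_records(sample, 10, 4);
    bool ok = copy != NULL && memcmp(copy, sample, sizeof sample) == 0;
    free(copy);                          /* release the buffer: no hard leak */
    return ok && copy_records(sample, 0x40000001u, 4) == NULL;
}
```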

[Figure: Common Application Security Vulnerabilities]

Strategic Approach to Application Security

To counter these security flaws, the secure development lifecycle (SDL)[10] is a specific model for development teams to follow over the course of their software development lifecycle. SDL is based on a waterfall-style development methodology in which there are distinct development lifecycle phases:

[Figure 1: Secure Development Lifecycle Methodology[12]]

• Training, policy and organizational capabilities - A series of intensive training for application development teams in the basics of secure coding, and ensuring they stay informed of the latest trends in security issues and vulnerabilities.

• Planning and design - Implement the STRIDE model[11], which considers threats and vulnerabilities in the initial design of new applications and features, permitting security to be integrated in a way that minimizes disruptions to plans and schedules.

• Implementation - Avoid coding issues that could lead to vulnerabilities and leverage SDL tools to assist in building more secure and reliable applications. Secure coding guidelines or a baseline should be established to guide developers on how to code securely (e.g. perform input and output sanity checks, enforce strong authentication and session management, avoid insecure object references, enhance error-handling routines, etc.).

• Verification and testing - Perform a series of security tests, which should be defined during the planning and design stage. Examples of tests include code review, penetration test, load and stress test, and security functional tests, to ensure the application is functionally working and secure as designed.

• Release and response - A security incident response plan and mitigation process to address new threats that emerge over time.

Best Practices

The following summarizes some best practices of secure application development which universities can consider building and integrating into their application development programs:

• Bring business risk management into application development - Because security vulnerabilities can impact an organization's reputation and business objectives, development executives must rethink development practices and mandate a mature process such as SDL which is capable of delivering quality and security assurance.

• Develop a secure coding guideline - To ensure coding consistency and that best security practices are applied, a secure coding guideline should be developed so that developers are trained to follow it. Quality assurance checkpoints should also be established at various development stages so as to check whether the secure coding guidelines have been followed.

• Push security tests earlier in the development stage - Security tests should never be performed only after the application goes into production. The minimum is to perform security tests during user and system acceptance tests. Even better, security tests should be shifted upstream of the development stage to take place during unit tests.

• Testing and assurance - Different types of tests (e.g. code review, penetration test, load and stress test, security functional tests) should be defined, with sufficient time allocated for them to be executed at different stages of the application development life cycle. Besides testing before production, some tests such as penetration tests should be carried out whenever there is a major release, and even regularly after production, because the threat landscape and new exploits will continue to evolve.

• Apply the same to third-party supplied software - Third-party code is often used in development projects. The same security testing methods (e.g. code review, penetration test) should be applied to this third-party code and software in the same way as one would to an in-house developed application.

Conclusion

Just because an application meets functional requirements does not necessarily mean that the application is secure. Universities should consider enhancing their application development programs to include a secure development lifecycle, which can offer more assurance that the resulting application will be secure from cyber attacks.

Vulnerabilities are an inevitable fact in application development. As a practical approach, application security testing will give developers and the security team higher visibility into security risks early in the development process. This process serves as a common trust of reliable and measurable security testing methods, such as code review and penetration test, against constantly morphing security threats.