Software Assurance: an Overview of Current Industry Best Practices

Total Page:16

File Type:pdf, Size:1020Kb

Software Assurance: an Overview of Current Industry Best Practices Software Assurance: An Overview of Current Industry Best Practices February 2008 Executive Summary Software Assurance: An Overview of Current Industry Best Practices Software underpins the information infrastructure that govern- ments, critical infrastructure providers and businesses worldwide depend upon for daily operations and business processes. These organizations widely and increasingly use commercial off-the- shelf software (“COTS”) to automate processes with information technology. At the same time, cyber attacks are becoming more stealthy and sophisticated, creating a complex and dynamic risk environment for IT-based operations that users are working to better understand and manage. As such, users have become in- creasingly concerned about the integrity, security and reliability of commercial software. To address these concerns and meet customer requirements, vendors have undertaken significant efforts to reduce vulner- abilities, improve resistance to attack and protect the integrity of the products they sell. These efforts are often referred to as “software assurance.” Software assurance is especially impor- tant for organizations critical to public safety and economic and national security. These users require a high level of confidence that commercial software is as secure as possible, something only achieved when software is created using best practices for secure software development. This white paper provides an overview of how SAFECode mem- bers approach software assurance, and how the use of best practices for software development helps to provide stronger controls and integrity for commercial applications. Table of Contents The Challenge of Software Assurance and Security 4 Industry Best Practices for Software Assurance and Security 7 Framework for Software Development 9 Software Security Best Practices 12 Related Roles of Integrators and End Users 16 SAFECode’s Goals 18 Conclusion 18 Questions for Vendors about Product Assurance and Security 19 About SAFECode 20 The Challenge of Software Assurance and Security Software assurance encompasses the development and implementation of methods and processes for ensuring that software functions as intend- ed while mitigating the risks of vulnerabilities, malicious code or defects that could bring harm to the end user. Software assurance is vital to ensuring the security of critical information tech- nology resources. Information and communications technology vendors have a responsibility to address as- surance through every stage of application development. This paper will focus on the software assur- ance responsibilities of software vendors. SAFECode Software However, integrators, operators and end Assurance Definition: users share some responsibility for en- Confidence that software, suring the security of critical information hardware and services are systems. Because of the rapidly changing free from intentional and nature of the threat environment, even an application with a high level of qual- unintentional vulnerabilities ity assurance will not be impervious from and that the software attack if improperly configured and main- functions as intended. tained. Managing the threats we face to- day in cyberspace requires a layered system of security, with vendors building more secure software, integrators ensuring that the software is installed correctly, operators maintaining the system properly, and end users using the products in a safe and secure manner. 4 5 New Risks and Countermeasures The dynamic threat environment creates The Changing Technological challenges for all software-related opera- Environment tions. Vectors for attacks that could interrupt or stop critical software functions must be Rapid change and innovation are two of considered in design and development. The the most enduring characteristics of the IT software assurance risks faced by users to- industry. But innovation is not unique to day can be categorized in three areas: vendors. Criminals can and do innovate. In the span of only a few years a complex and 1. Accidental design or imple- lucrative criminal economy capable of sup- mentation errors that lead to porting specialized skill sets for identifying exploitable code vulnerabilities and attacking software has developed. 2. The changing technological The development of this sophisticated crimi- environment, which exposes new nal economy contributes to increasingly tar- vulnerabilities and provides adversar- geted and complex attacks. Vendors commit ies with new tools to exploit them resources to understand emerging threats and use state-of-the-art technologies, tools 3. Malicious insiders who seek to and techniques to develop software, hard- do harm to users or vendors ware and services that can resist attack. The process is one of on-going improvement as Accidental Design or new vulnerabilities are exposed, new threats Implementation Errors are created and new countermeasures de- The prevalence of hackers, viruses, worms veloped and implemented. and other malicious software that attack systems and networks highlights the first risk area when programmers inadvertently create faulty software design or implemen- tations. Developers address this risk through developer training and the use of secure development practices and tools. These processes are discussed in depth in the next section of this paper. 4 5 Malicious Insiders There is a growing concern that global From a development perspective, these con- software development processes could be trols are focused more on “how it was made” exploited by a rogue programmer or an or- than “where they were sitting” during the ganized group of programmers that would coding process. compromise software, hardware or services during the development process. Vendors are extremely protec- CASE STUDY tive of their “soft assets” such EMC Corporation as their code base. The complex A centralized Product Secu- Architecture: Common development process and the rity Office coordinates inter- Security Platform A set series of controls used to pro- related programs for strong of software, standards, specifications and designs for tect the development process security assurance at EMC Corporation. common software security provide powerful management, elements such as authentica- policy and technical controls that Foundation: Product tion, authorization, audit and Security Policy Guides accountability, cryptography reduce these risks. There is no product development teams and key management using single way to manage or control and is a common reference state-of-the art RSA technol- for product organizations to a development process. Rather ogy. An open interface allows benchmark product security integration with customers’ there are proven best practices against market expectations security architectures. that companies use to manage and industry best practices. Metrics score company-wide Incident Response: Prod- their unique development infra- use of the policy. uct Security Response structure and business models. Center Defines and enforces Knowledge: Security EMC’s vulnerability response SAFECode members implement Training Role-based security policy to minimize risk of engineering curriculum trains exposure to customers. processes for vetting employees new and existing engineers and contractors regardless of on job-specific security best External Validation: Secu- practices and how to use rity Certification EMC has their country of residence. How- relevant resources. received extensive govern- ever, far more critical to soft- ment and industry certifica- ware assurance is establishing Process: Security Devel- tions in design, implementa- opment Lifecycle Over- tion and management of its and implementing processes and lays security on standard security processes and solu- controls for checking and verify- development processes for tions – including Common achieving a high degree of Criteria or FIPS 140-2. ing software assurance irrespec- compliance with the above tive of where it was produced. referenced Product Security Policy. ® ® 6 7 Managing Risk Through Software Assurance Best Practices These risks can all be managed through the and implementing practices to produce se- adoption of best practices in software assur- cure code that are better tuned to real-world ance. While a number of international stan- software development processes and result dards and certification regimes for software in higher levels of security. SAFECode’s mis- assurance have been issued, their effective- sion, in part, is to bring these practices to- ness in achieving real-world reduction in vul- gether to share across the community. nerabilities is debatable. Companies on their own have been taking the lead in developing Industry Best Practices for Software Assurance and Security Software vendors have both a responsibil- Software development processes vary by ity and business incentive to ensure product vendor according to their unique product assurance and security. Customers demand lines, organizational structures and customer that software be secure and reliable. Ven- requirements. Not surprisingly, there is no dors also must produce quality products to single method for driving security and integ- protect and enhance brand names and com- rity into and across the globally distributed pany reputations. These pressures motivate processes that yield technology products vendors to minimize mistakes in coding, and services. Yet regardless of the method reduce the occurrences of post-sale vulner- used, there is a core set
Recommended publications
  • Vulnerability Assessment and Secure Coding Practices for Middleware Part 1
    Vulnerability Assessment and Secure Coding Practices for Middleware Part 1 James A. Kupsch Computer Sciences Department University of Wisconsin © 2007-2008, James A. K1upsch. All rights reserved. Tutorial Objectives • Show how to perform the basics of a vulnerability assessment • Create more people doing vulnerability assessments • Show how different types of vulnerabilities arise in a system • Teach coding techniques that can prevent certain types of vulnerabilities • Make your software more secure 2 Roadmap • Part 1: Vulnerability Assessment Process – Introduction – Evaluation process – Architectural analysis – Computer process – Communication channels – Resource analysis – Privilege analysis – Data Flow Diagrams – Component analysis – Vulnerability Discovery Activities • Part 2: Secure Coding Practices 3 Security Problems Are Real Everyone with a computer knows this. If you’re not seeing vulnerability reports and fixes for a piece of software, it doesn’t mean that it is secure. It probably means the opposite; they aren’t looking or aren’t telling. The grid community has been largely lucky (security through obscurity). 4 Many Avenues of Attack We’re looking for attacks that exploit inherent weakness in your system. Internet Firewall: www server Attack web using www protocols Compromised host Internal bad guy 5 Impact of Vulnerabilities FBI estimates computer security incidents cost U.S. businesses $67 billion in 2005 [CNETnews.com] Number of reported vulnerabilities each year is increasing [CERT stats] 8000 6000 4000 2000 0 1994 1998
    [Show full text]
  • Opentext Product Security Assurance Program
    The Information Company ™ Product Security Assurance Program Contents Objective 03 Scope 03 Sources 03 Introduction 03 Concept and design 04 Development 05 Testing and quality assurance 07 Maintain and support 09 Partnership and responsibility 10 Privavy and Security Policy 11 Product Security Assurance Program 2/11 Objective The goals of the OpenText Product Security Assurance Program (PSAP) are to help ensure that all products, solutions, and services are designed, developed, and maintained with security in mind, and to provide OpenText customers with the assurance that their important assets and information are protected at all times. This document provides a general, public overview of the key aspects and components of the PSAP program. Scope The scope of the PSAP includes all software solutions designed and developed by OpenText and its subsidiaries. All OpenText employees are responsible to uphold and participate in this program. Sources The source of this overview document is the PSAP Standard Operating Procedure (SOP). This SOP is highly confidential in nature, for internal OpenText consumption only. This overview document represents the aspects that are able to be shared with OpenText customers and partners. Introduction OpenText is committed to the confidentiality, integrity, and availability of its customer information. OpenText believes that the foundation of a highly secure system is that the security is built in to the software from the initial stages of its concept, design, development, deployment, and beyond. In this respect,
    [Show full text]
  • Rogue Automation: Vulnerable and Malicious Code in Industrial
    In partnership with Rogue Automation Vulnerable and Malicious Code in Industrial Programming Federico Maggi Marcello Pogliani Trend Micro Research Politecnico di Milano Rogue Automation Vulnerable and Malicious Code in Industrial Programming Published by TREND MICRO LEGAL DISCLAIMER Trend Micro Research The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most Written by current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and Federico Maggi nothing herein should be construed otherwise. Trend Micro reserves the right to modify Trend Micro Research the contents of this document at any time without prior notice. Marcello Pogliani Translations of any material into other languages are intended solely as a convenience. Politecnico di Milano Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and With contributions from have no legal effect for compliance or enforcement purposes. Martino Vittone, Although Trend Micro uses reasonable efforts to include accurate and up-to-date Davide Quarta, information herein, Trend Micro makes no warranties or representations of any kind as to Stefano Zanero its accuracy, currency, or completeness. You agree that access to and use of and reliance Politecnico di Milano on this document and the content thereof is at your own risk.
    [Show full text]
  • Systems Administrator
    SYSTEMS ADMINISTRATOR SUMMARY The System Administrator’s role is to manage in-house computer software systems, servers, storage devices and network connections to ensure high availability and security of the supported business applications. This individual also participates in the planning and implementation of policies and procedures to ensure system provisioning and maintenance that is consistent with company goals, industry best practices, and regulatory requirements. ESSENTIAL DUTIES AND RESPONSIBILITIES: The Authority’s Senior Systems Manager may designate various other activities. The following statements are intended to describe the general nature and level of work being performed. They are not intended to be construed, as an exhaustive list of all responsibilities, duties and skills required of personnel so classified. Nothing in this job description restricts management's right to assign or reassign duties and responsibilities to this job at any time for any reason, including reasonable accommodation. Operational Management Manage virtual and physical servers with Windows Server 2003 – 2012 R2 and RHEL operating systems Manage Active Directory, Microsoft Office 365, and server and workstation patching with SCCM Manage the physical and virtual environment (VMware) of 300 plus servers Have familiarity with MS SQL server, windows clustering, domain controller setup, and group policy Ensure the security of the server infrastructure by implementing industry best-practices regarding privacy, security, and regulatory compliance. Develop and maintain documentation about current environment setup, standard operating procedures, and best practices. Manage end user accounts, permissions, access rights, and storage allocations in accordance with best- practices Perform and test routine system backups and restores. Anticipate, mitigate, identify, troubleshoot, and correct hardware and software issues on servers, and workstations.
    [Show full text]
  • Web Application Vulnerabilities and Insecure Software Root Causes: the OWASP Top 10
    Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications Marco Morana OWASP OWASP Cincinnati Chapter, November 2010 Meeting Copyright © 2010 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation http://www.owasp.org What is OWASP? OWASP 2 Agenda For Today’s Presentation 1. The Evolution of Web 2.0 2. Web 2.0 Vulnerability Analysis 3. Building Secure Web 2.0 Applications 4. Web 2.0 Risk Management OWASP 3 The Evolution of the Internet to Web 2.0 OWASP 4 General Web 2.0 Background Can be defined as: “Web applications that facilitate interactive information sharing and collaboration, interoperability, and user-centered design on the World Wide Web” … the main characteristics of web 2.0 are: 1. Encourage user’s participation and collaboration through a virtual community of social networks/sites. Users can and add and update their own content, examples include Twitter and social networks such as Facebook, Myspace, LinkedIn, YouTube 2. Transcend from the technology/frameworks used AJAX, Adobe AIR, Flash, Flex, Dojo, Google Gears and others 3. Combine and aggregate data and functionality from different applications and systems, example include “mashups” as aggregators of client functionality provided by different in-house developed and/or third party services (e.g. web services, SaaS) OWASP 5 Web 2.0 As Evolution of Human Knowledge Source http://digigogy.blogspot.com/2009/02/digital-blooms-visual.html
    [Show full text]
  • Address Munging: the Practice of Disguising, Or Munging, an E-Mail Address to Prevent It Being Automatically Collected and Used
    Address Munging: the practice of disguising, or munging, an e-mail address to prevent it being automatically collected and used as a target for people and organizations that send unsolicited bulk e-mail address. Adware: or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software. Adware is software designed to force pre-chosen ads to display on your system. Some adware is designed to be malicious and will pop up ads with such speed and frequency that they seem to be taking over everything, slowing down your system and tying up all of your system resources. When adware is coupled with spyware, it can be a frustrating ride, to say the least. Backdoor: in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device. A back door is a point of entry that circumvents normal security and can be used by a cracker to access a network or computer system. Usually back doors are created by system developers as shortcuts to speed access through security during the development stage and then are overlooked and never properly removed during final implementation.
    [Show full text]
  • From Secure Coding to Secure Software
    From Secure Coding to Secure Software Table of Contents From Secure Coding to Secure Software ........................................................................................ 4 Why Software Security? .................................................................................................................. 6 Software and security failures are rampant ................................................................................... 7 Software and security failures are expensive ................................................................................. 8 Polling Question 2 ........................................................................................................................... 9 Engineering and Development ..................................................................................................... 10 Most Vulnerabilities Are Caused by Programming Errors ............................................................ 11 Secure Software Development ..................................................................................................... 12 Sources of Software Insecurity ..................................................................................................... 13 Polling Question 3 ......................................................................................................................... 15 Coding rules – 2016 Edition .......................................................................................................... 17 CWE Guidance ..............................................................................................................................
    [Show full text]
  • FANS: Fuzzing Android Native System Services Via Automated Interface Analysis
    FANS: Fuzzing Android Native System Services via Automated Interface Analysis Baozheng Liu1;2,∗ Chao Zhang1;2 , Guang Gong3, Yishun Zeng1;2, Haifeng Ruan4, Jianwei Zhuge1;2 1Institute of Network Science and Cyberspace, Tsinghua University [email protected] 2Beijing National Research Center for Information Science and Technology [email protected] 3Alpha Lab, 360 Internet Security Center 4Department of Computer Science and Technology, Tsinghua University Abstract 1 Introduction Android has become the most popular mobile operating sys- Android native system services provide essential supports and tem, taking over 85% markets according to International Data fundamental functionalities for user apps. Finding vulnerabil- Corporation1. The most fundamental functions of Android ities in them is crucial for Android security. Fuzzing is one of are provided by Android system services, e.g., the camera the most popular vulnerability discovery solutions, yet faces service. Until October 2019, hundreds of vulnerabilities re- several challenges when applied to Android native system lated to Android system services had been reported to Google, services. First, such services are invoked via a special inter- revealing that Android system services are still vulnerable and process communication (IPC) mechanism, namely binder, attractive for attackers. A large portion of these vulnerabilities via service-specific interfaces. Thus, the fuzzer has to recog- reside in native system services, i.e., those mainly written in nize all interfaces and generate interface-specific test cases C++. Vulnerabilities in Android native system services could automatically. Second, effective test cases should satisfy the allow remote attackers to compromise the Android system, interface model of each interface. Third, the test cases should e.g., performing privilege escalation, by means of launching also satisfy the semantic requirements, including variable IPC requests with crafted inputs from third-party applications.
    [Show full text]
  • Vulnerabilities, Threats, and Secure Coding Practices
    Vulnerabilities, Threats, and Secure Coding Practices Barton P. Miller Elisa Heymann Computer Sciences Department Computer Sciences Department University of Wisconsin University of Wisconsin [email protected] & Universitat Autònoma de Barcelona [email protected] NSF CyberSecurity Summit 2015 Arlington, August 17 2015 1 What do we do • Assess Middleware: Make cloud/grid software more secure • Train: We teach tutorials for users, developers, sys admins, and managers • Research: Make in-depth assessments more automated and improve quality of automated code analysis http://www.cs.wisc.edu/mist/papers/VAshort.pdf 2 Our History 2001: “Playing Inside the Black Box” paper, first demonstration of hijacking processes in the Cloud. 2004: First formal funding from US NSF. 2004: First assessment activity, based on Condor, and started development of our methodology (FPVA). 2006: Start of joint effort between UW and UAB. 2006: Taught first tutorial at San Diego Supercomputer Center. 2007: First NATO funding, jointly to UAB, UW, and Ben Gurion University. 2008: First authoritative study of automated code analysis tools. 2009: Published detailed report on our FPVA methodology. 2009: U.S. Dept. of Homeland Security funding support. 2012: DHS Software Assurance Marketplace (SWAMP) research center. 3 Our experience includes Condor, University of Wisconsin Batch queuing workload management system 15 vulnerabilities 600 KLOC of C and C++ Google Chrome, Google Web browser 1 vulnerability 2396 KLOC of C and C++ MyProxy, NCSA Credential Management System 5 vulnerabilities
    [Show full text]
  • A United States Perspective on the Ethical and Legal Issues of Spyware Janice C
    A United States Perspective on the Ethical and Legal Issues of Spyware Janice C. Sipior Burke T. Ward Georgina R. Roselli College of Commerce & Finance College of Commerce & Finance College of Commerce & Finance Villanova University Villanova University Villanova University Villanova, PA 19085 USA Villanova, PA 19085 USA Villanova, PA 19085 USA +1-610-519-4347 +1-610-519-4375 +1-610-519-4347 [email protected] [email protected] [email protected] ABSTRACT While information concerning user characteristics and Spyware is regarded as the largest threat to internet users since preferences may be used beneficially to improve product and spam, yet most users do not even know spyware is on their service offerings, the surreptitious nature of its acquisition personal computers. Ethical and legal concerns associated with coupled with no indication of its intended use may raise ethical spyware call for a response. A balance must be found between and legal issues regarding its acceptability. Ethically, spyware legitimate interests of spyware installers, who have obtained installers have an obligation to users to obtain informed consent informed consent of users who accept advertisements or other for the collection and use of personal information. However, in marketing devices, and users who are unwitting targets. the commercially competitive environment of electronic Currently, there is not widespread awareness or understanding commerce, information gathering may be undertaken without of the existence of spyware, its effects, and what remedies are users’ knowledge or permission. available to defend against it. For industry sectors subject to For industry sectors which are subject to data collection laws, data collection and protection laws, spyware results in “spyware can be an unwitting avenue to noncompliance” [9].
    [Show full text]
  • Authentication and Authorization for Mobile Devices
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Göteborgs universitets publikationer - e-publicering och e-arkiv Authentication and Authorization for Mobile Devices Bachelor of Science Thesis in Software Engineering and Management NAVID RANJBAR MAHDI ABDINEJADI The Author grants to Chalmers University of Technology and University of Gothenburg the non-exclusive right to publish the Work electronically and in a non-commercial purpose make it accessible on the Internet. The Author warrants that he/she is the author to the Work, and warrants that the Work does not contain text, pictures or other material that violates copyright law. The Author shall, when transferring the rights of the Work to a third party (for example a publisher or a company), acknowledge the third party about this agreement. If the Author has signed a copyright agreement with a third party regarding the Work, the Author warrants hereby that he/she has obtained any necessary permission from this third party to let Chalmers University of Technology and University of Gothenburg store the Work electronically and make it accessible on the Internet. Authentication and Authorization for Mobile Devices NAVID RANJBAR MAHDI ABDINEJADI © NAVID RANJBAR, June 2012. © MAHDI ABDINEJADI, June 2012. Examiner: HELENA HOLMSTRÖM OLSSON University of Gothenburg Chalmers University of Technology Department of Computer Science and Engineering SE-412 96 Göteborg Sweden Telephone + 46 (0)31-772 1000 Department of Computer Science and Engineering Göteborg, Sweden June 2012 2 Authentication and Authorization for Mobile Devices Navid Ranjbar Mahdi Abdinejadi Department of Computer Science and Engineering Department of Computer Science and Engineering University of Gothenburg University of Gothenburg Gothenburg, Sweden Gothenburg, Sweden [email protected] [email protected] Abstract— Nowadays market demand forces companies to adapt to mobile technology.
    [Show full text]
  • Software Analysis for Security
    Software Analysis for Security Spiros Mancoridis Department of Computer Science College of Engineering Drexel University Philadelphia, PA 19147, USA E-mail: [email protected] Abstract ware architecture to assure the system’s security. The qual- ity of a security architecture, however, also depends on the This is a survey of the processes, practices, and technolo- security of the applications that constitute the system. In gies that can help software maintenance engineers improve low security operating environments, such as most commer- the security of software systems. A particular emphasis is cial operating systems, it is assumed, albeit optimistically, placed on validating security architectures, verifying that that these applications are trustworthy. Therefore, it is im- the implementation of an architecture’s constituent appli- portant to articulate the practices to support the secure cod- cations adhere to secure coding practices, and protecting ing of applications and the tools for detecting malware. Se- software systems against malicious software. In addition to cure coding involves programming practices and run-time surveying the state-of-the-art, research challenges pertain- mechanisms that can be used to limit the vulnerabilityof ap- ing to software security are posed to the software mainte- plications to dangerous malware that exploit, for example, nance research community. buffer overflows, format string vulnerabilities, and integer vulnerabilities to attack computer systems. One approach to software security is to verify that (a) the security mechanisms used are trustworthy; (b) the security 1. Introduction architecture has been validated against the security policy; and (c) the software applications that constitute the system The goal of computer security is to protect computer as- are trustworthy (e.g., they have been developed using secure sets (e.g., servers, applications, web pages, data) from cor- coding practices, or they are not malware).
    [Show full text]