Enterprise Application Security: How to Balance the Use of Code Reviews and Web Application Firewalls for PCI Compliance

Ulf Mattsson, CTO, Protegrity


Introduction
Payment Card Industry (PCI) Requirements
  PCI Requirement 6 - Developing and maintaining secure applications
  PCI Requirement 6.6 mandates the following
  Complying with Requirement 6.6
  PCI quarterly network scans – too little too late
  Requirement 6.6 Option 1 – Application Code Reviews
  Requirement 6.6 Option 2 – Application Firewalls
Application Layer Attacks
  Web Application Attacks
  Finding vulnerabilities in applications
  Different types of Firewalls
Selecting a Defense Strategy
  Holistic Security - Protecting the Enterprise Data Flow
  Data at Rest Encryption - configuration files, log files, web pages and data
  Protecting the Data Flow
  Finding Vulnerabilities
  Vulnerability Scanners and Application Code Reviews
  Performance and frequency
  Attacks change frequently
  Source code may not be available
  Code reviews are often not security oriented
  A massive legacy code base
  Senior skills needed
  Comparing WAF with Scanners and Code Review
  A WAF is a complement to the development processes
  Deploy a WAF and build a plan for a long term code review
  WAF is an aid to Web Application Developers
  Selecting a WAF solution
  WAF selection criteria
  WAF Critical Requirements
  The Future of WAF Technology
  Selecting a code review approach
  Security Development Lifecycles
  Tool selection criteria
Conclusion
References and Suggested Reading


Introduction

Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance [1] has passed, and well documented breaches have heightened the public's and regulatory agencies' concerns about how well companies are securing consumer specific information. Despite some initial advances, sensitive information is still frequently stolen. The internal threat is an issue, magnified by extended partnerships that ultimately lead to more tasks being performed outside company facilities. In increasingly complex technical and business environments, no single security approach can deal with all the new and innovative intrusions. But the lack of a security silver bullet doesn't mean data security is impossible. It simply means that businesses have to take a multi-pronged approach to data security.

Summary

This article is based on a project case study in protecting an enterprise application environment, including web oriented applications. The article is PCI 6.6 oriented and compares the use of Web Application Firewalls (WAF) and code reviews for web facing applications. It also addresses code scanning that is not web related. Extending the code reviews into the non-web applications, we also briefly discuss other types of protection. Other articles have already discussed how to protect against SQL injection into the database, and against internal threats, including a DBA that impersonates a user. The section "Protecting the Data Flow" includes a few pointers to resources discussing protection of the enterprise data flow. The code review section is longer since this is an evolving area from a PCI perspective, focusing on WAF and complementary code scanning. This article will compare WAF and web based code reviews, and point to resources [15] discussing the whole data flow, which involves much more than C/C++ code scanning. The part concerning code analysis is not web oriented; it is about C/C++/Java source code scanning, though it has some general parts.

The case study - company ABC

The case study from company ABC recommended using both WAF and code reviews.
Internal and external users are accessing sensitive client and credit card data via web based applications and other types of applications. ABC considers Web applications the #1 focus of an attack. ABC reviewed recent research showing that the majority of cyber attacks are performed at the Web application level, and considers that its e-business Web sites are at immediate risk of being hacked. ABC's primary issues are PCI compliance and a concern about the escalating threat against financial data from organized crime and insiders. Time is a critical factor in selecting solutions to prevent breaches. ABC is a security aware organization that will need both short term and long term solutions to this problem. The case study from company ABC will analyze and identify an approach to develop and maintain secure systems and applications, including selecting suitable static analysis code scanning tools for application development. ABC positioned different approaches to prevent data theft (and to cover the attack paths to the data: different types of apps and databases), including WAF, data protection (encryption, hashing, tokenizing) and C++ code scanning. The solution for ABC is based on the conclusion that every layer of defense is critical. A holistic and layered approach can provide the best level of data security, and the sooner sensitive data gets encrypted, the more secure the environment. ABC is planning an enterprise data protection approach that protects data across the information lifecycle. ABC acknowledges that secure development will take a long time to implement, partly because of expensive and time consuming manual code reviews. The short term solution is based on protecting the external web facing applications with a WAF combined with data encryption in files and databases. This will give ABC a quick and cost effective data security implementation that will meet PCI requirements in this area. ABC is complementing this with a medium term solution including code reviews and scanning of internal, non-web application code. ABC also identified a long term project that will include penetration testing, scanning and review of the web application code base.

Payment Card Industry (PCI) Requirements

PCI Requirement 6 - Developing and maintaining secure applications

Payment Card Industry (PCI) Data Security Standard (DSS) Requirement 6 is "Develop and maintain secure systems and applications." PCI 6.6 itself has two halves, "code review" (the act of finding and fixing vulnerabilities) and "application firewalls" (a device designed to thwart web site attacks), that merchants may choose between.

Fixing custom application code is not easy

Requirement 6 is about "developing and maintaining secure applications and systems." Requirement 6.1 requires that vendor supplied security patches be applied within one month of release. Securing and fixing custom application code is not as easy as downloading a patch from your favorite software vendor. Web application vulnerabilities must be identified, and fixes developed, tested, and deployed. In short, you're on your own for the entire process. Setting aside the fact that these two options should be perceived not as competitive but as complementary, the Council is giving merchants the choice in acknowledgement of budget constraints.

PCI Requirement 6.6 mandates the following:

PCI DSS version 1.1 Requirement 6.6: Ensure that web facing applications are protected against known attacks by applying either of the following methods: having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or installing an application layer firewall in front of web facing applications.

Testing Procedure: For web-based applications

PCI DSS version 1.1 Requirement 6.6 Testing Procedure: For web based applications, ensure that one of the following methods is in place. Verify that custom application code is periodically reviewed by an organization that specializes in application security; that all coding vulnerabilities were corrected; and that the application was re-evaluated after the corrections. Or verify that an application layer firewall is in place in front of web facing applications to detect and prevent web based attacks. The confusion stems from the interpretation of the requirement.

First, let's clear up some high level misconceptions. Requirement 6.6 is not just for "level ones." It does not specify service providers or merchants. It does not specify either source code reviews or web application firewalls in particular.

Complying with Requirement 6.6

Requirement 6.6 is about protecting web applications, plain and simple. Given our modern threat landscape, it is no wonder that PCI Requirement 11.3.2 dictates that "application penetration tests" be performed after every "significant change." Meaningful web application security management requires frequent assessments, as code and threats evolve continually. Requirement 6.6 is about developing a repeatable methodology that connects the "Find" process (vulnerability detection) to the "Fix" process for the systematic, efficient elimination of vulnerabilities from web applications. Additional practical PCI guidance can be found at [16].

What does PCI 6.6 mean

The ultimate goal is to ensure secure web applications. For applications developed or customized in house, the following process must be performed continually: identify vulnerabilities (find), correct them (fix), and test to confirm that the correction is effective (prove). Find, fix, prove; find, fix, prove.

PCI quarterly network scans – too little too late

The quarterly network scans will find some SQL injection and catch missing basic input validation, but generally they cannot find application level vulnerabilities. Since Web applications need to be checked on a continuous basis, these quarterly network scans should not be relied on to tell you whether your Web apps are vulnerable.

Vulnerabilities must be detected, communicated, and corrected

A long term goal of Requirement 6.6 is the establishment of a web application vulnerability lifecycle, leading to the effective elimination of risk. Vulnerabilities must be detected, communicated, and corrected. This can be done through various measures including black box testing (runtime assessment), white box testing (source code review), binary analysis, static analysis, remediation by developers, or web application firewalls.

Runtime Assessments, Reviews, Binary and Static Analysis to find vulnerabilities in web applications

There is a misconception that all detection techniques try to achieve the same end goal and compete for the same budgetary dollars. The fact of the matter is that each testing ideology brings different benefits to the table at different prices, and almost all of them are complementary and help paint a complete picture of application weaknesses. While vulnerability scanners are required for PCI DSS section 11.3 and can be used for section 6.6, a WAF helps organizations meet 8 of the 12 PCI DSS requirements. That's eight PCI DSS requirements that a WAF helps meet versus just two that vulnerability scanners can help meet.

Requirement 6.6 Option 1 – Application Code Reviews

The application code review option does not necessarily require a manual review of source code. Keeping in mind that the objective of Requirement 6.6 is to prevent exploitation of common vulnerabilities (such as those listed in Requirement 6.5), several possible solutions may be considered. They are dynamic and proactive, requiring the specific initiation of a manual or automated process. Properly implemented, one or more of these four alternatives could meet the intent of Option 1 and provide the minimum level of protection against common web application threats:
1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools

Requirement 6.6 Option 2 – Application Firewalls

PCI Requirement 6.6 can be quickly met by installing a web application firewall. In the context of requirement 6.6, an "application firewall" is a web application firewall (WAF), which is a security policy enforcement point positioned between a web application and the client endpoint. This functionality can be implemented in software or hardware, running in an appliance device or in a typical server running a common operating system.

PCI Auditors seek evidence of due care

The PCI Council has not asserted itself as an authority on application security; it leaves the verification of compliance to approved auditors. What the PCI auditors seek is evidence of due care. Automated tools alone only cover roughly half of the Web Application Security Consortium's Threat Classifications. If an application is worth protecting, test it thoroughly with both automated and human means. Web applications are continually changing, as is the threat landscape. Test the application in production as frequently as is meaningful, for example with each code change. Vulnerabilities identified become a known liability and must be managed. Vulnerabilities must be communicated clearly and effectively to the groups tasked with remediation. Testing custom application code must be done methodically, and retesting must follow the same processes where possible. Patch development, validation of remediation, and corrections will be simplified if you follow a consistent methodology.

Application Layer Attacks

Web Application Attacks

Buffer overflows, SQL injection and Cross Site Scripting

Buffer overflows and SQL injection are not new, but attackers still manage to make effective use of them to gain access to, and administrative privileges on, databases. Intrusion prevention systems are of use in dealing with buffer overflows. SQL injection is a popular method of attack, since modern databases use SQL (Structured Query Language) to enable users to access and manipulate the data stored in a database. The basic procedure for a SQL injection exploit is to provide a valid request at the beginning, followed by a single quote and a ";" with an additional request appended which contains the actual command the attacker hopes to execute. By piggybacking the "bad" code onto the good code it is possible to trick an application that builds its SQL statements from user input into sending the attacker's statement to the database, which then carries out an unauthorized execution. Reflected cross site scripting occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content. The user will most likely click on this link from another web site, an instant message, or simply while reading a web board or email message. Usually the attacker will encode the malicious portion of the link in hex (or another encoding) so the request looks less suspicious to the user when clicked. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent, in a manner that makes it appear to be valid content from the web site.
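The piggybacking described above, as an added worked example that is not part of the original article: a lookup that concatenates the username into its SQL statement, beside the parameterized version that removes the bug. The schema, rows and card numbers are constructed for the demonstration. Because Python's sqlite3 execute() refuses a second ";"-separated statement, the injected statement here is a UNION rather than a stacked query; it rides on the original query in exactly the same way, closing the string literal with a quote and commenting out the trailing quote with "--".

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the article).
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER);
CREATE TABLE cards (id INTEGER PRIMARY KEY, account_id INTEGER, pan TEXT);
INSERT INTO accounts VALUES (1, 'alice', 120), (2, 'bob', 75);
INSERT INTO cards VALUES (1, 1, '4111111111111111'), (2, 2, '5500000000000004');
"""

# Attacker input: a valid-looking value, then a quote that closes the literal,
# then the piggybacked statement, then "--" to comment out the trailing quote.
# sqlite3.execute() rejects a second ";"-separated statement, so the
# piggyback is a UNION that pulls rows out of another table instead.
PAYLOAD = "nobody' UNION SELECT id, pan FROM cards --"


def open_db():
    """In-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation: user input becomes SQL."""
    sql = "SELECT id, balance FROM accounts WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver binds the value and never parses it as SQL."""
    sql = "SELECT id, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Returns (rows leaked by the vulnerable lookup, rows from the safe lookup)."""
    conn = open_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_safe(conn, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned:", leaked)   # rows of the cards table
    print("parameterized lookup returned:", safe)  # [] : no such username
```

Run it and the vulnerable lookup returns the card numbers from the cards table for a username that does not exist, while the parameterized lookup returns nothing. A WAF signature for "UNION SELECT" catches this particular payload; only the parameterized form removes the defect for every payload.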

Finding vulnerabilities in applications

Finding vulnerabilities in web-facing applications

Regardless of your classification as a Merchant or Service Provider, if you have a web facing application, it must be assessed. This will be far more exhaustive than a network vulnerability scan, and will require authentication to access the majority of application functionality. This testing requires human expertise to exercise the application, validate findings, and test for logical vulnerabilities and other threats a testing tool cannot identify.

Vulnerabilities in custom application code

Vulnerabilities in custom application code can be found in a variety of ways. The Web Application Security Consortium [12] has classified 24 different types of attacks targeting web applications. Half of those threats (13 technical vulnerability classes) can be identified at some level of effectiveness through automated means, including runtime code testing as well as source code analysis. As with any detection technology, there is a certain signal to noise ratio; human validation is required to separate true vulnerabilities from false findings. There are many variables in application security testing, so your mileage will vary. There are 24 threat classifications, with two current appendices (HTTP Response Splitting and Cross Site Request Forgery) which have not yet been formally ratified into the WASC Threat Classification document.

Fixing vulnerabilities

PCI Requirements 11.3.2 and 6.6 require this. For context, reread PCI requirement 6.1. Proving you have installed a patch to commercial applications and operating systems is easy. Proving you have corrected a weakness in custom application code is a little more complicated. This is where having a consistent testing and reporting methodology will come in handy. If you own the web application code, fix it. If you do not own the code, or have a valid business case or cost restrictions that are impediments to fixing the raw code, correct the vulnerability through other methods (e.g., a web application firewall).
Ensure the mitigation corrects the vulnerability in practice and in writing

After significant investment in managing the web application vulnerability lifecycle, an auditor (SOX, PCI, or any other auditor) needs documentation to prove the fix worked. Ensure the mitigation applied does in fact correct the vulnerability, in practice and in writing. The PCI 6.6 compliance process of "Find, Fix, Prove" can be simplified further. If the "Find" process is done with sufficient precision and creates proper documentation, it can be run in a continual or ongoing manner and will in turn document proof of the "Fix" actions as they occur. Auditors like to see trends, especially when they involve continual detection and removal of vulnerabilities; this makes proving due care very easy. With a clear understanding of PCI Requirement 6.6, compliance is not only achievable, but can provide great value to web application owners and users. This requirement creates a need for visibility into the lifecycle for vulnerability detection and correction, and will serve to mature web application security. Applying metrics to the efficiency of detection, the cost of producing vulnerable code, and the associated costs of correction will only serve to advance the goal of total web application security.

Different types of Firewalls

Traditional Network Firewalls

A WAF is different from other firewall approaches. Traditional firewalls which perform packet filtering only cannot monitor and block by user, which is required for compliance. Also, without a whitelist security model, this type of solution cannot protect against parameter tampering, session hijacking and cookie poisoning attacks, among others. The bottom line is that network firewalls do not understand enough about the application and its state over time to provide adequate application security functionality.

1st Generation Web Application Firewalls

Reverse proxy only Web application firewalls introduce latency, because they terminate traffic and require changes to the network, DNS and the application itself, as discussed in [33]. They may even break applications in the event of large traffic loads.

Application Delivery Solutions with Application Security Add-ons

Layer 7 content switches and first generation Web app firewalls share something in common: generally they both mandate deploying reverse proxies to modify and manage traffic. As a consequence, many application delivery vendors acquired Web app security technology and integrated it into their content switches. However, these joint solutions have retained all of the challenges of legacy Web app firewalls. For example, they often rely on manually defined white lists to validate Web requests. They protect session IDs by signing cookies and obfuscating URLs, intrusive measures that often have unexpected consequences. Combining Web application security and delivery also introduced many new challenges. The extensive regular expressions and content parsing in Web security significantly degrade the performance of application delivery products, by upwards of 50%. And lastly, most application delivery vendors do not specialize in Web security, so they do not regularly research new application threats or automatically update security policies.

Selecting a Defense Strategy

Holistic Security - Protecting the Enterprise Data Flow

Management accountability

Different options to protect payment card data are discussed in [18]. Protecting the enterprise data flow is discussed in [15], and [17] looks at security beyond PCI. Scanners identify vulnerabilities. If those vulnerabilities are known but not fixed, management is accountable. We know that it often takes months to fix vulnerabilities in the application. A WAF provides a unique solution: it prevents the vulnerability from being exploited, allowing time to fix the code – thus eliminating the accountability issue. The easiest way to protect against these sorts of exploits

Data at Rest Encryption - configuration files, log files, web pages and data

Web server applications typically access configuration files, log files, web pages and data. It is recommended to secure these files by encrypting each type of file with a different encryption key. With a mature encryption solution, all files are encrypted, yet access can be granted to any of these types based on the user's role.

Complementing application scanning tools

Vulnerability scanning tools cannot verify cryptographic storage at all. Code scanning tools can detect use of known cryptographic APIs, but cannot detect whether they are being used properly or whether the encryption is performed in an external component. Like scanning, testing cannot verify cryptographic storage. Also, do not use weak algorithms such as MD5 or SHA-1; favor safer alternatives, such as SHA-256 or better. Code review is the best way to verify that an application encrypts sensitive data and has properly implemented the mechanism and key management. Please see OWASP 2007 item A8 – INSECURE CRYPTOGRAPHIC STORAGE [4] for more information. Database scanning, i.e. scanning for database vulnerabilities like default/weak passwords, improper configuration, patch level, etc., is also needed, since application security is very dependent on database authentication (based on the transparency requirement); a weak password, for instance, would be critical. This is related to PCI 2.1, 2.2, 6.1, 6.2 and 8.5.
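What "code scanning tools can detect use of known cryptographic APIs, but cannot detect whether they are being used properly or whether the encryption is performed in an external component" looks like in practice, as an added example that is not from the article: a small static analyzer built on Python's ast module that flags MD5 and SHA-1 calls through hashlib, including hashlib.new("SHA-1") and aliased imports. The sample source it scans is constructed for the demonstration, and vault_client is a hypothetical external component; note that the scanner reports nothing about it, which is exactly the limitation the paragraph describes.

```python
import ast

WEAK = {"md5", "sha1"}   # hash functions the scanner treats as weak


def _canonical(name):
    """'SHA-1' -> 'sha1', so hashlib.new('SHA-1') is recognised as well."""
    return name.lower().replace("-", "").replace("_", "")


def find_weak_hashes(source, filename="<input>"):
    """Return sorted [(line, api)] for each MD5/SHA-1 hashlib call in source.

    Recognises hashlib.md5(...), hashlib.sha1(...), hashlib.new('md5'|'sha1', ...)
    and names bound by 'from hashlib import md5/sha1 [as x]'. Anything done by
    an external component is invisible to this kind of analysis.
    """
    tree = ast.parse(source, filename)
    imported = {}   # local name -> hashlib function name
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            for alias in node.names:
                imported[alias.asname or alias.name] = alias.name

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib"):
            if func.attr in WEAK:                       # hashlib.md5(...)
                findings.append((node.lineno, "hashlib." + func.attr))
            elif (func.attr == "new" and node.args      # hashlib.new("md5", ...)
                    and isinstance(node.args[0], ast.Constant)
                    and isinstance(node.args[0].value, str)
                    and _canonical(node.args[0].value) in WEAK):
                findings.append((node.lineno, "hashlib.new(%r)" % node.args[0].value))
        elif isinstance(func, ast.Name) and imported.get(func.id) in WEAK:
            findings.append((node.lineno, "hashlib." + imported[func.id]))   # digest(...)
    return sorted(findings)


# Constructed sample source; vault_client is a hypothetical external component.
SAMPLE = """import hashlib
from hashlib import sha1 as digest
import vault_client

def store_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def file_checksum(data):
    return hashlib.new("SHA-1", data).hexdigest()

def session_token(seed):
    return digest(seed).hexdigest()

def protect_pan(pan):
    return vault_client.encrypt(pan)

def good_hash(data):
    return hashlib.sha256(data).hexdigest()
"""

if __name__ == "__main__":
    for line, api in find_weak_hashes(SAMPLE, "sample.py"):
        print("sample.py:%d: weak hash %s" % (line, api))
```

The scanner flags three calls and stays silent on protect_pan: whether vault_client encrypts with an approved algorithm, and how its keys are managed, can only be established by reviewing that component, which is the paragraph's point about code review.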

Protecting the Data Flow

Limit the exposure of sensitive data bytes inside applications and the LAN

Many applications have no need to see all bytes in every data field that is passed through them. One approach to protecting this information in application memory and in transit is to use masking, or to partially encrypt sensitive fields to hide the bytes that are not needed from exposure [7]. This can be enabled by using a mode of the AES encryption algorithm that provides full or partial format preserving encryption, or preservation of length or data type. This allows arbitrary fields to be encrypted to a given target format. It alleviates the need to change the database and keeps the application endpoint changes to a minimum. Some of these AES encryption modes may not be approved for use when permanently storing PCI data.

Validate the encryption mode with a certified PCI assessor

It is always good practice to check whether the AES encryption mode is approved for the type of use that you are planning. You may check with a certified PCI assessor. Please see [6] and [13] regarding merchants, risk management and other considerations. I'd also check the list that is approved by NIST [5]. In Special Publication 800-38A, five confidentiality modes are specified for use with any approved block cipher, such as the AES algorithm. The modes in SP 800-38A are updated versions of the ECB, CBC, CFB, and OFB modes that are specified in FIPS Pub. 81; in addition, SP 800-38A specifies the CTR mode.
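The masking half of the approach above, as an added example that is not from the article or from any vendor product: a function that masks a card number in place, keeping its length and separators so that the field still fits the column and the screen layout, and showing at most the first six and last four digits. The Luhn check is there so that a value which merely looks numeric is not silently altered; the card numbers used are the constructed test values from earlier in this article, not real accounts. Format preserving encryption of the hidden digits, as opposed to masking, needs an approved FPE mode and is out of scope here.

```python
def luhn_valid(digits):
    """Luhn check on a string of digits; card numbers carry a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(value, keep_first=6, keep_last=4, mask_char="X"):
    """Mask a PAN in place, preserving its length and any separators.

    Shows at most the first six and last four digits (the PCI DSS display
    limit, so larger keep_* values are clamped) and replaces every other
    digit with mask_char. Raises ValueError if the value is not PAN-shaped,
    so ordinary numbers passing through the same code path are left alone.
    """
    positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    digits = "".join(value[i] for i in positions)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a PAN: %r" % value)
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    keep = set(positions[:keep_first]) | set(positions[len(positions) - keep_last:])
    out = list(value)
    for i in positions:
        if i not in keep:
            out[i] = mask_char
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values; the first two are standard test card numbers.
    for sample in ("4111 1111 1111 1111", "5500000000000004", "1234567890123456"):
        try:
            print(sample, "->", mask_pan(sample))
        except ValueError as exc:
            print(exc)
```

The masked value is what should live in application memory and cross the LAN whenever the consuming code needs only the BIN and the last four digits; the full PAN stays with the component that must have it.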

Finding Vulnerabilities

Source-level analysis is clearly still required

An application firewall is an excellent solution for protecting against knowable front end attacks, and can be the only solution for applications where deeper analysis is not possible or permitted. Having said that, source level analysis is clearly still required, because a majority of customer credit information exposures occur because of issues with access control, authorization, and data storage/transmission. These problems are, and will continue to be, outside the capability of a firewalling technology to distinguish.

Vulnerability Scanners and Application Code Reviews

Manual code reviews have negative aspects like time, cost and the skills required, but may detect bugs that are hard to find in other ways. Tool based code reviews may detect a different set of bugs. A few different code review alternatives are discussed above.

Performance and frequency

Scanning web sites in production can disrupt web site performance. Applications, especially Web applications, change frequently, so the target of vulnerability scanning and code review is a moving target, and new vulnerabilities can be introduced at any time. In many cases the application can change before a review cycle has been completed.

Attacks change frequently

Attacks, especially Web attacks, also change frequently. A few years ago, no vulnerability scan or code review would have found response splitting problematic. Then a paper describing response splitting attack techniques required developers to send the same code back for review.

Source code may not be available

For many applications the source code is not readily available or understood – and, in some cases, cannot easily be changed by the organization using the Web application. This could be either because the application is a third party application or because the original developers of a legacy application are no longer available to explain what they did.

Code reviews are often not security oriented

One of the problems with manual code reviews is that they are more often done for functionality purposes. It is an expensive and time consuming process to go through manual code reviews like the OWASP based source code review. On the code review side, just about all forms of testing options are still on the table: black and white box, with or without automated scanning assistance, and that kind of flexibility is a good thing. The catch is that the person or firm doing the testing "must have the proper skills and experience to understand the source code and/or web application, know how to evaluate each for vulnerabilities, and understand the findings." This goes for tool use as well. That's going to be the slightly fuzzy part, since our industry is new and doesn't really have formalized certification or education processes. So it'll be up to the merchant to prove the case to their auditor or bank.

A massive legacy code base

We not only develop code at a staggering pace, we have a massive legacy code base. While many leading organizations follow secure software development lifecycles, and many more will be adopting at least some level of code scanning over the next few years thanks to PCI 6.6, it's naive to think that even the majority of software will go through secure development any time soon. On top of that, we are constantly discovering new vulnerability classes that affect every bit of code written in the past. And, truth be told, no tool will ever catch everything, and even well educated people still make mistakes.

Senior skills needed

Manual code reviews and manual assessments of scan results are only as good as the reviewer, and manual code fixes are only as good as the developer. In both cases skill sets vary widely and can be very expensive. Often, manual code fixing introduces new vulnerabilities.

Penetration tests

Application vulnerabilities can be a significant class of vulnerabilities that no scanner or WAF can identify. They can be introduced by bad design or bad programming. The best way to find those vulnerabilities is a penetration test. Penetration tests should be performed by a security expert and can be better than code review at finding problems from the overall system view.

Comparing WAF with Scanners and Code Review

Web applications and WAF

Companies need to do security code reviews specifically designed for web application coding errors and web application vulnerabilities. The feedback from the review process then has to flow back into development, which requires automated tools that integrate into the Web application development design templates, scripts and tools. Web applications are a special breed of living code: always online, always accessible, always being modified, and always subject to attack. Diligent web application security demands frequent assessment; attack research and findings targeting specific web applications are posted daily.

WAF - immediate protection and without changing the application

A WAF can be deployed to provide immediate protection without changing the application. Vulnerability scanners and application code review both still require developers to fix code manually; this takes time and isn't always possible. A WAF with dynamic profiling technology automatically profiles applications and user behavior, automatically provides accurate protection for web applications and cardholder data, automatically adjusts as applications and user behavior change to provide continuous protection, and can be used to provide valuable information to developers to improve the application during normal development cycles.

A WAF is a complement to the development processes

A WAF is useful, and complementary to building security into the development processes. The WAF is probably the best choice in many situations. It is the best first step, as it can provide an immediate solution for immediate threats. It can also provide new immediate solutions as other methods uncover issues over time, or as new attack methods evolve. Even if the customer is aware of web threats and develops his web application with security in mind, the customer is aware of the PRESENT threats, not of FUTURE threats. So today's secured applications will not necessarily stay secured tomorrow. There is a great opportunity for a feedback loop in both directions between the WAF and code review, pen testing and scanning solutions.

Deploy a WAF and build a plan for a long term code review

A WAF can help to balance the different options. One issue is that PCI sets two very different techniques against each other. Organizations are going to choose only one technique to achieve compliance, where in reality they should be using both. Looking past that, the wording works very well for web application firewalls, in the sense that most organizations are likely to choose to deploy a WAF rather than go through a very long and very expensive process of code review.

WAF is an aid to Web Application Developers

A WAF provides critical information on usage patterns and changes in usage patterns that can GUIDE code review teams and point out problems, so they can fix any underlying logical issues in the application.

After WAF is deployed, code review and code fixing can proceed at a controlled pace

A WAF secures web applications and cardholder data without incurring the time and cost of bringing in 3rd party consultants or maintaining a separate dedicated group to review code. After a WAF is deployed, code review and code fixing projects can proceed at a controlled pace, reducing the risk of errors and the extra costs of emergency mode development. The basic premise is that we need to assume that any browser connecting to our applications is completely compromised. Attacks like cross site request forgery are just too difficult for the average browser/application to defend against. A big part of the problem is that the browser is a multi session tool. Unlike most of our client/server desktop applications, the browser needs the ability to mix content from multiple sources, often in a single window. It's how the whole darn Internet works. Some organizations don't understand what an application firewall does or how to use it, and may use a network scanner as a substitute for an app firewall.

Selecting a WAF solution

WAF selection criteria

The PCI Council's clarification of Requirement 6.6 provides more depth on what is required of a solution in order to meet Option 2 for Section 6.6. Several vendors view this clarification as a positive step for the industry, as there have been frequent misleading claims by solutions attempting to claim application security functionality where none in fact exists. The new guidance is a step in the right direction in defining the specific functionality that Web application security comprises. An important part of the guidance stresses the need for a solution to provide specific application security functionality, saying:

"Increasingly, WAF technology is integrated into solutions that include other functions such as packet filtering, proxying, SSL termination, load balancing, object caching, etc. These devices are variously marketed as "firewalls," "application gateways," "application delivery system," "secure proxy," or some other description. It is important to fully understand the data inspection capabilities of such a product to determine whether the product could satisfy the intent of Requirement 6.6."

Only a WAF in blocking mode satisfies PCI 6.6 requirements

Be aware that simply buying expensive WAF hardware does not meet this requirement. Configuring that application layer firewall to fix known vulnerabilities is required. This entails the risk of misconfiguration and of blocking legitimate traffic to your web site, but you must configure the WAF in blocking mode to satisfy the PCI 6.6 requirement that the vulnerability has been corrected.

PCI requires a sophisticated blocking WAF

The list they provided is quite detailed and extensive and requires a sophisticated product; no marginal network security device with a few web app sec checks is going to cut it here. Of course the catch is that the device must be configured to "block" the attacks, not just alert on them. That's going to be the most challenging part in my estimation, as this is not a trivial process. An issue that has not been brought to the front is what happens from a PCI perspective if an organization chooses code review (or pen test/scanning, if the clarification allows for them in the future) and that review turns up an issue requiring a long fix cycle.

WAF - Critical Requirements

A "sophisticated WAF" should inspect inbound REQUESTS for attack patterns and should also inspect outbound REPLIES for vulnerabilities (looking for forbidden patterns in the response). These capabilities are very different from those of IDS/IPS and network sniffers.
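Request-side and reply-side inspection, and the difference between alerting and blocking mode discussed above, as an added example that is not from the article or any product: a minimal WAF that decodes (possibly nested) percent-encoding before matching, so hex-encoded payloads of the kind described in the Web Application Attacks section are inspected in the clear, and that scans responses for forbidden patterns such as card-number-shaped digit runs and database error text. The rule sets and sample requests/replies are constructed for the demonstration and deliberately crude.

```python
import re
from urllib.parse import unquote_plus

# Request-side rules: crude signatures for the attack classes discussed in the article.
REQUEST_RULES = [
    ("sqli", re.compile(r"(?i)('\s*(or|and)\s*'?\d|\bunion\s+select\b|;\s*(drop|insert|update|delete)\b|--\s*$)")),
    ("xss", re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
]

# Reply-side rules: forbidden patterns that should never reach a client.
REPLY_RULES = [
    ("pan-leak", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")),        # 16-digit card shapes
    ("db-error", re.compile(r"(?i)(syntax error|sql syntax|sqlite3\.|ora-\d{5}|odbc driver)")),
]


def normalize(value, rounds=3):
    """Undo nested percent-encoding so hex-encoded payloads are matched decoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


class MiniWAF:
    """Inline policy enforcement point: 'monitor' only alerts, 'block' drops."""

    def __init__(self, mode="block"):
        if mode not in ("monitor", "block"):
            raise ValueError(mode)
        self.mode = mode
        self.log = []      # (direction, hits) for every matched request or reply

    def inspect_request(self, params):
        hits = []
        for name, raw in params.items():
            value = normalize(raw)
            for rule, pattern in REQUEST_RULES:
                if pattern.search(value):
                    hits.append((rule, name))
        return self._decide("request", hits)

    def inspect_reply(self, body):
        hits = [(rule, m.group(0)) for rule, pattern in REPLY_RULES for m in pattern.finditer(body)]
        return self._decide("reply", hits)

    def _decide(self, direction, hits):
        if not hits:
            return "allow"
        self.log.append((direction, hits))
        return "block" if self.mode == "block" else "alert"


# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUESTS = {
    "login": {"user": "alice", "pw": "s3cret"},
    "sqli_encoded": {"user": "nobody%27%20UNION%20SELECT%20id%2Cpan%20FROM%20cards%20--"},
    "xss_double_encoded": {"q": "%253Cscript%253Ealert(1)%253C%252Fscript%253E"},
}
SAMPLE_REPLIES = {
    "ok": "<p>Welcome back, alice</p>",
    "leak": "<p>Card on file: 4111 1111 1111 1111</p>",
    "error": "sqlite3.OperationalError: near \"'\": syntax error",
}

if __name__ == "__main__":
    for mode in ("monitor", "block"):
        waf = MiniWAF(mode)
        for name, params in SAMPLE_REQUESTS.items():
            print(mode, "request", name, "->", waf.inspect_request(params))
        for name, body in SAMPLE_REPLIES.items():
            print(mode, "reply", name, "->", waf.inspect_reply(body))
```

The same hits are logged in both modes; only the decision differs, which is why an auditor looking for evidence that a vulnerability has been "corrected" by the WAF needs the device in blocking mode. The signatures will also stop some legitimate traffic (a comment field containing "or 1", for instance), which is the misconfiguration risk the previous section warns about and the reason a real deployment tunes rules against the application's own traffic before switching modes.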

Soft appliance, a hardware appliance or any combination

A WAF should be deployable as software, a soft appliance, a hardware appliance, or any combination of the three. This enables the WAF to be a completely "green" solution and, coupled with deployment flexibility, makes it an ideal choice for shared hosting and virtual server environments. A WAF should also be able to operate as an inline gateway or as an out of band monitor.

Latency issues with traditional application firewalls

Most application firewalls, whether implemented as separate reverse proxy server machines, co-located with the application on the same host, or co-located with network firewall machines, generally operate in real time, intrusively inline with the applications they protect. This introduces latency while the application firewall examines the traffic, logs the activity, alerts IT operations and/or network firewalls to suspected attacks, and passes the traffic on to the application. Additional latency is introduced when HTTPS traffic is examined: the secure socket layer ("SSL") protocols used in HTTPS are terminated and decrypted prior to examination, and in some implementations the traffic is encrypted again before being passed on to the Web, application and/or database servers for final HTTPS termination. Application firewalls are not configured to take advantage of security events or behavioral anomalies detected elsewhere in the environment in the same approximate time frame, although correlation with those events is a typical practice when auditing the forensics of events via log files, long after the events have occurred.

Web application firewalls combined with an escalation system

Automated, synchronized threat monitoring and response between the application level and the database level provides highly effective protection against both external and internal attacks. An escalation system [14] can solve most of the latency issues of traditional application firewalls by dynamically switching Web application firewalls between different protection modes, as described below.

The Future of WAF Technology

Neither approach can solve the web application security problem

It's increasingly clear that no matter how good we are at secure programming and no matter how effective our code scanning and vulnerability analysis tools are, neither approach can "solve" our web application security problem.

Need to change how we view WAFs

I don't think standalone external WAFs will ever be effective enough to provide us the security we need for web applications. Rather, we need to change how we view WAFs. They can no longer be merely external boxes protecting against generic vulnerabilities; they need tighter integration into our applications.

Web application firewalls, applications, databases and file systems combined with an escalation system

Think of it as a combination of a web application firewall, an agent on the application server watching activity (what a user clicks on, where data goes) and a database agent or passive monitor watching all SQL activity, see [19] and [2].

A Multi-layer security advisory framework

A Multi-layer Security Advisory System provides a framework to effectively deal with threats of some classes of attacks. The warning system has 5 risk-of-attack levels (Threat Levels) which, when triggered, initiate specific actions by local servers within the same policy domain. Information about data security events is collected from sensors at different system layers (web, application, database and file system). The Threat Level is propagated to systems that are connected within a data flow. The Threat Level will also adjust for time of day, day of week, and other factors that are relevant.

A Score-card to keep track of usage abnormalities

A score-card is maintained for each subject (user or service account/proxy user, IP address, application, process) and object (database column, file) with a history of processing sensitive data. The score-card summarizes current and historical information about data access patterns for each entity (subjects and users). The score-card also includes a 'finger print' that reflects historical deviation from acceptable access patterns at the level of s/i/u/d (select/insert/update/delete) operations. A high score-card value will initiate more extensive analysis before releasing data to the subject. The dynamic and automatic altering of the protection policy between multiple system layers includes modifying the protection policy of data at one or several of the system layers. The modification is performed based on a result of the prevention analysis. The score-card can also keep track of when a remote system needs to reconnect to the central system to renew or recharge its capability to encrypt and decrypt data. The policy may allow the local system to only operate standalone for a certain time, or to process a fixed number of crypto operations between each host connection and central password renewal. This behavior will act like a rechargeable key box and can automatically shut down the local access to sensitive data in case the local system is stolen, cloned or compromised in some other way, see [3].

We link in to track activity through the application stack and can alert on things like a user seeing credit card numbers they've never had access to before, or activity that resembles XSS. So it's some of what you talked about, but really looking more at an end-to-end user transaction and seeing if that violates policy or not.

Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior

A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy.
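As an added example (not code from the paper, from the cited patent or from any product), the score-card and Threat Level scheme described above modelled in Python: constructed sensor events from the database layer are summarized per subject, the observed s/i/u/d distribution is compared against a constructed baseline fingerprint, the Threat Level (1 to 5) is raised for off-hours activity and for unusual volume, propagated to the peers in the data flow, and mapped to a WAF protection mode. The thresholds, the level-to-mode mapping and the event format are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

OPS = ("select", "insert", "update", "delete")    # the paper's s/i/u/d operations

# Threat Level (1-5) to WAF protection mode. The paper only says the WAF is switched
# between modes; these particular mode names are an assumption of this example.
WAF_MODE = {1: "monitor", 2: "monitor", 3: "block-known-attacks",
            4: "block-and-challenge", 5: "lockdown"}

# Constructed baseline 'finger prints': each subject's historical share of s/i/u/d ops.
BASELINE = {
    "svc_billing": {"select": 0.7, "insert": 0.2, "update": 0.1, "delete": 0.0},
    "svc_report":  {"select": 1.0, "insert": 0.0, "update": 0.0, "delete": 0.0},
}

# Constructed sensor events (not real logs): timestamp, layer, then key=value fields.
EVENTS = """\
2008-05-12T10:05:00 db subject=svc_billing op=select object=card.pan rows=12
2008-05-12T10:05:03 db subject=svc_billing op=insert object=card.pan rows=1
2008-05-12T02:10:00 db subject=svc_report op=select object=card.pan rows=5000
2008-05-12T02:10:07 db subject=svc_report op=delete object=card.pan rows=5000
2008-05-12T02:10:09 db subject=svc_report op=update object=card.pan rows=5000
"""


def parse_events(text: str) -> list:
    """Turn the constructed event lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, layer, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["layer"] = layer
        ev["rows"] = int(ev.get("rows", 0))
        events.append(ev)
    return events


def fingerprint_deviation(observed: Counter, baseline: dict) -> float:
    """Total variation distance between observed and baseline s/i/u/d shares
    (0.0 = identical pattern, 1.0 = completely disjoint)."""
    total = sum(observed.values()) or 1
    return sum(abs(observed[op] / total - baseline.get(op, 0.0)) for op in OPS) / 2


def off_hours(ts: datetime) -> bool:
    """Time-of-day factor: activity between 22:00 and 06:00 counts as off-hours."""
    return ts.hour < 6 or ts.hour >= 22


def score_subjects(events: list, baseline: dict) -> dict:
    """Maintain one score-card per subject and turn it into a Threat Level 1-5."""
    cards = defaultdict(lambda: {"ops": Counter(), "rows": 0, "off_hours": False})
    for ev in events:
        card = cards[ev["subject"]]
        card["ops"][ev["op"]] += 1
        card["rows"] += ev["rows"]
        card["off_hours"] |= off_hours(ev["ts"])
    levels = {}
    for subject, card in cards.items():
        # An unknown subject has an empty baseline and therefore deviates by 0.5.
        deviation = fingerprint_deviation(card["ops"], baseline.get(subject, {}))
        level = 1 + int(deviation * 4)            # deviation alone spans levels 1-5
        if card["off_hours"]:
            level += 1                            # time-of-day adjustment
        if card["rows"] > 1000:
            level += 1                            # unusual volume of sensitive rows
        levels[subject] = min(level, 5)
    return levels


def escalate(events: list, baseline: dict, data_flow_peers: list) -> dict:
    """Derive the policy-domain Threat Level, propagate it along the data flow,
    pick the WAF mode and list subjects whose requests need extra analysis."""
    levels = score_subjects(events, baseline)
    domain_level = max(levels.values(), default=1)
    return {
        "subject_levels": levels,
        "domain_level": domain_level,
        "waf_mode": WAF_MODE[domain_level],
        "propagated_to": {peer: domain_level for peer in data_flow_peers},
        "needs_review": sorted(s for s, lvl in levels.items() if lvl >= 3),
    }


if __name__ == "__main__":
    print(escalate(parse_events(EVENTS), BASELINE, ["app-server-1", "db-server-1"]))
```

In the sample, svc_billing stays close to its fingerprint during office hours and is left at level 2 (monitor), while svc_report deviates from its select-only history, works at 02:10 and touches thousands of rows, which drives the domain to level 5 and the WAF into lockdown until an operator has looked at the score-card.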

Selecting a code review approach

Web development and code management

Web development with .NET, C#, Java, PHP, JavaScript and AJAX is covered in [8] and [9] and by OWASP [10]. Code review of managed code (.NET environment) from Microsoft is covered in "How To: Perform a Security Code Review for Managed Code (Baseline Activity)" at [11]. The code scanning tools mentioned below are intended for general application development using Java, C/C++ and other languages.

Security Development Lifecycles

Microsoft's Trustworthy Computing Security Development Lifecycle

Related to this is Microsoft's Trustworthy Computing Security Development Lifecycle (SDL) initiative. SDL describes requirements for different phases in development, with the main goal to reduce the number of vulnerabilities in software products. It has been proposed that Yyy should follow SDL rules by the end of 2008. For the Implementation Phase it's said in [23] that:

Apply coding and testing standards

Coding standards help developers avoid introducing flaws that can lead to security vulnerabilities. Testing standards and best practices help to ensure that testing focuses on detecting potential security vulnerabilities rather than concentrating only on correct operation of software functions and features. "Fuzzing" supplies structured but invalid inputs to software application programming interfaces (APIs) and network interfaces so as to maximize the likelihood of detecting errors that may lead to software vulnerabilities.

Apply static-analysis code scanning tools and code reviews

Tools can detect some kinds of coding flaws that result in vulnerabilities, including buffer overruns, integer overruns, and uninitialized variables. Microsoft has made a major investment in the development of such tools (the two that have been in longest use are known as PREfix and PREfast) and continually enhances those tools as new kinds of coding flaws and software vulnerabilities are discovered. Code reviews supplement automated tools and tests by applying the efforts of trained developers to examine source code and detect and remove potential security vulnerabilities. They are a crucial step in the process of removing security vulnerabilities from software during the development process.

Separate code reviews as a way to enhance security

Both PCI DSS and SDL mention separate code reviews as a way to enhance security. In addition, SDL mentions the use of static-analysis code scanning tools. Such tools often assist during code reviews, but may also be applied during normal development.


Static/dynamic analysis and other definitions

There are two principal types of program analysis. Static, or compile-time, analysis aims to investigate a program's runtime properties without actually executing it. Normally this is performed by source code inspection, but binaries may also be used. Dynamic, or runtime, analysis is performed by observing the program during execution. Testing, debugging and performance monitoring are examples of dynamic analysis.

Example of a very simple static analysis

An example of a very simple static analysis would be searching for specific words like strcpy using a file search utility like grep. The goal would be to identify where unsafe functions are used. A search for strcpy will however also list values like strcpy_s. If strcpy is part of a comment, this will also be presented as a valid occurrence. Such output is called a false positive, i.e. something reported as a vulnerability though it is not one. False positives are a big issue in static analysis since they give the user more data to evaluate than necessary. Each program construction reported as a vulnerability must be considered and reviewed. Suppose strcpy is renamed to something else, for instance with a macro like '#define mycopy strcpy'. In this case a word search for strcpy won't list any occurrence of mycopy, though strcpy really is used. This is called a false negative, i.e. a real vulnerability that hasn't been presented.

An ideal analysis tool

An ideal analysis tool would have no false negatives and no false positives; only true vulnerabilities would be presented. That is however not realistic. Instead the two rates are often related: a lower false positive rate means a higher false negative rate, and vice versa.

Free open source static-analysis tools

There are different free open source static-analysis tools, as described further below. These are only marginally better than the simple word search above. They search for specific unsafe calls like strcpy as listed in an internal database, and when found they present the position and a general comment about the problem. This handling gives a lot of false positives, but also a lot of false negatives since they only look for some calls. Such simple tools are of limited value.
More advanced tools

More advanced tools try to interpret the context of the word, based on the programming language used. This is called semantic analysis. The better this analysis is, the fewer false positives there will be. The free open source tools do perform some semantic analysis, meaning at least some false positives will be skipped. In addition to looking for certain language-specific words, advanced tools also look at the general program context. An intra-procedural analysis only looks at what happens within a specific function. This may be inaccurate, for instance when external entities like globals are used. An inter-procedural analysis tries to consider all parameters of the function, and the interaction of functions. This is much more complicated than intra-procedural analysis, considering different possible parameter values and paths for execution. Related to this is flow-sensitive and path-sensitive analysis, which try to consider the program flow and the different paths possible.

Inter-procedural analysis may in some cases not be possible

Even if supported by the tool, inter-procedural analysis may in some cases not be possible. If there are third-party libraries for which source code isn't available, or there are yet unimplemented functions, the tools can't inspect what happens inside these calls. This may result in false negatives.

Tools often try to simplify analysis, to get better performance

Tools often try to simplify analysis to get better performance. Inter-procedural and flow-sensitive analysis could consume considerable resources. A tool may for instance only consider min/max values when handling integer input. Such simplifications are also a source of false negatives. In general, a tool will never be totally accurate, but the better it performs different types of advanced analysis, the more vulnerabilities it will find.
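The grep example and the semantic-analysis improvement discussed above, as an added Python example (not a tool from the paper): a constructed C fragment contains a genuine strcpy call, the bounded strcpy_s variant, strcpy inside a comment and a macro alias for strcpy. A plain word search reports the comment, the alias definition and strcpy_s (false positives) and misses the call through the alias (false negative); a token-aware pass that strips comments, matches only call sites and follows object-like #define aliases reports exactly the two real calls. The unsafe-call list is a constructed stand-in for a tool's internal database, and function-like macros are deliberately out of scope.

```python
import re

# Constructed C sample, not from the paper; it reproduces the paper's cases:
# a genuine strcpy call, the strcpy_s variant, strcpy inside a comment, and a
# macro alias that hides strcpy.
SAMPLE_C = """\
#include <string.h>
#define mycopy strcpy            /* alias hides the unsafe call */

/* strcpy is unsafe, use strncpy or strcpy_s instead */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);            /* real unsafe call */
    strcpy_s(dst, 64, src);      /* bounded variant, safe */
    mycopy(dst, src);            /* alias for the unsafe call */
}
"""
TRUE_UNSAFE_LINES = {6, 8}                    # ground truth for the sample above

UNSAFE_CALLS = {"strcpy", "strcat", "sprintf", "gets"}   # the tool's 'internal database'


def grep_scan(source: str, word: str = "strcpy") -> set:
    """The paper's 'very simple static analysis': substring match per line."""
    return {n for n, line in enumerate(source.splitlines(), 1) if word in line}


def strip_comments(source: str) -> str:
    """Blank out /* */ and // comments while keeping line numbers stable."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def macro_aliases(source: str) -> dict:
    """Object-like '#define NAME TARGET' lines, with chains resolved (a -> b -> strcpy)."""
    aliases = dict(re.findall(r"^[ \t]*#define[ \t]+(\w+)[ \t]+(\w+)[ \t]*$", source, flags=re.M))

    def resolve(name, seen=()):
        target = aliases.get(name)
        return name if target is None or name in seen else resolve(target, seen + (name,))

    return {name: resolve(name) for name in aliases}


CALL = re.compile(r"\b([A-Za-z_]\w*)[ \t]*\(")      # identifier directly followed by '('


def semantic_scan(source: str) -> list:
    """Token-aware scan: ignores comments and non-call mentions, follows macro aliases.
    Returns (line, identifier as written, resolved callee) for each unsafe call."""
    code = strip_comments(source)
    aliases = macro_aliases(code)
    findings = []
    for n, line in enumerate(code.splitlines(), 1):
        for m in CALL.finditer(line):
            name = m.group(1)
            target = aliases.get(name, name)
            if target in UNSAFE_CALLS:
                findings.append((n, name, target))
    return findings


def classify(reported: set, truth: set) -> dict:
    """Split reported lines into true positives, false positives and false negatives."""
    return {"tp": reported & truth, "fp": reported - truth, "fn": truth - reported}


if __name__ == "__main__":
    print("grep:    ", classify(grep_scan(SAMPLE_C), TRUE_UNSAFE_LINES))
    print("semantic:", classify({n for n, _, _ in semantic_scan(SAMPLE_C)}, TRUE_UNSAFE_LINES))
```

The second scanner is still intra-procedural and purely lexical: it has no notion of buffer sizes, so a strcpy whose destination is provably large enough is reported anyway, and a wrapper function in another translation unit that calls strcpy internally is missed. That is exactly the gap the inter-procedural and flow-sensitive analyses above are meant to close.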

Using static-analysis tools during development

There is a wide range of static-analysis tools, from simple syntax checkers to advanced tools performing semantic, inter-procedural and flow-sensitive analysis. The advanced tools are also getting more advanced with each version, applying new types of analysis and vulnerability detection rules. Examples of what tools may look at are:

• resource leaks
• references to NULL pointers
• use of uninitialized data
• buffer/array overruns
• unsafe use of signed values
• use of resources that have been freed
• concurrency handling

Without doubt a tool capable of such analysis would be valuable during development. A tool may however be used in different configurations. The questions are when, where and by whom the tool should be applied. There are different options:

1) When the code is written by the developer

The first option would be to run the tool when the code is being written. In this case it's the developer that runs the tool, in the local IDE used. Later versions of commercial tools also support a mixed handling where there are local instances, but still some central repository for handling overall metrics, for instance to see if coding skill is evolving over time. There are both advantages and disadvantages with the local approach:

+ it's easier and faster to handle a bug if caught directly when the code is written; the developers know their own code best, and the code is in current focus
+ handling a bug locally means it's not propagated to the central repository, where it would affect other developers


+ running a tool and interpreting the output will educate the developers in secure coding. Tools have contextual help that explains a given vulnerability and how to handle it
− tools are often licensed per user; one tool instance per developer could mean a large total cost for the tool
− running a tool too early could mean an unnecessarily high number of false positives. Tools are less precise when the code is in an initial phase, and inter-procedural analysis doesn't really apply when many code pieces are missing (later versions of commercial tools however claim to be better in this aspect)
− each developer must be trained in using the tool. Interpreting tool output is for senior developers, with appropriate security knowledge. Marking a valid bug as a false positive could mean the weakness is lost
− each developer workstation needs a local installation of additional software

2) At build time, when scheduled builds are performed

A second option would be to use a tool integrated in a central build process. The scan is performed when the total application is built. This is an option often used with commercial tool offerings.

+ a central configuration means a group of senior developers may evaluate tool output before it's distributed to the responsible developer; the analysis could be transparent to developers
+ providing error reports to responsible developers means education in secure coding still applies
+ server installations minimize the number of software deployments necessary
+ reports are easily generated concerning overall secure coding metrics, and may be accessed by everyone
+ the tool is executed a bit later in the development process, not until the code has been checked into the build system. This will reduce false positives caused by premature code
− tool license cost may still be based on number of users, or it may be some general server license. The licensing cost could still be high
− bugs are not handled directly, but if the build is performed often the code is still current and not that hard to modify
− errors are propagated to the central repository, thereby affecting other developers until corrected
− if using a specific group of reviewers, they may become a constrained resource. They will however likely become tool experts after some time, speeding up the process

3) At certain code review checkpoints, by a security oriented code reviewer

A third option would be to use the tool as an assistant during code reviews, to be performed at certain project milestones like before product release.

+ tool license cost should be smaller, since only a few security-oriented users will have the tool. License could however also be based on code size and other aspects.
+ the tool is executed late in the development process, which will reduce false positives caused by premature code
+ senior security-oriented developers are evaluating output before it's distributed to the responsible developer; the analysis could be transparent to developers


+ distributing error reports to the developer in charge means education in secure coding will still apply. Errors have been filtered by the code reviewer, though
+ reports may be generated concerning overall secure coding metrics
− bugs are not handled directly, but rather late in the development process. Fixing an error will take longer and be more costly; the code may not even be current for the developer when the bug is presented
− errors are propagated to the central repository, thereby affecting other developers until corrected
− the security reviewer may not know the code, which could slow down the interpretation of the tool output
− the group of reviewers will likely become a constrained resource, possibly handling different projects. They will however become tool experts after some time, speeding up the process

All these three cases could apply for ABC development

All these three cases could apply for ABC development. The first case seems like an attractive way to go; the errors are handled directly by the developer and won't affect others, and the developers will become more skilled as time goes by. But based on the cost involved to pursue such a configuration, it's absolutely necessary to first verify how good the tool is in the ABC environment. A similar high cost would also be true for the second configuration.

A specific platform library, where system calls are hidden

ABC has a specific platform library, where system calls are hidden. There are different types of wrapper functions and classes used throughout the code. Vital parts like encryption and SSL are implemented in external libraries. All of this means inter-procedural analysis will be important for an ABC analysis tool. Until a tool is tested in the ABC environment, it's not possible to say how good it will be, and it shouldn't be used on a large scale.

Since there is much code already developed in ABC

Since there is much code already developed in ABC, and all this code is about to have a code review, the third option could be a good starter. This will give an indication of general code quality, and should minimize the initial cost for the tool. If the tool used is found to be very helpful, and the tool budget allows, the tool may later be propagated into the whole developer community, either as option one or two.
ABC is a highly security oriented organization

Another consideration is that ABC is a highly security-oriented organization. A higher degree of false positives could be accepted for an ABC scan, since this normally also means a higher percentage of errors identified. But this also means there will be more time spent with the tool output; each error reported must be evaluated. This is a big issue in a time-constrained environment, which is a reality for many developers. If using the first configuration, an option would be to restrict the vulnerability rule set for local development, and then have a more thorough rule set for a central build or security review.


Tool selection criteria

A static-analysis tool would certainly be valuable during development, no matter where it's applied in the development chain. But all tools will of course not be equally good. There are different things to consider when selecting a static-analysis tool, especially for a commercial tool. Some considerations will depend on how the tool is going to be used.

1) Multiple language support

The tool must support the programming languages used for development. This is a requirement no matter where the tool is applied. The main languages used for ABC development are C/C++ and Java; support for these is a basic tool requirement. But ABC also has some code built with for instance C#, PL/SQL and T-SQL. Support for these additional languages would be a further advantage, though not a requirement.

2) Capability in finding vulnerabilities

The principal task for the tool is to find code vulnerabilities. Strong capability in this area is another major requirement. This is a requirement no matter where the tool is applied. This ability is twofold: there should be a high rate of true errors identified compared to the total number of errors, but there should also be a low rate of false positives. These are often a bit contradictory; a lower false positive rate often means a higher rate of missed errors. Being a security-oriented organization, a higher degree of false positives could be accepted for an ABC scan if this means a lower false negative rate. The target for a security-oriented organization must be to have the smallest number of bugs possible, even if this means the time for analysis will be extended.

3) Integration into development environment

If the tool is to be used as part of normal development operations, it's important that the tool integrates smoothly into the development environment used, for instance Visual Studio. If it is necessary to run a separate tool, it will likely be used less often than if closely integrated, and additional time must be spent on handling two different output lists. If used in a central build environment, the tool must of course integrate into what's used there. Since ABC is a multi-platform product, there must be support for at least one UNIX version and Windows.
4) Management of true errors and false positives

Tools normally provide some explanation why an error has been reported. The more specific this explanation is, the easier and faster it will be to evaluate if the reported item really is an error, or if it's a false positive. Good explanations are also important for educational purposes. When an error has been fixed it shouldn't be listed anymore. It should also be easy to mark an error as a false positive when this has been decided, and this mark should be persistent (saved in between invocations). Otherwise it will be necessary to mark it as a false positive for each execution, and much time will be spent on the same errors.


Related to this is the possibility to have different types of reports generated, for instance providing trends in the number of errors reported. This may be useful for education and management.

5) Management of rule set

Tools are often based on some rule set, where different errors are grouped. There will always be false positives produced. It's important that it's possible to tweak the rule set, to adjust the amount of errors and/or false positives reported. A recommendation is to start with a small subset of rules in the beginning, to not get overwhelmed by tool output, and then step by step extend the rule set used. In the end a security-oriented organization like ABC must be using an extensive list of rules. Related to this is the complexity of adding internal rules, to extend the default rule set. This is for advanced users, but may be necessary in some situations, like when using external libraries or to catch certain error types. Writing an extension could mean writing a separate C/C++ library, or using some internal tool language format.

6) Price

Assuming the tool budget isn't unlimited, price may be an important parameter for a tool. If using one copy of the tool per developer, cost may easily be very high since the tools are often licensed per user. License cost may often be selected either as an annual fee, or a perpetual one with some maintenance cost.

Considered paths to go

Concerning tool selection, there are three paths to go from here:

• Use free tools only
• Select a commercial tool based on trials with all four possible vendors
• Select a single commercial tool, and either buy a single license or perform a trial

1) Use free tools only

Using a free tool for C/C++ like Flawfinder doesn't seem to be an option, especially since ABC has a platform library, which is the only place for unsafe calls such as those listed in Flawfinder. Free tools could possibly be used as education sources, for learning the unsafe functions if not known already. The GPL license type must also be considered.
Using Microsoft's PREfast should be added to the normal development process. All existing ABC C/C++ code should be scanned with PREfast, and before new code is checked in, it should have been scanned with PREfast (since compilation time will be longer when using PREfast, it probably shouldn't always be used). Code scanning with PREfast will however be restricted to the Windows environment; some UNIX-specific parts in ABC won't be handled. Looking at Java, the FindBugs tool should be a good choice. It has an LGPL license, and is even used in the Fortify commercial tool. All existing ABC Java code should be scanned with FindBugs, and before new Java code is checked in, it should have been scanned with FindBugs.

2) Select a commercial tool based on trials with all four possible vendors

Using a commercial tool is recommended. A commercial tool will be more advanced concerning inter-procedural analysis than PREfast, and is expected to find more vulnerabilities. The C/C++ code is likely where most bugs will be found in ABC, these being less secure programming languages than for instance Java. The choice of a commercial tool is however not that clear. Based on the public tests available, there don't seem to be any major differences concerning bug-finding capability. Different rankings are rather based on tool management. A general recommendation is to test the tool in your own environment, and most vendors support trials. An environmental test is maybe even more important for ABC, with its platform library and different types of wrapper functions/classes. Strong ability in inter-procedural analysis is important.

3) Select a single commercial tool, and either buy a single license or perform a trial

If it is decided that it's not worth spending too much time on tool evaluation, one commercial tool vendor could be chosen. A feeling is that all products will provide good assistance. A tool may certainly save time, since more bugs can be handled in an early phase. When evaluating the tool cost, a consideration must be how much time a tool will save, and the earnings from that. As stated in [20]:

"An industry rule of thumb is that a bug which costs $1 to fix on the […]'s desktop costs $100 to fix once it is incorporated into a build, and thousands of dollars if it is identified only after the software has been deployed in the field..."

The decision falls back to how many unknown bugs the tool will find, and how early these bugs are identified thanks to the tool.

Conclusion

The case study from company ABC recommended using both WAF and code reviews. ABC is planning an Enterprise Data Protection approach to protect data across the Information Life Cycle. The primary issues are PCI compliance, and a concern about the escalating threat against financial data from organized crime and insider threats. Time is a critical factor in selecting solutions to prevent breaches. WAF and data encryption will give ABC a quick and solid data security solution to start with. ABC is complementing this with a long-term approach including code reviews and scanning. ABC positioned different approaches to prevent data theft (and the attack paths to the data – different types of apps, databases) including WAF, data protection (encryption, hashing, tokenizing) and C++ code scans. Implementation of Secure Development may take time, and ABC are looking at PCI 6.6 as a part of their short-term yearly budget and will install appliances. The appliance is easier to implement and will cost less, based on research done by ABC. WAF is the most effective mechanism to immediately address security issues since the security rule set can be adjusted to stop new attack types without the time required to change the application code. WAF can protect custom applications, 3rd party applications, and legacy applications – even in cases where the organization does not control the source code (as for SAP, Oracle, PeopleSoft web applications and portals) and where the people who understand the application are no longer accessible. The solution for ABC is based on the conclusion that every layer of defence is critical. A holistic and layered approach can provide the best level of data security, and the sooner sensitive data gets encrypted, the more secure the environment. Early data encryption will protect sensitive data at rest and while it's moving between the applications and databases and between different applications and data stores. An effective code scanning tool would definitely be useful in ABC development. Being a security-oriented organization, it's very important to minimize the number of bugs. The use of code scanning tools is also mandated by Microsoft's SDL. No matter what tool is used, this should be accompanied with code reviews, appropriate testing including fuzz testing, code standards that are followed, and proper education. No matter what tool configuration is selected, manual code reviews, education, coding standards and proper testing must also be applied.

References and Suggested Reading

[1] Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified, Feb 2008, https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf
[2] The Future Of Application And Database Security, December 2007, http://securosis.com/
[3] Multi-layer system for privacy enforcement and monitoring of suspicious data access behavior, February 2006, United States Patent Application 20060259950
[4] OWASP 2007 item A8 – INSECURE CRYPTOGRAPHIC STORAGE, PROTECTION section and the VERIFYING SECURITY section, http://www.owasp.org
[5] NIST (http://csrc.nist.gov/CryptoToolkit/modes/), Special Publication 800-38A
[6] http://usa.visa.com/merchants/risk_management/cisp_merchants.html
[7] Data type preserving encryption, November 2000, United States Patent 7,418,098
[8] NIST – Application Vulnerability Scanners, https://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners
[9] OWASP Tools, http://www.owasp.org/index.php/Phoenix/Tools
[10] The code review project at OWASP, http://www.owasp.org/index.php/OWASP_Code_Review_Project
[11] How To: Perform a Security Code Review for Managed Code (Baseline Activity), http://msdn.microsoft.com/en-us/library/ms998364.aspx
[12] Web Application Security Consortium, http://www.webappsec.org/
[13] IT Security is a news and information publication, http://www.itsecurity.com/meetexperts/expertbiographyulfmattson100206/
[14] Protegrity's Defiance Threat Management System, http://www.protegrity.com
[15] Protecting the enterprise data flow, http://www.ulfmattsson.com
[16] The PCI Knowledge Base is a Research Community, http://www.knowpci.com/index.php?option=com_adsmanager&page=show_ad&adid=25&catid=1&Itemid=97
[17] Data Security for PCI and Beyond, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=974957
[18] Payment Card Data Know Your Defense Options, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1126002
[19] A Multi-Layered Approach to Prevent Data Leakage, Help Net Security (HNS), November 2007, http://www.net-security.org/article.php?id=1092
[20] Software that makes software better, Economist, Mar 2008, http://www.economist.com/research/articlesBySubject/PrinterFriendly.cfm?story_id=10789417
[21] Payment Card Industry (PCI) Data Security Standard v1.1, Sep 2006, https://www.pcisecuritystandards.org/
[22] Payment Card Industry (PCI) Data Security Standard v1.1 Security Audit Procedures, Sep 2006, https://www.pcisecuritystandards.org/
[23] Trustworthy Computing Security Development Lifecycle, Microsoft, Mar 2005, http://msdn2.microsoft.com/en-us/library/ms995349.aspx
[24] Code Scanners, False Sense of Security?, Network Computing Report, Apr 2007, http://www.networkcomputing.com/channels/security/199000936 and http://www.networkcomputing.com/channels/security/198900460; see also http://www.fortify.com/products/sca/
[25] Fortify SCA 5.0 Extends App Protection, Redmond Developer News, Nov 2007, http://reddevnews.com/news/devnews/article.aspx?editorialsid=855
[26] Fortify Software Extends Leadership in Detecting, Fortify press release, May 2007, http://www.fortify.com/newsevents/releases/2007/20070514.jsp
[27] Source Code Assessment Tools Kill Bugs Dead, Secure Enterprise, Dec 2005, http://www.klocwork.com/company/releases/12_05_05.asp and http://www.neohapsis.com/publications/articles.html
[28] Coverity and Klocwork code analyzers drill deeper, InfoWorld, Jan 2006, http://www.infoworld.com/article/06/01/26/73919_05FEcode_1.html
[29] DHS Funds Open Source Security Project, eWeek, Jan 2006, http://www.eweek.com/c/a/Security/DHS-Funds-Open-Source-Security-Project/
[30] Scan Project Rung 1 status, Coverity, Mar 2008, http://scan.coverity.com/rung1.html
[31] Closing Security Holes with Application Scanners, Enterprise Systems, Jul 2007, http://esj.com/news/article.aspx?EditorialsID=2714
[32] Klocwork Inc, The Wall Street Transcript, Nov 2007, http://www.nohau.se/page.asp?page=artall
[33] Imperva, http://www.imperva.com/