DOCSLIB.ORG

Unit Level “Secure by Design” Approach Authors: Vasantharaju MS & Joshua Cajetan Rebelo Vasantharaju [email protected] [email protected] Abstract

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Unit Level “Secure by Design” Approach Authors: Vasantharaju MS & Joshua Cajetan Rebelo Vasantharaju MS@Mcafee.Com Joshua.Rebelo@Siemens.Com Abstract Unit Level “Secure by Design” Approach Authors: Vasantharaju MS & Joshua Cajetan Rebelo [email protected] [email protected] Abstract With cyber-attacks on the rise and high-profile breaches becoming the new normal, being on top of the current trends in cyber threats is a key to improve your cyber security posture. Organizations span the spectrum when it comes to the maturity around creating secured products. Overall, organizations should have a well-defined security software development lifecycle (SDL) process which embeds security in each SDLC process instead of considering security as a feature. Any change to the application or environment, changes the attack surface. If you don't have a “secure by design” strategy at every stage - from product development to product deployment, addressing security can become very intimidating and challenging. Security findings found late in the release cycle or post release, can ask for architecture redesigning, which can be expensive. The current scenario is that Unit test design and coverage in most cases covers the functionality and not the security aspect of the product. Security mostly gets addressed later in the SDL cycle, and the product team will rely on the penetration test results. In this paper, we present a Unit level “secure by design” approach which will help in early security defect finding. This approach will help to address multiple layered security testing i.e. address security at Unit level. Many times, penetration test, and security test might not be able to penetrate deep into the product. This is where Unit level test will help to address security. Unit testing platform supports mocking and accessing private members which can be leveraged to ensure security at different abstraction layers of software. As more organizations are adopting Test Driven development (TDD), Unit level security testing will enforce security by design, thus, addressing security early in the SDL cycle. Biography Vasantharaju M.S. is a Senior Software Development Engineer at McAfee Software with over 9 years of experience in developing enterprise-class software. His past experiences include; designing and implementing back-office solution to address a Dodd-Frank clause, enhancing web crawler and vulnerability detection in SaaS based vulnerability scanner and executing multiple Proof-of-Concepts for enhancing SaaS based security management platform. He has a keen interest in application security and secure coding. Joshua Cajetan Rebelo is a Security Researcher at Siemens with 13 years of experience in the security domain. He ensures that the products are under continuous development to incorporate the highest Security Software Development Lifecycle (SDL) standards and adheres to the Product Security Maturity Model (PSMM). He has vast experience in conducting security code reviews, evaluating software architecture for potential risk. He has expertise in Application security, System security, Cloud security, and Industrial Control System security. He is a mentor on product security to many teams. He also brings innovation with new ideas and has three patents issued to his credit. Excerpt from PNSQC 2016 Proceedings PNSQC.ORG Copies may not be made or distributed for commercial use Page 1 Intended Audience The target audience for this paper includes program managers, project managers, developers, quality assurance engineers, and IT professional who are familiar with the software security literature. This paper is also meant for people who are passionate about security and want to integrate security into their standard software development lifecycle (SDL) processes to enhance the product security maturity model to stay secured. 1 Introduction In a typical SDLC approach, unit test is always written to ensure that the unit is functional. These functional unit tests take precedence over secure architecture design. These unit tests which include standard unit testing terminology will not be exhaustive enough to test all possible negative and attack scenarios. These gaps of unexplored code path are of interest to the cyber attackers. These gaps need to be considered, reviewed and addressed. This paper ensures that The unit is secure Security is embedded at different abstraction layers of software. Unit test penetrate deeper into the application and increase the code coverage. Product teams write secure software at early stage of product development. 2 What is Secure Software? Secure software exhibits the following characteristics: Takes care of implementation errors with exploitable effects Contains security features which cannot be bypassed Is self-protective Minimizes the consequence of successful attack (“fail well”) The multi-layered security can be achieved by adopting the STRIDE Threat-Model approach. Spoofing identity Tampering with data Repudiation Information disclosure Denial of service Elevation of privilege This paper will help in writing unit test using this STRIDE model to get maximum security coverage, thus helping developers adopt a “Secure by Design” Approach at unit level. Before we dive deep into the paper, let us understand what Test-driven development is and how we can use it in making the unit level security tests efficient in building multi-layered security. Excerpt from PNSQC 2016 Proceedings PNSQC.ORG Copies may not be made or distributed for commercial use Page 2 Test-driven development is a software development process that relies on the repetition of a very short development cycle: first the developer writes an (initially failing) automated test case that defines a desired improvement or new function, then produces the minimum amount of code to pass that test, and finally refractors the new code to acceptable standards. For the sake of this paper, the examples shown are for java development, but can be adopted in any other technology. 3 Test-driven development (TDD) life-cycle 1. Write the test 2. Run the test (there is no implementation code, test does not pass) 3. Write enough implementation code to make the test pass 4. Run all tests (tests pass) 5. Refractor 6. Repeat Let us consider the requirement from product management of an application with logon functionality integrated to a database through the data access object layer (DAO). Let us consider the following example of an insecure login application which didn’t follow secure coding or design practices or TDD approach. This example of login application is vulnerable to attacks like SQL injection, Sensitive Information disclosure, repudiation attacks, spoofing, tampering and privilege escalation etc . Figure 1: Insecure Login Application If the unit test design and coverage was focused only on covering the functionality of the module and not the security aspect, then the unit test would be as follows. Excerpt from PNSQC 2016 Proceedings PNSQC.ORG Copies may not be made or distributed for commercial use Page 3 Figure 2: Unit Test of insecure login Application As seen in figure 2, the unit tests don’t cover attacks like spoofing, tampering, repudiation, information disclosure, denial of service and privilege escalation as defined by the STRIDE model. In the next section we shall see how secure test-driven development approach addresses this problem. 4 Secure Test-Driven development The following would be the approach of secure test-driven development to build secure software with multi-layered security: 1) Start Design discussion 2) Create Data flow diagram for all functionalities and work flows 3) Identification of mocking module 4) Threat Identification using STRIDE Threat Model 5) Unit test designing to detects identified threats 6) Run the test (there is no implementation code, test does not pass) 7) Write enough implementation code to make the test pass 8) Run all tests (tests pass) Let us see how this Secure Test-Driven development can help transform the insecure login application seen in figure 1, into a secure application having multi-layered security in-built. Excerpt from PNSQC 2016 Proceedings PNSQC.ORG Copies may not be made or distributed for commercial use Page 4 4.1 Identification of Mocking Modules It is critical to identify the applicable mocking modules, since mocks are prerequisites for fast execution of tests and ability to concentrate on a single unit of functionality. By mocking dependencies external to the method that is being tested, developer can focus on the task at hand without spending time to set them up. Execution of tests without mocks tends to be slow. Good candidates for mocks are databases and scripting engines. Following are some of the mocking module which can be leverage in writing unit test. a) HSQLDB - to mock the database to test SQL injection attack and error / exception handling. b) MOCKITO - to mock interfaces so that a dummy functionality can be added to a mock interface that can be used in unit testing. 4.1.1 Hyper SQL Database (HSQLDB) Each database will have different dialects like hint or comment, add-on features like server-side executable and limitations. As seen below, we will be using hsqldb which will help to mock the DB for faster execution and to remove the external dependencies. Figure 3: Using HSQLDB to create database for sample login application for Unit testing Similarly other mocking modules like Mockito, PowerMock etc can be evaluated for applicability. Excerpt from PNSQC 2016 Proceedings PNSQC.ORG Copies may not be made or distributed for commercial use Page 5 4.2 Threat Identification using STRIDE Model For the logon functionality
Load more

Recommended publications
  • Servicenow Vulnerability Response
    ServiceNow Vulnerability Response Connect security and IT The vulnerability challenge Coordinate response across teams for smoother task Critical vulnerabilities often hide under the radar of security challenges today. When exploited, lack of effective vulnerability response carries major impact to handoffs between groups and business reputation and data security. A study conducted by ServiceNow and quicker resolution. Get the Ponemon Institute found that over a third of organizations who suffered a accountability across the breach already knew they were vulnerable. In many cases, there was an existing organization and know work is patch for the vulnerability which was not applied due to reliance on manual getting done with remediation processes, siloed information, and lack of visibility.1 targets. Additionally, breaches are becoming more severe. Methods to exploit Drive faster, more efficient vulnerabilities are growing more sophisticated, with cybercriminals increasingly leveraging machine learning and artificial intelligence to thwart traditional security response vulnerability response mechanisms. Having a solution which interlocks all components —security, risk, and IT— is crucial to organizations staying ahead of Reduce the amount of time these tactics and taking a holistic approach to vulnerability response. spent on basic tasks with orchestration tools. Automatically prioritize and The ServiceNow solution respond to vulnerabilities with workflows and automation. ServiceNow® Vulnerability Response helps organizations respond faster and more efficiently to vulnerabilities, connect security and IT teams, and provide real-time Know your security posture visibility. It connects the workflow and automation capabilities of the Now Platform® with vulnerability scan data from leading vendors to give your teams a View your current vulnerability single platform for response that can be shared between security and IT.
    [Show full text]
  • Designing Vulnerability Testing Tools for Web Services: Approach, Components, and Tools
    Int. J. Inf. Secur. DOI 10.1007/s10207-016-0334-0 REGULAR CONTRIBUTION Designing vulnerability testing tools for web services: approach, components, and tools Nuno Antunes1 · Marco Vieira1 © Springer-Verlag Berlin Heidelberg 2016 Abstract This paper proposes a generic approach for infrastructure, which typically includes an application server, designing vulnerability testing tools for web services, which the operating system, and a set of external systems (e.g. other includes the definition of the testing procedure and the tool services, databases, and payment gateways). Web services components. Based on the proposed approach, we present are one of the cornerstones of service-oriented architecture the design of three innovative testing tools that implement (SOA), making them the lingua franca for systems integra- three complementary techniques (improved penetration test- tion. ing, attack signatures and interface monitoring, and runtime The security of web applications is, in general, quite anomaly detection) for detecting injection vulnerabilities, poor [2,3]. Web services are no exception, and research thus offering an extensive support for different scenarios. A and practice show that web services are often deployed case study has been designed to demonstrate the tools for the with software bugs (i.e. vulnerabilities) that can be mali- particular case of SQL Injection vulnerabilities. The experi- ciously exploited [4]. Injection vulnerabilities, consisting of mental evaluation demonstrates that the tools can effectively improper code that allows the attacker to inject and execute be used in different scenarios and that they outperform commands, enabling, for instance, access to critical data, are well-known commercial tools by achieving higher detection particularly frequent [2].
    [Show full text]
  • Secure App and Data Delivery
    White Paper Secure app and data delivery - across devices, networks, and locations How Citrix Virtual Apps dramatically simplifies data protection, access control, and other critical security tasks Citrix | Secure app and data delivery 2 Most discussions of application and Growing IT security challenges desktop virtualization focus on cost Corporate IT groups are continuously challenged to support critical new business initiatives and improve reduction, simplifying IT operations, and end user computing experiences, while facing limited increasing convenience for employees. budgets and mounting pressures to improve information These factors are extremely important, security. Many of these challenges involve making computing resources easier to utilize, regardless of but IT professionals should not overlook physical and geographical boundaries. Employees are the immense impact of workspace demanding the following: virtualization on information security. • Work anywhere, with a consistent experience, from In fact, application and desktop PCs, laptops, tablets and smartphone virtualization have profound advantages • Freedom from rigid IT security controls that restrict for key security functions such as performance and inhibit productivit data protection, access control, user • Access to corporate data and self-provision provisioning and compliance. They can applications on-demand also give administrators extremely Rethink Security granular control over how employees, Clearly these trends are not sustainable with current contractors and business partners use approaches to security and remote access. How can IT and share application data. groups provide easier access to resources, in the face of more sophisticated threats, with multiplying endpoints to defend? And the challenges are not just related to the quantity of end points, but to the increasing diversity.
    [Show full text]
  • Tenable and Ahnlab Leveraging Network Intelligence to Stop Malware Cold
    Tenable and AhnLab Leveraging Network Intelligence to Stop Malware Cold Key Challenges The breaching of organizations large and small occurs all too frequently, damaging the confidentiality, availability and integrity of the critical data assets that organizations rely on. Also at risk is hard-earned reputation. Most organizations focus on the perimeter of their networks, and neglect the intranet – ignoring threats that circumvent the based defenses and inject themselves directly into the core of the infrastructure. Additionally, most organizations are unprepared to deal with advanced malware threats that go undetected by traditional anti-malware technologies. Finally, the complex nature of today’s software results in vulnerabilities that appear at an alarming rate, increasing the threat surface that attackers can leverage. A solution is required that: • Addresses the network universally rather than just at the edge • Can deal with advanced malware threats using non-traditional analysis methods • Can detect and help to manage vulnerabilities that exist within the entire infrastructure on Solution Components all device types Tenable Network Security has teamed up with AhnLab to deliver just such a solution. • Tenable SecurityCenter Continuous View • Tenable Nessus Vulnerability Scanner Solution Overview The solution combines Tenable’s SecurityCenter Continuous View (SCCV) solution with AhnLab • Tenable Passive Vulnerability Scanner Malware Defense System (MDS) to provide a system that actively blocks malware bearing • Tenable Log Correlation Engine content, malicious traffic, and outbound C&C traffic. This is done within the AhnLab MDS at the network edge, using a hybrid behavior and signature based approach. • AhnLab Malware Defense System Within the intranet, Tenable’s Passive Vulnerability Scanner (PVS) monitors network segments to Key Benefits detect vulnerabilities, C&C traffic, policy violations, and signs of malicious activities.
    [Show full text]
  • IBM Qradar Vulnerability Manager Version 7.3.2
    IBM QRadar Vulnerability Manager Version 7.3.2 User Guide IBM Note Before you use this information and the product that it supports, read the information in “Notices” on page 127. Product information This document applies to IBM® QRadar® Security Intelligence Platform V7.3.2 and subsequent releases unless superseded by an updated version of this document. © Copyright International Business Machines Corporation 2012, 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Introduction........................................................................................................ vii Chapter 1. What's new for users in QRadar Vulnerability Manager V7.3.2................1 Chapter 2. Installations and deployments.............................................................. 3 Vulnerability processor and scanner appliance activation keys.................................................................4 Vulnerability backup and recovery.............................................................................................................. 4 Ports used for communication between QRadar and QRadar Vulnerability Manager managed hosts.....5 Options for moving the vulnerability processor in your QRadar Vulnerability Manager deployment....... 5 Deploying a dedicated QRadar Vulnerability Manager processor appliance........................................6 Moving your vulnerability processor to a managed host or console.....................................................7
    [Show full text]
  • Cybersecurity in a Digital Era.Pdf
    Digital McKinsey and Global Risk Practice Cybersecurity in a Digital Era June 2020 Introduction Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ- ment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT functions have had to think through how to protect increasingly valuable digital assets, how to assess threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models as companies adopt agile development and cloud computing. We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular: 1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza- tion, but also from application development, infrastructure, product development, customer care, finance, human resources, procurement and risk. A successful cybersecurity strategy supports the business, highlights the actions required from across the enterprise – and perhaps most importantly captures the imagination of the executive in how it can manage risk and also enable business innovation. 2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities to address and more protections you can consider than you will have capacity to implement. Even companies with large and increasing cybersecurity budgets face constraints in how much change the organization can absorb.
    [Show full text]
  • The Six Dumbest Ideas in Computer Security Marcus J Ranum
    The Six Dumbest Ideas in Computer Security Marcus J Ranum http://www.ranum.com/security/computer_security/editorials/dumb/ There's lots of innovation going on in security - we're inundated with a steady stream of new stuff and it all sounds like it works just great. Every couple of months I'm invited to a new computer security conference, or I'm asked to write a foreword for a new computer security book. And, thanks to the fact that it's a topic of public concern and a "safe issue" for politicians, we can expect a flood of computer security-related legislation from lawmakers. So: computer security is definitely still a "hot topic." But why are we spending all this time and money and still having problems? Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying "trying to ignore reality." Frequently those misguided attempts are sincere efforts by well- meaning people or companies who just don't fully understand the situation, but other times it's just a bunch of savvy entrepreneurs with a well-marketed piece of junk they're selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.
    [Show full text]
  • A Comparative Evaluation of Automated Vulnerability Scans Versus Manual
    CYBER 2018 : The Third International Conference on Cyber-Technologies and Cyber-Systems A Comparative Evaluation of Automated Vulnerability Scans versus Manual Penetration Tests on False-negative Errors Saed Alavi, Niklas Bessler, Michael Massoth Department of Computer Science Hochschule Darmstadt (h da) — University of Applied Sciences Darmstadt, and Center for Research in Security and Privacy (CRISP), Darmstadt, Germany E-mail: fsaed.alavi,[email protected], [email protected] Abstract—Security analysis can be done through different types knowledge. Then, we use two popular vulnerability scanners to of methods, which include manual penetration testing and au- generate automated vulnerability reports. We make use of the tomated vulnerability scans. These two different approaches proprietary software Nessus and the free software framework are often confused and believed to result in the same value. OpenVAS. In a final step, we validate both manually and To evaluate this, we have build a lab with several prepared automatically generated reports and determine error rates, vulnerabilities to simulate a typical small and medium-sized where we finally consider the knowledge, of building a self- enterprise. Then, we performed a real penetration test on the lab, and a vulnerability scan as well, and then compared the results. made lab environment, which has been totally absent up to Our conclusion shows, that the results obtained through both this point. types of security analysis are highly distinct. They differ in time This paper is organized as follows: Section II gives an expenditure and false-positive rate. Most importantly, we have overview of the relevant terminology. Section III summarize seen a remarkable higher false-negative rate in the vulnerability the research achievement of previous scientific publications on scan, which suggests that automated methods cannot replace this topic.
    [Show full text]
  • Secure by Design, Secure by Default: Requirements and Guidance
    Biometrics and Surveillance Camera Commissioner Secure by Design, Secure by Default Video Surveillance Products Introduction This guidance is for any organisation manufacturing Video Surveillance Systems (VSS), or manufacturing or assembling components intended to be utilised as part of a VSS. It is intended to layout the Biometrics and Surveillance Camera Commissioners (BSCC) minimum requirements to ensure such systems are designed and manufactured in a manner that assures they are Secure by Design. It also contains certain component requirements that will ensure a configuration that is Secure by Default when the component is shipped, thereby making it more likely that the system will be installed and left in a secure state. This guidance forms part of a wider suite of documentation being developed as part of the SCC Strategy, in support of the SCC Code of Practice. Background and Context The nature of the Internet means that connected devices can be subjected to a cyber attack from anywhere in the world. Widespread attacks on connected products is a current and real threat, and a number of highly publicised attacks have already occurred. The Mirai malware targeted devices such as internet-enabled cameras (IP cameras). Mirai was successful because it exploited the use of common default credentials (such as a username and password being set by the manufacturer as ‘admin’) and poor security configuration of devices. Ultimately, this facilitated attacks on a range of commercial and social media services and included an outage of streaming services such as Netflix. An evolution of Mirai, called Reaper, has also been discovered. Reaper used publicly and easily available exploits that remained unfixed (patched) and highlighted the problem around non patching of known security vulnerabilities, allowing attackers to utilise them to cause harm.
    [Show full text]
  • From Insider Threats to Business Processes That Are Secure-By-Design∗ Dieter Gollmann† Hamburg University of Technology Hamburg, Germany [email protected]
    From Insider Threats to Business Processes that are Secure-by-Design∗ Dieter Gollmanny Hamburg University of Technology Hamburg, Germany [email protected] Abstract We argue that insider threat is a placeholder term that accompanies the transition from securing IT infrastructures to securing the socio-technical systems made possible by these IT infrastructures. The term insider in its literal interpretation loses meaning in a context where there are no stable perime- ters one can refer to. Business practices such as outsourcing, employing temporary contractors, and the very use of IT, have removed security perimeters in the search for short-term efficiency gains, which may result in mid-term losses due to increased vulnerabilities. We conclude that securing socio-technical systems calls for the design of organisational (business) processes that remain viable once inside information about their implementation becomes available to potential attackers rather than for the deployment of secure IT infrastructures. Keywords: Insider threats, business process, IT security 1 Introduction Security is a fashion industry. Ever so often a new buzzword gets adopted that dresses up issues that had been around for a long time. Insider threats are an example in case. This term has entered discourses about security in recent years, reaching also into the research community, see e. g. [1, 2, 3]. However, the observation that threats to an organization can emanate from insiders is old news in IT security. Back in the early 1990s depending on whom you asked, 70%, 80%, or 90% of security incidents in commercial entities were due to insiders, where counts may have referred to the number of incidents or to the size of the damage.
    [Show full text]
  • Secure by Design White Paper
    WHITE PAPER Secure by Design: UniPrint Infinity’s Multi-Layer Approach to Cloud Printing Security © Process Fusion The moving of IT infrastructure up to the cloud usually results in companies being obliged to give up monitoring of their IT, with this being delegated to third-party vendors. Naturally, the thought of losing security controls over sensitive corporate data leads to decision-makers raising concerns surrounding the security of their files in the cloud! UniPrint Infinity’s innovative product empowers users with end-to-end cloud printing security. With its multi- layer approach, UniPrint Infinity secures your cloud printing architecture from all angles. This whitepaper will discuss the four key security features offered by UniPrint’s cloud printing solution. One Virtual Print Queue In today’s IT-driven enterprise world, user-friendliness, cost-savings, and enhanced security protection are paramount to the success of any organization! Enterprises must ensure that all their IT systems and related workflows incorporate all three of these features. Printing, over the course of time, has developed a reputation of being a source of pain for both enterprise employees and administrators. With complicated user interfaces, poor user experience, issues with driver misconfigurations, printer mapping errors, print data security concerns, and network maintenance costs, enterprise printing has been a nightmare for everyone involved. The advent of cloud printing has helped to solve some of these issues, with organizations moving their infrastructure to the cloud, effectively lowering costs and eliminating printer mapping and related misconfiguration issues. UniPrint Infinity’s Virtual Print Queue (VPQ) adds a whole new level of security to cloud printing! The implementation of UniPrint’s VPQ to your cloud printing environment means users printing from cloud environments such as Microsoft Azure send their print jobs to a single virtual print queue when they print from their workstations or mobile devices.
    [Show full text]
  • Mac OS X and Ios Zero- Day Exploit
    Mac OS X and iOS Zero- Day Exploit Security Advisory AE-Advisory 16-08 Criticality High Advisory Released On 28 March 2016 Impact Allows someone to escalate privileges and also to bypass system integrity Solution See the solution section below for mitigation processes. Affected Platforms Mac OS X 10.11.3 and older, iOS 9.2 and older Summary aeCERT has researched and found out about a new threat on Apple Mac OS X and iOS; with the release of OS X El Capitan, Apple introduced a security protection feature to the OS X kernel called System Integrity Protection (SIP). The feature is designed to prevent potentially malicious or bad software from modifying protected files and folders on your Mac. The purpose of SIP is to restrict the root account of OS X devices and limit the actions a root user can perform on protected parts of the system in an effort to reduce the chance of malicious code hijacking a device or performing privilege escalation. However, it has been uncovered a critical vulnerability in both OS X and iOS that allows for local privilege escalation as well as bypasses SIP without karnel exploit impacting all versions to date. Threat Details The zero day vulnerability is a Non-Memory Corruption bug that allows hackers to execute arbitrary code on any targeted machine, perform remote code execution (RCE) or sandbox escapes. The attacker then escalates the malware's privileges to bypass System Integrity Protection SIP, alter system files, and then stay on the infected system. By default, System Integrity Protection or SIP protects these folders: /System.
    [Show full text]