
Tips and Tricks Guide™ to Software Security Assurance

Kevin Beaver

Introduction to Realtimepublishers

by Sean Daily, Series Editor

The book you are about to enjoy represents an entirely new modality of publishing and a major first in the industry. The founding concept behind Realtimepublishers.com is the idea of providing readers with high-quality books about today’s most critical technology topics—at no cost to the reader. Although this feat may sound difficult to achieve, it is made possible through the vision and generosity of a corporate sponsor who agrees to bear the book’s production expenses and host the book on its Web site for the benefit of its Web site visitors. It should be pointed out that the free nature of these publications does not in any way diminish their quality. Without reservation, I can tell you that the book that you’re now reading is the equivalent of any similar printed book you might find at your local bookstore—with the notable exception that it won’t cost you $30 to $80.

The Realtimepublishers publishing model also provides other significant benefits. For example, the electronic nature of this book makes activities such as chapter updates and additions or the release of a new edition possible in a far shorter timeframe than is the case with conventional printed books. Because we publish our titles in “real-time”—that is, as chapters are written or revised by the author—you benefit from receiving the information immediately rather than having to wait months or years to receive a complete product.

Finally, I’d like to note that our books are by no means paid advertisements for the sponsor. Realtimepublishers is an independent publishing company and maintains, by written agreement with the sponsor, 100 percent editorial control over the content of our titles.
It is my opinion that this system of content delivery not only is of immeasurable value to readers but also will hold a significant place in the future of publishing. As the founder of Realtimepublishers, my raison d’être is to create “dream team” projects—that is, to locate and work only with the industry’s leading authors and sponsors, and publish books that help readers do their everyday jobs. To that end, I encourage and welcome your feedback on this or any other book in the Realtimepublishers.com series. If you would like to submit a comment, question, or suggestion, please send an email to [email protected], leave feedback on our Web site at http://www.realtimepublishers.com, or call us at 800-509-0532 ext. 110. Thanks for reading, and enjoy!

Sean Daily
Founder & Series Editor
Realtimepublishers.com, Inc.

Table of Contents

Note to Reader: This book presents tips and tricks for four software security topics. For ease of use, the questions and their solutions are divided into topics, and each question is numbered based on the topic, including
• Topic 1: Managing for Software Security
• Topic 2: Developing for Software Security
• Topic 3: Auditing for Software Security
• Topic 4: Testing for Software Security

Introduction to Realtimepublishers ... i

Topic 1: Managing for Software Security ... 1
Q 1.1: What software security-related problems exist in business today and what are the underlying causes? ... 1
    The Root Cause ... 1
    Contributing Factors ... 2
Q 1.2: What software is affected by poor quality and security vulnerabilities? ... 4
Q 1.3: As a software development manager, why should I be worried about reducing the number of vulnerabilities in the software my teams produce? ... 5
Q 1.4: What are some tangible benefits of enhancing the security of our software? ... 6
Q 1.5: What can I do to feel confident answering the common question “How do I know your software is secure?” ... 7
Q 1.6: Is there a solid security strategy I can implement to help ensure my teams build solid applications? ... 8
    Integration with the Software Development Life Cycle ... 8
    Establish Goals ... 9
    Proven Strategies ... 9
Q 1.7: With so many security technologies at our disposal, how is it possible that software is still being compromised and applications are still being attacked? ... 10
Q 1.8: At what point in the development process should we focus our efforts in order to minimize software security vulnerabilities? ... 12
Q 1.9: Which software components and functions are plagued by the most security vulnerabilities and why? ... 13
Q 1.10: As a business executive, why should I be worried about security problems with my company’s software? ... 14
Q 1.11: Are there specific areas I should be concerned with regarding the identification and removal of software security vulnerabilities that arise related to offshoring? ... 16
Q 1.12: Are there specific software security areas I should be concerned with or that might require a specific approach related to mergers and acquisitions? ... 17

Topic 2: Developing for Software Security ... 18
Q 2.1: Why should software developers be bothered with tacking on security as yet another task to have to worry about? ... 18
Q 2.2: What key areas should our development team focus on to ensure the most solid and secure applications long term? ... 19
Q 2.3: What are some commonly overlooked software security vulnerabilities? ... 20
    Revealing Comments ... 20
    Buffer Overflows ... 20
    Mishandling Passwords and Logins ... 20
    Assumption that Encrypting Data in Transit Means Everything Is Secure ... 21
    Not Considering the Network or Operating System Layers ... 21
Q 2.4: How can software security vulnerabilities be categorized so they’re easier to understand? ... 22
    Denial of Service ... 22
    Authentication Weaknesses ... 22
    Input Attacks ... 23
    Directory Traversals ... 23
    Improper Storage of Files and Data ... 23
Q 2.5: Are there any common software development practices that stand out as serious risks? ... 24
Q 2.6: Are there other technologies or layered security measures we can integrate into our software to help prevent various attacks? ... 24
Q 2.7: What role does a layered security defense play in software development? ... 25
Q 2.8: There is a general consensus in my development lab that as long as firewalls and Secure Sockets Layer (SSL) are used, the application is secure—is this true? ... 27
Q 2.9: Do I have anything to worry about as long as I develop software with the Open Web Application Security Project (OWASP) Top 10 vulnerabilities in mind? ... 27
Q 2.10: What development practices can we integrate into our daily development routines to reduce the number of security vulnerabilities? ... 29
Q 2.11: What development tools can we integrate into our daily development routines