Build Secure Applications with Software Analysis


White Paper

Despite the fact that application security has become an increasingly major concern in recent years, many application development teams treat security as an afterthought: either security features are glued on to a nearly complete program, or developers assume that the infrastructure and operations team will keep intruders out. This approach to application security can be disastrous, leaving many vulnerabilities undetected and allowing applications to be attacked. So what can be done to make application security a more integral part of the development process? The answer is Software Analysis and Measurement (SAM). Simply put, SAM solutions analyze the source code of application software to identify vulnerable code patterns. This paper reviews a number of important objectives to consider when managing application security, and discusses how SAM solutions can help you understand and prioritize security risks.

Contents
I. Challenges of Building Secure Software
II. Software Analysis and Measurement: Enable Secure Programming in Software Development
  A. Key Components of Software Security Analysis
  B. Effectiveness of Software Security Analysis
III. Conclusion: A False Sense of Security
IV. References

I. Challenges of Building Secure Software

PACE OF DEMAND: To stay competitive, business requirements are constantly changing, so new software is always needed yesterday. In the agile development environments designed to meet this demand, security is the last thing on developers' minds, and the business is often content if it gets a functional application. For the majority of organizations and application development teams, security is an afterthought: either security features are glued on to a nearly complete program, or developers assume that the infrastructure and operations team will keep intruders out. Perimeter monitoring is insufficient, as hackers and crackers have started to focus their attention on an organization's most critical asset: its data. Since 2005, when the U.S. Privacy Rights Clearinghouse started collecting and publishing the Chronology of Data Breaches, the number of data breaches has increased every year, with 543 million records reported to be disclosed or breached.

In a report to the President of the United States entitled "Cyber Security: A Crisis of Prioritization", the President's Information Technology Advisory Committee summed up the problem of non-secure software as follows: "Vulnerabilities in software that are introduced by mistake or poor practices are a serious problem today. Software development is not yet a science or a rigorous discipline, and the development process by and large is not controlled to minimize the vulnerabilities that attackers exploit. Today, as with cancer, vulnerable software can be invaded and modified to cause damage to previously healthy software, and infected software can replicate itself and be carried across networks to cause damage in other systems."

LACK OF TRAINING: A fundamental issue is that most developers are handicapped by a lack of proper training and relative inexperience in identifying vulnerabilities. How many web developers know what cross-site scripting (XSS) or SQL injection is? It is not their fault; programmers seldom have any security training or experience. Although providing training is a good start, it won't be enough. Organizations need to leverage Software Analysis and Measurement (SAM) solutions to identify vulnerabilities and provide feedback to developers during development. Simply performing security audits and building firewalls is no longer enough: security must be built into the application.

Highlight: Application security cannot be an afterthought; it must be built in.

II. Software Analysis and Measurement: Enable Secure Programming in Software Development

Mature organizations are leveraging SAM during the development stage to understand and prioritize the security risks inherent in their software applications. Typical SAM solutions process code in a manner similar to a compiler: they parse the source code files and convert them into an intermediate model that is optimized for security analysis. This model is then put through a series of analyzers (Data Flow, Semantic, Control Flow, Configuration, Architecture, and Structural) that check the code base for violations of secure coding practices. The results can be viewed in a number of ways, including an out-of-the-box dashboard, the developer's IDE, defect tracking tools, or raw data that can be integrated into any Application Lifecycle Management solution.

Table 1: Checklist for evaluating a SAM solution for security analysis

However, the SAM solution space is relatively new, and since there are several solutions on the market addressing this challenge, it is important to understand the key evaluation criteria in terms of what your organization is trying to achieve. In this paper we outline the most important objectives for building secure applications, as recommended by industry experts and practitioners, and for making security integral to the SDLC. The paper also provides a framework for evaluating SAM solutions in the context of assessing security risks in your application software.

A. Key Components of Software Security Analysis

Although evaluating a SAM solution for use in the SDLC must be put in the context of individual organizational needs, Table 1 provides a framework for mapping your current needs to the type of solution.

Highlight: Design flaws account for 50% of all security problems, so a holistic view of the application is necessary to identify architectural vulnerabilities.

A comprehensive SAM solution should include at least a majority of the analysis criteria in Table 1. Section II.B discusses how these different capabilities play an important role in assessing security risks and in rolling out an effective program for the entire software development organization.

B. Effectiveness of Software Security Analysis

As mentioned, there are a number of SAM solutions on the market that address the issue of security in software development, and their capabilities vary from basic input validation checks to advanced Threat Modeling. While each organization has different needs, there are a few important criteria you need to know when managing application security, and ways in which a SAM solution can help you understand and prioritize security risks.

1. Understand the Architecture: Since design flaws account for 50% of all security problems [1], a holistic view of the application is necessary to identify architectural vulnerabilities. A solution that cannot analyze the entire technology stack cannot perform architecture-level checks, which are required to significantly reduce false positives, a common complaint among developers adopting SAM solutions. Architecture checks are frequently not done as part of software security analysis because:
- Application stacks contain different languages in different layers.
- Creating custom rules is difficult, and as a result most analysis is only partially complete. Custom rules are critical, as there are as many architectural designs as there are applications.

Figure 1: Interactive Architecture Checker for compliance

2. Use Advanced Data Flow Technology: Data flow analysis is one of the basic components of any complete software security analysis solution; however, many implementations are very limited in their capabilities. To evaluate against industry best practices, the data flow technology must be able to trace the flow of application data across the different tiers of the application and across different technology stacks, right down to the database. It is not enough for a SAM solution to understand each of the components individually. Most importantly, it must also understand the relationships between all of these components. A robust data flow analysis should:
- Take polymorphism into account, to differentiate between two methods with the same name or between two objects inheriting from the same class, and so avoid false positives
- Adapt to frameworks, as tracking data flow through framework components and configuration files can be difficult
- Recognize sanitization methods, to avoid false positives
- Provide a configurable engine that adapts to specific implementation needs
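To make the pipeline described in Section II (parse the source into a model, then run analyzers over it) and the data-flow criteria above concrete, here is a toy taint-tracking analyzer added as an example; it is not CAST's engine or any code from the paper. It parses Python source into an AST (the "intermediate model"), follows attacker-controlled data from a source through assignments and string concatenation to a dangerous sink, reports the flow path the way a SAM tool would, and treats a recognised sanitizer as cutting the flow so that the clean case is not reported as a false positive. The source, sink and sanitizer names and the sample input are constructed assumptions; the analyzer is intra-procedural and handles straight-line code only, so it does not cover the polymorphism and framework cases the list asks for.

```python
import ast
from dataclasses import dataclass

# Constructed analyzer configuration (an assumption for this example): calls
# that introduce attacker-controlled data, calls that consume it dangerously,
# and calls that neutralise it. A production engine ships thousands of these.
SOURCES = {"request.args.get", "input"}
SINKS = {
    "cursor.execute": "SQL injection (CWE-89)",
    "os.system": "OS command injection (CWE-78)",
}
SANITIZERS = {"int", "quote_identifier"}


def dotted_name(node):
    """Return 'a.b.c' for an attribute/name chain such as request.args.get."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


@dataclass
class Finding:
    line: int      # line of the sink call
    sink: str
    issue: str
    path: list     # source -> variables -> sink: the data flow the tool reports


class TaintAnalyzer(ast.NodeVisitor):
    """Intra-procedural, flow-sensitive taint tracking over straight-line code."""

    def __init__(self):
        self.tainted = {}    # variable name -> flow path that made it tainted
        self.findings = []

    def taint_of(self, expr):
        """Return the flow path if expr carries tainted data, else None."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in SOURCES:
                return [name]
            if name in SANITIZERS:
                return None          # sanitizer output is clean: no false positive
            for arg in expr.args:    # taint passes through other calls unchanged
                path = self.taint_of(arg)
                if path:
                    return path + [name or "<call>"]
            return None
        if isinstance(expr, ast.JoinedStr):      # f-string interpolation
            for value in expr.values:
                if isinstance(value, ast.FormattedValue):
                    path = self.taint_of(value.value)
                    if path:
                        return path
            return None
        if isinstance(expr, ast.BinOp):          # concatenation or % formatting
            return self.taint_of(expr.left) or self.taint_of(expr.right)
        return None

    def visit_Assign(self, node):
        path = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if path:
                    self.tainted[target.id] = path + [target.id]
                else:
                    self.tainted.pop(target.id, None)   # clean reassignment kills taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS:
            for arg in node.args:
                path = self.taint_of(arg)
                if path:
                    self.findings.append(
                        Finding(node.lineno, name, SINKS[name], path + [name]))
        self.generic_visit(node)


def analyze(source):
    """Run the analyzer over Python source text and return the findings."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample input: one injectable query, then one that goes through a
# sanitizer and a parameterised query, which the engine must not flag.
SAMPLE = """\
user = request.args.get("user")
query = "SELECT * FROM accounts WHERE name = '" + user + "'"
cursor.execute(query)
page = int(request.args.get("page"))
cursor.execute("SELECT * FROM accounts LIMIT %s", (page,))
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.issue} via {' -> '.join(f.path)}")
```

Running it reports only line 3 of the sample, with the path request.args.get -> user -> query -> cursor.execute; the sanitized query on line 5 produces nothing. The path is what developers need in order to fix the flaw at the right place, and the sanitizer rule is what keeps the violation list from filling with noise.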

Figure 2: Example of the CAST AIP fully configurable Data Flow Engine

3. Prioritize Based on Risk: Many SAM solutions produce lists of violations that number in the hundreds, if not thousands. This can obviously be counterproductive, so it is important to also receive guidance that can be used to prioritize these security risks based on factors such as the importance of the rule, the impact across a transaction chain, and the propagation risk across the rest of the system.

Figure 3: Different types of risk indices to prioritize remediation efforts
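The three prioritization factors named above can be combined into a single risk index once the analyzer knows the application's call graph. The following example is added here to show one way of doing that; it is not CAST's risk index, and the call graph, rule weights, findings and scoring formula are all constructed assumptions. "Transactions" counts the entry points whose call chain reaches the violation, and "dependents" counts the functions that transitively call it, which is how far a defect there propagates.

```python
from collections import deque
from dataclasses import dataclass

# Constructed call graph (an assumption for this example): caller -> callees.
# The web.* functions are the entry points of the application's transactions.
CALL_GRAPH = {
    "web.login":    ["auth.check", "log.write"],
    "web.search":   ["search.run"],
    "web.export":   ["search.run", "report.build"],
    "auth.check":   ["db.query"],
    "search.run":   ["db.query"],
    "report.build": ["db.query", "file.save"],
    "log.write":    [],
    "db.query":     [],
    "file.save":    [],
}
ENTRY_POINTS = ["web.login", "web.search", "web.export"]

# Constructed rule catalogue: the importance a reviewer assigns to each rule.
RULE_WEIGHT = {
    "sql-injection": 9,
    "hardcoded-credential": 7,
    "weak-hash": 5,
    "unused-import": 1,
}

# Constructed findings as (rule, function where the violation sits).
VIOLATIONS = [
    ("unused-import", "log.write"),
    ("weak-hash", "auth.check"),
    ("sql-injection", "db.query"),
    ("hardcoded-credential", "file.save"),
]


@dataclass
class RankedViolation:
    rule: str
    location: str
    weight: int
    transactions: int   # entry points whose call chain reaches the location
    dependents: int     # functions that transitively call the location
    score: int


def reachable(graph, start):
    """Every function transitively called from start (start itself excluded)."""
    seen, queue = set(), deque(graph.get(start, []))
    while queue:
        fn = queue.popleft()
        if fn not in seen:
            seen.add(fn)
            queue.extend(graph.get(fn, []))
    return seen


def transitive_callers(graph, target):
    """Every function whose execution can lead to target."""
    return {fn for fn in graph if target in reachable(graph, fn)}


def prioritize(violations, graph=CALL_GRAPH, entries=ENTRY_POINTS, weights=RULE_WEIGHT):
    """Rank findings by a risk index built from the three factors in the text."""
    ranked = []
    for rule, location in violations:
        transactions = sum(1 for e in entries if location in reachable(graph, e))
        dependents = len(transitive_callers(graph, location))
        weight = weights.get(rule, 1)
        # Risk index (constructed formula): rule importance, scaled by how many
        # transactions cross the defect and how far it propagates upstream.
        score = weight * (1 + transactions) * (1 + dependents)
        ranked.append(RankedViolation(rule, location, weight, transactions, dependents, score))
    return sorted(ranked, key=lambda r: r.score, reverse=True)


if __name__ == "__main__":
    for r in prioritize(VIOLATIONS):
        print(f"{r.score:4d}  {r.rule:22s} {r.location:14s} "
              f"transactions={r.transactions} dependents={r.dependents}")
```

On the constructed graph the SQL injection in db.query ranks first (score 252: every transaction passes through it and six functions depend on it), the hard-coded credential in file.save second, and the unused import last, which is the order a remediation team should work in.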

4. Support Framework Configuration: Virtually all applications in active development have a framework component. Most widely adopted frameworks are open source, making them easy prey for hackers and attackers, so security becomes even more important when using them. However, most SAM solutions cannot analyze the framework stack of the application and often bypass it. To be effective, the solution must be capable of analyzing the framework stack and synthesizing that information in the context of the overall application.

Figure 4: Illustration of various open source frameworks being used in JEE applications

5. Provide Support for Threat Modeling: Building a Threat Model is one of the most critical measures for all mission-critical applications, and should be considered for virtually your entire application portfolio. However, building Threat Models manually, even using a simple process such as the one shown in Figure 5, is resource intensive and may not be practical. SAM solutions should automate this process, and should also be able to validate that threats identified during Threat Modeling at the design or change-request stage have been correctly addressed. Moreover, to build comprehensive Threat Models it is vital to have an accurate blueprint of the application that maps all of its inputs and outputs. A SAM solution should be able to provide this blueprint and analyze the impact of any changes to the system.
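The paragraph above asks for three things from automated Threat Modeling: derive threats from a blueprint of the application's inputs and outputs, check that identified threats have actually been addressed, and show the impact of a change. The example below is added to illustrate all three; it is not the paper's Figure 5 process or any CAST code. The blueprint (elements with a kind and a trust zone, and the data flows between them), the mitigation register and the change request are constructed assumptions, and the threat categories follow the STRIDE scheme (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege), which the paper itself does not name.

```python
from dataclasses import dataclass

# Constructed application blueprint (an assumption for this example):
# element -> (kind, trust zone). Kind is "external", "process" or "store".
ELEMENTS = {
    "browser":        ("external", "internet"),
    "web-app":        ("process",  "dmz"),
    "api":            ("process",  "internal"),
    "accounts-db":    ("store",    "internal"),
    "partner-report": ("external", "partner"),
}
SENSITIVE_DATA = {"credentials", "session token", "account records"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


# The inputs and outputs the blueprint maps (constructed).
FLOWS = [
    Flow("browser", "web-app", "credentials"),
    Flow("web-app", "api", "session token"),
    Flow("api", "accounts-db", "account records"),
]

# Constructed mitigation register: threat -> control that addresses it.
MITIGATIONS = {
    ("Spoofing", "browser", "web-app"): "password + MFA",
    ("Tampering", "browser", "web-app"): "TLS",
    ("Information disclosure", "browser", "web-app"): "TLS",
    ("Elevation of privilege", "browser", "web-app"): "input validation and authorization checks",
    ("Repudiation", "api", "accounts-db"): "audit log",
}


def threats_for(flow, elements=ELEMENTS, sensitive=SENSITIVE_DATA):
    """STRIDE-style threats a single data flow raises, as (category, src, dst)."""
    src_kind, src_zone = elements[flow.src]
    dst_kind, dst_zone = elements[flow.dst]
    categories = set()
    if src_zone != dst_zone:                       # crosses a trust boundary
        categories |= {"Spoofing", "Tampering", "Denial of service"}
    if flow.data in sensitive:
        categories.add("Information disclosure")
    if dst_kind == "store":
        categories.add("Repudiation")              # who wrote what must be provable
    if src_kind == "external" and dst_kind == "process":
        categories.add("Elevation of privilege")   # untrusted input drives code
    return {(c, flow.src, flow.dst) for c in categories}


def threat_model(flows):
    """All threats the blueprint raises."""
    model = set()
    for flow in flows:
        model |= threats_for(flow)
    return model


def unaddressed(flows, mitigations):
    """Threats the model raises for which no mitigation is recorded."""
    return sorted(threat_model(flows) - set(mitigations))


def change_impact(old_flows, new_flows):
    """Threats introduced and retired by a change to the blueprint."""
    before, after = threat_model(old_flows), threat_model(new_flows)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for t in unaddressed(FLOWS, MITIGATIONS):
        print("UNADDRESSED:", *t)
    # Constructed change request: export account records to a partner.
    proposal = FLOWS + [Flow("api", "partner-report", "account records")]
    added, removed = change_impact(FLOWS, proposal)
    print(f"change request adds {len(added)} threats and retires {len(removed)}")
```

On the constructed blueprint the model raises eleven threats, six of which have no mitigation in the register (among them denial of service at the browser boundary and every threat on the web-app to api hop), and the proposed partner export adds four new threats before any code is written. Those two lists are what the design or change-request review should have to close.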

Highlight: Improve the overall effectiveness of your auditing programs and reduce manual effort and costs by using a SAM solution.

Figure 5: An overview of the Threat Modeling process

6. Ensure Compliance with Security Standards and Best Practices: There is a vast body of knowledge, discussion, and research on making applications inherently more secure. One of the fundamental requirements of a SAM solution is to ensure that the application complies with the best practices recommended by experts and practitioners, such as:
- Open Web Application Security Project (OWASP) Top 10 [2]
- Common Weakness Enumeration (CWE) Top 25 [3]
- Payment Card Industry (PCI) Standards [4]
- Application Security and Development Security Technical Implementation Guide (STIG) [5]

Further, most organizations spend much of their limited budget manually auditing applications to ensure compliance with best practices. A SAM solution should reduce this manual effort and improve the overall effectiveness of auditing programs at a lower cost.

Figure 6: Sample screen shot from CAST AIP identifying code against CWE compliance

Figure 7: Sample code with detailed explanation of vulnerability and remediation

7. Enhance Developer Education: To be truly beneficial to the development team, a SAM solution should not only identify vulnerabilities in applications; it should also drive continuous improvement through detailed explanations of each identified vulnerability along with the fix, as in the example shown in Figure 7. Over time, developers build increased awareness of security issues and learn to avoid them.

8. Enable Management Insights: Executives require a comprehensive analysis of security vulnerabilities that can be used to determine the security risks within an application portfolio. An example of an executive dashboard is shown in Figure 8. This can be a powerful tool in budget requests, project portfolio management, resource prioritization, and benchmarking internal and vendor teams.

Figure 8: Sample screen shot from CAST AIP dashboard view

III. Conclusion: A False Sense of Security

Security experts Greg Hoglund and Gary McGraw believe cross-layer security issues account for 50% of all security issues.

Highlight: A new breed of software analytics solutions is now available to help organizations regain control of their applications.

It is clear that application security cannot be an afterthought that is simply tested post-development; it must be built into the product from the beginning. Developers are not security specialists, and moreover individual developers lack the big-picture view of the entire system needed to understand the implications of their code for the overall security of the system. In addition, manual security audits are often neither thorough nor comprehensive. What is clear is that a new breed of software analytics solutions is now available to help organizations regain control of their applications. SAM solutions automate feedback to developers, providing proactive protection and real-time education; enforce compliance with industry standards and best practices; help with complex Threat Modeling; and enable management teams to assess application threats objectively and make informed decisions.

IV. References
1. G. McGraw, Software Security: Building Security In, Addison-Wesley Software Security Series.
2. Open Web Application Security Project (OWASP) Top 10.
3. Common Weakness Enumeration (CWE) Top 25.
4. Payment Card Industry (PCI) Standards.
5. Application Security and Development Security Technical Implementation Guide (STIG).

About CAST
CAST is a pioneer and world leader in Software Analysis and Measurement, with unique technology resulting from more than $100 million in R&D investment. CAST introduces fact-based transparency into application development and sourcing to transform it into a management discipline. More than 250 companies across all industry sectors and geographies rely on CAST to prevent business disruption while reducing hard IT costs. CAST is an integral part of software delivery and maintenance at the world's leading IT service providers, such as IBM and Capgemini. Founded in 1990, CAST is listed on NYSE-Euronext (Euronext: CAS) and serves IT-intensive enterprises worldwide with a network of offices in North America, Europe and India. For more information, visit the CAST website. Questions? Email us at contact@castsoftware.com

Europe: 3 rue Marcel Allégot, Meudon, France. Phone:
North America: 373 Park Avenue South, New York, NY. Phone: