13.07.2015

Finding security vulnerabilities - Secure Application Development



About me
• Security Researcher @ Fortify Software
• Focus on new techniques to find vulnerabilities (static and dynamic)
• Find new ways to protect WebApps
• Contributor to BSIMM Europe
• Conference Speaker (academic and industry)
• History in Code Obfuscation (& Binary Rewriting)


Setup
• Introduction to static analysis
• Demo:
  • Scanning a sample application
  • Going through issues
  • Fine tuning the analysis (custom rules)


"Success is foreseeing failure." – Henry Petroski


Security approach these days

Try Harder
• Our people are smart and work hard.
• Just tell them to stop making mistakes.
  - Not everyone is going to be a security expert.
  - Getting security right requires feedback.

Fix It Later
• Code as usual.
• Build a better firewall (app firewall, intrusion detection, etc.)
  - More walls don't help when the software is meant to communicate.
  - Security team can't keep up.

Test Your Way Out
• Do a penetration test on the final version.
• Scramble to patch findings.
  - Pen testing is good for demonstrating the problem.
  - Doesn't work for the same reason you can't test quality in.


Security in the Development Lifecycle
Plan | Build | Test | Field
• Firewalls
• Intrusion Detection
• Penetration Testing


Security in the Development Lifecycle
Plan | Build | Test | Field
• Risk Assessment
• Code Review
• Security Testing
Effective security from non-experts


Security in the Development Lifecycle


This Talk: Analysis during the Development Lifecycle
Plan | Build | Test | Field
• Static Analysis
• Dynamic Analysis
• Runtime Protection


Security in the Development Lifecycle
Plan | Build | Test | Field
• Static Analysis
• Dynamic Analysis
• Runtime Protection


Static Analysis: Defined
• Analyze code without executing it
• Consider many more possibilities than you could execute with conventional testing
• Doesn't know what your code is supposed to do
• Must be told what to look for


Static Analysis: The Tool
[Image: a chainsaw]


Under the Hood of a Static Analysis Tool13


Code Example: SQL Injection

1. Source Code

    ...
    user = request.getParameter("p_user");
    try {
        sql = "SELECT * FROM users " +
              "WHERE id='" + user + "'";
        stmt.executeQuery(sql);
    }
    ...

2. Model: every call is represented by its Class and Function

3. Security Knowledge (rules)
    Sources of taint:  Class: ServletRequest, Function: getParameter, taints return
    PassThrough:       Class: String, taint flows to return
    Sinks:             Class: Statement, Function: executeQuery, checks arg1

4. Perform Analysis

5. Present Results


Critical Attributes
• Language support: understands the relevant languages/dialects
• Analysis algorithms: uses the right techniques to find and prioritize issues
• Capacity: able to gulp down millions of lines of code
• Rule set: modeling rules, security properties
• Results management: allows a human to review results; prioritization of issues; control over what to report


Only Two Ways to Go Wrong

False positives (false issues reported)
• Incomplete/inaccurate model
• Missing rules
• Conservative analysis
Developer: "The tool that cried 'wolf!'"

False negatives (real issues not reported)
• Incomplete/inaccurate model
• Missing rules
• Forgiving analysis
Auditor: "Missing a detail can kill."
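The taint propagation sketched in the SQL Injection code example (sources, pass-throughs, sinks) and the conservative/forgiving trade-off on this slide, as an added example that is not the talk's or Fortify's code: a toy analyzer in Python over a hand-built model of the servlet snippet. Sanitizer.clean is a hypothetical helper with no rule, used only to show how the choice of default changes the result.

```python
from dataclasses import dataclass

# Rule set, i.e. the "security knowledge" of the slides. Keys are Class.Function.
SOURCES = {"ServletRequest.getParameter"}      # return value is tainted
PASSTHROUGH = {"String.concat"}                # taint on any argument flows to the return value
SINKS = {"Statement.executeQuery": 0}          # index of the argument that must be clean

@dataclass(frozen=True)
class Call:
    """One statement of the program model: target = callee(*args)."""
    callee: str
    args: tuple = ()
    target: str = ""

def analyze(program, conservative=True):
    """Forward taint propagation over a straight-line program model.

    Returns [(sink, tainted_variable), ...]. Calls covered by no rule are
    treated as pass-throughs when conservative=True (risk: false positives)
    and as taint-free when conservative=False (risk: false negatives)."""
    tainted = set()
    findings = []
    for call in program:
        if call.callee in SOURCES:
            tainted.add(call.target)
        elif call.callee in SINKS:
            arg = call.args[SINKS[call.callee]]
            if arg in tainted:
                findings.append((call.callee, arg))
        elif call.callee in PASSTHROUGH or conservative:
            if call.target and any(a in tainted for a in call.args):
                tainted.add(call.target)
    return findings

# Constructed model of the servlet snippet on this page (string literals are LIT).
VULNERABLE = [
    Call("ServletRequest.getParameter", ("LIT",), target="user"),
    Call("String.concat", ("LIT", "user", "LIT"), target="sql"),
    Call("Statement.executeQuery", ("sql",)),
]
# Same sink, but the query is built from literals only: no taint reaches it.
CONSTANT_QUERY = [
    Call("String.concat", ("LIT", "LIT"), target="sql"),
    Call("Statement.executeQuery", ("sql",)),
]
# Hypothetical helper with no rule: the analysis cannot know whether it sanitizes.
UNMODELED_HELPER = [
    Call("ServletRequest.getParameter", ("LIT",), target="user"),
    Call("Sanitizer.clean", ("user",), target="safe"),
    Call("String.concat", ("LIT", "safe", "LIT"), target="sql"),
    Call("Statement.executeQuery", ("sql",)),
]
```

Running analyze(UNMODELED_HELPER) with conservative=True reports the sink, with conservative=False it stays silent; the missing rule, not the code, decides which mistake the tool makes.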


Two Ways to Use the Static Analysis Tool
1. Analyze completed programs
   • Large number of results
   • Most people have to start here
   • Good motivator
2. Analyze as you write code
   • Run as part of the build
   • Nightly/weekly/milestone
   • Fix as you go


Adopting a Static Analysis Tool
1) Some culture change required
   • More than just another tool
   • Often carries the banner for the software security program
   • Pitfall: the tool doesn't solve the problem by itself
2) Define the playing field
   • Choose specific objectives
   • Build a gate
3) Teach up front
   • Software security education is paramount
   • Tool training is helpful too


Adopting a Static Analysis Tool
4) Start small
   • Do a pilot rollout to a friendly dev group
   • Build on your success
5) Go for the throat
   • Tools detect lots of stuff. Turn most of it off.
   • Focus on easy-to-understand, highly relevant problems.
6) Appoint a champion
   • Make sure there is a point person on the dev team
   • Choose a developer who knows a little about everything


Adopting a Static Analysis Tool
7) Measure the outcome
   • Keep track of tool findings
   • Keep track of outcome (issues fixed)
8) Make it your own
   • Investigate customization
   • Map the tool against internal security standards.
   • Best case scenario is cyclic: the tool reinforces coding guidelines, and coding guidelines are written with automated checking in mind
9) The first time around is the worst
   • Budget 2x typical cycle cost
   • Typical numbers: 10% of time for security, 20% for the first time


Challenges of Static Analysis
1. Completed programs
   • Are not written with security in mind
   • Contain multiple paradigms and technologies
   • Exemplify varying developer skill and techniques
2. Which causes static analysis to produce
   • Large numbers of issues
   • Widely varying issues
   • Issues that are difficult to triage


Demo Time!


Security in the Development Lifecycle
Plan | Build | Test | Field
• Static Analysis
• Dynamic Analysis
• Runtime Protection


Team Sizes at Microsoft
From The Build Master: Microsoft's Software Configuration Management Best Practices (Maraia 2005)


Problem
QA people lack security understanding (and we will not force them to have that!)
Good:
• Have good test coverage
• Time and resources


Why Fault Injection Fails
• Bad input derails the program
• Cannot mutate functional tests and retain coverage
[Diagram: Add to cart → Enter Address → Enter CC, with Input at each step]
Result:
• Bad test coverage
• Missed vulnerabilities


Example: SQL Injection

    ...
    user = request.getParameter("p_user");
    try {
        TaintUtil.setTaint(user, 1);
        sql = "SELECT * FROM users " +
              "WHERE id='" + user + "'";
        TaintUtil.setTaint(sql, user.getTaint());
        TaintUtil.checkTaint(sql);
        stmt.executeQuery(sql);
    }
    ...


Framework
Instrument the program
1. Methods that introduce input
   • HttpServletRequest.getParameter()
   • PreparedStatement.executeQuery()
   • ...
2. Methods to check for taint
   • Statement.executeQuery()
   • JspWriter.print()
   • ...
Mechanism to track taint
• Modify the java.lang.String class
• Modify StringBuilder and StringBuffer
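The instrumented-String approach of the two preceding slides, as an added Python model that is not the talk's own Java framework (which patches java.lang.String, StringBuilder and StringBuffer): a str subclass carries the taint flag through concatenation, get_parameter() stands in for the instrumented HttpServletRequest.getParameter(), and check_taint() for TaintUtil.checkTaint() in front of executeQuery(). The request parameters are a constructed dict.

```python
class TaintViolation(Exception):
    """Tainted data reached an instrumented sink."""

class TaintedStr(str):
    """Stand-in for the modified String class: a string plus a taint flag."""
    taint = 0

    def __new__(cls, value, taint=0):
        obj = super().__new__(cls, value)
        obj.taint = taint
        return obj

    def __add__(self, other):
        # Pass-through: the result is tainted if either operand is.
        t = max(self.taint, getattr(other, "taint", 0))
        return TaintedStr(str.__add__(self, other), t)

    def __radd__(self, other):
        # Handles plain_str + TaintedStr (Python tries the subclass first).
        t = max(self.taint, getattr(other, "taint", 0))
        return TaintedStr(str.__add__(other, self), t)

def get_parameter(params, name):
    """Instrumented input method (HttpServletRequest.getParameter): result is tainted."""
    return TaintedStr(params[name], taint=1)

def check_taint(value):
    """Instrumented sink check (TaintUtil.checkTaint before Statement.executeQuery)."""
    if getattr(value, "taint", 0):
        raise TaintViolation("tainted data reached the SQL sink")
    return value

def build_query(params):
    """The query construction from the slide; taint flows through the concatenations."""
    user = get_parameter(params, "p_user")
    return "SELECT * FROM users " + "WHERE id='" + user + "'"

def handle_request(params):
    """Mirror of the slide's servlet code: ("blocked", reason) or ("executed", sql)."""
    sql = build_query(params)
    try:
        check_taint(sql)
    except TaintViolation as exc:
        return ("blocked", str(exc))
    return ("executed", str(sql))   # stmt.executeQuery(sql) would run here

def run_constant_query():
    """A query built from literals only carries no taint and passes the check."""
    sql = TaintedStr("SELECT * FROM users ") + "WHERE id='admin'"
    return ("executed", str(check_taint(sql)))
```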


Security in the Development Lifecycle
Plan | Build | Test | Field
• Static Analysis
• Dynamic Analysis
• Runtime Protection


Protecting Programs at Runtime
• If you can find bugs: fix them!
• Additional layer of protection
• More context than external systems such as Web Application Firewalls
[Diagram: Client → Apache httpd → Apache Tomcat (Web Application with Runtime Protection)]
• Flexible response: log, block, etc.
• Low performance overhead is a must
• Potential to detect misuse in addition to bugs


Security in the Development Lifecycle
Plan | Build | Test | Field
• Static Analysis
• Dynamic Analysis
• Runtime Protection
So the 360 view of the program during the development cycle


Summary
• Mistakes happen. Plan for them!
• Security is now part of the SDLC
• Tools bring security expertise
• Tools make code review efficient
• They are not an out-of-the-box solution


Thanks!
Matias Madou
mmadou@fortify.com
