Parasoft Copyright © 2014 | 11/4/14
Cloud Shifts the Burden of Security to Development
Parasoft - Arthur Hicken, Evangelist / Security Specialist

How the Cloud Shifts the Burden of Security to Development


DESCRIPTION

The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Developers are extremely well-poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome. [Presented at Cloud Expo - November 2014]




Agenda

The problem: the porous nature of clouds
Types of security testing
Divide and conquer with service virtualization
Proactive prevention


Security Problems are Growing

§ Attacks are on the rise
§ It's better to fix it BEFORE than after


The castle has been breached

§ Enterprise network protected by firewall
§ Application is the only way in
§ Must keep application open for business
§ Users (potential hackers) must have access to the application


General IT System Security

§ Network firewall
§ Authentication and access control systems
§ Network Intrusion Detection System (NIDS)
§ Network Intrusion Prevention System (NIPS)
§ Anti-virus
§ Anti-spyware
§ Secure Sockets Layer (SSL)
§ "Defense in depth"


Security is vital

§ Suddenly there are openings everywhere
§ Can't rely on "it was checked elsewhere in the application"
§ Input validation covers a wide swath of potential problems
§ OWASP Top 10
§ CWE Top 25


One  weak  spot  is  all  it  takes  


Penetration Testing for Security

Capabilities
• Verify that security policy is being met
• Outside-in testing

Benefits
• Validates against known attack scenarios

Drawbacks
• Not a complete system
• Late stage technology
• Reactive


Continuous Regression Testing

Capabilities
• Runs all existing tests on a continuous basis
• Alerts team of failures

Benefits
• Ensures that the application remains secure
• Ensures stability during change

Drawbacks
• Must keep test cases in sync


Static Analysis for Security

Capabilities
• Find real security bugs
• Low cost method

Benefits
• Detects problems early
• Trains developers by identifying problematic code

Drawbacks
• Requires proper configuration
• Flow analysis alone cannot prevent


Peer Code Review

Capabilities
• Facilitates high-level analysis of security and design

Benefits
• Identifies complex vulnerabilities
• Keeps team in sync

Drawbacks
• Peer code review is mostly talked about and easily delayed


Unit Testing

Capabilities
• Starts testing validation methods and verifying security functionality before the system is complete

Benefits
• Reduces the time required for validation
• Can expose potential vulnerabilities earlier than pre-production

Drawbacks
• Test cases must be kept in sync with the evolving application


Application Tracing for Unit Tests

Record internal method calls inside the running application as the problem occurs
Replicate the problem in a JUnit test
Alter the JUnit test to assert the correct behavior
Possible solutions can be tested quickly without redeploying the web application


Runtime Error Detection

Check anti-patterns at runtime
Violations in context of real-world data values

Runtime error categories include:
• Threads and Synchronization
• Performance and Optimization
• Application Crashes
• Functional Errors
• Security


Divide & Conquer

Separate critical components
Move testing earlier
Isolate attack surfaces
Run functional tests vs. security scenarios


Virtualize to Divide and Conquer

Capture

Initiated from the system under test, the user can capture details from a live monitor that analyzes system traffic, by analyzing transaction logs, or by modeling virtual behavior within the Parasoft Virtualized interface.

Provision

After the virtualized artifact has been captured, users can instruct the details of the virtualized asset's behavior. This includes performance, data sources and conditional response criteria. The virtualized asset is then provisioned for simplified, uniform access across teams and business partners.

Test

The virtualized asset can now be called for unit, functional and performance tests. The virtualized asset can be leveraged by any test suite, including Parasoft Test.

By leveraging application behavior virtualization, the team can reduce the complexity and cost of managing multiple environments while providing ubiquitous access for development, test and training.
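The capture / provision / test cycle above, as an added example that is not Parasoft's code and not from the deck. It stands in a small virtual asset for a partner credit-check service: responses are captured from a constructed "live" function, conditional response criteria and latency are provisioned on top, and the asset is then called by tests of a constructed application (`place_order`) to run both functional and security scenarios (a partner outage, a malformed partner payload) without touching the live dependency. `VirtualAsset`, `live_credit_check`, `place_order` and the sample traffic are all assumptions made for this example.

```python
import json
import time


def live_credit_check(request):
    # Constructed stand-in for a partner system that is slow, metered or
    # unavailable in a staged environment; approves orders up to 500.
    return {"customer": request["customer"], "approved": request["amount"] <= 500}


class VirtualAsset:
    """Capture responses from a live dependency, provision behaviour on top of
    them, then serve both to any test suite in place of the real system."""

    def __init__(self):
        self.recordings = {}       # canonical request -> captured response
        self.rules = []            # (predicate, response) conditional responses
        self.delay_seconds = 0.0   # simulated latency
        self.calls = []            # every request served, for assertions

    @staticmethod
    def _key(request):
        # Canonical form so key order inside the request does not matter
        return json.dumps(request, sort_keys=True)

    def capture(self, live, requests):
        """Capture: record the live system's responses for known traffic."""
        for request in requests:
            self.recordings[self._key(request)] = live(request)
        return len(self.recordings)

    def provision(self, delay_seconds=0.0, rules=()):
        """Provision: instruct performance and conditional-response criteria.
        Rules are consulted before recordings, so a test can inject failures
        the live system never produced during capture."""
        self.delay_seconds = delay_seconds
        self.rules = list(rules)
        return self

    def knows(self, request):
        return self._key(request) in self.recordings

    def __call__(self, request):
        """Test: serve a matching rule, else a recording, else fail loudly so a
        test never silently runs against missing data."""
        self.calls.append(request)
        if self.delay_seconds:
            time.sleep(self.delay_seconds)
        for predicate, response in self.rules:
            if predicate(request):
                if isinstance(response, Exception):
                    raise response
                return response
        if not self.knows(request):
            raise LookupError("no recording or rule for %s" % self._key(request))
        return self.recordings[self._key(request)]


def place_order(request, credit_check):
    """Constructed application under test. It must fail closed: anything other
    than an explicit, well-formed approval from the partner is a rejection."""
    try:
        verdict = credit_check(request)
    except Exception:
        return "rejected: credit service unavailable"
    if isinstance(verdict, dict) and verdict.get("approved") is True:
        return "accepted"
    return "rejected: not approved"


def run_scenarios():
    """Capture once from the live stand-in, then run functional and security
    scenarios against the virtual asset without touching the live system."""
    sample_requests = [                        # constructed traffic
        {"customer": "c-1", "amount": 120},
        {"customer": "c-2", "amount": 900},
    ]
    asset = VirtualAsset()
    asset.capture(live_credit_check, sample_requests)
    asset.provision(rules=[
        # Security scenario: a partner outage must not turn into an acceptance
        (lambda r: r["customer"] == "c-outage", RuntimeError("partner timeout")),
        # Security scenario: a malformed partner payload must fail closed
        (lambda r: r["customer"] == "c-garbage", {"status": "yes"}),
    ])
    results = {
        "functional_ok": place_order(sample_requests[0], asset),
        "functional_declined": place_order(sample_requests[1], asset),
        "outage": place_order({"customer": "c-outage", "amount": 1}, asset),
        "garbage": place_order({"customer": "c-garbage", "amount": 1}, asset),
    }
    return results, asset
```

`run_scenarios()` returns the verdict for each scenario plus the asset, whose `calls` list lets a test assert on exactly what the application sent to the dependency. Rules take precedence over recordings on purpose: the security scenarios are traffic the live system would never have produced during capture, so they can only come from provisioning.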


Service Virtualization Example (diagram)

Application Under Test: Web, Application, Service, Database, Mainframe, ERP
Dependent Architecture: Partner, Partner, Bus, Bus, Bus
Testing Application / Cloud Resource
Steps: 1 Define, 2 Capture, 3 Instruct, 4 Provision, 5 Consume


Service Virtualization Examples

Mobile application development and extension
Agile/parallel development limited by system dependencies
Capacity-constrained staged environments
Limited access to mainframes, ERPs, or 3rd party systems
Test data management for complex transactions

Service virtualization delivers a simulated dev/test environment allowing an organization to test anytime or anywhere.


Security prevention criteria

Coding Standards
• Naming/Formatting
• Quality Implementation Best Practices (Java, C++, HTML, XML, WSI, etc.)
• Documentation

Policies
• Language Security ("cloning", private member classes, etc.)
• Penetration Vulnerabilities (SQL injection, cross-site scripting, XML bombs, etc.)
• Section 508

Runtime Analysis
• Code Coverage (>80%)
• Performance (<100ms)
• Memory Issues (leaks, overwrites, etc.)

System Runtime
• Load Capabilities (how many users?)
• Connection Capabilities (how many db connections?)

Others ...


Web application prevention example

Detect the error
• Load testing shows leaking connections to the database

Find the cause
• Open connections aren't being closed, causing resource leaks

Locate the point in production that caused the error
• Developer has forgotten to close db connections upon client termination

Implement preventative process
• Use a coding standard to ensure each open connection is closed before exit

Monitor the process
• Use static analysis to enforce the standard

Add regression test
• Add a test to verify the problem was fixed and doesn't return
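The connection-leak scenario above carried through end to end, as an added example that is not Parasoft's code and not from the deck. The slide talks about JUnit; this version uses Python's `sqlite3` and `ast` modules so it runs stand-alone. It shows the leaking handler beside the one that follows the coding standard (close on every exit path), a toy static-analysis rule that enforces the standard by flagging any variable assigned from `.connect(...)` that is not closed in a `finally` block, and the regression check that drives a handler like a small load test and counts connections left open. `CountingConnector`, both `lookup_user_*` handlers and the checker are assumptions constructed for this example.

```python
import ast
import inspect
import sqlite3


class CountingConnector:
    """Constructed test double around sqlite3: counts connections that were
    opened but never explicitly closed, which is what a load test exposes."""

    def __init__(self):
        self.open_connections = 0

    def connect(self):
        self.open_connections += 1
        return _TrackedConnection(self, sqlite3.connect(":memory:"))


class _TrackedConnection:
    def __init__(self, connector, conn):
        self._connector, self._conn, self._closed = connector, conn, False

    def execute(self, sql, params=()):
        return self._conn.execute(sql, params)

    def close(self):
        if not self._closed:           # idempotent, so a double close is harmless
            self._closed = True
            self._connector.open_connections -= 1
            self._conn.close()


def lookup_user_leaky(connector, user_id):
    """The defect from the slide: a connection is opened per request and never
    closed, so every request leaks one connection."""
    conn = connector.connect()
    return conn.execute("SELECT ? AS id", (user_id,)).fetchone()[0]


def lookup_user_fixed(connector, user_id):
    """Coding standard applied: close on every exit path, including exceptions.
    Note that 'with sqlite3.connect(...) as conn' would NOT satisfy the standard:
    sqlite3's context manager commits or rolls back but does not close."""
    conn = connector.connect()
    try:
        return conn.execute("SELECT ? AS id", (user_id,)).fetchone()[0]
    finally:
        conn.close()


def find_unclosed_connections(source):
    """Toy static-analysis rule enforcing the standard: every variable assigned
    from a .connect(...) call must have .close() invoked in a finally block of
    the same function. Returns (function, variable, line) for each violation."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        opened, closed = {}, set()
        for node in ast.walk(func):
            if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                    and isinstance(node.value.func, ast.Attribute)
                    and node.value.func.attr == "connect"
                    and isinstance(node.targets[0], ast.Name)):
                opened[node.targets[0].id] = node.lineno
            if isinstance(node, ast.Try):
                for stmt in node.finalbody:
                    for call in ast.walk(stmt):
                        if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                                and call.func.attr == "close"
                                and isinstance(call.func.value, ast.Name)):
                            closed.add(call.func.value.id)
        findings.extend((func.name, name, line) for name, line in opened.items()
                        if name not in closed)
    return findings


def audit(*functions):
    """Run the rule over live function objects, as a pre-commit or CI gate would."""
    return [f for fn in functions for f in find_unclosed_connections(inspect.getsource(fn))]


def leaked_connections(handler, requests=50):
    """Regression test from the slide: drive the handler like a small load test
    and report how many connections stayed open. Must be 0 after the fix."""
    connector = CountingConnector()
    for i in range(requests):
        handler(connector, i)
    return connector.open_connections
```

`audit(lookup_user_leaky, lookup_user_fixed)` reports the leaky handler and nothing else, and `leaked_connections(lookup_user_leaky)` returns 50 where `leaked_connections(lookup_user_fixed)` returns 0; the second call is the regression test that stays in the suite so the problem cannot silently return. The rule is deliberately narrow (a `finally` block in the same function); a real checker would also accept `contextlib.closing` and track the variable across calls.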


Misconceptions...

§ Security can be tested into the application at the end of the cycle
  § Checks only common known exploits
  § Requires coverage of all paths and possible inputs
§ End of cycle penetration testing may overlook:
  § Backdoor access
  § A difficult to reach section of code in the error handling routine that performs an unsafe database query
  § The lack of an effective audit trail for monitoring security functions
§ End of cycle static analysis does not consider nuances of actual operation, reports false positives


Security Policy Development

Make security-relevant decisions so individuals don't have to
Centralize and reuse security mechanisms
Coordinate security efforts


Securing An Application

§ Determine risks/threats
§ Develop countermeasures
  § Security policy development
§ Implement security policy process at code level
§ Eliminate security vulnerabilities in code
  § Static analysis
§ Test application from outside
  § Penetration testing
§ Fix code to address problems found
§ Prevent recurring problems
  § Regression testing


Current Standards

OWASP
CWE/SANS
Cigital
HIPAA
SAMATE
Oracle CERT
Microsoft Secure Coding


Security Resources

CWE - Common Weakness Enumeration
• http://cwe.mitre.org

OWASP - Open Web Application Security Project
• http://www.owasp.org

PCI - Payment Card Industry Security Standards
• https://www.pcisecuritystandards.org

Hack.me - Community based security learning project
• https://hack.me

SAMATE - Software Assurance Metrics And Tool Evaluation
• http://samate.nist.gov

Build Security In - Collaborative security effort
• https://buildsecurityin.us-cert.gov


§ Web
  § http://www.parasoft.com/jsp/resources
§ Blog
  § http://alm.parasoft.com
§ Social
  § Facebook: https://www.facebook.com/parasoftcorporation
  § Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon
  § LinkedIn: http://www.linkedin.com/company/parasoft
  § Google+ Community: Static Analysis for Fun and Profit