The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Developers are extremely well-poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome. [Presented at Cloud Expo - November 2014]
Parasoft Copyright © 2014
11/4/14
Cloud Shifts the Burden of Security to Development
Parasoft - Arthur Hicken, Evangelist / Security Specialist
Agenda
The problem: The porous nature of clouds
Types of security testing
Divide and conquer with service virtualization
Proactive prevention
Security Problems are Growing
§ Attacks are on the rise
§ It's better to fix it BEFORE than after
The castle has been breached
§ Enterprise network protected by firewall
§ Application is the only way in
§ Must keep application open for business
§ Users (potential hackers) must have access to the application
General IT System Security
§ Network firewall
§ Authentication and access control systems
§ Network Intrusion Detection System (NIDS)
§ Network Intrusion Prevention System (NIPS)
§ Anti-virus
§ Anti-spyware
§ Secure Sockets Layer (SSL)
§ "Defense in depth"
Security is vital
§ Suddenly there are openings everywhere
§ Can't rely on "it was checked elsewhere in the application"
§ Input validation covers a wide swath of potential problems
§ OWASP Top 10
§ CWE Top 25
One weak spot is all it takes
Penetration Testing for Security
Capabilities:
• Verify that security policy is being met
• Outside-in testing
Benefits:
• Validates against known attack scenarios
Drawbacks:
• Not a complete system
• Late-stage technology
• Reactive
Continuous Regression Testing
Capabilities:
• Runs all existing tests on a continuous basis
• Alerts team of failures
Benefits:
• Ensures that the application remains secure
• Ensures stability during change
Drawbacks:
• Must keep test cases in sync
Static Analysis for Security
Capabilities:
• Find real security bugs
• Low-cost method
Benefits:
• Detects problems early
• Trains developers by identifying problematic code
Drawbacks:
• Requires proper configuration
• Flow analysis alone cannot prevent
Peer Code Review
Capabilities:
• Facilitates high-level analysis of security and design
Benefits:
• Identifies complex vulnerabilities
• Keeps team in sync
Drawbacks:
• Peer code review is mostly talked about and easily delayed
Unit Testing
Capabilities:
• Starts testing validation methods and verifying security functionality before the system is complete
Benefits:
• Reduces the time required for validation
• Can expose potential vulnerabilities earlier than pre-production
Drawbacks:
• Test cases must be kept in sync with the evolving application
Application Tracing for Unit Tests
Record internal method calls inside the running application as the problem occurs
Replicate the problem in a JUnit test
Alter the JUnit test to assert the correct behavior
Possible solutions can be tested quickly without redeploying the web application
Runtime Error Detection
Check anti-patterns at runtime
Violations in context of real-world data values
Runtime error categories include:
• Threads and Synchronization
• Performance and Optimization
• Application Crashes
• Functional Errors
• Security
Divide & Conquer
Separate critical components
Move testing earlier
Isolate attack surfaces
Run functional tests vs. security scenarios
Virtualize to Divide and Conquer
Capture
Initiated from the system under test, the user has the ability to capture detail from a live monitor that analyzes system traffic, from analyzing transaction logs or by modeling virtual behavior within the Parasoft Virtualized interface.
Provision
After the virtualized artifact has been captured, users can now instruct the details of the virtualized asset behavior. This includes: performance, data sources and conditional response criteria. The virtualized asset is then provisioned for simplified uniform access across teams and business partners.
Test
The virtualized asset can now be called for unit, functional and performance tests. The virtualized asset can be leveraged by any test suite – including Parasoft Test.
Leveraging application behavior virtualization, the team can reduce the complexity and the costs of managing multiple environments while providing ubiquitous access for development, test and training.
Service Virtualization Example (diagram): the Application Under Test / Testing Application reaches, over a bus, a Dependent Architecture of Database, Service, Mainframe, ERP, Application, Web, Partner and Cloud Resource systems. Numbered steps in the diagram: 1 Define, 2 Capture, 3 Instruct, 4 Provision, 5 Consume.
Service Virtualization Examples
Mobile application development and extension
Agile/parallel development limited by system dependencies
Capacity-constrained staged environments
Limited access to mainframes, ERPs, or 3rd-party systems
Test data management for complex transactions
Service virtualization delivers a simulated dev/test environment allowing an organization to test anytime or anywhere
Security prevention criteria
Coding Standards:
• Naming/Formatting
• Quality Implementation Best Practices (Java, C++, HTML, XML, WSI, etc.)
• Documentation
Policies:
• Language Security ("cloning", private member classes, etc.)
• Penetration Vulnerabilities (SQL injection, cross-site scripting, XML bombs, etc.)
• Section 508
Runtime Analysis:
• Code Coverage (>80%)
• Performance (<100ms)
• Memory Issues (leaks, overwrites, etc.)
System Runtime:
• Load Capabilities (how many users?)
• Connection Capabilities (how many db connections?)
Others ...
Web application prevention example
Detect the error
• Load testing shows leaking connections to the database
Find the cause
• Open connections aren't being closed, causing resource leaks
Locate the point in production that caused the error
• Developer has forgotten to close db connections upon client termination
Implement preventative process
• Use a coding standard to ensure each open connection is closed before exit
Monitor the process
• Use static analysis to enforce the standard
Add regression test
• Add a test to verify that the problem was fixed and doesn't return
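The prevention process on this slide, as an added example in Python (not Parasoft's tooling and not code from the deck, which talks about Java/JUnit): a toy static check that enforces the slide's coding standard, "each open connection is closed before exit". It flags every connect() call that is neither managed by a with-statement nor bound to a name that is closed in a finally block; the scanned source is constructed and shows the leaky handler beside two compliant forms, and running the check in CI doubles as the regression test for the pattern.

```python
import ast  # ast.unparse needs Python 3.9+
CONNECT_NAMES = {"connect", "getConnection"}  # constructed: calls that open a connection
def _is_connect(node):
    return isinstance(node, ast.Call) and ast.unparse(node.func).split(".")[-1] in CONNECT_NAMES
def _closed_in_finally(func, name):
    """True if a try/finally inside func calls name.close() in its finally block."""
    for node in ast.walk(func):
        if isinstance(node, ast.Try):
            for sub in (s for stmt in node.finalbody for s in ast.walk(stmt)):
                if isinstance(sub, ast.Call) and ast.unparse(sub.func) == f"{name}.close":
                    return True
    return False
def find_unclosed_connections(source):
    """Coding standard: every connect() call is a with-item, or its result is bound to
    a name that is closed in a finally block. Returns [(function, line)] per violation."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        managed = set()  # ids of nodes inside a with-item's context expression
        for node in ast.walk(func):
            if isinstance(node, ast.With):
                for item in node.items:
                    managed.update(id(n) for n in ast.walk(item.context_expr))
        assigned = {id(n.value): n.targets[0] for n in ast.walk(func) if isinstance(n, ast.Assign)}
        for node in ast.walk(func):
            if not _is_connect(node) or id(node) in managed:
                continue  # with contextlib.closing(connect(...)) as conn: is compliant
            target = assigned.get(id(node))
            name = target.id if isinstance(target, ast.Name) else None
            if name is None or not _closed_in_finally(func, name):
                findings.append((func.name, node.lineno))
    return findings
# Constructed sample: the leaky handler from the slide beside two compliant forms.
SAMPLE = '''def leaky_handler(db):
    conn = sqlite3.connect(db)      # never closed if execute() raises
    return conn.execute("SELECT 1").fetchone()

def fixed_handler(db):
    conn = sqlite3.connect(db)
    try:
        return conn.execute("SELECT 1").fetchone()
    finally:
        conn.close()                # closed on every exit path

def managed_handler(db):
    with contextlib.closing(sqlite3.connect(db)) as conn:
        return conn.execute("SELECT 1").fetchone()
'''
```

Calling find_unclosed_connections(SAMPLE) reports only the leaky handler; wiring that call into the build is the "monitor the process" step.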
Misconceptions…
§ Security can be tested into the application at the end of the cycle
  § Checks only common known exploits
  § Requires coverage of all paths and possible inputs
§ End-of-cycle penetration testing may overlook:
  § Backdoor access
  § A difficult-to-reach section of code in the error-handling routine that performs an unsafe database query
  § The lack of an effective audit trail for monitoring security functions
§ End-of-cycle static analysis does not consider nuances of actual operation and reports false positives
Security Policy Development
Make security-relevant decisions so individuals don't have to
Centralize and reuse security mechanisms
Coordinate security efforts
Securing an Application
§ Determine risks/threats
§ Develop countermeasures
  § Security policy development
§ Implement security policy process at code level
§ Eliminate security vulnerabilities in code
  § Static analysis
§ Test application from outside
  § Penetration testing
§ Fix code to address problems found
§ Prevent recurring problems
  § Regression testing
Current Standards
OWASP
CWE/SANS
Cigital
HIPAA
SAMATE
Oracle CERT
Microsoft Secure Coding
Security Resources
CWE – Common Weakness Enumeration • http://cwe.mitre.org
OWASP – Open Web Application Security Project • http://www.owasp.org
PCI – Payment Card Industry Security Standards • https://www.pcisecuritystandards.org
Hack.me – Community-based security learning project • https://hack.me
SAMATE – Software Assurance Metrics And Tool Evaluation • http://samate.nist.gov
Build Security In – Collaborative security effort • https://buildsecurityin.us-cert.gov
§ Web: http://www.parasoft.com/jsp/resources
§ Blog: http://alm.parasoft.com
§ Social
  § Facebook: https://www.facebook.com/parasoftcorporation
  § Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon
  § LinkedIn: http://www.linkedin.com/company/parasoft
  § Google+ Community: Static Analysis for Fun and Profit