fudsec.com

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry 
« Back to blog
Viewed 7659 times
Favorited 0 times
January 22, 2010

The Fallacy of Secure Software

This weeks guest post is by Justin Clarke, an unusual blend of Web Application Security freak and Kiwi.  Justin is the lead author of "SQL Injection Attacks and Defense" - a book that Richard Bejtlich recently voted as his 2009 "Best Book Bejtlich Read" (high praise indeed).  Justin is the man you call when your webapp security program needs to "keep it real" ;-).  Thanks Justin!

By Justin Clarke

So, you've got yourself a security solution for software that your organization develops. Maybe you've just invested in some automated tools, or developer training. Maybe you did hear a bit of FUD in the sales presentation, but it all seemed to make sense? Great! You're going to be producing secure code now aren't you?  Security problem over?

Well, no.

There are a number of problems with solving the problem of insecure software. One of the biggest is that there is no one-size-fits-all solution to the problem, regardless of what some less-than-honest vendors will tell you. All approaches that are parts of solving the insecure software problem have their upsides and downsides. To give a few examples, lets look at some of the popular approaches to assuring software security:

Penetration testing/blackbox testing - probably the most popular and widespread approach to securing software such as web/network applications. For enterprise situations, this would normally be performed near to completion, generally in a user acceptance or pre-production environment. As an approach, it is intended to simulate the risk of an external party (such as an attacker or malicious user of the system) attempting to compromise the system. 

The generally accepted upsides of this approach are that it should give you a good picture of where you are with regards to someone breaking in. Downsides include that it is resource intensive (and therefore expensive), and very dependent on the skill of the people performing the assessment. It is also very late in the development cycle, so in many cases major rework can result in cost and schedule overruns and delays. Very commonly used in environments where the possible loss due to a security issue is high, such as banks and other financial institutions. 

A variation is the use of automation for some or all of the testing. These are generally tools that implement some from of "fuzzing" approach, with the most mature products being those in the web application space from HP and IBM. This provides the ability to cover many more applications in the same amount of time, but seldom with the same level of depth or flexibility that a person performing the same assessment could. Very commonly these are used in conjunction with other assessment approaches in order to provide greater coverage or to find easier to detect issues that would then warrant additional manual attention. 

Code Review - becoming increasingly popular in the United States, and to some extent in Europe, is the review of the source code of an application for security vulnerabilities, either on a manual, automated, or combination of both basis. Manual analysis of source code is extremely resource intensive and as such can be very expensive, however recently a number of static analysis tools (from vendors such as Fortify and IBM) have become effective in allowing the analysis of larger volumes of source code for security issues.

The upside to this approach is that it should provide far greater coverage than black box testing, as all of the code included in the solution and all possible execution paths can be evaluated, potentially allowing a lot more issues to be discovered - including those occurring from edge cases that may not be picked up with other approaches. The downside to this approach is that it can still be resource intensive, even if using automation. Also, the pace of technology change restricts the ability for automated tools to support newer technologies - the wide variety of technologies and frameworks in use means that it is extremely difficult for automated tool vendors to support a wide selection of the technologies that are currently in use. Code review is commonly used in areas where security failure would be especially critical or result in major loss.

Platform Defenses - another area that is seeing increasing use if to have platform (or in some cases, framework) level defenses in place, normally so that some level of protection is afforded to applications running in that environment regardless of whether the application itself is secure. Some widely spaced examples are buffer overflow protections (such as stack canaries and non-executable stacks) and web application firewalls.

The upside to this approach is that, in many cases, the application developer will need to make minimal (if any) changes in order to take advantage of these security features. These can also be a useful approach for providing additional security over applications purchased into an organization. The downside to this approach is that they can only provide a band-aid level of protection if an underlying security issue does exist. Also, for each of the approaches there is generally widely known issues, limitations, and bypasses for getting around that particular control.   

Training - always popular is security training for developers. For enterprise situations this can be customized to be most relevant for the types of issues that are most commonly present in that organization's applications. Upsides to this approach are that a good training program can increase awareness of issues, and change development practices in the short term. Downsides are that training is a point in time activity, and as such must be reinforced or followed up to ensure that new starters are trained and that trained security knowledge is not lost over time.

Architectural/Design Analysis - areas that are increasingly seeing attention are approaches that seek to tackle security issues at the requirements, design and implementation stages. These could take the form of security reviews of the architecture and/or design and threat/risk analysis activities (such as Threat Modeling). 

Upsides to analysis at this level include the ability to detect and correct architectural or design issues that would be extremely difficult (or in some cases, impractical) to address during or after development, potentially leading to significant cost savings over addressing these later in the development process. The main downside of this approach is the difficulty of developing and maintaining these types of analysis with popular development approaches (e.g. agile development approaches), largely due to the velocity of changes to the design during development. 

OK, so those all work then? And other people are using them. OK, I'll pick the best one of these approaches for me and I'll be fine! 

Well, no. Anyone who tells you that, or uses that approach while selling you something is selling you a load of FUD... there is no silver bullet. First of all, there isn't any real amount of scientific research available which would give you any guidance as to what approach would be the best, or the best for you. Also, generally held belief if you have a look at what is available, especially if you look at what information is available on what other organizations (such as Microsoft) are doing would seem to imply that you need to be doing all of these approaches and more. Which would be both far too expensive, and far too much change for most organizations to even consider implementing.

So, is there anything out there that would tell me what I should be doing if I want secure software? Something useful, and FUD-free?

Well, yes and no.

Recently a couple of closely related frameworks have been released that at provide some structure to this question though. Although a number of approaches to the Secure SDLC have been publicly available in the past (notably Microsoft's SDL), these take a different approach of looking at the maturity of security considerations in the development process. These are the Open Software Assurance Maturity Model (OpenSAMM) and Building Security In Maturity Model (BSIMM) models. These two models both look at the processes you would normally expect to see within a "Secure SDLC" at various levels of maturity in a similar way to a Capability Maturity Model. The main difference between the models is that the research that has gone into BSIMM captures actual secure development practice at large organizations with initiatives in place (such as Microsoft, Google, and Wells Fargo) whereas OpenSAMM presents a more academic model of leading practice.

These models are very useful for answering questions about what you could do - especially BSIMM. They are even pretty good at giving you information and materials that would help justify why you would want to introduce certain activities. What they're not good at is providing you with the vision of secure development you'll need for your organization. They are good at providing a framework for tying together disparate efforts into a consistent picture, but you'll have to provide the driving force behind how you will get from where you are now to where you want to be. They are also pretty good for having in your back pocket for after you've got a couple of secure development activities in place (through guerilla means or otherwise) to be able to relate gaps in the organizational processes and skillsets to activities that should be looked at next.

Does this answer the question of what your organization should do? Well, no - what it may do is help you figure out for yourself what would work for the organization. After all, its you who has the knowledge of how the business works that is critical in the success of getting any business change in place.

And after all that, what is the activity that both OpenSAMM and BSIMM both consider to be the most important things with developing secure software? 

Pentesting? 

Code review? 

Nope - its having someone who is championing and driving software security within the organization. Having a group of folks who are ready and willing to shepherd and drive through all of the various changes to how the organization works over time. These are sometimes (in BSIMM in particular) referred to as the Software Security Group (SSG), and in many cases can be make or break in getting adoption and use of security initiatives within the organization.

After all of that, it turns out the best thing for software security in your organization may well be you...

Loading mentions Retweet

Comments (7)

Jan 22, 2010
joshcorman said...
Great Post. I agree. As with most of what we do, Software Security is not simply a Technology issue. An untapped resource is the people and culture of the organization.

Often overlooked, key ingredients to the effective selection/use of these technologies:
1) People need to recognize the security context of the code they write.
2) People and organizations need to value writing more secure code...

Where there's a will, there's a way.
"Reason is the slave of the passions." - David Hume

I (and 2 colleagues) will be addressing this missing culture, value-set, philosophy in the very near future.

If you agree, I'd be eager to speak with you.

Joshua Corman - @joshcorman - jcorman@the451group.com

Jan 22, 2010
atdre said...
I agree that Threat-Modeling, Code Review, and VAPT need to stop at all costs (literally, because of costs!).

However, I don't agree that OpenSAMM/BSI-MM are the answers or even the questions.

You also appear to dislike Training??? You didn't give much attention to it.

Orgs need an OWASP ASVS L2B, L3, or L4 (depending on regulations/compliance and/or data classifications as mapped to risk) verification ONE-TIME-ONLY against a set of ESAPIs. These can be the OWASP ESAPIs. Let the experts from around the world at every organization put the framework components under their own Threat-Modeling, Code Review, and VAPT testing.

Also, Orgs don't need ANY person. They need at least one FTE that is dedicated (full-time job description) to security bug-fixes.

The training orgs need is simple: teach everyone who cares and has time how to read code and look for software weaknesses -- NOT vulnerabilities. Looking for vulnerabilities and producing "findings reports" is a waste of time and money. There are probably over 200k CVEs, but there are only 700 CWEs. Teach people how to read code and look for CWEs. Then fix the root-cause of those CWEs.

There's more, but in summary, I strongly believe you are scratching the surface and have missed a lot of critical pieces of the secure software puzzle.

Jan 24, 2010
AhmedMasud said...
Interesting post, while #clarke shows an appreciation of application-layer security, however he's missed the mark.

This post seems to advocate OpenSIMM and BSI-MM as the methodologies to follow and suggests that these are Development Life Cycle methodologies. Seems that the author forgot to read the documents he is advocating. OpenSIMM is a score-card and is not academic by any stretch of the word as Clarke would suggest. There is not formal model there, no algorithm, no algebra, nothing one can perform analysis on. BSI-MM, again it's a guide, it's not a formal methodology by any stretch. Neither documents claim to be! Yet Clarke would have you believe otherwise.

Following standards is a STARTING point not the end point.

As Fallacies go – It is a gross fallacy to suggest that any organization that doesn't have software production as their primary business should be expected to have the expertise at the management level to assess the competency of a proposed software security group for their organization, let alone figure out whether what's being presented is actually going to work in real life.

Moreover what are these organizations doing taking ownership of software production in the first place? Do we build the cars that we drive? Or smash them in a wall to assess their crash safety?

This post gives organizations the false thinking that they can build secure applications by following starting guidelines that have NOTHING to do with software development life-cycle.

Jan 25, 2010
Matt said...
@AhmedMasud - Actually, I think you have missed the point of Justin's post! He does not mention the word 'methology' or 'standard' once in his post but rather refers to OpenSAMM and BSIMM as frameworks! Go look up the definition of framework, re-read his post, read the OpenSAMM and BSIMM documents before you are quick to judge.

Any company that develops their own software which process / manages sensitive data must ensure such software is developed in a secure manner ... period! To use your phrasing... it is a gross fallacy to think that organisations will simply outsource all of their development activities because someone like you says they shouldn't do it themselves .. with no research, data or cost benefit information to support. So stick to your formal models and equations and leave real-world security to the professionals!

In short, Justin is correct, these frameworks are useful in helping organisations in determining what activities they 'could do' to help ensure software is developed and released in a secure manner.

Jan 25, 2010
Justin Clarke said...
I'm amused by some of the comments to my @fudsec post, as discussing this with Craig before we posted this post, this is exactly the response I'd expect... in fact, its precisely why the post is written the way it is.

Firstly - if you're a software security professional, this post has probably hit all of your buttons, as you've got your preconceptions about what would be the best approach for an organization to tackle the task of "securing" its software. I have my own preconceptions as well - we all do. Personally, I think all of the approaches are good ones, and an appropriate mix of these would be a good start in most cases.

Secondly - if you're reading anything more than "there is some handy stuff out there for organizations just getting serious about this" into this post, you're over thinking it. This post is solely intended to pre-arm folks who aren't software security people (or vendors) with some resources that can help them frame a question - "where would I even start with a secure software initiative?". We security folks like far too much to dictate from our high horses the "best" way to do things - but this is one of the cases where getting off the horse and talking to an organization is the best first step - it needs to be something they _can_ do in a _reasonable_ timeframe.

Thirdly - the SSG point is an interesting one. One of the key differences between BSIMM and OpenSAMM is the question of an SSG. BSIMM explicitly says you need one. OpenSAMM doesn't - it has the role of the SSG split across the activities. My inner security person says that a virtual team of folks working in a cooperative manner can do this. My inner consultant knows this doesn't work in practice.

Jan 26, 2010
Ari Takanen said...
Well, to comment on your concluding question on "what is the activity that both OpenSAMM and BSIMM both consider to be the most important things with developing secure software?":

The original BSIMM quite explicitly pointed all nine fingers at Fuzzing. The note on SSG importance is a bit funny in regards to BSIMM, because the studied organizations were basically selected based on the maturity of the SSG in the target group.

In fact, you managed to revisit probably every misunderstanding in relation to fuzzing. Because not everyone is necessarily into web-apps, I thought I would quickly review those.

Many people seem to think, especially in the web application domain, that code review provides better coverage over fuzzing. It definitely depends on what type of fuzzing you are comparing with. Similarly, it depends on what type of code auditing tool (or person) you are comparing with. There probably is a good reason why e.g. based on the BSIMM study everyone was using fuzzing, but only few had incorporated static analysis (i.e. code analysis). You can stare at a line of code for days, and not catch a bug. A fuzzer will detect it in a fraction of a second, with no false positives.

Even commenting that a fuzzer (tool) does not reach the level of completeness against a person conducting penetration tests is very far from truth. Actually, most skilled penetration testers use fuzzers to get better coverage. Manual testing almost never reaches any level of confidence in tests, except maybe in the simple space of _web_ application security analysis. A typical web application might process HTTP GET/POST messages with a small range of 10-20 parameters, and a few steps in the message dialogues. But immediately if you e.g. look at SOAP/XML-based applications, the complexity is exponentially higher even with simple interfaces. Auditing web applications could be somewhat similar to VoIP applications or Mobile applications, but again the threat scenarios are completely different.

In real product security practices you need to also look at other things than SQL injection flaws and other simple web-based attacks. Someone commented that SSG (Software Security Group, or product security team) might not be always needed, which could be true in a company only focused in developing simple web applications. But SSG definitely is a must in companies building complex network devices, game consoles/servers, mobile devices, telecommunication systems, and so on. Even in web applications when you are working with something more complex than a simple web shop, you need to look at so many other things than just application code review and test.

A side-note: Threat Modeling integrates perfectly with agile processes. And with that, so does fuzzing. In fact, I believe there are more programmers using fuzzing tools than there are security auditors using them. And as far as I know, the best threat models out there are also built by programmers, not by security experts.

Feb 06, 2010
joshcorman said...
I can post this now that we've launched it.

Please check out "Rugged"
http://www.ruggedsoftware.org

Joshua Corman - @joshcorman - jcorman@the451group.com

Leave a comment...

 
Got an account with one of these? Login here, or just enter your comment below.
Posterous-login    twitter