S “〃 ~ ro わ川 s So ″ル 4 尾 27 Although there is some real value in stopping buffer overflow attacks by observing HTTP traffic as it arrlves over port 80 , a superlor approach is to fix the broken code in order to avoid the buffer overflow completely. Another problem I have with the term 4 々々〃 ca 〃 0 〃 sec 〃り is that it unnecessarily limits the purvlew Of software security. sure, applications have security problems, with Web-based applications leading the pack. But if you step back a moment, you'll see that we have a much bigger problem at hand than simply errant Web applications. Ask yourself, what do wireless devices, cell phones, PDAS, browsers, operatlng systems, routers, servers, personal computers, public key infrastructure systems, and firewalls have in com- 1 れ on ~ The answer IS "software. '' What an interesting and wide-ranging list. lt encompasses everything from consumer devices t0 infrastructure items t0 security apparatus itself. We should not be surprised that real attackers go after bad software—no matter where it lives. A myopic focus on "applica- tion" code ignores the bigger picture. That's why I like to call the field 50 ″ - lt is important tO think about the impact of simple vocabulary choices in large enterprises. 、Ⅳ・ hen a large organization sets an application develop- ment prOJect in 1 れ Otion , it involves lOtS Of diverse groups: systems people, network people, the architecture group, and a whole bevy of application developers. If the security group buys into application security thinking, they'll likely end up pushing some vendor or product at their applications people (the VB. NET implementers at the bottom of the software food chain). By contrast, software security thinking focuses lts scrutiny on both the applications people and those middleware architects responsible for all Of the hard-core "servlces" code that is extremely susceptible to design flaws. ()f course, both application code and the middleware services it relies on can possess bugs. ) Suborganizations like application development and the architecture group are very territorial, and even if the vendor or product chosen as an application security solution does end up finding defects in the application, the people in the cross hairs are likely to pass the buck: "Oh, you need to talk to the architects. " The security ball has a big chance of being dropped in this situation—especially since the architecture and "real " code is usually set in stone and the architects redispatched tO other pr0Jects before the VB. NET application implementers are even contracted.

22 C わ 4 々右 1 Defining 4 D な c ゆ〃れ e AppIication Security Testing T001s: ( 00d or Bad?* Application secu 「 ity testing p 「 Oducts are being SO 旧 as a solution tO the problem Of inse- cure 50 れ wa 「 e. Unfortunately, these first-generation solutions are not all they a 「 e cracked up t0 be. They may help us diagnose, describe, and demonstrate the problem, but they d0 little t0 help us fix it. T0day's application security products treat software applications as "black boxes" that a 「 e prone tO misbehave and must be probed and prodded t0 prevent security dis- aster. Unfortunately, this approach is t00 simple. Software testing requires planning and should be based on 50 れ wa 「 e 「 equirements and the architecture 0f the code under test. You can't "test quality in" by painstakingly finding and removing bugs once the COde is done. The same goes fO 「 security; running a handful 0f canned tests that "simulate malicious hackers" by sending malformed input streams tO a program will not WO 「 k. Real attackers don't simply "fuzz" a prog 「 am with input tO find problems. Attackers take software apart, determine hOW it works, and make it misbehave by dOing what users are not supposed t0 d0. The essence Of the disconnect is that black bOX testing approaches, including application security testing t00 on ツ scratch the surface Of software in an outside → in fashion instead Of digging intO the guts Of software and securing things from the inside. Badness-ometers That said, application security testing t00 can tell you something about secu 「 ity— namely, that you're in very deep t 「 oub 厄 . That is, if your software fails any 0f the canned tests, you have some serious security work tO dO. The t00 区 can help uncover known issues. But if you pass 訓 the tests with flying c 0 「 s , you know nothing more than that you passed a handful 0f tests with flying ( 010 「 s. put in more basic terms, application security testing t00 ト are "badness-ometers ′ ' as shown in Figure 1 ー 7. They provide a 「 eading in a range from "deep trouble" tO "whO knows," but they dO not provide a 「 eading intO the "security" 「 ange at all. MOSt vulner- abilities that exist in the architecture and the code are beyond the reach Of simple canned tests, SO passing all the tests is not that 「 eassuring. ()f course, knowing you're in deep trouble can be helpful!) The other m 可 0 「 weakness with application security testing t00 区 is that they focus 0 司 y on input t0 an application provided over port 80. Understanding and testing a complex program by relying on ツ on the p 「 0t0 ( 0 ⅱ t uses tO communicate provides a *A version Of this example first appeared in my "[ln]security" column in Network magazine, November 2004. Network magazine is now called A て h / ( t.

Mo 川 R なた A れ 4 s な Client Tier Web Tier 157 Client Computer Client Computer Web Server 0 「 de 「 Processing Application Ⅵ u Directory Application Server Application Server Remoting Service 0 「 de 「 Processing Application AppIication Tier Database Server Data Tier 0 「 de 「 Database 日 9 「 e 5 ー 3 A f0 「 est-level view of a standard-issue fou 「 -tier Web application. specified mathematical model) makes risk analysis at the architecturallevel possible. Although one could contemplate using modeling languages, such as UNlLsec, t0 attempt t0 model risks, even the most rudimentary analysis approaches can yield meaningful results. Consider Figure 5 ー 3 , which shows a simple four-tier deployment design pattern for a standard-issue Web-based application. If we apply risk analysis principles to this level of design, we can rmmediately draw some useful conclusions about the security design 0f the application. During the risk analysis process we should consider the following: ・ The threats who are likely to want to attack our system ・ risks present in each tier's envlronment ・ The kinds of vulnerabilities that might exist in each component, as well as the data flOW ・ The business impact 0f such technical risks, were they to be realized ・ The probability of such a risk being realized

7 84 C わ 4 邵 6 SO ″ル 4 ~ ra 〃 0 れ計 g implemented tO address such vulnerabilities proactively in the future. (See Chapter 10 for a discussion 0f how this idea relates t0 a large-scale software security program. ) G0ing back t0 the buffer overflow exampl% an organization may decide tO train its developers and eliminate the use Of potentially dangerous func- tions, such as strcpy( ) , in favor Of safer string-handling libraries such as those found in the C + + Standard Templates Library (STL). Perhaps a static analysis t001 can be used tO enforce this decision. A good last step involves using test result information tO measure progress against a goal. Where possible' tests for a mitigated vulnerability should be added tO automated test suites (which can be used in regression testing). If the vulnerability resurfaces in the COde base at some point in the future, any measures taken tO prevent the vulnerability should be revisited and improved. AS time passes, iterative penetratlon tests should reveal fewer and less severe defects in the system. If a penetratlon test reveals serl()us severe problems, the "representative sample" view Of the results should give the development organizatlon real reservations about deploying the system. Us ⅲ 9 Penetration Tests tO Asse the AppIication Landscape One Of the maJOr problems facing large organizations that have been creat- ing software for years is the unmanageable pile 0f software they have cre- ated. How d0 you get started when you have over 1000 applications and nobody thought about software security until just recently? penetration testing can help. One idea is tO run a uniform' fixed-length' standardized penetration test against all Of the apps and then rank them according t0 results. This would best be enhanced bY a very basic risk analy- sis tO pin down the business context (see Chapter 5 ). ln this way' a very rough cut at ranking the application pile bY security posture is possible. An approach like this results in a plan Of attack that makes sense. 、・ 0 reason tO work on the most secure application first. ThiS idea can be expanded tO cover setS Of C0n11 on components and libraries and their intersection with the application pile. The move toward Web Services and service Oriented Architecture (SOA) means that much more attentlon must be paid tO shared services. put bluntlY' shared seruces are alSO potential shared vulnerabilities and/or on points Of failure. Getting things like state, messaglng' and authentication right in the brave new world of SOA is a realchallenge.

252 C わ 4 々 r 7 0 An E 〃ゆ So ″曜 4 尾立行り Program SO on. By referring tO these artifacts along with the running system itself, you can assess the security posture Of an existing application and begin working toward making it 1 れ ore secure. I am assuming that the existing application will be found lacking in its security. ThiS iS not a necessary condition, but it iS one SO C01 れ monly encountered that I treat it as a default. Getting a handle on a large pile of software applications (say, on the order of 1000 or (o) is always an essential part of the baselining program described earlier. By measuring all of the applications with the same measuring stick (say, some kind Of outside—in penetration testing or application security testing), we can get a rough esti- mate Of which applications need the most help. ln my experience, a cursory architectural risk analysis and a quick COde revrew with a t001 (the top tWO touchpoints) provide the most actionable data. Don't forget that business impact is a critical factor here. Assessing the state Of existing software applications IS a critical soft 、 vare security practice. The best approach is to perform a very high-level holistic analysis mIXing bOth COde revlew with a tOOl and architectural risk analysis tO determine security posture (see Chapter 5 ). This can be done as part of routlne mamtenance schedules in order tO be less disruptive in a large orgamzatlon. The COTS problem is more of a challenge. Because COTS vendors are Often reluctant tO provide the necessary software artifacts needed to deter- nune security posture, using the touchpoints against COTS is not as effec- tive. 3 One approach is to attempt to bind the vendor legally (see Chapter 1 ). The Reagan-esque "trust but verify" idea applies in spades though, so tak- ing a 100k yourself is almost always a good idea. You'll always have exe- cutables, SO that starting point exists. The hacker techniques discussed in E 工が 0 〃 g SO ″ル 4 are also extremely useful when confronted with the COTS analysis problem [HogIund and McGraw 200 引 . A closely related issue involves the kind Of modern enterprise software most C01 れ monly encountered in large businesses tOday: software that has both COTS components and middleware glue. ln this common situation, it 31t never hurts to ask, though. some vendors will provide source code and other artifacts if pressed (especially if the organization asking for artifacts is a key customer). Believe it or not, you can force a "go/no go" decision through your organization by using the 、。市 0 cares? " question-answering tactics from Chapter 2.

T わビ立行 Pro わル川 7 modern J2EE and . NET apps), COBOL, and other ancient mainframe plat- forms. Many of these applications and legacy systems don't support com- mon tOOlkits like SSL, standard plug-ins for authentication/authorization in a connected situation, or even simple cipher use. They don't have the built- in capability tO hOOk intO directory services, which most large shops use for authentication and authorization. Middleware vendors pledge they can completely carve out the complexity of integration and provide seamless connectivity, but even though they provide connectivity (through JCA, WBI, or whatever), the authentication and application-level protocols don't align. Thus, middleware integration in reality reduces tO something ad hoc like cross-enterprise FTP between applications. What's worse is that lines Of business Often fear tight integration with better tools ( because they lack skills, project budget, or faith in their infrastructure team), so they end up using middleware to FTP and drop data globs that have to be mopped up and transmogrified into load files or other application input. Because of this issue, legacy product integrations often suffer from two huge security problems: 1. Exclusive reliance on host-to-host authenticatlon with weak pass- words 2. Looming data compliance implications having tO dO with user privacy (because unencrypted transport of data over middleware and the middleware's implementation for failover and load balancing means that queue cache files get stashed all over the place in plain text) Current trends in enterprise architecture make connectivity problems more problematic than ever before. Extensibility. A second trend negatively affecting software security is the degree tO which systems have become extensible. An extensible system accepts updates or extensions, sometimes referred to as 川 0 わ〃ビ code so that the functionality 0f the system can be evolved in an incremental fashion [McGraw and Felten 1999 ]. For example, the plug-in architecture of web browsers makes it easy t0 install vie 、 extensions for document types as needed. Today's operating systems support extensibility through dynami- cally loadable device drivers and modules. Today's applications, such as word processors, e-mail clients, spreadsheets, and Web browsers, support extensibility through scripting, controls, components, and applets. The advent of Web Services and SOA, which are built entirely from extensible systems such as J2EE and . NET, brings explicit extensibility to the forefront.

S “〃り P 0 わん川 s So 〃Ⅲ 4 尾 D E E p TROUBLE 23 WHO KNOWS 日 gu 「 e 1 ー 7 A badness-ometer can be usefulin some cases but is not the same thing as a security-ometer. shallow analysis. Though many attacks do arrive via HTTP, this is on ツ one category of secu 「 ity p 「 Ob 厄 m. Fi 「 st Of all, input arrives to modern applications in many forms other than HTTP: consider SSL, envi 「 onment variables, outside libraries, distributed compo- nents that communicate using other p 「 0t0C0 , and so on. Beyond program input, soft- ware security must consider architectural soundness, data security, access contro し 50 代 wa 「 e environment, and any number of other aspects, all of which are dependent on the application itself. There is no set Of prefab tests that will probe every possible appli- cation in a meaningful way. The on ツ good use fo 「 application security t00 区 is testing commercial off-the-shelf software. Simple dynamic checks set a reasonably low bar to ho 旧 vendors to. げ soft- ware that is delivered tO you fails to pass simple tests, you can either reject it out of hand 0 「 take steps tO monitor its behavior. 旧 the final analysis, application security testing t00 do provide a modicum of value. Organizations that are just beginning to think through software security issues can use them as badness-ometers tO help determine how much trouble they are in. ResuIts can a 厄 all the interested parties to the presence of the problem and motivate some mitigation activity. However, you won't get anything more than a rudimentary analysis with these t00 区 . Fixing the problems they expose requires building bette 「 soft- ware tO begin with—whether you created the software 0 「 not. S0ftware Security and Operations One reason that application security technologies, such as application fire- walls, have evolved the way they have is because operations people dreamed them up. ln most corporations and large organizatlons, security is the domain Of the infrastructure people whO set up and maintain firewalls,

20 The ProbIem with Ap 貶 0 れ Security C わ 4 7 Defining 4 D なじゅ〃〃ビ Because the idea that SOft 、 vare is a major problem in computer security is fairly new, many diverse sets 0f people are working on the problem. One set Of net 、 vork security practitioners, led by a number Of security t001S vendors, has worked hard and spent lOts Of marketing money t0 coin "application security" as the moniker Of ChOice tO describe the software security space. There are a number Of reasons tO be wary when confronted with application security. personally, I am a proponent Of the term 50 〃ル 4 尾 sec 〃り over the term 4 々々〃〃 0 〃 5 〃 especially when discussing the idea 0f building security in. Here'S why. One problem is that the term 4 々々〃 ca 〃 0 〃 se じ〃り means different things tO different people. ln many circles, it has come tO mean the protection Of software 4 ″ it's 4 レわ″市 . Although the notion 0f protecting software IS an lmportant one, JLISt plain easier tO protect something that is defect- free than something riddled with vulnerabilities. pondering the question, "What is the most effective way tO protect soft 、 vare? " can help untangle software security and application security. On one hand, software security is about building secure software: designing SOft 、 tO be secure; making sure that software iS secure; and educating software developers, architects, and users about hOW tO build security in. On the other hand, application security is about protecting software and the systems that software runs in a post factO way, only after development IS complete. lssues critical to this subfield include sandboxing code ()s the Java Virtual Machine does), protecting against malicious code, obfuscating code, locking down executables, monitoring programs as they run (especially their input), enforcing the software-use policy with technology, and dealing with extensible systems. Application security follows naturally from a network-centric approach tO security by embracing standard approaches, such as 'penetrate and patch" and input filtering (trying t0 block malicious input), and by generally providing value in a reactive way. ( See the next box—A. pplication Security Testing T001s: G00d or Bad? ) Put succinctly, application security is based primarily on finding and fixing known security problems after they've been exploited in fielded systems, usually by filtering dangerous input on its way to broken software. S0ftware security—the process 0f designing, building, and testing software for security—identifies and expunges problems in the soft 、 vare itself. ln this way, software security practitioners attempt tO build SO 丘ー ware that can 、 vithstand attack proactively. Let me give you a specific example:

8 C わ 4 7 Defining 4 D な c ゆ〃〃ビ FrOI れ an economic standpoint' extensible systems are attractive they provide flexible interfaces that can be adapted through new compo- nents. ln today's marketplace, it is crucial tha€software be deployed as rapidly as possible in order t0 gain market share. Yet the marketplace also demands that applications provide new features with each release. An extensible architecture makes it easy t0 satisfy b0th demands bY allowing the base application code tO be shipped earlY' with later feature extensions shipped as needed. Unfortunately, the very nature Of extensible systems makes it hard tO prevent SOft 、 vulnerabilities slipping as extenslons. Advanced languages and platforms including Sun Microsystems' Java and Microsoft's . NET Framework are making extensibility commonplace. Complexity. A third trend impacting software security is the unbridled growth in the size and complexity Of modern information systems espe- cially software systems. A desktop system running Windows XP and assocl- ated applications depends on the proper functioning 0f the kernel as well as the applications tO ensure that vulnerabilities cannot compromise the sys- tem. However, Windows xp itself consists Of at least forty million lines Of code, and end-user applications are becoming equallY' if not more' complex. When systems become this large, bugs cannot be avoided. Figure 1 ー 2 shows how the complexity 0f Windows (measured in lines 0f code) has grown over the years. The P0int 0f the graph is not t0 emphasize the numbers themselves, but rather the growth rate over t11 れ e. ln practice' the defect rate tends tO go up as the square Of COde size. 6 Other factors that significantly affect complexity include whether the code is tightly integrated' the overlay 0f patches and other post-deployment fixes' and critical architec- tural issues. The complexity problem is exacerbated by the use 0f unsafe program- ming languages (). g. , and c + + ) that d0 not protect against simple kinds Of attacks, such as buffer overflows. ln theory' we could analyze and prove that a small program was free 0f problems' but this task is impossible for even the simplest desktop systems tOday' much less the enterprise-wide systems used by businesses governments. Of course, Windows is not alone. Almost all COde bases tend tO grow over time. During the last three years I have made an informal survey of 6See the article "Encapsulation and OPtimal M0dule Size" at <http://www.faqs.orWdocs/ artu/ch04s01. htm 憘 ftn. id2894437 >.

230 C あ 4 9 So ″曜 4 S “〃り M な S “″り〇々 4 〃 0 〃 5 division. Even though the idea Of security enforcement is SOlid, making enforcement at the COde level successful When it comes tO COde revlew reqmres real hands-on experlence with COde (see the bOX Know When Enough ls T00 Much). ・ S ア s 川 Testing: ~ ビ〃〃 0 〃 TI お〃れ g System penetration testing, when used appropriately, focuses on people failures and procedure failures made during the configuration and deployment 0f software. The best kinds 0f penetration testing are driven by previously identified risks and are engmeered t0 probe risks directly in order t0 ascertain their exploitability (see Chapter 6 ). ・み hile testing software to functional specifications has traditionally been the domain 0f QA, penetration testing has traditionally been the domain Of information security and incident-handling organizations. AS such, the fit here for information security participation is a very natural and intuitive one. Of course, there are a number Of subtleties that should not be ignored. As I describe in Chapter 6 , a majority of penetration testing tOday focuses its attention on network topology, firewall place- ment, communications protocols, and the like. lt is therefore very much an outside → in approach that barely begins tO scratch the surface Of applications. Penetrat10n testing needs tO encompass a 1 れ ore inside—out approach that takes intO account risk analyses and Other software secu- rlty results as it iS carried out. ThiS distinctlon IS sometlmes described as the difference between network penetration testing and application pen- etration testing. Software security IS much more interested in the latter. AISO worth noting is the use Of various black bOX penetration tools.N ・ et- work security scanners like Nessus, nmap, and Other SATAN deriva- tives, are extremely useful since there are countless ways tO configure (and misconfigure) complex networks and their var10us services. Appli- cation security scanners (which I lambaste in Chapter 1 ) are nowhere near as useful. If by an 'application penetration test" you mean the process Of running an application security testing t001 and gathering results, you have a long way t0 go t0 make your approach hold water. 51t'S worth noting here for non-software people hOW amusing the idea of a canned set of secu- rity tests (hacker in a ト ox , so to speak) for 4 〃ア々 055 ル 4 々々〃行 0 れ is to software profession- als. Software testing is not something that can be handled by a set Of canned tests, no matter how large the can. The idea of testing any arbitrary program with, say, a few thousand tests determined in advance before the software was even conceived iS ridiculous. I ' 1 れ afraid that the idea Of testing any arbitrary program with a few hundred application security tests is just as silly! 5