Software Security: Building Security In
Table 2-7  KillerAppCo's Business Risk Indicators and Likelihood of Occurrence

Business Risk: The software fails to meet the acceptance criteria required for release.
  Description: The acceptance criteria normally include formal parameters describing the conditions under which the system will be accepted by users and the software development contract will be considered successfully completed.
  Business Risk Indicators:
    - Number of missed project milestones
    - Number of critical-level errors
    - Effort required to fix critical and important errors
    - Decrease in the price of the company's shares
  Likelihood of Occurrence: H

Business Risk: System failures cause unplanned downtime.
  Description: The impact of system failures on the business can be evaluated by studying the costs associated with each failure and the number of these failures.
  Business Risk Indicators:
    - Number of reported errors related to system failure
    - Effort required to execute disaster recovery procedures
    - Effort required to fix the errors that caused the failures
    - Number of clients lost
    - Decline in revenue
    - Decrease in the price of the company's shares
  Likelihood of Occurrence: M

Business Risk: Security weaknesses cause system failures.
  Description: The impact of system failures on the business can be evaluated by studying the costs associated with each failure and the number of these failures.
  Business Risk Indicators:
    - Number of reported security vulnerabilities
    - Effort required to execute patching or other remediation
    - Effort required to fix the errors that caused the failures
    - Number of clients lost
    - Decline in revenue
    - Decrease in the price of the company's shares
  Likelihood of Occurrence: M
Applying the RMF: KillerAppCo's iWare 1.0 Server (p. 53)

Table 2-2  Guidelines for Business Goal Rankings (from NIST)

Rank: Low (L)
  Definition: These goals affect only a small portion of the company's revenue. A small number of employees may be affected if these goals are not met.

Rank: Medium (M)
  Definition: These goals are very important for the existence of the project (and possibly the company). A large number of employees may be affected if these goals are not met. A failure to achieve a medium-rank business goal (e.g., to successfully release an important project) may result in a negative effect on high-rank goals (e.g., damage to the company's brand and reputation).

Rank: High (H)
  Definition: These goals are critical to the existence of the project (and possibly the company). If these goals are not met, there is a real risk that the project will cease to exist and the company will be directly impacted.

Note: New analysts should use the business goal ranking definitions in this table as guidelines. Ideally, analysts should attempt to define these rankings early in the RMF process in terms of the project's unique business context. More senior analysts can draw on prior experience to help define these rankings against previous performance and comparable industry benchmarks.

As indicated in Table 2-3, in our example, the analyst identifies and records four business risks. A similar table should be created as a work product in each application of the RMF. After fully populating business risk tables with data (the tables shown here present a very small amount of example data), the analyst identifies the risk indicators associated with each identified business risk, as well as the likelihood that each of the identified risks will occur. A risk indicator is a sign that the risk is materializing: an objective, measurable event that can be monitored and measured by the analyst to determine the status of a risk over time.
As an example, Table 2-7 identifies the principal risk indicators for the four business risks shown in Table 2-3. For example, one indicator for the risk of failing to meet the acceptance criteria is the number of missed project milestones. Based on experience, professional consultation, and research, the analyst assigns the likelihood that the server will not meet the final acceptance criteria as high (H) (as defined in Table 2-5 on page 56). The analyst also defines indicators for the other business risks and assigns the probability of their occurrence as moderate (M). The impact of business risks on business goals should be evaluated. The level of impact and the likelihood of occurrence will allow the analyst to evaluate the impact of a business risk on different business goals.
Applying the RMF: KillerAppCo's iWare 1.0 Server (p. 57)

Table 2-_  Business Impacts of KillerAppCo's Business Risks

Business Risk: The software fails to meet the acceptance criteria required for release.
  Business Risk Indicators: Number of missed project milestones
  Likelihood: H
  Impact: KillerAppCo will be unable to release the product to the market.
  Estimated Cost: Revenue loss: $10 million; Market share loss: 15%; Brand and reputation damage: limited

Business Risk: System failures cause unplanned downtime.
  Business Risk Indicators: Clients reporting downtime due to system failures; Need to execute disaster recovery plans
  Likelihood: M
  Impact: KillerAppCo will be unable to meet its clients' SLA availability requirements.
  Estimated Cost: Revenue loss: $3 million; Market share loss: 5%; Brand and reputation damage: extreme

Business Risk: Security weaknesses cause system failures.
  Business Risk Indicators: Clients reporting system failures due to security breaches; Need to create software patches
  Likelihood: M
  Impact: KillerAppCo will be unable to meet its clients' SLA availability requirements.
  Estimated Cost: Revenue loss: $3 million; Market share loss: 5%; Brand and reputation damage: extreme; Regulatory violation; Legal risk

Business Risk: The software fails to perform critical operational functions correctly.
  Business Risk Indicators: Clients reporting inaccurate transaction data processing; Liability case filed
  Likelihood: M
  Impact: KillerAppCo will be noncompliant with federal regulations. Lawsuits will ensue.
  Estimated Cost: Revenue loss: $2 million; Market share loss: 2%; Brand and reputation damage: extreme; Regulatory violation; Legal risk
Touchpoint Process: Abuse Case Development (p. 275)

the things that you don't want your system to do are very closely related to the requirements. I call them anti-requirements. Anti-requirements are generated by security analysts, in conjunction with requirements analysts (business and technical), through a process of analyzing requirements and use cases with reference to the list of threats in order to identify and document attacks that will cause requirements to fail. The object is explicitly to undermine requirements. Anti-requirements provide insight into how a malicious user, attacker, thrill seeker, competitor (in other words, a threat) can abuse your system. Just as security requirements result in functionality that is built into a system to establish accepted behavior, anti-requirements are established to determine what happens when this functionality goes away. When created early in the software development lifecycle and revisited throughout, these anti-requirements provide valuable input to developers and testers. Because security requirements are usually about security functions and/or security features, anti-requirements are often tied up in the lack of or failure of a security function. For example, if your system has a security requirement calling for use of crypto to protect essential movie data written on disk during serialization, an anti-requirement related to this requirement involves determining what happens in the absence of that crypto. Just to flesh things out, assume in this case that the threat in question is a group of academics. Academic security analysts are unusually well positioned to crack crypto relative to thrill-seeking script kiddies. Grad students have a toolset, lots of background knowledge, and way too much time on their hands.
If the crypto system fails in this case (or better yet, is made to fail), giving the attacker access to serialized information on disk, what kind of impact will that have on the system's security? How can we test for this condition? Abuse cases based on anti-requirements lead to stories about what happens in the case of failure, especially security apparatus failure.

Coder's Corner

Here is a systematic approach to anti-requirements suggested by Fabio Arciniegas. This approach formalizes the idea of anti-requirements by focusing on the three key aspects of requirements:

1. Input
2. Output
3. Importance
Appendix B (p. 352)

Kingdom: API Abuse
API: cuserid()
Description: cuserid() generates a character-string representation of the username corresponding to the effective user ID of the process. If s is a NULL pointer, this representation is generated in an internal static area, the address of which is returned. Otherwise, s is assumed to point to an array of at least L_cuserid characters; the representation is left in this array. The constant L_cuserid is defined in the <stdio.h> header file. cuserid() should be considered obsolete. This function has been or will be deprecated in several systems (e.g., HP Unix, ISO POSIX-1). Additionally, this function has changed capability within a given OS (HP). Therefore, in all cases, convert to getpwuid(getuid()), getpwuid(geteuid()), or getlogin(), depending on which username is desired.

Kingdom: Time and State
Description: Watch out when files are passed in as pathnames. Can be involved in a race condition if you open things after a poor check. For example, don't check to see if something is not a symbolic link before opening it. Open it, then check by querying the resulting object. Don't run tests on symbolic filenames.

Kingdom: Time and State
Description: TOCTOU problems when opening a file.

Kingdom: Time and State
API: dirname(), basename()
Description: Note: dirname, basename functions should be analyzed together. The dirname() function takes a pointer to a character string that contains a pathname, and returns a pointer to a string that is a pathname of the parent directory of that file. Trailing '/' characters in the path are not counted as part of the path. If path does not contain a '/', then dirname() returns a pointer to the string ".". If path is a null pointer or points to an empty string, dirname() returns a pointer to the "." string. A call to dirname() should be flagged if the argument (the directory name) is used previously in a "check" category call.
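The check-then-open race the Time and State entries warn about can be shown in a few lines of C. The program below is an added example, not code from the book or from the ITS4 rule set: it constructs a regular file, a second file standing in for the valuable data, and a symlink in a fresh temporary directory; runs the lstat()-then-open() pattern with the path swapped in between (an in-process stand-in for what another process would do in that window); and then runs the open()-then-fstat() pattern with O_NOFOLLOW against the same path. The function names, the use of /tmp, and the file contents are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The "check" half of the pattern the appendix says to flag: an lstat() answer
 * about the pathname, not about the object a later open() will resolve. */
int check_is_regular(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Open-then-check: refuse to follow a symlink in the final path component,
 * then query the object actually held through the descriptor.
 * Returns the descriptor, or -1 if the path is not a plain regular file. */
int open_regular_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                     /* a symlink here fails with ELOOP */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Constructed demonstration (hypothetical files, nothing on the page).
 * Returns 1 when all three observations hold: the check passes on the regular
 * file, a symlink swapped in afterwards leads plain open() to secret.txt, and
 * the O_NOFOLLOW version refuses the same path. Returns 0 otherwise. */
int demo_toctou(void) {
    char dir[] = "/tmp/toctou_demo_XXXXXX";     /* assumption: /tmp is writable */
    if (mkdtemp(dir) == NULL) return 0;
    char data[300], secret[300], alias[300];
    snprintf(data, sizeof data, "%s/data.txt", dir);
    snprintf(secret, sizeof secret, "%s/secret.txt", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    int result = 0;
    int f1 = open(data, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int f2 = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (f1 >= 0 && f2 >= 0 && write(f2, "jewel\n", 6) == 6 && symlink(secret, alias) == 0) {
        int checked = check_is_regular(data);       /* 1. check: data.txt is regular */
        int swapped = rename(alias, data) == 0;     /* 2. stand-in for the race window */
        int racy_fd = open(data, O_RDONLY);         /* 3. use: follows the new symlink */
        char buf[8] = {0};
        int leaked = racy_fd >= 0 && read(racy_fd, buf, 6) == 6 && strcmp(buf, "jewel\n") == 0;
        int safe_fd = open_regular_nofollow(data);  /* 4. open-then-fstat refuses it */
        result = checked && swapped && leaked && safe_fd < 0;
        if (racy_fd >= 0) close(racy_fd);
        if (safe_fd >= 0) close(safe_fd);
    }
    if (f1 >= 0) close(f1);
    if (f2 >= 0) close(f2);
    unlink(data); unlink(alias); unlink(secret); rmdir(dir);
    return result;
}

int main(void) {
    printf("check-then-open leaked and open-then-fstat refused: %s\n",
           demo_toctou() ? "yes" : "no");
    return 0;
}
```

The point of the split in demo_toctou() is that the two halves of check-then-open are separated only by a rename(); in real code they sit next to each other, which narrows the window but never closes it, because nothing ties the lstat() result to the file open() later resolves. fstat() on the descriptor answers about the object the process actually holds, which is what the appendix means by "query the resulting object".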
270  Chapter 8  Abuse Cases

Sometimes this involves making explicit tradeoffs when specifying system requirements. For example, ease of use may be paramount in a medical system meant to be used by secretaries in a doctor's office. Complex authentication procedures, such as obtaining and using a cryptographic identity, can be hard to use [Gutmann 200?]. But regulatory pressures from HIPAA and California's privacy regulations (SB 1386) force designers to negotiate a reasonable tradeoff. To extend this example, consider that authentication and authorization can't stop at the "front door" of a program. Technical approaches must go far beyond the obvious features, deep into the many-tiered heart of a software system to be secure enough. The best, most cost-effective approach to software security incorporates thinking beyond white hat normative features by donning a black hat and thinking like a bad guy, and doing this throughout the development process. Every time a new requirement, feature, or use case is created, someone should spend some time thinking about how that feature might be unintentionally misused or intentionally abused. Professionals who know how features are attacked and how to protect software should play an active role in this kind of analysis (see Chapter 9).

What You Can't Do

Attackers are not standard-issue customers. They are bad people with malicious intent who want your software to act in some unanticipated way—to their benefit. An attacker's goal is to think of something you didn't think of and exploit it in a way you didn't expect—to the gain of the attacker and probably to your detriment. If the development process doesn't address unexpected or abnormal behavior, then an attacker usually has plenty of raw material to work with. Attackers are creative.
Despite this creativity, we can be sure that some well-known locations will always be probed in the course of attacks: boundary conditions, edges, intersystem communication, and system assumptions. Clever attackers always try to undermine the assumptions a system is built on. For example, if a design assumes that connections from the Web server to the database server are always valid, an attacker will try to make the Web server send inappropriate requests in order to access valuable data. If software design assumes that Web browser cookies are never modified by the client before they are sent back to the requesting server (in an attempt to
184  Chapter 6  Software Penetration Testing

implemented to address such vulnerabilities proactively in the future. (See Chapter 10 for a discussion of how this idea relates to a large-scale software security program.) Going back to the buffer overflow example, an organization may decide to train its developers and eliminate the use of potentially dangerous functions, such as strcpy(), in favor of safer string-handling libraries such as those found in the C++ Standard Template Library (STL). Perhaps a static analysis tool can be used to enforce this decision. A good last step involves using test result information to measure progress against a goal. Where possible, tests for a mitigated vulnerability should be added to automated test suites (which can be used in regression testing). If the vulnerability resurfaces in the code base at some point in the future, any measures taken to prevent the vulnerability should be revisited and improved. As time passes, iterative penetration tests should reveal fewer and less severe defects in the system. If a penetration test reveals severe problems, the "representative" view of the results should give the development organization real reservations about deploying the system.

Using Penetration Tests to Assess the Application Landscape

One of the major problems facing large organizations that have been creating software for years is the unmanageable pile of software they have created. How do you get started when you have over 1000 applications and nobody thought about software security until just recently? Penetration testing can help. One idea is to run a uniform, fixed-length, standardized penetration test against all of the apps and then rank them according to results. This would best be enhanced by a very basic risk analysis to pin down the business context (see Chapter 5). In this way, a very rough cut at ranking the application pile by security posture is possible.
An approach like this results in a plan of attack that makes sense. There is no reason to work on the most secure application first. This idea can be expanded to cover sets of common components and libraries and their intersection with the application pile. The move toward Web Services and Service Oriented Architecture (SOA) means that much more attention must be paid to shared services. Put bluntly, shared services are also potential shared vulnerabilities and/or common points of failure. Getting things like state, messaging, and authentication right in the brave new world of SOA is a real challenge.
Business leadership will benefit from Part I of the book, though it may make you sleep a little less soundly. Risk management comes naturally to business executives, and putting a risk management framework, as described in Chapter 2, in place is very valuable (and can yield useful metrics to boot). Chapter 10 should also prove valuable, especially to upper-level managers worrying about how to transform an organization so that it produces good, solid, secure software.

Academics and researchers will probably appreciate Chapter 12 the most, though I am sure to be flamed to a crisp by some professor or other. The annotated bibliography in Chapter 13 will be useful to new scientists. I would hope that each of the touchpoints provides enough in the way of open questions to spark many a research program.

What This Book Is About

This book presents a coherent and detailed approach for putting software security into practice. Through the unification of proactive design and careful exploit-driven testing built on a foundation of risk management, Software Security explains in detail how to properly address software-induced security risk.

The book is divided into three parts. Part I, Software Security Fundamentals, is an updated introduction to the field of software security. Readers of Building Secure Software and Exploiting Software will find themselves in familiar territory here, though the treatment of the problem has been updated with new numbers.

Chapter 1, Defining a Discipline, begins with an in-depth description of the computer security problem and explains why broken software lies at its heart. This may be old news to some, but the trinity of trouble—connectivity, extensibility, and complexity—deeply impacts software as much as ever. Software is everywhere and is the lifeblood of business and society. Software security is relevant to the kind of software found in your phone, your car, and your washing machine (not to mention your computer and the Web-based applications it makes available to you). For this reason, a critical distinction is drawn between application security and software security. This book is about making all software behave, and how to do this in light of modern security demands. The most important material in Chapter 1 is the introduction of the three pillars of software security: applied risk management, software security best practices (touchpoints), and knowledge. Each of the three pillars is a necessity for software security.
Exploring the Audit Workbench (p. 325)

3. Examine the information displayed in the navigation tree in the Navigator panel.
   - Expand the items in the tree to see the individual issues. Click on the issues to see how the panels are populated for each issue. For example, notice that the Analyzer Trace panel shows data flow information when the issue is related to issues identified by the Data Flow Analyzer.
   - Examine the Summary and Detail panels for information about the issues. Click the Hotlist, Warnings, and Info buttons to see how the issues are grouped by severity level.
   - Select different options in the "Group by" drop-down list to see the issues in the navigation tree grouped by file name, sink, source, taint flag, or category and analyzer (the default).
   - Locate and select the following issue: ftpd.c:5290 (Format String).

4. Examine an issue.
   - Read the auditor's comments concerning the issue in the Summary panel and note the settings for the analysis, status, impact, and severity buckets that the auditor has selected for the issue. In this case, the auditor considers the issue to be a remotely exploitable problem that could lead to a root compromise.
   - Click on the four code lines displayed in the Analysis Trace panel to see how the SCA Engine traced the malicious data through the program.
   - Examine the Details panel to read more about auditing format string problems.

5. Explore other issues.
   - Click the Hotlist, Warning, and Info buttons to explore some of the other buckets.
   - Explore some of the other categories and the issues they contain for an overview of the types of problems that Fortify Software finds in C and C++ programs.

6. Generate an audit report.
   - Select Generate Report from the Tools menu to generate a report.
   - Select Formatted Text from the "Export As" drop-down list.
   - Read the summary sections at the top of the report and some of the detailed findings that follow. Click Cancel to return to the main audit view.
Touchpoint Process: Architectural Risk Analysis (p. 165)

Table 5-1  A Partial Exploit Graph Table to Accompany Figure 5-5

Step #: Delivery 1
  Detail (How/What): Deliver attack: get attack code onto machine with Jewel.
  Conditions: Client must have Internet access.
  Protection: (none listed)

Step #: Delivery 1.1
  Detail (How/What): Trick user to point browser to P.
  Conditions: Browser must have "run P" enabled.
  Protection: Disable JSP in browser. NOTE: doing so prevents other sites from working.

Step #: Delivery 1.2
  Detail (How/What): Send victim e-mail containing malicious P.
  Conditions: User's mail reader must interpret JSP.
  Protection: Disable JSP execution in mail reader.

Note: JSP refers to Java Server Page.

Exploit graphs also require some explanation in text, as briefly described earlier. Table 5-1 is a partial view (attack delivery only) of the table meant to accompany Figure 5-5. Though attack graphs are not yet a mechanism in widespread use, they do help in a risk analysis. Their most important contribution lies in allowing an analyst to estimate the level of effort required to exploit a flaw. When it comes to exploit development, having a set of exploit graphs on hand can help determine which one exploit (usually of many) is the best to develop in the case that some kind of "proof" is required. Sometimes you will find that exploit development is required to convince skeptical observers that there is a serious problem that needs to be fixed.

Ambiguity Analysis

Ambiguity analysis is the subprocess capturing the creative activity required to discover new risks. This process, by definition, requires at least two analysts (the more the merrier) and some amount of experience. The idea is for each team member to carry out separate analysis activities in parallel. Only after these separate analyses are complete does the team come together in the "unify understanding" step shown in Figure 5-4. We all know what happens when two or more software architects are put in a room together: catfight—often a catfight of world-bending magnitude. The ambiguity analysis subprocess takes advantage of the multiple points of view afforded by the art that is software architecture to create a