CSSLP & OWASP 2010 & WebGoat, by Surachai.C (published presentation)

Post on 13-May-2015


Certified Secure Software Lifecycle Professional (CSSLP)

Master Degree in Management Information Systems (MSMIS), Faculty of Commerce and Accountancy, Thammasat University

05-April-2010

Surachai Chatchalermpun

Speaker Profile

CSSLP, ECSA, LPT

Agenda

Challenges Today…

What is CSSLP?

What is OWASP?

What is WebGoat?

WebGoat Lesson!

• Over 70% of breaches of security vulnerabilities exist at the application level. (Gartner Group, 2005)

• Software is often not developed with security in mind

• Targeted, financially motivated attacks continue to rise

• Attacks are moving up the application stack

• New technology waves keep on coming -- there are still numerous emerging threat vectors which require increased spending in certain security sub-segments.

Source: Global Information Security & IT Security Personnel Development in USA – trend and hurdles, Prof. Howard A. Schmidt

Challenges Today…

Source: Issue number 9, Info Security Professional Magazine

W. Hord Tipton, CISSP-ISSEP, CAP, CISA, (ISC)² Executive Director

What is the CSSLP?

• Certified Secure Software Lifecycle Professional (CSSLP)

• Base credential

• Professional certification program

• Takes a holistic approach to security in the software lifecycle

• Tests candidates' competency (KSAs) to significantly mitigate the security concerns

• Global leaders in certifying and educating information security professionals with the CISSP® and related concentrations, CAP® and SSCP®.

• Established in 1989 – not-for-profit consortium of industry leaders.

• More than 60,000 certified professionals in over 135 countries.

• Board of Directors - top information security professionals worldwide.

• All of our information security credentials are accredited under ANSI/ISO/IEC Standard 17024 and were the first technology-related credentials to receive this accreditation.

Over 70% of breaches of security vulnerabilities exist at the application level.*

* Gartner Group, 2005

Purpose

• Provide a credential that speaks to the individual's understanding of and ability to deliver secure software through the use of best practices.

• The target professionals for this Certification would be anyone who is directly, and in some cases indirectly, involved in the Software Lifecycle.

Software Lifecycle Stakeholder Chart (diagram; labels recovered from the slide)

Software Lifecycle Stakeholders, grouped on the chart as Primary Target, Secondary Target and Influencers:

Top Management, IT Manager, Business Unit Heads, Developers/Coders, Client Side PM, Industry Group, Delivery Heads, Business Analysts, Quality Assurance Managers, Technical Architects, Project Managers/Team Leads, Application Owners, Security Specialists, Auditors

Market Drivers

• Security is everyone's responsibility

• Software vulnerabilities have emerged as a major concern

• Off shoring of software development

• Software is often not developed with security in mind

• Desire to meet growing industry needs

Certified Secure Software Lifecycle Professional

(ISC)² CSSLP CBK 7 Domains:

• Secure Software Concepts

• Secure Software Requirements

• Secure Software Design

• Secure Software Implementation/Coding

• Secure Software Testing

• Software Acceptance

• Software Deployment, Operations, Maintenance, and Disposal

CSSLP Certification Requirements

By Experience Assessment:

• Experience Assessment will be open until March 31, 2009

• Candidate will be required to submit:

– Experience Assessment Application

– Signed candidate agreement and adherence to (ISC)² Code of Ethics

– Detailed resume of experience

– Four essay responses (between 250-500 words) detailing experience in four of the following knowledge areas:

• Applying Security concepts to Software Development

• Software Design

• Software Implementation/Coding

• Software Testing

• Software Acceptance

• Software Deployment, Operations, Maintenance, and Disposal

– Fee of $650

By Examination:

• The first public exam will be held at the end of June 2009

• Candidate will be required to submit:

– Completed examination registration form

– Signed candidate agreement and adherence to the (ISC)² Code of Ethics

– Proof of 4 years of FTE experience in the Software Development Lifecycle (SDLC) Process, or 3 years plus a 1 year waiver of experience for a degree in an IT related field

– Fee of $549 early-bird and $599 standard

• Candidate will be required to:

– Pass the official (ISC)² CSSLP certification examination

– Complete the endorsement process

• The Associate of (ISC)² Program will apply to those who have passed the exam but still need to acquire the necessary minimum experience requirements

CSSLP CBK Overlap between other Certifications/Programs (diagram; labels recovered from the slide)

• CSSLP ((ISC)²) – Professional Certification Program

• CSDA (IEEE) – Associate Level Status

• CSDP (IEEE) – Professional Certification Program

• GSSP-C (SANS) – Software Coder Certification Program

• GSSP-J (SANS) – Software Coder Certification Program

• Software Assurance Initiative (DHS) – Awareness Effort

• CSSE (ISSECO) – Entry-level Education Program

• Certificate of Completion

• Vendor-Specific Credentials

Future of CSSLP

• International Marketing Efforts

• ANSI/ISO/IEC17024 accreditation

• Maintenance activities

• Cert Education Program

Hear what Anthony Lim, from IBM, has to say about CSSLP

My CSSLP Certification

Why is Web Application Security Important?

• Easiest way to compromise hosts, networks and users.

• Widely deployed.

• No Logs! (POST Request payload)

• Incredibly hard to defend against or detect.

• Most don’t think of locking down web applications.

• Intrusion detection is a joke.

• Firewall? What firewall? I don’t see no firewall…

• SSL Encrypted transport layer does nothing.

Source: White Hat Security

Web Application Hacking (diagram; labels recovered from the slide)

Outer: Outer Firewall, Hardened OS, Web Server, App Server (DMZ Zone)

Inner: Inner Firewall, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing (Server farm Zone)

Custom Developed Application Code – APPLICATION ATTACK

You can't use network layer protection (Firewall, SSL, IDS, hardening) to stop or detect application layer attacks.

Network Layer / Application Layer: your security "perimeter" has huge holes at the "Application layer".

Your "Code" is Part of Your Security Perimeter

Source: White Hat Security

• Web Applications are vulnerable:

– Exposing their own vulnerabilities.

– Change frequently, requiring constant tuning of application security.

– Complex and feature rich with the advent of AJAX, Web Services and Web 2.0 (and Social Networks).

• Web Applications are threatened:

– New business models drive "for profit" hacking.

– Performed by Black hat professionals enabling complex attacks.

• Potential impact may be severe:

– Web applications are used for sensitive information and important transactions.

The Web Application Security Risk

Source: White Hat Security

Threat is Difficult to Assess

• Web Attacks are Stealth:

– Victims hide breaches.

– Incidents are not detected.

• Statistics are Skewed:

– Number of incidents reported is statistically insignificant.

Source: Breach Security

Source: Web Hacking Incidents Database

Available Sources: Attacks

• Zone-H (The Hacker Community) – http://www.zone-h.org

– The most comprehensive attack repository, very important for public awareness.

– Reported by hackers and focused on defacements.

• WASC Statistics Project – http://www.webappsec.org

• OWASP Top 10 – http://www.owasp.org

Hacking Incidents (Defacement)


Key Principle: PPT / CIA (diagram; labels recovered from the slide)

3 Pillars of ICT: People, Process, Technology (Tool)

3 Pillars of Security: Confidentiality, Integrity, Availability (threatened by Disclosure, Alteration, Disruption)

Root Causes of Application Insecurity: PPT

• People and Organization Examples

– Lack of Application Security training

– Roles & Responsibilities not clear

– No budget allocated

• Process Examples

– Underestimated risks

– Missed requirements

– Inadequate testing and reviews

– Lack of metrics

– Lack of implementing Best Practices or Standards

– No detection of attacks

• Technology Examples

– Lack of appropriate tools

– Lack of common infrastructure

– Configuration errors

Custom Code (diagram; labels recovered from the slide)

Business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions

Root causes shown against the custom code:

– Untrained People and Organizational Structure Issues

– Missing or Inadequate Processes

– Missing or Inadequate Tools, Libraries, or Infrastructure

Source: OWASP

People / Processes / Technology

Awareness

Training

Guidelines

Secure Development

Secure Configuration

Security Testing

Secure Code Review

Automated Testing

Application Firewalls

SDLC & OWASP Guidelines

Source: OWASP


Source: Microsoft

What is OWASP?

The Open Web Application Security Project (OWASP) is:

A not-for-profit worldwide charitable organization focused on improving the security of application software.

Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.

Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Source: http://www.owasp.org

OWASP Foundation has over 130 Local Chapters


What is WebGoat?

WebGoat is a deliberately insecure J2EE web application maintained by OWASP, designed to teach web application security lessons (including the OWASP Top 10).

In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.

WebGoat Installation

Windows – (Download, Extract, Double Click Release)

1. To start Tomcat, browse to the WebGoat directory unzipped above and double click "webgoat.bat"

2. Start your browser and browse to http://localhost/WebGoat/attack (notice the capital 'W' and 'G')

3. Log in as: user = guest, password = guest

4. To stop WebGoat, simply close the window you launched it from.

WebGoat Lesson 1

WebGoat Lesson 2

WebGoat Lesson 3

Solution: WebGoat Lesson 3

True OR ? = True

WebGoat Lesson 4

Solution: WebGoat Lesson 4

WebGoat Lesson 5

Solution: WebGoat Lesson 5 – Use Tamper Data (Firefox plug-in) to edit the variable value: AccessControlMatrix.help" | net user"
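The two solution slides above point at two root causes that the lessons are built to teach: Lesson 3 works because user input is pasted into an SQL statement and a tautology ("True OR ? = True") makes the WHERE clause always true, and Lesson 5 works because a request parameter is pasted into an OS command line, so a tampered value such as the one on the slide reaches the shell. The following is an added example, not code from the presentation or from WebGoat, showing the defect beside its fix for both cases. The user table, the help-file directory /opt/webgoat/help and the shape of the help command (`type "<file>"`) are assumptions made for the demonstration; nothing here executes a command.

```python
import re
import sqlite3
from pathlib import PurePosixPath

# Constructed sample data standing in for a login table (not WebGoat's schema).
SAMPLE_USERS = [("guest", "guest"), ("admin", "placeholder-password")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Lesson 3 pattern: the input is spliced into the SQL text, so a
    tautology in the password field turns the WHERE clause into
    (name = '...' AND password = '') OR '1'='1', which matches every row."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY name" % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Fix: bind the values as parameters; the driver never parses them as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def help_command_vulnerable(value):
    """Lesson 5 pattern (assumed command shape): the parameter is pasted into a
    shell command line. Returned as a string only, to show what the shell
    would receive; it is deliberately never executed here."""
    return 'type "%s"' % value


# Allowlist for the help-file parameter: a bare file name ending in .help.
HELP_NAME = re.compile(r"[A-Za-z0-9_]+\.help")


def resolve_help_file(value, base="/opt/webgoat/help"):
    """Fix: validate the parameter against an allowlist and build a path inside
    a fixed directory; read the file directly instead of shelling out."""
    if not HELP_NAME.fullmatch(value):
        raise ValueError("rejected help-file parameter: %r" % value)
    return str(PurePosixPath(base) / value)


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(conn, "guest", tautology))
    print("safe login:      ", login_safe(conn, "guest", tautology))
    tampered = 'AccessControlMatrix.help" | net user"'
    print("shell would get: ", help_command_vulnerable(tampered))
    try:
        resolve_help_file(tampered)
    except ValueError as err:
        print("rejected:        ", err)
    print("accepted:        ", resolve_help_file("AccessControlMatrix.help"))
```

The detection angle follows from the same two functions: a login that returns more than one row, or a help-file parameter containing quotes or pipe characters, is exactly the kind of anomaly the "No Logs!" slide says network-layer devices never see, so it has to be logged and rejected inside the application.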

Question & Answer

Thank You

Surachai Chatchalermpun – surachai.c@pttict.com