SHIELDS: metrics, tools and Internet services to improve security in application developments

Copyright © 2009 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASP-Day III

Centro di Competenza ICT-Puglia - Dipartimento di Informatica Università degli Studi di Bari

23rd February 2009 - Bari (Italy)

http://www.owasp.org

SHIELDS: metrics, tools and Internet services to improve security in

application developmentsDr. Domenico RotondiTXT e-solutions SpAItaly

OWASP Day III – 23rd , February 2009 OWASP-Italy

SummarySoftware Development & Security

Why SHIELDS

SHIELDS Approach

SHIELDS Expected Impacts & Outcomes

SHIELDS Consortium

TXT interest in SHIELDS

SHIELDS and OWASP

SHIELDS Summary Data


Software Development & SecuritySoftware vulnerabilities becoming critical due to:Law/regulation (Sarbanes-Oxley Act, Health Insurance

Portability and Accountability Act, Online Privacy Protection Act, Privacy Protection, …)

Direct economic losses (data breach recovery $140/record - source : Ponemon Institute survey)

Business reputation damageCustomers productivity losses (downtime, recovery, …)

Certification Programmes (e.g. Microsoft Dynamics Industry Solutions Initiative)

…


Software Development & Security

Continuous growth in software vulnerabilities: Jan-Jun 2007 vulnerabilities > 3400 Jan-Dec 2001 vulnerabilities ≈ 1528

source : Microsoft Security Intelligence Report

02000400060008000

10000

2001 2002 2003 2004 2005 2006

NVDCERT

OSVDB



Security industry is becoming more efficient:Security-enhanced SW Development Life Cycle

(Microsoft SDL-SD3 Framework, OWASP CLASP, …)

Improved code scanning toolsFuzz testing techniques & tools…


Software Development & SecuritySW development industry objectives: Improved SW qualityOverall (development+maintenance) costs

reduction

Current tools coverage

Tools coverage

trend



First results:Security-enhanced SW Development Life CycleGuidelines (OWASP: Guide to Building Secure Web

Applications, Testing Guide, Code Review Guide, …) Checklists (e.g.: Microsoft ASP.NET 2.0 Security

Checklist, OWASP Top Ten Project, …)Security training/awarenessSpecific/improved toolsMore secure code libraries (e.g.: OWASP Enterprise

Security API, Microsoft security-enhanced versions of CRT functions, …)



First quantitative results:Microsoft: 50% vulnerabilities reduction with

SDLMicrosoft Windows Server 2003 vs Windows 2000 Server



First quantitative results:Microsoft Windows Vista vs Windows XP


Why SHIELDS?


Why SHIELDS?Security information is unsuitable for

developers

No information on solutions or tools that help developers discover or eliminate vulnerability

Risk assessment info for users and system administrators

• Very general overview targeted at users and system administrators• Nothing concerning how it is manifested in the software or what causes it


Why SHIELDS?

Islands of security tools and methods


Why SHIELDS?

Other factors:Lack of security expertiseCosts of security expertiseReuse of security vulnerabilities knowledge:

Across development phases Across tools Among designers/developers/testers/…

…


SHIELDS ApproachSharing security knowledge


SHIELDS Approach

A new approach:Security models:

vulnerabilities countermeasures Misuse and abuse

Methods that use security modelsTools that use security modelsSame model used in many ways


SHIELDS Approach

A model based approach (ex of a Vulnerability Cause

Graph):

Derived inspection ruleVerify that there is a range check associated with every data copy

Derived static analysis rule'memcpy($d,_,$l)' verify(len(d) <= l)

Derived testing rulememcpy(d,s,_) inject(len(s) > len(d))


SHIELDS ApproachSHIELDS and Software development phases:


Security Activities Related To Development Phases

Requirement ImplementationDesign Test

Selecting mitigation strategies

Goal driven inspection

Vulnerability driven inspection

Secu

rity ed

ucati

on

on vu

lnerab

ility

caus

es

Security goal and vulnrability class

identification

Vulnerability Cause Presence Testing


SHIELDS Tools to support the Developmet phases

Scenario based inspection Goat (modelling)

Misuse Case SeaMonster (modelling) (see http://seamonster.wiki.sourceforge.net/)

Under Construction!Please see http://www.shields-project.eu/For updates

Graphical User Interface to access and Search SVRS SHIELDS repository


SHIELDS Approach

SHIELDS advantages:Reduced/no duplication of effort:

Every update can potentially affect all tools SHIELDS reported vulnerabilities can impact all phases

Higher assurance: Tools can quickly acquire knowledge to face new

vulnerabilities Improved software quality:

Developers get more and better security information Developers improve their security expertise

…


SHIELDS Expected ImpactsIncreasing security to enhance trust

Supporting

Justifying

For

For

Helping them create

Better security information

Better security tools

Developers

More secure software

Lower risk

More trust

Provides

Leading to

More robust

Which is

Trusted computing infrastructures ensuring interoperability and end-to-end security of data and services; increased security and dependability in the engineering of software systems to ensure the design and development of trustworthy applications and services

Supporting

Supporting

Provides


SHIELDS Expected Outcomes

SHIELDS Repository Service:A network accessible service providing:

guidelines Models (vulnerabilities, countermeasures, Misuse and

abuse) Tools

Security tools: Partners provided (Search-Lab, Montimage, Fraunhofer)

…


SHIELDS Expected Outcomes

Certification programmes:


SHIELDS Consortium



TXT e-solutions Spa:TXT (www.txtgroup.com) is specialized in

modular software products and solutions for: Demand & Supply Chain Management Content Management

TXT presence:



Demand & SC Mgm: TXTPERFORM Suite



MM-Multichannel Content Mgm: TXTPolymedia



TXT Software Development activities: Internal:

TXTPerform: whole Software Development Lifecycle TXTPolymedia: whole Software Development

Lifecycle

External: SW Quality Assurance (not security related): mainly for

M&T customers Ad-hoc development

ISO 9001/2000 certified processes!


TXT interest in SHIELDSLanguages & platforms:

TXTPerform:

C++, C# and Microsoft .Net Framework 3.0

Microsoft SQL Server, Oracle

TXTPolymedia:

Java

Open Source platforms (Apache, JBOSS, …)

Microsoft SQL Server, Oracle, …

TXT Typical SW company with all dvp problems


TXT interest in SHIELDSDevelopment lifecycles revised since 2005:

to address security issues:

Based on Microsoft Trustworthy Computing Security Development Lifecycle

Adopted for all products’ major releases

to certify TXT products:

Microsoft Industry Builder Initiative (IBI): TXTDemand certified since 2006

Microsoft Dynamics Industry Solutions program (MDIS): TXTPerform 2008 certified in January 2009

…


SHIELDS - OWASP

SHIELDS contributions: SHIELDS is in line with OWASP goals

SHIELDS can contribute to the OWASP projects

OWASP contributions to SHIELDS: SHIELDS needs input from the OWASP specialized

community

SHIELDS needs feedbacks from the OWASP community

SHIELDS needs support to improve its work

SHIELDS needs support to validate its work


SHIELDS Project Relevant Data

Project data: EU FP7 Theme:

ICT-2007.1.4: Secure dependable and trusted infrastructures

Type: Collaborative Project (STREP) Duration: 30 months Start: January 1, 2008

SHIELDS contacts: Coordinator: Professor Nahid Shahmehri (Linköpings

universitet, [email protected]) Dissemination Manager: Alessandra Bagnato (TXT e-

solutions Spa, [email protected]) Project Web site: http://www.shields-project.eu


Thanks for your attention!

SHIELDS: metrics, tools and Internet services to improve security in application developments

Documents