Secure Development Lifecycle

Secure Coding Practices & Development

Penetration Testing — January 8, 2017

Week 4

Penetration testing refers to the security evaluation of an IT system by exploiting its vulnerabilities. It is important to understand the difference between vulnerability scanning and penetration testing. Unfortunately, in the industry today these two terms are used interchangeably, which has caused a fair bit of confusion. The goal of vulnerability scanning is to identify and report on the known vulnerabilities that are found in the system. Penetration testing goes a step further and tries to exploit all known and unknown vulnerabilities that may exist in a system. It’s important to note that penetration testing isn’t limited to the application. As part of the tests it also aims to identify vulnerabilities in the operating system, the network and any controls or processes that are deployed with it.

Penetration testing can be performed either with automated tools or manually. Both approaches are conducted with the same purpose, i.e. to exploit vulnerabilities. The main difference between the two is how they’re performed. Automated tests, as the name suggests, are performed without any user intervention, whereas manual tests are performed by users who are experts in the field.

Automated tools are used to improve testing efficiency and discover issues that might be difficult to find using manual analysis techniques alone. Automated tools make use of two testing techniques known as static and dynamic scans. Static scans focus primarily on the binaries of the application, which consist of the compiled code. The static scan determines all the available entry points and functions within each binary and executes automated tests to find vulnerabilities. Depending on the sophistication of the product used, the static scan may also report the absence of functionality that may lead to security breaches, for example missing encryption or hard-coded usernames/passwords in the source code. Dynamic scans are used to perform real-time automated testing of web applications such as web sites and web services. Dynamic scans focus mainly on form input validation, cross-site scripting, and the security of the HTTP traffic between the source and destination.

Manual penetration testing is used on top of the automated tests. It overlays human expertise on top of testing performed by the automated tools. The main benefit of manual testing is that the security experts can look into the design, architecture and business rules of the application and identify security flaws.

References:

https://www.coresecurity.com/penetration-testing-overview
https://www.veracode.com/security/penetration-testing

Source Code Analysis — December 17, 2016

Week 3

Security in any industry today is a major competitive advantage. Any attack on an organization can reduce its credibility, decrease profits, reduce productivity and cost a lot of money. Source code analysis means analyzing the application code for security flaws and vulnerabilities. The purpose of analyzing source code for security flaws is to find backdoors in the application that may be used by attackers to inject malicious code.

Until a few years ago the majority of applications were desktop based, which meant that an attacker first needed access to the workstation to get access to the application. However, with web applications becoming the norm and most applications exposing web-based APIs, analyzing source code for security flaws is more important than ever. The web opens up the application to a wider audience, making it a prime target for attacks.

Over the years a number of tools have existed for analyzing source code, but most have been inadequate. The main challenge for these tools remains detecting real problems rather than false positives that developers may spend a lot of time diagnosing. Another challenge for such tools is to support a wide variety of development languages. Java, C#, C++, Python, Ruby, VB, iOS, PHP and JavaScript are only some of the languages the tools must support. Traditionally, the software development group finishes its coding and releases the application to QA, which runs security tests as part of its process. However, the real benefit of source analysis tools comes when they are used during the software development process. Some tools are starting to integrate right into the integrated development environment (IDE), running code analysis in real time and providing feedback to the developer right away.
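To make the false-positive problem concrete, here is a small static check for hard-coded passwords, one of the findings static scans are described as reporting in the penetration testing post. It is an added example, not code from Klocwork, Veracode or any other tool; the name fragments, placeholder list and sample source are assumptions constructed for illustration.

```python
import ast

# Name fragments that suggest a credential (assumed list for this example).
SUSPECT_NAMES = ("password", "passwd", "pwd", "secret", "api_key", "token")
# Obvious placeholder values, skipped to reduce false positives (assumed list).
PLACEHOLDERS = {"", "changeme", "xxx", "<password>", "none"}

def _is_suspect(name):
    return any(frag in name.lower() for frag in SUSPECT_NAMES)

def find_hardcoded_credentials(source):
    """Return sorted (line, name) pairs where a credential-like name gets a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        pairs = []
        if isinstance(node, ast.Assign):
            # password = "..."  or  self.password = "..."
            for target in node.targets:
                if isinstance(target, ast.Name):
                    pairs.append((target.id, node.value))
                elif isinstance(target, ast.Attribute):
                    pairs.append((target.attr, node.value))
        elif isinstance(node, ast.Call):
            # connect(user="admin", password="...")
            pairs = [(kw.arg, kw.value) for kw in node.keywords if kw.arg]
        for name, value in pairs:
            if not _is_suspect(name):
                continue
            # Only string literals count; environment lookups and calls are not flagged.
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                if value.value.strip().lower() not in PLACEHOLDERS:
                    findings.append((value.lineno, name))
    return sorted(findings)

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
import os
db_password = "S3cr3t!prod"
api_token = os.environ["API_TOKEN"]
password_prompt = "changeme"
conn = connect(host="db", user="admin", password="hunter2")
label = "Enter your password"
'''

if __name__ == "__main__":
    for line, name in find_hardcoded_credentials(SAMPLE):
        print(f"line {line}: hard-coded value assigned to '{name}'")
```

A plain text search for "password" would flag five of the six sample lines; checking which name receives a literal value narrows that to the two real findings.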

There are quite a few source code analysis tools out there and the following two in my opinion are the best of them.

Klocwork
Veracode

References:

https://www.veracode.com/
http://www.klocwork.com/
https://www.owasp.org/index.php/Source_Code_Analysis_Tools

What is Secure Development Life Cycle? — December 10, 2016

Week 2

Most software organizations have well-defined processes in place that ensure software is released with quality and on schedule. In recent years, due to security threats and hacks, a lot of emphasis is being placed on incorporating security in the software development life cycle. Introducing security during the software development life cycle can result in cost reduction and reduction of business risks.

Generally speaking, SDLC (Software Development Life Cycle) is a framework that defines a number of processes that are followed by an organization to build applications. There are a number of proposed models such as Waterfall, Spiral, Agile etc., but it’s safe to assume the following steps are generally followed in any model:

  1. Requirements gathering
  2. Design
  3. Implementation
  4. Testing
  5. Release
  6. Maintenance

In the past the usual practice would be to focus on security as part of the “Testing” phase by executing methods such as penetration testing or code reviews. However, in most cases it has resulted in a high number of flaws getting discovered too late or, worse, not discovered at all. Also, because of the nature of security issues, these would require re-coding or redesigning the application, resulting in cost and schedule issues.

So how do we change this? The goal of the secure software development life cycle is to incorporate security in the early stages. This means starting at the requirements phase, where the security of the application should be thought out alongside the functional requirements. As a developer it becomes your responsibility to educate yourself and your peers to think about security first when coding and to define metrics of success. Senior management should invest in hiring and training employees with appropriate tools and reach out for outside help if required.

References:

Secure Software Development Practices retrieved from http://www.veracode.com/security/secure-development

What Is the Secure Software Development Life Cycle? retrieved from https://www.cigital.com/blog/what-is-the-secure-software-development-lifecycle/

What’s the Blog About? — December 3, 2016

Week 1

Hello,

In the coming weeks I will be blogging about Secure Development Life Cycle process. I feel that in many organizations a lot of focus is placed on Software Development Life Cycle without taking into consideration the security and the possible hacks that may occur because of poorly written insecure code. Most of the security flaws are discovered during audits or penetration testing performed by an outside organization. Even worse, in many organizations the security flaws are discovered due to a hacking attempt.

The goal of the blog series would be to understand the importance of Secure Development Life Cycle and look into how this can be embedded into the Software Development Life Cycle. In many cases it’s simply a matter of following policies and agreed-upon coding standards, and understanding that the application may be hacked by an intruder. As we go along understanding the Secure Development Life Cycle, we will also look at some of the common techniques by which code can be hacked and possible remedies. Following are some of the topics we will be discussing:

  • What is Secure Development Life Cycle?
  • Code Security Analysis
  • Manual Penetration Testing Vs. Automated Testing
  • Ethical Hacking
  • Code Security Analysis and Continuous Integration
  • XSS (Cross Site Scripting)
  • SQL Injection
  • JavaScript Security
  • Flash Security
  • Veracode – Application Security Solution

With this series I hope to improve my understanding of Secure Development Life Cycle and in the process I hope you find it useful as well.