You are previewing Secure and Resilient Software Development.
O'Reilly logo
Secure and Resilient Software Development

Book Description

Although many software books highlight open problems in secure software development, few provide easily actionable, ground-level solutions. Breaking the mold, Secure and Resilient Software Development teaches you how to apply best practices and standards for consistent and secure software development. It details specific quality software development strategies and practices that stress resilience requirements with precise, actionable, and ground-level inputs.

Providing comprehensive coverage, the book illustrates all phases of the secure software development life cycle. It shows developers how to master non-functional requirements including reliability, security, and resilience. The authors provide expert-level guidance through all phases of the process and supply many best practices, principles, testing practices, and design methodologies.

For updates to this book and ongoing activities of interest to the secure and resilient software community, please visit:www.srsdlc.com

"Secure and Resilient Software Development provides a strong foundation for anyone getting started in application security. Most application security books fall into two categories: business-oriented and vague or ridiculously super technical. Mark and Laksh draw on their extensive experience to bridge this gap effectively. The book consistently links important technical concepts back to the business reasons for application security with interesting stories about real companies dealing with application security issues."

—Jeff Williams, Chair, The OWASP Foundation

Table of Contents

    1. How This Book Is Organized
    1. 1.1 Vulnerabilities Abound
      1. 1.1.1 Security Flaws Are Omnipresent
      2. 1.1.2 Cars Have Their Share of Computer Problems Too
    2. 1.2 Tracing the Roots of Defective Software
    3. 1.3 What Are the True Costs of Insecure Software to Global Enterprises?
    4. 1.4 Addressing Security Questions Addresses Resilience
    5. 1.5 References
    1. 2.1 Functional Versus Nonfunctional Requirements
    2. 2.2 Testing Nonfunctional Requirements
    3. 2.3 Families of Nonfunctional Requirements
    4. 2.4 Availability
    5. 2.5 Capacity
    6. 2.6 Efficiency
    7. 2.7 Interoperability
    8. 2.8 Manageability
    9. 2.9 Cohesion
    10. 2.10 Coupling
    11. 2.11 Maintainability
    12. 2.12 Performance
    13. 2.13 Portability
    14. 2.14 Privacy
    15. 2.15 Recoverability
    16. 2.16 Reliability
    17. 2.17 Scalability
    18. 2.18 Security
    19. 2.19 Serviceability/Supportability
    20. 2.20 Characteristics of Good Requirements
    21. 2.21 Eliciting Nonfunctional Requirements
    22. 2.22 Documenting Nonfunctional Requirements
    23. 2.23 References
    1. 3.1 Resilience and Security Begin from Within
    2. 3.2 Requirements Gathering and Analysis
    3. 3.3 Systems Design and Detailed Design
      1. 3.3.1 Functional Decomposition
      2. 3.3.2 Categorizing Threats
      3. 3.3.3 Ranking Threats
      4. 3.3.4 Mitigation Planning
    4. 3.4 Design Reviews
    5. 3.5 Development (Coding) Phase
      1. 3.5.1 Static Analysis
      2. 3.5.2 Peer Review
      3. 3.5.3 Unit Testing
    6. 3.6 Testing
    7. 3.7 Deployment
    8. 3.8 Security Training
    9. 3.9 References
    1. 4.1 Critical Concepts
    2. 4.2 The Security Perimeter
    3. 4.3 Attack Surface
      1. 4.3.1 Mapping the Attack Surface
      2. 4.3.2 Side Channel Attacks
    4. 4.4 Application Security and Resilience Principles
    5. 4.5 Practice 1: Apply Defense in Depth
    6. 4.6 Practice 2: Use a Positive Security Model
    7. 4.7 Practice 3: Fail Securely
    8. 4.8 Practice 4: Run with Least Privilege
    9. 4.9 Practice 5: Avoid Security by Obscurity
    10. 4.10 Practice 6: Keep Security Simple
    11. 4.11 Practice 7: Detect Intrusions
      1. 4.11.1 Log All Security-Relevant Information
      2. 4.11.2 Ensure That the Logs Are Monitored Regularly
      3. 4.11.3 Respond to Intrusions
    12. 4.12 Practice 8: Don’t Trust Infrastructure
    13. 4.13 Practice 9: Don’t Trust Services
    14. 4.14 Practice 10: Establish Secure Defaults
    15. 4.15 Mapping Best Practices to Nonfunctional Requirements
    16. 4.16 References
    1. 5.1 Design Phase Recommendations
      1. 5.1.1 Misuse Case Modeling
      2. 5.1.2 Security Design and Architecture Review
      3. 5.1.3 Threat and Risk Modeling
      4. 5.1.4 Risk Analysis and Modeling
      5. 5.1.5 Security Requirements and Test Case Generation
    2. 5.2 Design to Meet Nonfunctional Requirements
    3. 5.3 Design Patterns
    4. 5.4 Architecting for the Web
    5. 5.5 Architecture and Design Review Checklist
    6. 5.6 References
    1. 6.1 The Evolution of Software Attacks
    2. 6.2 The OWASP Top
      1. 6.2.1 A1: Injection
      2. 6.2.2 A2: Cross-Site Scripting
      3. 6.2.3 A3: Broken Authentication and Session Management
      4. 6.2.4 A4: Insecure Direct Object References
      5. 6.2.5 A5: Cross-Site Request Forgery
      6. 6.2.6 A6: Security Misconfiguration
      7. 6.2.7 A7: Failure to Restrict URL Access
      8. 6.2.8 A8: Unvalidated Redirects and Forwards
      9. 6.2.9 A9: Insecure Cryptographic Storage
      10. 6.2.10 A10: Insufficient Transport Layer Protection
    3. 6.3 OWASP Enterprise Security API (ESAPI)
      1. 6.3.1 Input Validation and Handling
      2. 6.3.2 Client-Side Versus Server-Side Validation
      3. 6.3.3 Input Sanitization
      4. 6.3.4 Canonicalization
      5. 6.3.5 Examples of Attacks due to Improper Input Handling
      6. 6.3.6 Approaches to Validating Input Data
      7. 6.3.7 Handling Bad Input
      8. 6.3.8 ESAPI Interfaces
    4. 6.4 Cross-Site Scripting
      1. 6.4.1 Same Origin Policy
      2. 6.4.2 Attacks Through XSS
      3. 6.4.3 Prevention of Cross-Site Scripting
      4. 6.4.4 ESAPI Interfaces
    5. 6.5 Injection Attacks
      1. 6.5.1 SQL Injection
      2. 6.5.2 Stored Procedures
      3. 6.5.3 Identifying SQL Injection and Exploitation
      4. 6.5.4 Defending Against SQL Injection
      5. 6.5.5 Creating SQL Queries
      6. 6.5.6 Additional Controls to Prevent SQL Injection Attacks
      7. 6.5.7 ESAPI Interfaces
    6. 6.6 Authentication and Session Management
      1. 6.6.1 Attacking Log-in Functionality
      2. 6.6.2 Attacking Password Resets
      3. 6.6.3 Attacking Sensitive Transactions
    7. 6.7 Cross-Site Request Forgery
      1. 6.7.1 CSRF Mitigation
    8. 6.8 Session Management
      1. 6.8.1 Attacking Log-out Functionality
      2. 6.8.2 Defenses Against Log-out Attacks
      3. 6.8.3 Defenses Against Cookie Attacks
      4. 6.8.4 Session Identifiers
      5. 6.8.5 ESAPI Interfaces
    9. 6.9 Access Control
      1. 6.9.1 Avoiding Security Through Obscurity
      2. 6.9.2 Access Control Issues
      3. 6.9.3 Testing for Broken Access Control
      4. 6.9.4 Defenses Against Access Control Attacks
      5. 6.9.5 Administrator Interfaces
      6. 6.9.6 Protecting Administrator Interfaces
      7. 6.9.7 ESAPI Interfaces
    10. 6.10 Cryptography
      1. 6.10.1 Hashing and Password Security
      2. 6.10.2 Attacking the Hash
      3. 6.10.3 Precomputed Attacks
      4. 6.10.4 Message Authentication Code (MAC)
      5. 6.10.5 Home-Grown Algorithms
      6. 6.10.6 Randomness and Pseudo-Randomness
      7. 6.10.7 ESAPI Interfaces
    11. 6.11 Error Handling
      1. 6.11.1 User Error Messages
      2. 6.11.2 Log-in Error Messages—A Case Study
      3. 6.11.3 Error Message Differentiation
      4. 6.11.4 Developer Error Messages
      5. 6.11.5 Information to Be Kept Private
      6. 6.11.6 Structured Exception Handling
      7. 6.11.7 ESAPI Interfaces
    12. 6.12 Ajax and Flash
      1. 6.12.1 AJAX Application Traffic
      2. 6.12.2 AJAX Client Requests
      3. 6.12.3 Server Responses
      4. 6.12.4 Typical Attacks Against AJAX Applications
      5. 6.12.5 Security Recommendations for AJAX Applications
      6. 6.12.6 Adobe Flash—Sandbox Security Model
      7. 6.12.7 Cross-Domain Policy
      8. 6.12.8 Restrict SWF Files Embedded in HTML
      9. 6.12.9 Attacking Flash Applications
      10. 6.12.10 Securing Flash Applications
    13. 6.13 Additional Best Practices for Software Resilience
      1. 6.13.1 Externalize Variables
      2. 6.13.2 EncryptedProperties—Method Summary
      3. 6.13.3 Initialize Variables Properly
      4. 6.13.4 Do Not Ignore Values Returned by Functions
      5. 6.13.5 Avoid Integer Overflows
    14. 6.14 Top 10 Secure Coding Practices
    15. 6.15 Fifty Questions to Improve Software Security
    16. 6.16 References
    1. 7.1 Embedded Systems
      1. 7.1.1 Bad Assumptions About Embedded Systems Programming
      2. 7.1.2 New Mantras
      3. 7.1.3 The Framework
    2. 7.2 Distributed Applications/Cloud Computing
      1. 7.2.1 Representational State Transfer (REST)
      2. 7.2.2 REST Stateless Authentication
      3. 7.2.3 Attacking Distributed APIs
      4. 7.2.4 Securing Distributed APIs
    3. 7.3 Mobile Applications
      1. 7.3.1 BlackBerry
      2. 7.3.2 Windows Mobile
      3. 7.3.3 iPhone
      4. 7.3.4 Mobile Application Security
    4. 7.4 References
    1. 8.1 Fixing Early Versus Fixing After Release
    2. 8.2 Testing Phases
    3. 8.3 Unit Testing
    4. 8.4 Manual Source Code Review
    5. 8.5 The Code Review Process
    6. 8.6 Automated Source Code Analysis
      1. 8.6.1 Automated Reviews Compared with Manual Reviews
      2. 8.6.2 Commercial and Free Source Code Analyzers
      3. 8.6.3 Fortify
    7. 8.7 Acquiring Commercial or Open-Source Analysis Tools
    8. 8.8 Deployment Strategy
      1. 8.8.1 IDE Integration for Developers
      2. 8.8.2 Build Integration for Governance
    9. 8.9 Regulatory Compliance
    10. 8.10 Benefits of Using Source Code Analyzers
    11. 8.11 Penetration (Pen) Testing
      1. 8.11.1 Penetration Testing Tools
      2. 8.11.2 Automated Black Box Scanning
      3. 8.11.3 Deployment Strategy
      4. 8.11.4 Gray Box Testing
      5. 8.11.5 Limitations and Constraints of Pen Testing Tools
    12. 8.12 References
    1. 9.1 The Problems with Shrink-Wrapped Software
    2. 9.2 The Common Criteria for Information Technology Security Evaluation
      1. 9.2.1 Harmonizing Evaluation Criteria
      2. 9.2.2 Development
      3. 9.2.3 Evaluation
      4. 9.2.4 Operation
      5. 9.2.5 Key Concepts of the Common Criteria
      6. 9.2.6 The Security Framework
      7. 9.2.7 The Common Criteria Approach
      8. 9.2.8 The Security Environment
      9. 9.2.9 The Common Criteria Portal
      10. 9.2.10 Criticisms of the CC
    3. 9.3 The Commercial Community Responds
      1. 9.3.1 The BITS/FSTC Security Assurance Initiative
    4. 9.4 ICSA Labs
      1. 9.4.1 Evaluation Methodology
      2. 9.4.2 Certification Criteria
      3. 9.4.3 ICSA Labs Testing and Certification Process
    5. 9.5 Veracode’s VerAfied Software Assurance
      1. 9.5.1 Ratings Methodology
      2. 9.5.2 Assessing Software for the VerAfied Mark
    6. 9.6 References
    1. 10.1 Comprehensive, Lightweight Application Security Process (CLASP)
    2. 10.2 CLASP Concepts
    3. 10.3 Overview of the CLASP Process
    4. 10.4 CLASP Key Best Practices
      1. 10.4.1 Best Practice 1: Institute Awareness Programs
      2. 10.4.2 Best Practice 2: Perform Application Assessments
      3. 10.4.3 Best Practice 3: Capture Security Requirements
      4. 10.4.4 Best Practice 4: Implement Secure Development Practices
      5. 10.4.5 Best Practice 5: Build Vulnerability Remediation Procedures
      6. 10.4.6 Best Practice 6: Define and Monitor Metrics
      7. 10.4.7 Best Practice 7: Publish Operational Security Guidelines
    5. 10.5 CLASP Security Activities to Augment Software Development Processes
    6. 10.6 Applying CLASP Security Activities to Roles
    7. 10.7 Re-engineering Your SDLC for CLASP
      1. 10.7.1 Business Objectives
      2. 10.7.2 Process Milestones
      3. 10.7.3 Process Evaluation Criteria
      4. 10.7.4 Forming the Process Re-engineering Team
    8. 10.8 Sample CLASP Implementation Roadmaps
      1. 10.8.1 Green-Field Roadmap
      2. 10.8.2 Legacy Roadmap
    9. 10.9 References
    1. 11.1 Maturity Models for Security and Resilience
    2. 11.2 Software Assurance Maturity Model—OpenSAMM
      1. 11.2.1 Core Practice Areas
      2. 11.2.2 Levels of Maturity
      3. 11.2.3 Assurance
    3. 11.3 The Building Security In Maturity Model (BSIMM)
      1. 11.3.1 BSIMM Software Security Framework
    4. 11.4 BSIMM Activities
      1. 11.4.1 Governance: Strategy and Metrics
      2. 11.4.2 Governance: Compliance and Policy
      3. 11.4.3 Governance: Training
      4. 11.4.4 Intelligence: Attack Models
      5. 11.4.5 Intelligence: Security Features and Design
      6. 11.4.6 Intelligence: Standards and Requirements
      7. 11.4.7 SSDL Touchpoints : Architecture Analysis
      8. 11.4.8 SSDL Touchpoints: Code Review
      9. 11.4.9 SSDL Touchpoints: Security Testing
      10. 11.4.10 Deployment: Penetration Testing
      11. 11.4.11 Deployment: Software Environment
      12. 11.4.12 Deployment: Configuration Management and Vulnerability Management
    5. 11.5 Measuring Results with BSIMM
    6. 11.6 Helpful Resources For Implementing BSIMM
    7. 11.7 Applying BSIMM to the Financial Services Domain
      1. 11.7.1 Working Group Methodology
    8. 11.8 References
    1. 12.1 Getting Educated
      1. 12.1.1 DEVELOPER 522: Defending Web Applications
      2. 12.1.2 DEVELOPER 530: Essential Secure Coding in Java/JEE
      3. 12.1.3 DEVELOPER 541: Secure Coding in Java/JEE: Developing Defensible Applications
      4. 12.1.4 DEVELOPER 542: Web App Penetration Testing and Ethical Hacking
      5. 12.1.5 DEVELOPER 544: Secure Coding in .NET: Developing Defensible Applications
      6. 12.1.6 DEVELOPER 545: Secure Coding in PHP: Developing Defensible Applications
      7. 12.1.7 DEVELOPER 534: Secure Code Review for Java Web Apps
      8. 12.1.8 DEVELOPER 543: Secure Coding in C/C++: Developing Defensible Applications
      9. 12.1.9 Aspect Security Inc.
      10. 12.1.10 CERT Software Engineering Institute (SEI)
      11. 12.1.11 SEI Secure Coding in C and C++ Course
    2. 12.2 Getting Certified
      1. 12.2.1 Certified Secure Software Lifecycle Professional (CSSLP)
      2. 12.2.2 Why Obtain the CSSLP?
      3. 12.2.3 Benefits of Certification to the Professional
      4. 12.2.4 Benefits of Certification to the Enterprise
    3. 12.3 Getting Involved
      1. 12.3.1 Web Application Security Consortium
    4. 12.4 Reaching Out for Research
      1. 12.4.1 DHS Research Program Areas
      2. 12.4.2 The U.S. Treasury and the FSSCC
    5. 12.5 Last Call
    6. 12.6 Conclusion
    7. 12.7 References
    1. A.1 Brief Listing of the Top 25
      1. A.1.1 Insecure Interaction Between Components
      2. A.1.2 Risky Resource Management
      3. A.1.3 Porous Defenses
    2. A.2 Detailed CWE Descriptions
      1. A.2.1 CWE-79: Failure to Preserve Web Page Structure (“Cross-Site Scripting”)
      2. A.2.2 CWE-89: Improper Sanitization of Special Elements Used in an SQL Command (“SQL Injection”)
      3. A.2.3 CWE-120: Buffer Copy Without Checking Size of Input (“Classic Buffer Overflow”)
      4. A.2.4 CWE-352: Cross-Site Request Forgery (CSRF)
      5. A.2.5 CWE-285: Improper Access Control (Authorization)
      6. A.2.6 CWE-807: Reliance on Un-trusted Inputs in a Security Decision
      7. A.2.7 CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
      8. A.2.8 CWE-434: Unrestricted Upload of File with Dangerous Type
      9. A.2.9 CWE-78: Improper Sanitization of Special Elements Used in an OS Command (“OS Command Injection”)
      10. A.2.10 CWE-311: Missing Encryption of Sensitive Data
      11. A.2.11 CWE-798: Use of Hard-Coded Credentials
      12. A.2.12 CWE-805: Buffer Access with Incorrect Length Value
      13. A.2.13 CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (“PHP File Inclusion”)
      14. A.2.14 CWE-129: Improper Validation of Array Index
      15. A.2.15 CWE-754: Improper Check for Unusual or Exceptional Conditions
      16. A.2.16 CWE-209: Information Exposure Through an Error Message
      17. A.2.17 CWE-190: Integer Overflow or Wraparound
      18. A.2.18 CWE-131: Incorrect Calculation of Buffer Size
      19. A.2.19 CWE-306: Missing Authentication for Critical Function
      20. A.2.20 CWE-494: Download of Code Without Integrity Check
      21. A.2.21 CWE-732: Incorrect Permission Assignment for Critical Resource
      22. A.2.22 CWE-770: Allocation of Resources Without Limits or Throttling
      23. A.2.23 CWE-601: URL Redirection to Site (“Open Redirect”)
      24. A.2.24 CWE-327: Use of a Broken or Risky Cryptographic Algorithm
      25. A.2.25 CWE-362: Race Condition
    1. B.1 Interface Encoder
    2. B.2 Interface User
    3. B.3 Interface Authenticator
    4. B.4 Interface AccessController
    5. B.5 Interface AccessReferenceMap
    6. B.6 Interface Encryptor
    7. B.7 Interface HTTPUtilities
    8. B.8 Interface Logger