Web Development Evolution: The Business Perspective on Security
William Bradley Glisson, L. Milton Glisson, Ray Welland
glisson@dcs.gla.ac.uk, Department of Computing Science
Why?
• Data, Information, Knowledge
• “One man’s data can be another man’s knowledge, and vice versa, depending on context” (Stewart, T. A., The Wealth of Knowledge)
• “Information is the world’s new currency; information has value.” (Secret Service Director Ralph Basham)
• “Knowledge is what we buy, sell, and do” (Stewart, T. A., The Wealth of Knowledge)
Business Incentive
• The 2004 (FBI) Computer Crime and Security Survey estimates that losses from internet security breaches in the US exceeded $141 million within the last year.
• The PricewaterhouseCoopers 2004 Survey indicates that security problems are on the rise in the United Kingdom and that malicious attacks are the primary culprits.
• The Department of Trade and Industry’s (2004) survey estimates that “security breaches continue to cost” UK businesses “several billions of pounds.”
• The Deloitte 2005 Global Survey estimates that identity theft cost the UK almost a billion dollars in 2003.
Application Security
• “One dollar required to resolve an issue during the design phase grows into 60 to 100 dollars to resolve the same issue after the application has shipped.” (Secure Business Quarterly 2001)
• Gartner estimates the cost to fix a “security vulnerability during testing to be less than 2 percent of the cost of removing it from a production system.”
Truth
• Companies do not want to admit that their systems have been compromised.
• They do not want to incur the expense necessary to rectify the problem.
• They do not know how to fix the problem.
• They are not even aware that their systems have been compromised.
Soft and Hard Cost
• Telang and Wattal’s research indicates that a software vendor loses, on average, approximately 0.6% of their stock price per vulnerability announcement.
• Minimize the chance of copycat attacks on their systems until the issue has been resolved and patched.
Legislative Pressure
• Economic Espionage Act of 1996 (EEA)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Gramm-Leach-Bliley Act of 1999
• Sarbanes-Oxley Act of 2002 (SOX)
• Recently a ninety-one page bill was introduced in the Senate by Senator Patrick Leahy and Senator Arlen Specter containing new rules for corporate data security and stiff penalties for information burglars.
What is Security?
• Encryption, Secure Socket Layer (SSL), firewalls, creating and maintaining secure networks, the use of digital certificates, the different technologies used for authentication and authorization, or intrusion detection systems
• A secure system to one organization may not meet another organization’s definition of security
Security
• Confidentiality – access is restricted to the appropriate individuals.
• Integrity – assets are modified only by appropriate personnel and within guidelines.
• Availability – access is available to the appropriate parties at designated times.
(Commonly known as the CIA Triad)
Security
• How much risk is the organization willing to accept, and at what financial cost?
• Policy, procedures, standards, and technical controls (developed and implemented) define the system in terms of the CIA triad.
• A collaborative approach defines the overall security of the system within a business.
• As Alan Zeichick, Conference Chairman of the Software Security Summit, phrased it, “Software is vulnerable! Enterprises have spent millions of dollars installing network firewalls and Virtual Private Networks, but the real danger is in poorly written applications.”
Business Strategy
Encompasses all of the information about the overall business, ranging over:
• defining the scope of the business
• establishing the business models
• broad marketing strategies
• establishment of processes and policies
• acquisition and distribution of information
• overall approach to technology within the organization.
Business Strategy Perspectives
• Corporate – high-level strategy that details the organization’s purpose and scope
• Business – deals with the competition in individual markets, including market segmentation, market positioning, industry analysis, and brand value
• Operational – concerns the implementation aspect of the business, which would include optimising web site design, hardware requirements and utilization, and software requirements
Corporate Level
• Chief Executive Officers and Chief Financial Officers are potentially being held accountable for the security of their applications (SOX)
• Champions – high-level champions within the organization are more likely to succeed in changing and sustaining changes to corporate cultures
• Security needs to be viewed as a collective organizational problem
Business Level
• Businesses need to understand that their web site is their front door to the world.
• Businesses need to outline the performance standards that they are going to provide and follow through with an effective, efficient and secure value chain while providing appropriate customer service capabilities.
• If customers perceive that their data is not safe and secure, this can result in lost customers, lost future revenue, lost market advantage and possibly monetary compensation.
Operational Level
• There appears to be a lack of understanding of how to protect application code as it is developed.
• BZ Survey: “55.9 percent blamed poor programming practices” for the number of vulnerabilities in software applications.
• How does a business protect itself and capitalize on software application development in order to gain a competitive advantage for their business?
WES Solution
My PhD research has produced a possible solution, a Web Engineering Security (WES) Methodology: an independent, flexible Web Engineering development methodology that is specific to security.
• The process needs to be compatible with existing application development processes so that they are complementary, hence
• Deliverables between phases will vary with the size of the organization and the methodology it is implementing, and
• Flexible enough to be tailored to individual companies of varying size.
Web Engineering Security (WES) Methodology Principles
• Good Communication
  • Within the development team
  • With the end user (Requirements / Feedback perspective)
• Employee Education
  • Importance of security and potential organizational impact
  • Technical attacks and social engineering attacks
• Cultural Support
  • Needs to originate from upper management
  • Needs to continually be fostered by upper management
Web Engineering Security (WES) Process (process diagram)
Project Development Risk Assessment
• This step provides an opportunity for the organization’s development team to understand the application from a risk point of view and helps to generate applicable questions to address in the application security requirements phase
• Formal (Document / Board Approval)
  • Advantage for management: it presents a clear understanding of the risks before a substantial investment is made in the development of the web application
  • Disadvantage of a highly formalized process: it can slow down the development process
• Informal (Expert Opinion)
  • Advantage: faster in nature
  • Disadvantage: introduces more risk
Organizational Compatibility
• Security Policy Compatibility
  • Policies, standards, baselines, procedures, and guidelines can assist large organizations in providing cohesiveness within the organization.
  • “The goal of an information security policy is to maintain the integrity, confidentiality and availability of information resources.” (Hare, C., Policy Development)
  • In smaller organizations, policies can be implicit to the organization.
Organizational Compatibility
• Corporate Culture Compatibility
  • Employee security awareness programs, employee education on social engineering attacks, recognition of organizational norms.
  • Remind employees periodically about security policies, standards, baselines, procedures, and guidelines (integrating security into their annual evaluation).
  • Technological acceptance of corporate norms is when a solution has been implemented in the environment, becomes accepted and then becomes expected.
Organizational Compatibility
• Technological Compatibility
  • Infrastructure compatibility
    • Does the technical expertise to create new applications exist in the company?
    • Is the current code repository compatible with the proposed development?
    • Does the hardware infrastructure support the new applications?
• Value Added
  • “Value configuration(s)”: one of the goals of the organization should be to provide added value regardless of the product or service that is being offered. Technology is a major contributor to this goal in today’s marketplace.
  • How will this help add value to their organization?
Security Design / Coding
• Previously generated information allows the technical architect to pick the most appropriate technical controls from a design, risk and cost perspective.
• Encouraging programmers to adhere to coding standards, to pursue good coding practices, and to participate in code reviews will increase code readability, which will inherently improve software enhancement maintenance and patch maintenance.
• “Better software engineering development leads to more maintenance, not less” (Glass, R. L., Facts and Fallacies of Software Engineering)
Controlled Environment Implementation
• Implement in an environment that mirrors production, testing compatibility of:
  • Operating System
  • Software Configurations
  • Interfacing Programs
• Goal – Minimise Surprises!
Testing
• Programmers should be running their own battery of tests when the code is conceived
• Allotment of appropriate time
• Augment the testing process
  • Automated Tools
  • Test Scripts (Developers, Testers, End-users)
  • Outside Auditors Conducting Penetration Tests
    • White Box / Black Box
Evidence
• The National Institute of Standards and Technology (NIST) estimates that “93% of reported vulnerabilities are software vulnerabilities.”
• The Organization for Internet Safety (OIS) publishes Guidelines for Security Vulnerabilities Reporting and Response
  • “A flaw within a software system that can cause it to work contrary to its documented design and could be exploited to cause the system to violate its documented security policy.”
End User Evaluation
• All systems must be evaluated with a sample of end-users, not surrogates!
• Critical to the success of the solution
  • End user avoidance by working around security
  • Compromise due to a flaw in the design / code
  • Possibility that the application will be abused, corporate credibility lost, and financial consequences incurred.
Conclusions
• Technical solutions alone will not solve current security issues in the global web environment.
• Increasing business, legislative and societal pressures will force organizations to strategically address application security from a development perspective.
• The most effective way to handle security in the application design is to incorporate security upfront into the development methodology.
• Not following a web application development methodology that specifically addresses security is an expensive and dangerous strategy for any business.
Further Work
• Fortune 500 Financial Organization Case Study
• Industry Survey (ICWE)
• Process Observation
• Recommendations
• Recommendation Implementation
• Data Gathering
Contact Details
Brad Glisson, Department of Computing Science, University of Glasgow. E-mail: glisson@dcs.gla.ac.uk. Web: www.dcs.gla.ac.uk/~glisson/
Prof. Milton Glisson, School of Business and Economics, North Carolina A & T State University. E-mail: glissonm@ncat.edu
Prof. Ray Welland, Department of Computing Science, University of Glasgow. E-mail: ray@dcs.gla.ac.uk. Web: www.dcs.gla.ac.uk/~ray/
Extra Slides
Common Application Security Problems
• Unvalidated parameters
• Cross-site scripting
• Buffer overflows
• Command injection flaws
• Error-handling problems
• Insecure use of cryptography
• Broken access controls
Project Development Risk Assessment
• NIST – National Institute of Standards and Technology – agency of the U.S. Commerce Department’s Technology Administration.
• COBRA – Security risk analysis application
• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation – focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology.
• FRAP – Facilitated Risk Analysis Process
Agile Web Engineering (AWE) (process diagram)
AWE & WES Comparison (comparison diagram)
Secure Value Chain
• Overall, the business environment continues to become more interconnected; hence, traditional boundaries between organizations are eroding.
• This tight integration, from a security viewpoint, opens the door to a multitude of problems if an attack succeeds in compromising one of the linked systems.
Definitions
• Unvalidated Input – Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
• Broken Access Control – Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users’ accounts, view sensitive files, or use unauthorized functions.
• Broken Authentication and Session Management – Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities.
• Cross Site Scripting (XSS) Flaws – The web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.
• Buffer Overflows – Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
• Injection Flaws – Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
• Improper Error Handling – Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
• Insecure Storage – Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
• Denial of Service – Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
• Insecure Configuration Management – Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
Source: The Open Web Application Security Project (OWASP). The Ten Most Critical Web Application Security Vulnerabilities. c2004. http://www.owasp.org/index.jsp
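The Unvalidated Input, Injection Flaws and Improper Error Handling entries above, shown together in working code as an added example (not from the presentation or the WES methodology): a request handler that allow-lists a username parameter, binds it as a query parameter, and returns a generic error while logging the detail. The user table, handler names and validation rule are assumptions constructed for this illustration.

```python
"""Input validation, parameterized queries and error handling for one web
request parameter. Added example; schema and handler names are constructed."""
import logging
import re
import sqlite3

log = logging.getLogger("app")

# Constructed sample data standing in for a web application's user table.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

# Injection flaw: the request parameter is spliced straight into SQL, so the
# database cannot tell data from command (the "before" of the fix below).
def lookup_unsafe(db, username: str) -> list:
    return db.execute(
        f"SELECT email FROM users WHERE username = '{username}'").fetchall()

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # allow-list, not a deny-list

class BadRequest(Exception):
    """Raised when a request parameter fails validation."""

# Hardened: validate the parameter before use (Unvalidated Input), bind it as
# a query parameter (Injection Flaws), and never let the raw database error
# reach the client (Improper Error Handling).
def lookup_safe(db, username: str) -> list:
    if not USERNAME_RE.fullmatch(username):
        raise BadRequest("username must be 1-32 lowercase letters, digits or _")
    try:
        return db.execute(
            "SELECT email FROM users WHERE username = ?", (username,)).fetchall()
    except sqlite3.Error as exc:
        log.error("user lookup failed: %s", exc)  # detail stays in the server log
        raise RuntimeError("internal error") from None  # generic message to caller

def handle_request(db, params: dict) -> tuple:
    """Minimal request handler returning (HTTP status, body)."""
    try:
        rows = lookup_safe(db, params.get("username", ""))
    except BadRequest as exc:
        return 400, str(exc)
    except RuntimeError:
        return 500, "internal error"
    return 200, [email for (email,) in rows]

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"username": "alice"}))        # (200, [...])
    print(lookup_unsafe(db, "' OR '1'='1"))                 # every row leaks
    print(handle_request(db, {"username": "' OR '1'='1"}))  # (400, ...)
```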