Title: glissondcs.gla.ac.uk
1Web Development Evolution The Business
Perspective on Security
- William Bradley Glisson
-
- L. Milton Glisson
- Ray Welland
-
2Why?
- Data, Information, Knowledge
- One mans data can be another mans knowledge,
and vice versa, depending on context - (Stewart, T. A., The Wealth of Knowledge. )
- "Information is the world's new currency
information has value. (Secret Service Director
Ralph Basham ) - Knowledge is what we buy, sell, and do
- (Stewart, T. A., The Wealth of Knowledge. )
3Business Incentive
- The 2004 (FBI) Computer Crime and Security Survey
estimates that losses from internet security
breaches, in the US, exceeded 141 million within
the last year. - PricewaterhouseCoopers 2004 Survey indicates that
security problems are on the rise in the United
Kingdom and that malicious attacks are the
primary culprits. - The Department of Trade and Industrys (2004)
survey estimates security breaches continue to
cost UK businesses several billions of pounds. - The Deloitte 2005 Global Survey estimates that
identity theft cost the UK almost a billion
dollars in 2003.
4Application Security
One dollar required to resolve an issue during
the design phase grows into 60 to 100 dollars to
resolve the same issue after the application has
shipped. (Secure Business Quarterly
2001) Gartner estimates that the cost to fix a
security vulnerability during testing to be less
than 2 percent of the cost of removing it from a
production system.
5Truth
- Companies do not want to admit that their systems
have been compromised - They do not want to incur the expense necessary
to rectify the problem - They do not know how to fix the problem
- They are not even aware that their systems have
been compromised.
6Soft and Hard Cost
- Telang and Wattals research indicates that a
software vendor loses, on average, approximately
0.6 of their stock price per vulnerability
announcement. - Minimize the chance of copy cat attacks on their
systems until the issue has been resolved and
patched.
7Legislative Pressure
- Economic Espionage Act of 1996 (EEA)
- Health Insurance Portability and Accountability
Act of 1996 (HIPAA) - Graham-Leach-Bliley Act of 1999
- Sarbanes-Oxley Act of 2002 (SOX)
- Recently a ninety-one page bill was introduced in
the Senate by Senator Patrick Leahy and Senator
Arlen Specter containing new rules for corporate
data security and stiff penalties for information
burglars
8What is Security?
- Encryption, Secure Socket Layer (SSL), firewalls,
creating and maintaining secure networks, the use
of digital certificates, the different
technologies used for authentication and
authorization or intrusion detection systems - A secure system to one organization may not meet
another organizations definition of security
9Security
- Confidentiality Proper access is restricted to
the appropriate individuals. - Integrity modification of assets by appropriate
personnel within guidelines. - Availability - Access is available to the
appropriate parties at designated times. - (Commonly known as the CIA Triad)
10Security
- How much risk is the organization willing to
accept and at what financial cost? - Policy, procedures, standards, and technical
controls (developed implemented) will define
the systems in terms of the CIA. - Collaborative approach defines overall security
of the system within a business. - As Alan Zeichick, Conference Chairman of the
Software Security Summit, phrased it, "Software
is vulnerable! Enterprises have spent millions of
dollars installing network firewalls and Virtual
Private Networks, but the real danger is in
poorly written applications
11Business Strategy
- Encompasses all of the information about the
overall business that ranges over defining the - scope of the business
- establishing the business models
- broad marketing strategies
- establishment of processes and policies
- acquisition and distribution of information
- overall approach to technology within the
organization.
12Business Strategy Perspectives
- Corporate -high level strategy that details the
organizations purpose and scope - Business - deals with the competition in
individual markets including market segmentation,
market positioning, industry analysis, and brand
value - Operational - concerns the implementation aspect
of the business which would include optimising
web site design, hardware requirements and
utilization and software requirements
13Corporate Level
- Chief Executive Officers and Chief Financial
Officers are potentially being held accountable
for the security of their applications (SOX) - Champions - high level champions within the
organization are more likely to succeed in
changing and sustaining changes to corporate
cultures - Security needs to be viewed as a collective
organizational problem
14Business Level
- Businesses need to understand that their web site
is their front door to the world. - Businesses need to outline the performance
standards that they are going to provide and
follow through with an effective, efficient and
secure value chain while providing appropriate
customer service capabilities. - If customers perceive that their data is not safe
and secure, this can result in lost customers,
lost future revenue, lost market advantage and
possibly monetary compensation.
15Operational Level
- There appears to be a lack of understanding on
how to protect application code as it is
developed. - BZ Survey 55.9 percent blamed poor programming
practices for the number of vulnerabilities in
software applications. - How does a business protect itself and capitalize
on software application development in order to
gain a competitive advantage for their business.
16WES Solution
- My PhD research has produced a possible solution,
A Web Engineering Security (WES) Methodology. -
- An independent flexible Web Engineering
development methodology that is specific to
security. - The process needs to be compatible with existing
application development processes so that they
are complementary, hence - Deliverables between phases will vary on the size
of the organizational and the methodology they
are implementing, and - Flexible enough to be tailored to individual
companies of varying size.
17Web Engineering Security (WES)
- Methodology Principles
- Good Communication
- Within the development team
- With the end user (Requirements / Feedback
perspective) - Employee Education
- Importance of security potential organizational
impact - Technical attacks social engineering attacks
- Cultural Support
- Needs to originate from upper management
- Needs to continually be fostered by upper
management
18Web Engineering Security (WES) Process
19Project Development Risk Assessment
- This step provides an opportunity for the
organizations development team to understand the
application from a risk point of view and helps
to generate applicable questions to address the
application security requirements phase - Formal (Document /Board Approval)
- Advantage for management is that it presents a
clear understanding of the risks before a
substantial investment is made in the development
of the web application - Disadvantage of a highly formalized process is
that it can slow down the development process. - Informal (Expert Opinion)
- Advantage faster in nature
- Disadvantage introduces more risk
20Web Engineering Security (WES) Process
21Organizational Compatibility
- Security Policy Compatibility
- Policies, standards, baselines, procedures, and
guidelines can assist in large organizations to
provide cohesiveness within the organization. - The goal of an information security policy is to
maintain the integrity, confidentiality and
availability of information resources. (Hare,
C., Policy Development, ) - In smaller organizations, policies can be
implicit to the organization.
22Organizational Compatibility
- Corporate Culture Compatibility
- Employee security awareness programs, employee
education on social engineering attacks,
recognition of organizational norms. - Remind employees periodically about security
policies, standards, baselines, procedures, and
guidelines (Integrating security into their
annual evaluation ) - Technological acceptance of corporate norms is
when a solution has been implemented in the
environment, becomes accepted and then becomes
expected.
23Organizational Compatibility
- Technological Compatibility
- Infrastructure compatibility
- Does the technical expertise to create new
applications exist in the company? - Is the current code repository compatible with
the proposed development? - Does the hardware infrastructure support the new
applications? - Value Added
- value configuration(s) one of the goals of the
organization should be to provide added value
regardless of the product or service that is
being offered. Technology is a major contributor
to this goal in todays market place. - How will this help add value to their
organization?
24Web Engineering Security (WES) Process
25Security Design / Coding
- Previously generated information allows the
technical architect to pick the most appropriate
technical controls from a design, risk and cost
perspective. - Encouraging programmers to adhere to coding
standards and to pursue good coding practices,
and participate in code reviews will increase the
code readability which will inherently improve
software enhancement maintenance and patch
maintenance. - Better software engineering development leads to
more maintenance, not less - (Glass, R. L., Facts and Fallacies of Software
Engineering)
26Web Engineering Security (WES) Process
27Controlled Environment Implementation
- Implement in an environment that mirrors
production testing compatibility - Operating System
- Software Configurations
- Interfacing Programs
- Goal - Minimise Surprises!
28Web Engineering Security (WES) Process
29Testing
- Programmers should be running their own battery
of tests when the code is conceived - Allotment of Appropriate time
- Augment the testing process
- Automated Tools
- Test Script (Developers, Testers, End-users)
- Outside Auditors Conducting Penetration Tests
- White Box / Black Box
30Evidence
- The National Institute of Standards and
Technology (NIST) estimates that 93 of reported
vulnerabilities are software vulnerabilities. - Organization for Internet Safety (OIS) publishes
Guidelines for Security Vulnerabilities Reporting
and Response - A flaw within a software system that can cause
it to work contrary to its documented design and
could be exploited to cause the system to violate
its documented security policy.
31Web Engineering Security (WES) Process
32Web Engineering Security (WES) Process
33End User Evaluation
- All systems must be evaluated with a sample of
end-users, not surrogates! - Critical to the success of the solution
- End user avoidance by working around security
- Compromised due to a flaw in the design / code
- Possibility that the application will be abused,
corporate credibility lost, and financial
consequences incurred.
34Conclusions
- Technical solutions alone will not solve current
security issues in the global web environment. - Increasing business, legislative, societal
pressures will force organizations to
strategically address application security from a
development perspective - The most effective way to handle security, in the
application design, is to incorporate security
upfront into the development methodology. - Not following a web application development
methodology that specifically addresses security
is an expensive and dangerous strategy for any
business.
35Further Work
- Fortune 500 Financial Organization Case Study
- Industry Survey (ICWE)
- Process Observation
- Recommendations
- Recommendation Implementation
- Data Gathering
36Contact Details
Brad Glisson, Department of Computing
Science, University of Glasgow E-mail
glisson_at_dcs.gla.ac.uk. Web www.dcs.gla.ac.uk/gli
sson/
Prof. Milton Glisson, School of Business and
Economics, North Carolina A T State
University, E-mail glissonm_at_ncat.edu
Prof. Ray Welland, Department of Computing
Science, University of Glasgow E-mail
ray_at_dcs.gla.ac.uk. Web www.dcs.gla.ac.uk/ray/
37Extra Slides
38Common Application Security Problems
- Un-validated parameters
- Cross-site scripting
- Buffer overflows
- Command injection flaws
- Error-handling problems
- Insecure use of cryptography
- Broken Access Controls
-
39Project Development Risk Assessment
- NIST - National Institute of Standards and
Technology - agency of the U.S. Commerce
Department's Technology Administration. - COBRA - Security risk analysis application
- OCTAVE - Operationally Critical Threat, Asset,
and Vulnerability Evaluation - Focuses on
organizational risk and strategic,
practice-related issues, balancing operational
risk, security practices, and technology. - FRAP - Facilitated Risk Analysis Process
40Agile Web Engineering (AWE)
41AWE WES Comparison
42Secure Value Chain
- Overall, the business environment continues to
become more interconnected, hence, traditional
boundaries between organizations are eroding. - This tight integration, from a security view
point, opens the door to a multitude of problems,
if an attack is successful, in compromising one
of the linked systems.
43Definitions
- Unvalidated Input Information from web requests
is not validated before being used by a web
application. Attackers can use these flaws to
attack backend components through a web
application. - Broken Access Control Restrictions on what
authenticated users are allowed to do are not
properly enforced. Attackers can exploit these
flaws to access other users accounts, view
sensitive files, or use unauthorized functions. - Broken Authentication and Session Management
Account credentials and session tokens are not
properly protected. Attackers that can compromise
passwords, keys, session cookies, or other tokens
can defeat authentication restrictions and assume
other users identities. - Cross Site Scripting (XSS) Flaws The web
application can be used as a mechanism to
transport an attack to an end users browser. A
successful attack can disclose the end users
session token, attack the local machine, or spoof
content to fool the user. - Buffer Overflows Web application components in
some languages that do not properly validate
input can be crashed and, in some cases, used to
take control of a process. These components can
include CGI, libraries, drivers, and web
application server components. - Injection Flaws Web applications pass parameters
when they access external systems or the local
operating system. If an attacker can embed
malicious commands in these parameters, the
external system may execute those commands on
behalf of the web application. - Improper Error Handling Error conditions that
occur during normal operation are not handled
properly. If an attacker can cause errors to
occur that the web application does not handle,
they can gain detailed system information, deny
service, cause security mechanisms to fail, or
crash the server. - Insecure Storage Web applications frequently use
cryptographic functions to protect information
and credentials. These functions and the code to
integrate them have proven difficult to code
properly, frequently resulting in weak
protection. - Denial of Service Attackers can consume web
application resources to a point where other
legitimate users can no longer access or use the
application. Attackers can also lock users out of
their accounts or even cause the entire
application to fail. - Insecure Configuration Management Having a strong
server configuration standard is critical to a
secure web application. These servers have many
configuration options that affect security and
are not secure out of the box. The Open Web
Application Security Project (OWASP). The Ten
Most Critical Web Application Security
Vulnerabilities. c2004 - http//www.owasp.org/index.jsp