Application Security Issues Boise, Idaho ISSA Conference - PowerPoint PPT Presentation

Slides: 15
Provided by: larycul

Transcript and Presenter's Notes

1
Application Security Issues
Boise, Idaho ISSA Conference
  • Dave Cullinane, CPP, CISSP
  • International President
  • ISSA

2
Agenda
  • What is AppSec and why do I care?
  • Security Development Lifecycle
  • Threat Modeling
  • Going beyond the App layer
  • Questions

With all due credit to Michael Howard and
Microsoft, from whom I got many of these ideas.
3
Why do I care?
  • Application layer is a core component of your
    architecture
  • Apps are creating vulnerabilities that can be
    exploited
  • Privacy concerns
  • Customer notification laws and regulations
  • Regulatory Risk
  • Reputational Risk

4
What is Application Security?
  • Architecture
  • Designing/Buying secure apps
  • Secure Coding developer training practices
  • Threat Modeling
  • Authentication, Authorization, Accountability,
    Auditability
  • Logging and Monitoring of distributed
    applications
  • User activity
  • Malicious activity
  • Testing

5
Application Design
  • Architectural fit
  • Application design
  • Who does it?
  • Have you defined the rules?
  • SDLC process in place?
  • Does it have security gateways?
  • Are they effective in assuring you get involved
    early?
  • Study showing 80 more expensive to retrofit
    security controls

6
Security Development Lifecycle
Product Development Timeline
Compliments of Microsoft
http://swi/sdl
7
Buying Secure Applications
  • Ask questions
  • Use SDLC?
  • Is security a key component? Explain how it works.
  • How are authentication and authorization done?
  • Insist on quality testing by vendor
  • Test before you buy
  • Contract conditions for poor code
  • Consider liability for deficiencies

8
Secure Coding
  • Developers trained to avoid mistakes
  • Buffer overflows, etc.
  • Secure Coding practices based on OS
  • Good Books
  • Tools and Techniques
  • Code testers
  • Commercial products: SPI Dynamics/Ounce Labs

9
Threat Analysis
  • Secure software starts with understanding the
    threats
  • Threats are not vulnerabilities
  • Threats live forever
  • How will attackers attempt to compromise the
    system?

[Diagram labels: Asset, Mitigation, Threat, Vulnerability]
10
A Threat Modeling Process
  • Use-scenarios
  • Bound scope
  • Determine dependencies
  • Giblets?
  • Data flow diagrams
  • Identify entry points and assets
  • Determine threat paths
  • Threat type (STRIDE)
  • Threat Trees
  • Risk
  • Fix?
  • Work-around?
  • Notification?
  • Do nothing?

11
Threat Model Checklist
  • No design is complete without a threat model!
  • Follow anonymous data paths
  • Every threat needs a security test plan
  • Check all information disclosure threats: are
    they privacy issues?
  • Be wary of elevated processes
  • Use the threat modeling tool (http://msdn.microsoft.com)

12
Beyond the Application Layer
  • Database
  • Where the information is
  • Critical information store
  • Access rights and authorization
  • DBA as ultimate superuser
  • Don't forget the lesson of ChoicePoint!
  • How can an attacker get past your existing controls?
  • Information in all forms needs to be protected
  • Electronic, Hardcopy and Intellectual

13
Testing
  • Testing Tools
  • Before you buy/deploy, ask to run a testing tool
  • Vulnerability Assessments
  • Pen Testing
  • Remember conditions change
  • OS versioning, App versions, patches, network
    environment, etc.
  • How often is determined by risk

14
Questions?
presidentdc_at_issa.org