glissondcs'gla'ac'uk

1
Web Development Evolution The Business
Perspective on Security

• William Bradley Glisson
• L. Milton Glisson
• Ray Welland

2
Why?

• Data, Information, Knowledge
• One mans data can be another mans knowledge,
  and vice versa, depending on context
• (Stewart, T. A., The Wealth of Knowledge. )
• "Information is the world's new currency
  information has value. (Secret Service Director
  Ralph Basham )
• Knowledge is what we buy, sell, and do
• (Stewart, T. A., The Wealth of Knowledge. )

3
Business Incentive

• The 2004 (FBI) Computer Crime and Security Survey
  estimates that losses from internet security
  breaches, in the US, exceeded 141 million within
  the last year.
• PricewaterhouseCoopers 2004 Survey indicates that
  security problems are on the rise in the United
  Kingdom and that malicious attacks are the
  primary culprits.
• The Department of Trade and Industrys (2004)
  survey estimates security breaches continue to
  cost UK businesses several billions of pounds.
• The Deloitte 2005 Global Survey estimates that
  identity theft cost the UK almost a billion
  dollars in 2003.

4
Application Security
One dollar required to resolve an issue during
the design phase grows into 60 to 100 dollars to
resolve the same issue after the application has
shipped. (Secure Business Quarterly
2001) Gartner estimates that the cost to fix a
security vulnerability during testing to be less
than 2 percent of the cost of removing it from a
production system.
5
Truth

• Companies do not want to admit that their systems
  have been compromised
• They do not want to incur the expense necessary
  to rectify the problem
• They do not know how to fix the problem
• They are not even aware that their systems have
  been compromised.

6
Soft and Hard Cost

• Telang and Wattals research indicates that a
  software vendor loses, on average, approximately
  0.6 of their stock price per vulnerability
  announcement.
• Minimize the chance of copy cat attacks on their
  systems until the issue has been resolved and
  patched.

7
Legislative Pressure

• Economic Espionage Act of 1996 (EEA)
• Health Insurance Portability and Accountability
  Act of 1996 (HIPAA)
• Graham-Leach-Bliley Act of 1999
• Sarbanes-Oxley Act of 2002 (SOX)
• Recently a ninety-one page bill was introduced in
  the Senate by Senator Patrick Leahy and Senator
  Arlen Specter containing new rules for corporate
  data security and stiff penalties for information
  burglars

8
What is Security?

• Encryption, Secure Socket Layer (SSL), firewalls,
  creating and maintaining secure networks, the use
  of digital certificates, the different
  technologies used for authentication and
  authorization or intrusion detection systems
• A secure system to one organization may not meet
  another organizations definition of security

9
Security

• Confidentiality Proper access is restricted to
  the appropriate individuals.
• Integrity modification of assets by appropriate
  personnel within guidelines.
• Availability - Access is available to the
  appropriate parties at designated times.
• (Commonly known as the CIA Triad)

10
Security

• How much risk is the organization willing to
  accept and at what financial cost?
• Policy, procedures, standards, and technical
  controls (developed implemented) will define
  the systems in terms of the CIA.
• Collaborative approach defines overall security
  of the system within a business.
• As Alan Zeichick, Conference Chairman of the
  Software Security Summit, phrased it, "Software
  is vulnerable! Enterprises have spent millions of
  dollars installing network firewalls and Virtual
  Private Networks, but the real danger is in
  poorly written applications

11
Business Strategy

• Encompasses all of the information about the
  overall business that ranges over defining the
• scope of the business
• establishing the business models
• broad marketing strategies
• establishment of processes and policies
• acquisition and distribution of information
• overall approach to technology within the
  organization.

12
Business Strategy Perspectives

• Corporate -high level strategy that details the
  organizations purpose and scope
• Business - deals with the competition in
  individual markets including market segmentation,
  market positioning, industry analysis, and brand
  value
• Operational - concerns the implementation aspect
  of the business which would include optimising
  web site design, hardware requirements and
  utilization and software requirements

13
Corporate Level

• Chief Executive Officers and Chief Financial
  Officers are potentially being held accountable
  for the security of their applications (SOX)
• Champions - high level champions within the
  organization are more likely to succeed in
  changing and sustaining changes to corporate
  cultures
• Security needs to be viewed as a collective
  organizational problem

14
Business Level

• Businesses need to understand that their web site
  is their front door to the world.
• Businesses need to outline the performance
  standards that they are going to provide and
  follow through with an effective, efficient and
  secure value chain while providing appropriate
  customer service capabilities.
• If customers perceive that their data is not safe
  and secure, this can result in lost customers,
  lost future revenue, lost market advantage and
  possibly monetary compensation.

15
Operational Level

• There appears to be a lack of understanding on
  how to protect application code as it is
  developed.
• BZ Survey 55.9 percent blamed poor programming
  practices for the number of vulnerabilities in
  software applications.
• How does a business protect itself and capitalize
  on software application development in order to
  gain a competitive advantage for their business.

16
WES Solution

• My PhD research has produced a possible solution,
  A Web Engineering Security (WES) Methodology.
• An independent flexible Web Engineering
  development methodology that is specific to
  security.
• The process needs to be compatible with existing
  application development processes so that they
  are complementary, hence
• Deliverables between phases will vary on the size
  of the organizational and the methodology they
  are implementing, and
• Flexible enough to be tailored to individual
  companies of varying size.

17
Web Engineering Security (WES)

• Methodology Principles
• Good Communication
• Within the development team
• With the end user (Requirements / Feedback
  perspective)
• Employee Education
• Importance of security potential organizational
  impact
• Technical attacks social engineering attacks
• Cultural Support
• Needs to originate from upper management
• Needs to continually be fostered by upper
  management

18
Web Engineering Security (WES) Process
19
Project Development Risk Assessment

• This step provides an opportunity for the
  organizations development team to understand the
  application from a risk point of view and helps
  to generate applicable questions to address the
  application security requirements phase
• Formal (Document /Board Approval)
• Advantage for management is that it presents a
  clear understanding of the risks before a
  substantial investment is made in the development
  of the web application
• Disadvantage of a highly formalized process is
  that it can slow down the development process.
• Informal (Expert Opinion)
• Advantage faster in nature
• Disadvantage introduces more risk

20
Web Engineering Security (WES) Process
21
Organizational Compatibility

• Security Policy Compatibility
• Policies, standards, baselines, procedures, and
  guidelines can assist in large organizations to
  provide cohesiveness within the organization.
• The goal of an information security policy is to
  maintain the integrity, confidentiality and
  availability of information resources. (Hare,
  C., Policy Development, )
• In smaller organizations, policies can be
  implicit to the organization.

22
Organizational Compatibility

• Corporate Culture Compatibility
• Employee security awareness programs, employee
  education on social engineering attacks,
  recognition of organizational norms.
• Remind employees periodically about security
  policies, standards, baselines, procedures, and
  guidelines (Integrating security into their
  annual evaluation )
• Technological acceptance of corporate norms is
  when a solution has been implemented in the
  environment, becomes accepted and then becomes
  expected.

23
Organizational Compatibility

• Technological Compatibility
• Infrastructure compatibility
• Does the technical expertise to create new
  applications exist in the company?
• Is the current code repository compatible with
  the proposed development?
• Does the hardware infrastructure support the new
  applications?
• Value Added
• value configuration(s) one of the goals of the
  organization should be to provide added value
  regardless of the product or service that is
  being offered. Technology is a major contributor
  to this goal in todays market place.
• How will this help add value to their
  organization?

24
Web Engineering Security (WES) Process
25
Security Design / Coding

• Previously generated information allows the
  technical architect to pick the most appropriate
  technical controls from a design, risk and cost
  perspective.
• Encouraging programmers to adhere to coding
  standards and to pursue good coding practices,
  and participate in code reviews will increase the
  code readability which will inherently improve
  software enhancement maintenance and patch
  maintenance.
• Better software engineering development leads to
  more maintenance, not less
• (Glass, R. L., Facts and Fallacies of Software
  Engineering)

26
Web Engineering Security (WES) Process
27
Controlled Environment Implementation

• Implement in an environment that mirrors
  production testing compatibility
• Operating System
• Software Configurations
• Interfacing Programs
• Goal - Minimise Surprises!

28
Web Engineering Security (WES) Process
29
Testing

• Programmers should be running their own battery
  of tests when the code is conceived
• Allotment of Appropriate time
• Augment the testing process
• Automated Tools
• Test Script (Developers, Testers, End-users)
• Outside Auditors Conducting Penetration Tests
• White Box / Black Box

30
Evidence

• The National Institute of Standards and
  Technology (NIST) estimates that 93 of reported
  vulnerabilities are software vulnerabilities.
• Organization for Internet Safety (OIS) publishes
  Guidelines for Security Vulnerabilities Reporting
  and Response
• A flaw within a software system that can cause
  it to work contrary to its documented design and
  could be exploited to cause the system to violate
  its documented security policy.

31
Web Engineering Security (WES) Process
32
Web Engineering Security (WES) Process
33
End User Evaluation

• All systems must be evaluated with a sample of
  end-users, not surrogates!
• Critical to the success of the solution
• End user avoidance by working around security
• Compromised due to a flaw in the design / code
• Possibility that the application will be abused,
  corporate credibility lost, and financial
  consequences incurred.

34
Conclusions

• Technical solutions alone will not solve current
  security issues in the global web environment.
• Increasing business, legislative, societal
  pressures will force organizations to
  strategically address application security from a
  development perspective
• The most effective way to handle security, in the
  application design, is to incorporate security
  upfront into the development methodology.
• Not following a web application development
  methodology that specifically addresses security
  is an expensive and dangerous strategy for any
  business.

35
Further Work

• Fortune 500 Financial Organization Case Study
• Industry Survey (ICWE)
• Process Observation
• Recommendations
• Recommendation Implementation
• Data Gathering

36
Contact Details
Brad Glisson, Department of Computing
Science, University of Glasgow E-mail
glisson_at_dcs.gla.ac.uk. Web www.dcs.gla.ac.uk/gli
sson/
Prof. Milton Glisson, E-mail glissonm_at_ncat.edu
Prof. Ray Welland, E-mail ray_at_dcs.gla.ac.uk. Web
www.dcs.gla.ac.uk/ray/
37
Extra Slides

• Extra Slides

38
Common Application Security Problems

• Un-validated parameters
• Cross-site scripting
• Buffer overflows
• Command injection flaws
• Error-handling problems
• Insecure use of cryptography
• Broken Access Controls

39
Project Development Risk Assessment

• NIST - National Institute of Standards and
  Technology - agency of the U.S. Commerce
  Department's Technology Administration.
• COBRA - Security risk analysis application
• OCTAVE - Operationally Critical Threat, Asset,
  and Vulnerability Evaluation - Focuses on
  organizational risk and strategic,
  practice-related issues, balancing operational
  risk, security practices, and technology.
• FRAP - Facilitated Risk Analysis Process

40
Agile Web Engineering (AWE)
41
AWE WES Comparison
42
Secure Value Chain

• Overall, the business environment continues to
  become more interconnected, hence, traditional
  boundaries between organizations are eroding.
• This tight integration, from a security view
  point, opens the door to a multitude of problems,
  if an attack is successful, in compromising one
  of the linked systems.

43
Definitions

• Unvalidated Input Information from web requests
  is not validated before being used by a web
  application. Attackers can use these flaws to
  attack backend components through a web
  application.
• Broken Access Control Restrictions on what
  authenticated users are allowed to do are not
  properly enforced. Attackers can exploit these
  flaws to access other users accounts, view
  sensitive files, or use unauthorized functions.
• Broken Authentication and Session Management
  Account credentials and session tokens are not
  properly protected. Attackers that can compromise
  passwords, keys, session cookies, or other tokens
  can defeat authentication restrictions and assume
  other users identities.
• Cross Site Scripting (XSS) Flaws The web
  application can be used as a mechanism to
  transport an attack to an end users browser. A
  successful attack can disclose the end users
  session token, attack the local machine, or spoof
  content to fool the user.
• Buffer Overflows Web application components in
  some languages that do not properly validate
  input can be crashed and, in some cases, used to
  take control of a process. These components can
  include CGI, libraries, drivers, and web
  application server components.
• Injection Flaws Web applications pass parameters
  when they access external systems or the local
  operating system. If an attacker can embed
  malicious commands in these parameters, the
  external system may execute those commands on
  behalf of the web application.
• Improper Error Handling Error conditions that
  occur during normal operation are not handled
  properly. If an attacker can cause errors to
  occur that the web application does not handle,
  they can gain detailed system information, deny
  service, cause security mechanisms to fail, or
  crash the server.
• Insecure Storage Web applications frequently use
  cryptographic functions to protect information
  and credentials. These functions and the code to
  integrate them have proven difficult to code
  properly, frequently resulting in weak
  protection.
• Denial of Service Attackers can consume web
  application resources to a point where other
  legitimate users can no longer access or use the
  application. Attackers can also lock users out of
  their accounts or even cause the entire
  application to fail.
• Insecure Configuration Management Having a strong
  server configuration standard is critical to a
  secure web application. These servers have many
  configuration options that affect security and
  are not secure out of the box. The Open Web
  Application Security Project (OWASP). The Ten
  Most Critical Web Application Security
  Vulnerabilities. c2004
• http//www.owasp.org/index.jsp