This is going to require a new approach to application development, shifting the focus away from the business-focused requirements. In essence, we must build security into these applications. There are many schools of thought on how to build better software. There are numerous development frameworks, programming standards, and best practices; and a variety of tools used to evaluate code during development, as well as testing the finished product after its been built.
Change in Attitude
I think many would argue that we need to change our attitudes about application development. We need to build secure software, not put walls around it after we build it. This change in mindset is one driving force behind the Rugged Software movement. "Rugged" is not a framework or a development methodology. It's about developing a culture of security.
It strives to bring secure thinking into the development process—whatever framework or methodology you use. The goal is to create "available, survivable, defensible, secure, and resilient software." To this end, they have produced the Rugged Handbook and the Rugged Implementation Guide. Both documents detail steps to help change your software development culture. You can read more at their website and take a moment to read the Rugged Manifesto.
How Did Microsoft Do it?
Changing our mindset and getting us all to focus on security an excellent goal, but we still need to implement secure code. How do we go about that?
Microsoft was criticized for many years about the poor quality of software they produced. Since the platform was widely deployed, it became a primary focus of attack. Yet today Microsoft has successfully changed its process so it's no longer at the top of the list of exploits.
How did Microsoft accomplish this? Part of the answer definitely lies in its Secure Development Lifecycle (SDL). Microsoft has enhanced its development lifecycle, bringing new thinking and tools to bear in an effort to produce more secure applications. I won't go into this in great detail here, but I will highlight what I feel are some key points.
Most experts agree that it's more cost-effective to design and develop secure code than it is to fix broken or unsecure applications after they've been deployed. One way to start thinking about this during the design phase is to use threat modeling, which is a process used to understand security threats to a system, quantify the risks, and try to mitigate those risks in the overall system design.
While historically this has been a white-board exercise, Microsoft has developed the SDL Threat Modeling Tool. This tool focuses on a data-flow diagram representing the basic system design. Then, each component of the system is assigned "threats." The tool constructs threats based on the idea that software comes under a predictable set of threats for each element. These threats are based on the STRIDE Threat Model, and are broken into the following categories:
- Spoofing identity. An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password.
- Tampering with data. Data tampering involves the malicious modification of data.
- Repudiation. Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise. Nonrepudiation refers to the capability of a system to counter repudiation threats.
- Information disclosure. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it.
- Denial of Service. Denial of Service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable.
- Elevation of privilege. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.
This tool provides developers with a consistent repeatable process that can be applied to almost any development situation and can be used even in other development environments or frameworks. It doesn't have to be tied to the Microsoft SDL.
Other Frameworks and Methodologies
Clearly, secure application development has a lot of inertia right now. There are many best practice approaches and frameworks available to choose from. While I don't have the space here to cover them all, some examples include these:
- Building Security In Maturity Model (BSIMM)
- OpenSAMM Software Assurance Maturity Model
- US-CERT Build Security in and the DHS Software Assurance community
- OWASP (Open Web Application Security Project)
Mitre has a number of security efforts, all tied together under their Making Security Measurable website. This is broken down into a number of different interrelated categories, one of which is Software Assurance.
Secure Coding and Code Testing
While we all attempt to write good code, how do we ensure this is happening? First, we need to make sure our developers are properly trained in secure coding techniques. We also need to ensure they understand the capabilities and weaknesses of the coding language or tools they are using. And finally, we need an easy way to review code as it's developed to ensure it is well-formed and avoids common security vulnerabilities and weaknesses.
Training and awareness are the foundation of secure coding, and code review and testing is one way to evaluate the code that is developed. Many integrated development environments (IDEs) provide inline assistance, hints, and context sensitive help while you're writing code.
There are also third-party products that provide for static code analysis, such as HP Fortify Static Code Analyzer, JetBRAINS ReSharper, some products from Veracode and Black Duck Software, to name just a few. Each of these tools has its own strengths and weaknesses, and can be prone to "false positives," but they can be another tool in your kit.
What about Scans?
Let's face it; we've become accustomed to performing ongoing security scans of our environments to provide us with a snapshot of known vulnerabilities and weaknesses. Many of these tools (such as Tenable Nessus or Rapid7's Nexpose) are focused on looking for existing configuration problems and missing patches. They don't look at home-grown applications, but instead focus on known problems with our operating systems and web or database servers.
There are many products now available to perform web-based application vulnerability scans as well. Examples include HP WebInspect and AppDetective, from Application Security; as well as numerous open-source tools. One tool that takes a slightly different approach is the Microsoft Attack Surface Analyzer. The focus of this tool is to examine your environment before deploying your application (as a baseline) and then again after deployment. This then highlights the changes introduced into the environment by the newly installed application.
This footprint is the "Attack Surface" introduced by your application. It shows what new files have been installed and highlights changes to registry keys, services, listening ports and access control lists. The tool enables the following:
Again, each of these tools has its own strengths and weaknesses, but they are yet another tool to go in your security arsenal.
Blend into a "Best of the Best" Approach
This is a lot of information, and I've barely scratched the surface of what's available. I'm not proposal any single solution—instead I'm attempting to provide a list of resources to get you thinking about how you can improve your development efforts.
I don't think any one of these approaches will solve all our problems. In fact, many of them won't make sense for your situation. I suggest reviewing the information, looking at the pros and cons; then blending the "best of the best" of each of these approaches into your existing process. If you're already using Agile Development, then I'm not proposing you change everything and switch to the Microsoft SDL approach.
But perhaps you can employ Threat Models throughout your development process. Maybe one of these code analysis tools can provide you some insight into the capabilities of your development team and the security of the code they're producing. Maybe you have applications already built and deployed but you have no idea what threats they've introduced into your environment. Implementing scans of your web application can provide you with some perspective.
If you're about to deploy a newly developed application, the Attack Surface Analyzer might show you just how your environment will be affected by this deployment.
We have a large arsenal of tools available to us that can assist us in providing more secure applications almost immediately. The pressure is on us as application developers, security professionals, and consultants to start providing secure solutions to protect these critical corporate resources.
I hope you find this information useful in that endeavor.