"When it comes to software security, the devil is in the details. This book tackles the details."
--Bruce Schneier, CTO and founder, Counterpane, and author of Beyond Fear and Secrets and Lies
"McGraw's book shows you how to make the 'culture of security' part of your development lifecycle."
--Howard A. Schmidt, Former White House Cyber Security Advisor
"McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall."
--Avi Rubin, Director of the NSF ACCURATE Center; Professor, Johns Hopkins University; and coauthor of Firewalls and Internet Security
Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice.The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugsand architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing.
Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of
In addition to the touchpoints, Software Security covers knowledge management, training and awareness, and enterprise-level software security programs. Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book. Let this expert author show you how to build more secure software by building security in.
The Security Problem 4
Security Problems in Software 14
Solving the Problem: The Three Pillars of Software Security 25
The Rise of Security Engineering 37
Putting Risk Management into Practice 40
How to Use This Chapter 41
The Five Stages of Activity 42
The RMF Is a Multilevel Loop 46
Applying the RMF: KillerAppCo's iWare 1.0 Server 48
The Importance of Measurement 73
The Cigital Workbench 76
Risk Management Is a Framework for Software Security 79
Flyover: Seven Terrific Touchpoints 86
Black and White: Two Threads Inextricably Intertwined 89
Moving Left 91
Touchpoints as Best Practices 94
Who Should Do Software Security? 96
Software Security Is a Multidisciplinary Effort 100
Touchpoints to Success 103
Catching Implementation Bugs Early (with a Tool) 106
Aim for Good, Not Perfect 108
Ancient History 109
Approaches to Static Analysis 110
Tools from Researchland 114
Commercial Tool Vendors 123
Touchpoint Process: Code Review 135
Use a Tool to Find Security Bugs 137
Common Themes among Security Risk Analysis Approaches 140
Traditional Risk Analysis Terminology 144
Knowledge Requirement 147
The Necessity of a Forest-Level View 148
A Traditional Example of a Risk Calculation 152
Limitations of Traditional Approaches 153
Modern Risk Analysis 154
Touchpoint Process: Architectural Risk Analysis 161
Getting Started with Risk Analysis 169
Architectural Risk Analysis Is a Necessity 170
Penetration Testing Today 173
Software Penetration Testing--a Better Approach 178
Incorporating Findings Back into Development 183
Using Penetration Tests to Assess the Application Landscape 184
Proper Penetration Testing Is Good 185
What's So Different about Security? 191
Risk Management and Security Testing 192
How to Approach Security Testing 193
Thinking about (Malicious) Input 201
Getting Over Input 203
Leapfrogging the Penetration Test 204
Security Is Not a Set of Features 209
What You Can't Do 210
Creating Useful Abuse Cases 211
Touchpoint Process: Abuse Case Development 213
An Abuse Case Example 217
Abuse Cases Are Useful 222
Don't Stand So Close to Me 224
Kumbaya (for Software Security) 225
Come Together (Right Now) 232
Future's So Bright, I Gotta Wear Shades 235
The Business Climate 240
Building Blocks of Change 242
Building an Improvement Program 246
Establishing a Metrics Program 247
Continuous Improvement 250
What about COTS (and Existing Software Applications)? 251
Adopting a Secure Development Lifecycle 256
Experience, Expertise, and Security 261
Security Knowledge: A Unified View 262
Security Knowledge and the Touchpoints 268
The Department of Homeland Security Build Security In Portal 269
Knowledge Management Is Ongoing 274
Software Security Now 275
On Simplicity: Seven Plus or Minus Two 279
The Phyla 282
A Complete Example 290
Lists, Piles, and Collections 292
Go Forth (with the Taxonomy) and Prosper 297
Annotated Bibliography: An Emerging Literature 299
Software Security Puzzle Pieces 318
1. Introducing the Audit Workbench 324
2. Auditing Source Code Manually 326
3. Ensuring a Working Build Environment 328
4. Running the Source Code Analysis Engine 329
5. Exploring the Basic SCA Engine Command Line Arguments 332
6. Understanding Raw Analysis Results 333
7. Integrating with an Automated Build Process 335
8. Using the Audit Workbench 339
9. Auditing Open Source Applications 342
SmurfWare SmurfScanner Risk Assessment Case Study 385
SmurfWare SmurfScanner Design for Security 390
After completing Java Security McGraw and Felten 1996 and following it up with Securing Java McGraw and Felten 1999, I began wondering how it was that such excellent designers, engineers, and architects went astray when it came to security. What was it about software that made security such a problem? If you wanted to build secure software, how would you do it? These questions and the perseverance of John Viega led to Building Secure Software.
Building Secure Software (BSS), the white hat book, seems to have touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and antivirus mechanisms came to understand and embrace the necessity of better software. BSS provides a coherent and sensible philosophical foundation for the blossoming field of software security.
Exploiting Software (ES), the black hat book, provides a much-needed balance, teaching how to break software and how malicious hackers write exploits. ES is meant as a reality check for software security, ensuring that the good guys address real attacks and invent and peddle solutions that actually work. The two books are in some sense mirror images.
Software Security unifies the two sides of software security--attack and defense,
exploiting and designing, breaking and building--into a coherent whole. Like
the yin and the yang, software security requires a careful balance.
Software Security is a "how to" book for software security. In most organizations, software security is nobody's job, when software security really should be everyone's job. Hopefully this book will help explain both why this is so and what to do about it.
The number one audience for the book is software security professionals. If your job is to analyze software for security problems, you will find this book filled to the brim with ideas and processes that you can apply today. Software security professionals should seek to use each of the best practices (which I call touchpoints) throughout the software lifecycle, follow a risk management framework, and call on software security knowledge. If you're a software security person, I'm afraid you'll have to read the whole book.
As computer security evolves, the job of security analysis gets more complicated. Computer security professionals will benefit greatly from Chapters 1, 2, and 9. Chapter 1 provides a discussion of the software security problem and can help justify attention to software security. As philosophy in action, the risk management framework of Chapter 2 is directly applicable to computer security, regardless of software. Chapter 9 in particular was written for computer security professionals who may not necessarily know much about software. Turns out there is plenty for operational security people to do to enhance and support software security. We need your help.
Software developers and architects almost always enjoy learning new things. Hopefully, the lessons of Software Security will find their way into many development shops. Software people will probably benefit most from the description of code review and architectural risk analysis in Chapters 4 and 5, as well as the taxonomy of coding errors described in Chapter 12. Of course, all of the best practices described in this book are designed to be directly applicable by those at the rock face (Part II), so benefit should be derived from each chapter in Part II. If you're a coder and you've ever wondered what to do about software security other than wring your hands, this book will give you some concrete ideas. Also note that each chapter in Part II includes a Coder's Corner feature that was written with developers in mind.
Business people and technical managers may be surprised that we geeks don't have as much of a handle on the security problem as we should. Business leadership will benefit from Part I of the book, though it may make you sleep a little less soundly. Risk management comes naturally to business executives, and putting a risk management framework, as described in Chapter 2, in place is very valuable (and can yield useful metrics to boot). Chapter 10 should also prove valuable, especially to upper-level managers worrying about how to transform an organization so that it produces good, solid, secure software.
Academics and researchers will probably appreciate Chapter 12 the most, though
I am sure to be flamed to a crisp by some professor or other. The annotated
bibliography in Chapter 13 will be useful to new scientists. I would hope that
each of the touchpoints provides enough in the way of open questions to spark
many a research program.
This book presents a coherent and detailed approach for putting software security into practice. Through the unification of proactive design and careful exploit-driven testing built on a foundation of risk management, Software Security explains in detail how to properly address software-induced security risk.
The book is divided into three parts. Part I, Software Security Fundamentals, is an updated introduction to the field of software security. Readers of Building Secure Software and Exploiting Software will find themselves in familiar territory here, though the treatment of the problem has been updated with new numbers.
Chapter 1, Defining a Discipline, begins with an in-depth description of the computer security problem and explains why broken software lies at its heart. This may be old news to some, but the trinity of trouble--connectivity, extensibility, and complexity--deeply impacts software as much as ever. Software is everywhere and is the lifeblood of business and society. Software security is relevant to the kind of software found in your phone, your car, and your washing machine (not to mention your computer and the Web-based applications it makes available to you). For this reason, a critical distinction is drawn between application security and software security. This book is about making all software behave, and how to do this in light of modern security demands. The most important material in Chapter 1 is the introduction of the three pillars of software security: applied risk management, software security best practices (touchpoints), and knowledge. Each of the three pillars is a necessity for software security.
Chapter 2, A Risk Management Framework, describes my philosophy of risk management and how to put it into practice. All too often in computer security, risk management is paid only lip service. We know we're supposed to be doing it, but nobody ever says how. Chapter 2 fixes that. A continuous risk management framework encompasses identifying, synthesizing, ranking, and keeping track of risks throughout software development. Only by practicing risk management and factoring in critical business information about impact will software security begin to enjoy the business relevance it deserves.
Part II of this book, Seven Touchpoints for Software Security, is devoted to software security best practices. The touchpoints are one of the three pillars of software security. Attaining software security may not be easy, but it doesn't have to be a burden. By describing a manageably small set of touchpoints based around the software artifacts you already produce, I avoid religious warfare over process and get on with the business of software security. You don't have to adopt all seven touchpoints to begin to build security in (though doing so is highly recommended). The figure on the inside front cover of the book shows the seven touchpoints ordered according to effectiveness and importance. The touchpoints are designed to fill the gap between the state of the art and the state of the practice--something that can be done only through the common adoption of best practices.
Touchpoints are a mix of destructive and constructive activities. Destructive activities are about attacks, exploits, and breaking software. These kinds of things are represented by the black hat (offense). Constructive activities are about design, defense, and functionality. These are represented by the white hat (defense). Both hats are necessary.
Chapter 3, Introduction to Software Security Touchpoints, provides a flyover of the touchpoints and discusses the critical idea of pushing security as early into the software lifecycle as possible (mostly to save money). I also discuss who should practice software security and how to build a software security group.
Chapter 4, Code Review with a Tool, is about one of the two most important software security best practices. Though not all software projects produce specifications, or even properly document requirements, they all produce code. Bugs (simple implementation errors in code) are responsible for 50% of all software security problems, so finding and fixing security-critical bugs at the code level is essential. Automated code review is a white hat (constructive) activity informed by a black hat history of known defects and exploits. The idea is to avoid implementation problems while we build software to be secure. Code review for security has come a long way in the last few years, and commercial tools are now mature enough to be put in use by all software practitioners. This chapter describes how.
The best practice described in Chapter 5, Architectural Risk Analysis, is just as important as code review. Flaws (architectural and design-level problems) are responsible for the other 50% of all software security problems. Unfortunately, identifying security flaws is more difficult than looking for bugs in code. This is partly because many software projects have only the most rudimentary handle on software architecture, and it's partly because finding software security flaws requires expertise and experience. Architectural risk analysis is a white hat (constructive) activity also informed by a black hat history of known defects and exploits. In this case, we work to avoid design flaws while we build software to be secure. Chapter 5 also describes a mature process for risk analysis developed over the last ten years at Cigital.
Chapter 6, Software Penetration Testing, covers a very common but often misapplied software security best practice. All too often, penetration testing devolves into a feel-good security activity: Security consultants are hired to "hack into" an application, and they almost always find a serious hole (usually in the configuration of the network or the commercial off-the-shelf products the application is built on). The hole gets fixed, and everyone declares security victory and goes home. Usually the developers don't learn anything profound (since the problems found tend to be operational in nature), and worst of all, no real understanding of wholesale software security risk is gained. Penetration testing is a black hat (destructive) activity. The best kind of penetration testing is informed by white hat knowledge of design and risk; but all the penetration testing in the world will not build you secure software. In Chapter 6, I describe an enhanced approach to penetration testing that takes an inside?out approach to testing as opposed to strictly outside?in. This makes penetration testing much more useful.
Chapter 7, Risk-Based Security Testing, is very similar in philosophy to Chapter 6. I discuss an approach to test planning and test execution that is directly aligned to risk analysis results coming out of an architectural risk analysis. I introduce a real-world case study. Risk-based security testing is a mix of constructive and destructive activities that requires a holistic black-and-white approach. Risk-based security testing is driven by abuse cases and risk analysis results.
Chapter 8, Abuse Cases, covers just that. Software security requires the ability to "think like an attacker." Abuse cases help to formalize this activity. Abuse case development is based on understanding and applying known attack patterns and also thinking about anti-requirements. A simple process is introduced to make adoption of abuse cases easier. Abuse cases are tricky. You might guess by the name that abuse cases involve only black hat (destructive) activities. That would be wrong. Abuse cases are themselves driven by the two threads. White hat thinking (constructive) drives security requirements, which are a necessary foundation for a goodly percentage of the abuse cases. Black hat thinking in the form of attack patterns drives the remaining portion. Although abuse cases clearly involve a mix of both black and white hats, the black hat is predominant.
Software security can benefit greatly from experience gained by practicing network security. Chapter 9, Software Security Meets Security Operations, describes how network security professionals can get involved in carrying out the touchpoints, providing experience and security wisdom that might otherwise be missing from the development team. Operations is a white hat activity, but it is only very weakly constructive. Operations is essential to security, of course, but in terms of building security in, the day-to-day tactics carried out by ops people are largely defensive.
Part III, Software Security Grows Up, contains a far-ranging treatment of essential software security knowledge and of large-scale software security programs.
Chapter 10, An Enterprise Software Security Program, describes an approach to the kind of cultural change required to adopt software security in a large organization. Because of this, Chapter 10 is the most business-oriented of the chapters in Software Security. There is little doubt that adopting software security touchpoints in a development organization that is running 100 miles an hour is like fixing your engine while your car is zooming down the highway, but it is possible. This chapter draws on years of experience at Cigital, helping large companies implement software security programs. A completely integrated Secure Development Lifecycle (SDL) is the result of combining your existing approach to software development with the software security touchpoints.
Chapter 11, Knowledge for Software Security, describes one of the three pillars. This chapter presents a taxonomy of seven knowledge catalogs useful to practitioners: principles, guidelines, rules, vulnerabilities, exploits, attack patterns, and historical risks. These knowledge catalogs are directly applicable throughout the software development lifecycle when you put the security touchpoints into action.
Chapter 12, A Taxonomy of Coding Errors, introduces a classification of common software security bugs. My goal is to make the taxonomy as simple as possible, but still fundamentally useful. Though there are literally hundreds of potential coding problems that can lead to security problems, I find that they fit very nicely into seven "kingdoms." This work hints at the coming maturity of software security, where science and technology begins to dominate over intuition and raw intelligence.
Finally, Chapter 13, Annotated Bibliography and References, has three parts: a list of the top five readings in software security, a complete list of references from this book, and a list of other important references. Each entry includes a sentence or two describing what I find valuable or useful about the reference.
Four appendices round out Software Security. Appendix A is a tutorial
accompanying the CD that comes with this book. The CD introduces Fortify Software's
Source Code Analysis Suite. Appendix B is a very basic list of coding rules
from the early source code analysis tool, ITS4. This list serves two purposes.
First, a glance through the list will expose you to the somewhat large pile
of things that can go wrong in C (at the code level). Second, all source code
analysis tools for security must make sure to cover this list. Publishing the
list widely makes it more likely they will. Appendix C is an exercise in architectural
risk analysis featuring the Smurfs. What more could you want? Finally, Appendix
D is a very small glossary of terms.
The three icons used throughout this book are meant to help you navigate the waters of software security. The icons demarcate material in large sections of the book (chapters and parts).
Fundamental material is covered under the yin yang icon (which also adorns the cover of the book). The yin/yang design is the classic Eastern symbol used to describe the inextricable mixing of standard Western polemics (black/white, good/evil, heaven/hell, create/destroy, and so on). Eastern philosophies are described as holistic because they teach that reality combines polemics in such a way that one pole cannot be sundered from the other. In the case of software security, two distinct threads--black hat activities and white hat activities (offense/defense, construction/destruction)--intertwine to make up software security. A holistic approach, combining yin and yang (mixing black hat and white hat approaches), is required.
The three pillars of software security are applied risk management (Chapter 2), software security touchpoints (Part II), and knowledge (Chapter 11). Each of these major sections is marked with the pillar icon.
Seven best practices, the software security touchpoints, are introduced and discussed at length in the heart of Software Security. The touchpoints collectively make up one of the three pillars. Each touchpoint chapter is branded with the touchpoint icon.
This book is part of the Addison-Wesley Software Security Series of software security books for professional software developers. The series includes:
More books in this series are planned for the future. Contact Addison-Wesley
or Gary McGraw for more information (see also http://www.buildingsecurityin.com).
I welcome e-mail from anyone with comments, suggestions, bug fixes, and/or questions. Please contact me through the book's Web site: http://www.swsec.com.