09 March 2010

SDLC

Posts relating to the category tag "SDLC" are listed below.

09 March 2010

Software Insecurity Analysis

The first report on the state of software security has been published by Veracode who provide a cloud-based application risk management service.

Partial image from the cover of Veracode's 'State of Software Security Report, The Intractable Problem of Insecure Software, 1 March 2010'

The data presented in State of Software Security Report - The Intractable Problem of Insecure Software are interesting, it relates to both web application (40%) and non-web application (60%) software but spans in-house developed, commercial, open source and outsourced, developed in .NET, C/C++ and Java. But don't get bogged down in the data. I'd recommend that everyone responsible for web development, or who commissions or operates a web site, read the executive summary. I was quite surprised that backdoors (a method of bypassing normal authentication) are still a significant issue: "Open Source projects have ... fewer potential backdoors than commercial or outsourced software". This is why "V13 Malicious Code Search Verification Requirements" appears in the Application Security Verification Standard.

There are seven recommendations, which are in summary:

  • Implement a comprehensive, risk-based, application security programme.
  • Implement security acceptance criteria for third-party suppliers.
  • Test code from outsourced, commercial and open source suppliers as rigorously as internally developed code.
  • Verification of C/C++ code must not be ignored and it is likely to be present in many applications.
  • Implement specific developer training on security.
  • Learn from organisations in higher-risk sectors such as finance and government.
  • Ensure security requirements are built into outsourced software development.

Some good advice there. The report provides a fuller description and gives the background to these recommendations.

I guess there must be much more detailed data available to Veracode than is presented in this "Volume 1". Perhaps Volume 2 will look at trends over time, but I'd also like to see:

  • Breakdown of root causes (e.g. unvalidated user input).
  • Breakdown of how the vulnerabilities had been fixed when the software was re-tested (e.g. parameterized queries implemented).
  • What proportion of faulty code was identical — found in more than one application (i.e. copied/duplicated from elsewhere).
  • Details of any secure development lifecycle in use by suppliers and their level of maturity with these.

Hopefully this type of aggregated data can be shared under Veracode's terms of service and agreements with individual customers. The software suppliers included in Veracode's analysis are likely to exclude customer organisations who do not have the knowledge or resources to have their code analysed. It would be an interesting research project to test a selection of applications developed by other suppliers to see how they compare.

Posted on: 09 March 2010 at 08:49 hrs

Comments Comments (0) | Permalink | Send Send

03 November 2009

OWASP This Week, Next Week and Next Month

Look out for the busy schedule of upcoming Open Web Application Security Project (OWASP) events.

Photograph of people standing on Primrose Hill, London, looking east towards the City of London

This Thursday 5th November, the next OWASP London meeting is taking place. There will be a presentation about using Selenium to hold state for web application penetration testing, and a discussion of the chapter's activities and plans. Advance registration is required, but there is no charge.

Also on 5th November in Rome, there is Italy OWASP Day E-Gov 09 for public administrators, and the day after on the 6th in Milan the Italy OWASP Day IV.

Then next week, AppSec 09 is taking place in Washington DC, United States, with two days of training courses, an OWASP summit for the OWASP board, project leaders, chapter leaders and global committee members. The main conference has 4 agenda tracks about OWASP, tools, Web 2.0 and software development life cycle, and 4 further tracks on the second day encompassing Attack & Defend, Process, Metrics and Compliance.

In December there is the BeNeLux OWASP day in Leuven, Belgium, at which I am speaking about compliance driven vulnerabilities.

If web application security is an area of interest, try to get along to one or more of these, or download the presentations after the events.

Posted on: 03 November 2009 at 08:46 hrs

Comments Comments (0) | Permalink | Send Send

14 July 2009

How Much Should You Spend on Website Security?

Last week I discussed the business case for web security and how this is necessarily organisation-specific.

If you use common IT investment models, you may want to look at the paper Business Models for Assurance on the US Build Security In (BSI) web site. But what are real organisations spending?

Partial screen capture of a page in the OWASP Security Spending Benchmarks Report, June 2009

Sources of data to compare yourself with are very rare and it's good to see the second quarterly report on Web Application Security Spending Benchmarks. This quarter, the report has a special emphasis on three aspects of cloud computing:

  • Infrastructure-as-a-Service (IaaS)
  • Platform-as-a-Service (PaaS)
  • Software-as-a-Service (SaaS)

This type of benchmarking is really useful. Years ago, I helped with some work on benchmarking water usage across UK industry sectors—without this type of initiative it is difficult to determine whether what you are doing is reasonable.

Posted on: 14 July 2009 at 08:34 hrs

Comments Comments (0) | Permalink | Send Send

10 July 2009

Business Case for Web Security

It can be hard to justify business spending when web sites are often viewed as low-value assets. The fact that so much Internet content and services are free, and you can buy a web site for less than the cost of a colour TV licence in the UK reinforces this idea in many small and medium enterprises (SMEs).

Photograph of a building with a banner offering business web sites from only £99 - complete solutions with email

Much of my work is related to dealing with security incidents, such as web sites which have been hacked, or where an organisation is having security requirements imposed by their own customers and clients. Often these activities are undertaken late in the project and are therefore less effective, and more costly, than they might need to be.

I adhere to the principle "prevention is better than cure", and encourage the early consideration of security and privacy matters—just like any other business process requirement. It was encouraging to read the useful guidance and pointers on Business Cases For Software Security Initiatives but for many organisations, the issues are too complex and they don't have any supporting data. For those I recommend, as a starting point, concentrating on four types of issue:

  1. mandatory compliance issues (e.g. legislative and contractual)
  2. problems which can assist theft or fraud
  3. security events which would be severely disruptive and possibly put the organisation out of business
  4. issues for customer trust and ongoing reputation

It's always organisation specific though. As organisations mature, they can be encouraged to look at wider security issues—but, let's get the basics right first.

Posted on: 10 July 2009 at 09:15 hrs

Comments Comments (0) | Permalink | Send Send

07 April 2009

Safety Hazards and Security Threats

Blind adherence to methods without using professional judgment is commonplace across all work sectors.

Just because a system is out-of-date, not supported by the supplier or contains known security weaknesses, doesn't mean it has to be rebuilt or replaced.

An article in The Chemical Engineer April 2009, by Harvey Dearden, discusses professional judgement and reproduces the following statements from the UK Engineering Council's Code for Professional Conduct regarding risk issues:

Judgement is required to match the approach to the nature of the hazard and the level of risk. This might vary from a simple assessment to a formal safety case.

and:

Uncertainty is a feature of many aspects of risk management. Be aware of this, and use risk assessment methods as an aid to judgement, and not as a substitute for it.

The first statement could easily be re-written replacing "hazard" and "safety" with "threat" and "security" respectively. The second is equally true for assessing application security risks. However, in security engineering we do need to be aware of the lack of good statistical data to help form valid judgements.

Posted on: 07 April 2009 at 09:02 hrs

Comments Comments (0) | Permalink | Send Send

19 December 2008

New OWASP Testing Guide

Version 3 of the Open Web Application Security Project (OWASP) Testing Guide has been released after a 6-month period of addition, enhancement and review.

The OWASP Testing Guide is an ideal reference for both developers and testers—version 2 was fantastic, and this new version is even better. The testing framework now covers 66 controls and, like in the previous version, each control has a brief summary and is described in detail followed by black box (no additional knowledge) and grey/gray box (partial knowledge) testing methods and examples where appropriate.

Partial view of a page from the OWASP Testing Guide V3.0 showing 'Brief summary', 'Description of issue' and 'Black box testing and examples' headings for a control.

The controls and testing methods are fully referenced to provide additional guidance and explanation.

Partial view of a page from the OWASP Testing Guide V3.0 showing 'References - whitepapers' and 'References - tools' headings for a control.

The controls are grouped into ten categories, including new separate categories "Authorization" and "Configuration Management". I'm especially pleased to see the latter broken out on its own, since even a perfectly coded application can have vulnerabilities introduced during deployment and changes to the application.

The OWASP Testing Guide now also includes a "best practice" penetration testing framework and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. More information is available on the Testing Project pages.

Posted on: 19 December 2008 at 09:43 hrs

Comments Comments (0) | Permalink | Send Send

05 December 2008

Information Architecture, Trust and Web Application Security

Two articles in particular caught my attention this week relating to designers and developers engaging clients in the development process. Both are worth a read and, I think, consideration in your own web projects.

The first was a great outline of Educating the Client on Information Architecture on A List Apart. The discussion seemed to focus a little too much on static content (data) and probably needs to address data flows and where security boundaries occur in the information architecture. But by using the suggested approach, it makes consideration of security controls much easier.

Secondly, the business case for web application security was discussed on Securosis.com - this was Part 2 of a series of posts about building a web application security program - Part 1 which I had missed was an introduction. The post lists six typical drivers used to justify web application security investments - but I think "User Trust" should be an additional one. Increased trust helps overcome perceptions of risk and insecurity and leads to a greater likelihood of users undertaking, completing and repeating web site processes.

If you are interested in the effect of trust, the multidimensional nature of trust is discussed in detail in McKnight, Choudhury and Kacmar's papers on Developing and Validating Trust Measures for e-Commerce: An Integrative Typology, Information Systems Research, Vol 13, No 3, September 2002, pp 334–359 and Distrust and Trust in B2C E-Commerce: Do They Differ?, Proceedings of the 8th International Conference on Electronic Commerce, 2006, pp 482-491. The reference lists included in these papers provide additional and alternative views on trust.

Posted on: 05 December 2008 at 06:38 hrs

Comments Comments (0) | Permalink | Send Send

28 October 2008

Security Implementation is Also About Humanity

People are at the centre of implementing information technology (IT) projects securely. At last week's British Computer Society (BCS) North London Branch event, the problems were explored and ideas discussed about methods to improve the process.

Jules Gascoigne from Barclays Wealth and Justin Clarke from Gotham Digital Science delivered an engaging talk and led the discussion on what ensures security requirements are built into projects successfully.

Hopefully the presentation slides will appear on the branch web site soon, but I don't think I'm giving too much away by saying that taking care of project staff and suppliers are both properties found in projects that sucessfully implemented security requirements into the final developed systems.

These ideas aren't often seen in project management methodologies.

Posted on: 28 October 2008 at 09:39 hrs

Comments Comments (0) | Permalink | Send Send

SDLC : Web Security, Usability and Design
http://www.clerkendweller.com/sdlc
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/sdlc
Requested by 38.107.191.119 on Friday, 12 March 2010 at 15:00 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2010 clerkendweller.com