069-may2007-talk

Software Security Testing The Next Frontier

Software Confidence. Achieved.

Scott Matsumoto Principal Consultant [email protected]

www.cigital.com [email protected] +1.703.404.9293

Tuesday, May 01, 2007

1

About Cigital






A leading consulting firm specializing in helping organizations improve their software security and software quality posture Recognized experts in “Building Security In” Extensive Industry Standards, Best Practices, and Regulatory Compliance Experience

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

2

1

Software Security Is A Challenge

…is this complex program

The Trinity of Trouble Connectivity
The Internet is everywhere and most software is on it
Complexity
Networked, distributed, mobile code is hard
Extensibility
Systems evolve in unexpected ways and are changed on the fly

The network is the computer.




© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

This simple interface… .NET

Tuesday, May 01, 2007

3

Software Vulnerability Growth Reported Software Vulnerabilities 9000 8000 7000 6000 5000 4000 3000 2000 1000 0

8064 5690 4129 3784 3780 2437 1090

2000 2001 2002 2003 2004 2005 2006 Source: CERT © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

4

2

Web-based Application Vulnerability

Software Security problems are in the application software © 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

5

Top 4 Vulnerabilities in CVE

Percentage distribution of top 4 vulnerabilities 25.00% 20.00% XSS

15.00%

buf sql-inject

10.00%

dot 5.00% 0.00% 2000 2001 2002 2003 2004 2005 2006 2007

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

6

3

Software Security Touchpoints

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

7

SQL Injection


Insert SQL commands into data fields to alter behavior of server
Return different data
Overwork server with unbounded queries and joins (denial of service)
Alter data
Execute blocks of arbitrary SQL statements

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

8

4

Example SQL Injection Vulnerability







Compose a dynamic query based on user input: SELECT cc_type, cc_num FROM cc_data WHERE id=‘%s’ AND cc_type=‘%s’ Normal cc_type = ‘Visa’: SELECT cc_type, cc_num FROM cc_data WHERE id=‘123456789’ AND cc_type=‘Visa Visa’ Visa

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

9

JRM2

SQL Injection



Insert SQL commands into data fields to alter behavior of application Example: Enter x’ OR ‘a’=‘a instead of “Visa” to produce SELECT cc_type, cc_num FROM cc_data WHERE id=‘123456789’ AND cc_type =‘x’ OR ‘a’ = ‘a’




Results in all credit card data being returned

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

10

5

Slide 10 JRM2

Brook: Explain why this is important to morgan. rmills, 11/6/2006

Software Security Testing – Call to Action








Types of problems (vulnerabilities)
Weaknesses, Vulnerability and Attack Patterns Tools and Techniques for Testing
Penetration and Fuzzing tools
Think like a bad guy
Know your application Resources
CWE/CVE – mitre.org
OWASP – owasp.org
Verify 2007 – verifyconference.com

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

11

Thank you for your time.

© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Tuesday, May 01, 2007

12

6