Software Security Testing The Next Frontier
Software Confidence. Achieved.
Scott Matsumoto Principal Consultant
[email protected]
www.cigital.com
[email protected] +1.703.404.9293
Tuesday, May 01, 2007
About Cigital
A leading consulting firm specializing in helping organizations improve their software security and software quality posture
- Recognized experts in "Building Security In"
- Extensive Industry Standards, Best Practices, and Regulatory Compliance experience
© 2007 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Software Security Is A Challenge
[Figure: "This simple interface…" (.NET) "…is this complex program"]
The Trinity of Trouble
- Connectivity: The Internet is everywhere and most software is on it
- Complexity: Networked, distributed, mobile code is hard
- Extensibility: Systems evolve in unexpected ways and are changed on the fly
The network is the computer.
Software Vulnerability Growth
Reported Software Vulnerabilities per year (Source: CERT)
Year  Reported vulnerabilities
2000  1090
2001  2437
2002  4129
2003  3784
2004  3780
2005  5690
2006  8064
Web-based Application Vulnerability
Software Security problems are in the application software
Top 4 Vulnerabilities in CVE
[Figure: percentage distribution of the top 4 vulnerability types in CVE (XSS, buf, sql-inject, dot) by year, 2000-2007; y axis 0.00% to 25.00%]
Software Security Touchpoints
SQL Injection
Insert SQL commands into data fields to alter behavior of server:
- Return different data
- Overwork server with unbounded queries and joins (denial of service)
- Alter data
- Execute blocks of arbitrary SQL statements
Example SQL Injection Vulnerability
Compose a dynamic query based on user input:
  SELECT cc_type, cc_num FROM cc_data WHERE id='%s' AND cc_type='%s'
Normal cc_type = 'Visa':
  SELECT cc_type, cc_num FROM cc_data WHERE id='123456789' AND cc_type='Visa'
SQL Injection
Insert SQL commands into data fields to alter behavior of application
Example: Enter x' OR 'a'='a instead of "Visa" to produce
  SELECT cc_type, cc_num FROM cc_data WHERE id='123456789' AND cc_type='x' OR 'a'='a'
Results in all credit card data being returned
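The two slides above, reproduced as an added, runnable example (not part of the original deck): the slide's '%s' query pattern next to the parameterized form that fixes it, run against a constructed in-memory cc_data table. The table contents and the helper names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the slides): two cards for customer 123456789,
# one card for another customer. Card numbers are placeholders.
SAMPLE_ROWS = [
    ("123456789", "Visa", "4111-xxxx-xxxx-1111"),
    ("123456789", "MasterCard", "5500-xxxx-xxxx-0004"),
    ("987654321", "Visa", "4222-xxxx-xxxx-2222"),
]


def make_db():
    """Create an in-memory cc_data table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cc_data (id TEXT, cc_type TEXT, cc_num TEXT)")
    conn.executemany("INSERT INTO cc_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, cust_id, cc_type):
    """The slide's pattern: user input is spliced into the SQL text with '%s'.
    Because AND binds tighter than OR, the input x' OR 'a'='a turns the WHERE
    clause into (id=... AND cc_type='x') OR 'a'='a', which matches every row."""
    query = ("SELECT cc_type, cc_num FROM cc_data "
             "WHERE id='%s' AND cc_type='%s'" % (cust_id, cc_type))
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id, cc_type):
    """The fix: bound parameters. The driver passes the input as a value, so the
    quote and OR in the injected string are compared literally, never parsed."""
    query = "SELECT cc_type, cc_num FROM cc_data WHERE id=? AND cc_type=?"
    return conn.execute(query, (cust_id, cc_type)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal:       ", lookup_vulnerable(db, "123456789", "Visa"))
    print("injected:     ", lookup_vulnerable(db, "123456789", "x' OR 'a'='a"))
    print("parameterized:", lookup_parameterized(db, "123456789", "x' OR 'a'='a"))
```

The vulnerable lookup returns one row for "Visa" and all three rows for the injected value; the parameterized lookup returns no rows for the injected value, because no card type literally equals that string.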
Software Security Testing – Call to Action
Types of problems (vulnerabilities)
- Weaknesses, Vulnerability and Attack Patterns
Tools and Techniques for Testing
- Penetration and Fuzzing tools
- Think like a bad guy
- Know your application
Resources
- CWE/CVE – mitre.org
- OWASP – owasp.org
- Verify 2007 – verifyconference.com
Thank you for your time.