Integrating security policies into the software life cycle

Transcript:

Integrating security policies into the software life cycle
Gabriela Zornoza, Presales, Rational (Client Technical Professional)
Gabriela.zornoza@es.ibm.com

Agenda
- New security division at IBM
- Security trends according to the X-Force 2011 Mid-year Trend and Risk Report
- Security in the software life cycle (agile environments)
- What's new in the AppScan v8.5 suite and its integration into the software life cycle

New Security division at IBM
4 OCT 2011

The good news
The number of disclosed web application vulnerabilities has fallen from 55% in 2010 to 37% in 2011

The bad news
The number of these vulnerabilities that are critical has increased.
* Critical vulnerabilities are those with a score of 10 under the CVSS (Common Vulnerability Scoring System)

"An infinite number of monkeys with an infinite number of typewriters and an infinite amount of time could eventually write the works of Shakespeare"
The Infinite Monkey Theorem
"An infinite number of hackers with an infinite number of keyboards, an infinite amount of caffeine, and an infinite amount of time could eventually compromise a network."
Stone's Corollary to the Infinite Monkey Theorem

Agile Software Development Life Cycle
A lightweight, iterative and adaptable approach to the software life cycle
- Requirements are User Stories and are stored in a Product Backlog
- Analysis and design on small sections of the Product Backlog (Sprint Backlog)
- Implement Sprint Backlog User Stories
- Conditions of Satisfaction are used to verify the requirements in the User Stories
- Deployment, maintenance and increments in the next Sprint

Agile Security Software Development Life Cycle
Security can be implemented in an agile development environment.
- Cost versus value of security in the SDLC
- An agile environment allows small iterations to reassess and classify threats
- Discover and prioritize security flaws early and often
- Develop with security in mind instead of facing a flood of problems when a security breach occurs
It is very good to start a project with security from the outset, but security can also be introduced into existing projects.
- Identify security responsibilities within the team
- Appoint a leader
- Introduce it in small, easily understood steps
- Start at the end of the SDLC

Building an agile software life cycle: Deployed application
- Run a security scan (AppScan) against an existing, deployed web application
- Familiarize the security and QA teams with running and configuring the tool
- Review report styles and ways of communicating with the team and the managers
- Establish baselines, templates, policies
Next steps
- Review and document possible defects in the Product Backlog; involve the testing team
First runs of AppScan on deployed app

Building an agile software life cycle: Verification and Testing
- Introduce the scanning tool to the testing teams (Testers)
- Initial configuration with the established baselines and patterns
- Distribute reports to the team
- Start thinking in terms of Conditions of Satisfaction
Next steps
- Remediate and assign possible security defects to User Stories
Testers using AppScan on Sprint review

Building an agile software life cycle: Implementation
- Let developers review the reports produced by the scan
- Analyze a user story and understand the security problem
- Review the suggested fixes or remedies
- Incorporate security practices for future development
Next steps
- Refine good practices; analysis and design including security
Developers recognize security patterns

Building an agile software life cycle: Analysis and Design
- Developers and analysts have a good focus on security
- They build User Stories with security in mind from the start
- Conditions of Satisfaction are security-aware
- Demonstrate with the scan reports that the Conditions of Satisfaction are met
Continue with an agile and secure life cycle
- Scanning, filtering and assignment during each Sprint
Best practices include security concerns

Positioning of the Rational suite

Current solution: IBM Rational AppScan suite
Dynamic Analysis/Blackbox, Static Analysis/Whitebox
Life-cycle phases: SECURITY REQUIREMENTS, CODE, BUILD, QA, PRE-PROD, PRODUCTION
AppScan Enterprise, AppScan Reporting Console, AppScan ondemand
- Security Requirements Definition: Security requirements defined before design & implementation
- AppScan Source: Build security testing into the IDE
- AppScan Build: Automate Security / Compliance testing in the Build Process
- AppScan Tester: Security / compliance testing incorporated into testing & remediation workflows
- AppScan Standard: Security & Compliance Testing, oversight, control, policy, audits
- AppScan Standard: Outsourced testing for security audits & production site monitoring
Application Security Best Practices: Secure Engineering Framework

New view of the AppScan portfolio by user group
Penetration Testing, Vulnerability Management
AppScan Standard
- Desktop solution for security consultants and in-house security testers
- Combines advanced security testing with ease of use
- Primarily DAST but advanced hybrid technology included (JavaScript Analyzer & new Glass box)
AppScan Enterprise
Application Development
Governance & Collaboration
- Required server-based component for central control & aggregation
- Measure-monitor-report
- Integrate into Rational ALM suite
SAST (Source)
- Modular solutions specific to the needs of various teams: Security (thick client); Developers (IDE plug-in with & w/out scanning); Build Automation
DAST
- New server-based DAST scanners sold separate for Enterprise server
- Dynamic Analysis users (web UI)

AppScan Standard: Desktop solution combines advanced security testing, broad technology coverage and ease of use
Web Application Assessments for Pen-Testers and Security Practitioners
Covers all relevant OWASP & WASC TCv2 threat classes
- SQL Injection, Cross-Site Scripting, HTTP Response Splitting, OS Commanding, LDAP Injection, XPath Injection, Buffer Overflows, 1000s more
Configure & test
- Scan Expert provides recommended settings based on your apps
Details & guidance to correct the vulnerability
- Explanation of threat and recommended fix
Ease of Use
Dynamic Analysis (black box)
Web 2.0 and Rich Internet Applications
- JavaScript & Ajax
- Adobe Flash & Flex
Malware analysis
- Scan site with malware analysis from IBM X-Force Security Research
Integrate with Defect Tracking Systems
- Rational ClearQuest
- HP Quality Center
Compliance & Reporting
- 40+ compliance reports
- Executive-level summaries
- Guidance for development
Web Services/SOA
- SOAP/XML parser issues (External entities, XML blowup, etc.)
- Application-layer issues
- Infrastructure issues
Hybrid Technology
- JavaScript Security Analyzer: Static taint analysis of client-side JavaScript
- Runtime Analysis (glass box testing): Expanded threat coverage with less configuration; Precise results (line of code) assist remediation

AppScan Standard: Advanced security testing with JavaScript Security Analyzer (white box testing of client-side JavaScript)
Security challenges of modern web applications
- Technologies like AJAX, JS Frameworks and HTML5 rely on client-side JavaScript code
- Traditional static/white box cannot scan code dynamically produced in production applications
- Traditional dynamic/black box scans cannot analyze JavaScript that user downloads from application
AppScan Standard with JavaScript Security Analyzer
- Executes static taint analysis of JavaScript, detects client-side security issues: DOM-based XSS, Code Injection, Open Redirect, CSRF Bypass, Dual Session, Port Manipulation, Protocol Manipulation
[Chart: Websites with Client-side JavaScript Vulnerabilities]

AppScan Standard: Advanced security testing with Runtime Analysis (Glass Box)
How it works
- Remotely deployed server-side agents collect vital information during dynamic scans
- Agent reports back to AppScan Standard with SAST-style rich vulnerability details: vulnerable line of code; vulnerable file, class, method (sink)
Benefits
- Expanded threat coverage with less configuration
- Identifies unreferenced parameters, so users don't have to define every page/file to be scanned
- AppScan Standard now covers complete OWASP Top 10
- Precise results assist remediation
- Provides developers with both proof of exploit and line of vulnerable code
[Diagram labels: AppScan Standard v8.5; HTTP(S); Target web application; Glass box Engine; Glass box Component; Control & Reporting; Agent(s); Agent Rules]

Solution requirements: advanced security testing + collaboration & governance through application lifecycle
Advanced Security Assessments
Static Analysis
- Scanning source code for security issues
- Key requirements: Application/language support; Ease of use for non-security users (developers and build managers)
Runtime & Hybrid Analysis
- Glass box testing with runtime analysis
- Automated correlation of static & dynamic results
- Key requirements: Precise & Actionable results; Broad threat coverage
Dynamic Analysis
- Analysis of a running/deployed application
- Key requirements: Threat coverage (WASC, OWASP Top 10, etc); Web Services/SOA; Web 2.0 & Rich Internet Applications
Collaboration & Governance in Application Lifecycle
- Security testing, shared results, assign ownership
- Track corrections and integrate with development systems

Solution Requirements: Static, Dynamic and Runtime Analysis
Columns: Static Analysis (White Box testing), Dynamic Analysis (Black Box testing), Runtime Analysis (Glass Box testing)
Scan input
- Static: Scans source code and bytecode for security and quality issues. Requires access to source or bytecode
- Dynamic: Scans running web applications. Requires starting point URL, and login credentials where relevant
- Runtime: Similar to black box to scan running web applications with an agent installed on the application
Assessment techniques
- Static: Uses taint analysis and pattern matching techniques to locate issues
- Dynamic: Tampering of HTTP messages to locate application and infrastructure layer issues
- Runtime: Agent monitors application performance during a black box scan for expanding threat coverage and greater detail
Role in application development lifecycle
- Static: Development: Scan code and work remediation from IDE. Build: Scan nightly or weekly build to highlight defects for developers to correct. Security: Define & customize security best practices for developers; Execute preproduction scans and audits
- Dynamic: Build: Scan as part of build acceptance tests before releasing build to testing team. Test: Execute security test scripts as part of quality plan. Security: Define test scripts for quality plan; Execute preproduction scans and audits
- Runtime: Build: Provides added layer of vulnerability detail that assists developers with security debugging. Security: Expands threat coverage for hard-to-identify vulnerabilities (including all OWASP Top 10)
Results & Output
- Static: Results are presented by line of code, source to sink functions flow
- Dynamic: Results are presented as HTTP messages (exploit requests)
- Runtime: Results are presented as a combination of HTTP messages (exploit requests) and the line of code

AppScan Enterprise: Application security and risk management
Governance
- Control: Manage your enterprise-wide application security program; Drive security best practices into existing development processes
- Visibility & Compliance: Prove compliance with regulation-specific reports; Executive view of risk
- Measure & Improve: Trending, KPIs & more
Collaboration
- Security requirements linked to development tasks and test cases: Rational Collaborative Lifecycle Management
- Centralized issue management: Share results; Triage/prioritize results; Create & track security work items; Document comments
Security Intelligence
- Testing correlation: Analyze DAST and SAST results to identify proven exploits & line-of-code details
- Build custom protection*: WAF integration
Application Security Analysis, Testing & Assessments: Dynamic, Static, Runtime**
* Requires IBM Security SiteProtector and Network IPS
** Requires IBM Rational AppScan Standard

Governance: Central control, scalability & visibility for enterprise-wide application security programs
Control
- Security teams empower non-security experts to implement security best practices
- Execute and manage scans for applications in development & production
- Build secure applications by defining assessment policies for developers, testers & build managers to execute
- Schedule & execute assessments of production applications for new risks and vulnerabilities
Visibility & Compliance
- Dashboard of application risk
- Compliance (40+ compliance reports)
Measure & Improve
- Track decrease/increase of vulnerabilities and risk over time
- Trending of app risk, timing/cost of remediation

Collaboration: Link security requirements to development tasks and QA test cases
- Analyst: Rational Requirements Composer
- Developer: Rational Team Concert, AppScan. Developers link to security requirements from work-items and perform security tasks
- Tester: Rational Quality Manager, AppScan. Testers link to security requirements from test plans and execute security test cases
Security requirements with links to development and test plans

Collaboration: Remediate security vulnerabilities
- Analyst: Rational Requirements Composer
- Developer: Rational Team Concert, AppScan
- Tester: Rational Quality Manager, AppScan
Security Test Execution Results link to security defects
Defects can link to security requirements
Security defects link to Test Execution results

Security Intelligence: Hybrid Analysis with Automated Correlation of Static and Dynamic analysis results
- Correlation links proof of exploit (black box) with line of code (white box)
- Triage and prioritize issues for remediation
[Diagram: a Dynamic analysis assessment conducted with AppScan Standard or AppScan Enterprise Edition; a Static analysis assessment conducted with AppScan Source Edition; Aggregated and correlated results: Issues discovered using both dynamic and static analysis (URL, element, source file, API, etc.)]
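
The correlation idea on this slide, sketched as an added example (not part of the presentation and not AppScan code): dynamic findings carry the proof of exploit, static findings carry the line of code, and joining them on issue type, URL path and parameter gives a triage order. The record fields, the route-to-code mapping, the priority order and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DynamicFinding:
    """Black-box result: proof of exploit, no code location."""
    issue: str
    url: str
    parameter: str
    request: str


@dataclass(frozen=True)
class StaticFinding:
    """White-box result: line of code, no proof of exploit."""
    issue: str
    source_file: str
    line: int
    sink: str
    route: str       # URL path served by this code (assumed to come from a route map)
    parameter: str


def normalize_path(url):
    """Reduce a URL or route to a comparable path: no host, query, case or trailing slash."""
    path = urlsplit(url).path
    return path.rstrip("/").lower() or "/"


def _key(issue, location, parameter):
    return (issue.lower(), normalize_path(location), parameter.lower())


def _row(priority, status, dyn=None, sta=None):
    return {
        "priority": priority,
        "status": status,
        "issue": (dyn or sta).issue,
        "url": dyn.url if dyn else None,
        "request": dyn.request if dyn else None,
        "source_file": sta.source_file if sta else None,
        "line": sta.line if sta else None,
        "sink": sta.sink if sta else None,
    }


def correlate(dynamic, static):
    """Join both result sets. Assumed triage order: 1 = proven exploit with a known
    line of code, 2 = proven exploit only, 3 = code-level finding not confirmed at runtime."""
    by_key = {}
    for s in static:
        by_key.setdefault(_key(s.issue, s.route, s.parameter), []).append(s)
    rows, matched = [], set()
    for d in dynamic:
        hits = by_key.get(_key(d.issue, d.url, d.parameter), [])
        for s in hits:
            matched.add(s)
            rows.append(_row(1, "correlated", d, s))
        if not hits:
            rows.append(_row(2, "dynamic-only", dyn=d))
    rows += [_row(3, "static-only", sta=s) for s in static if s not in matched]
    return sorted(rows, key=lambda r: r["priority"])


# Constructed sample findings (hypothetical application, files and routes).
SAMPLE_DYNAMIC = [
    DynamicFinding("Cross-Site Scripting", "https://shop.example.test/help", "topic",
                   "GET /help?topic=<probe>"),
    DynamicFinding("SQL Injection", "https://shop.example.test/Account/Search/?q=1", "q",
                   "GET /Account/Search/?q=<probe>"),
]
SAMPLE_STATIC = [
    StaticFinding("Path Traversal", "src/ReportServlet.java", 41,
                  "FileInputStream.<init>", "/reports/download", "name"),
    StaticFinding("SQL Injection", "src/AccountDao.java", 88,
                  "Statement.executeQuery", "/account/search", "q"),
]

if __name__ == "__main__":
    for r in correlate(SAMPLE_DYNAMIC, SAMPLE_STATIC):
        print(r["priority"], r["status"], r["issue"], r["url"], r["source_file"], r["line"])
```
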

Security Intelligence: Integrate with IBM application protection
Web App Protection Customized for Your Specific Vulnerabilities
AppScan: Vulnerability Management
- Identify web application vulnerabilities
- Integrate results into IBM Security SiteProtector
IBM Security SiteProtector: Centralized Control
- Open trouble tickets to patch vulnerabilities
- Analyze web app vulnerabilities for attacks targeting those vulnerabilities
- Provide recommended IPS policies to block attacks against your specific vulnerabilities
- Push web app protection policies to IPS appliances and server agents
IBM Security Network IPS: Network-based Web App Protection
- Blocks attacks against web applications
- Full protection of a Web App Firewall
IBM Security Server Protection: Server-based Web App Protection
- Security for web servers
- Blocks attacks against web applications

AppScan Enterprise: Dynamic analysis (black box) security testing in the collaborative application lifecycle
Application Lifecycle Integrations
Build
- Scan as part of build acceptance tests before releasing build to testing team
- Execute scan from web UI or Quick Scan simplified web interface
Test
- Execute security test scripts as part of quality plan
- Option to integrate with Rational Quality Manager & execute scans from RQM
- Option to execute scans via simplified Quick Scan web interface
Security
- Execute pre-production scans and audits
Production
- Schedule & execute recurring scans against production applications for compliance and newly discovered vulnerabilities

AppScan Enterprise + AppScan Source for SAST: Static analysis (white box) security & quality testing in the collaborative application lifecycle
Source Code Analysis for Security Testing in Development & Build Automation
Broad Application Support Out of the Box for Security Testing
- Java, JSP, C, C++, Classic ASP (VB6), COBOL, SAP ABAP*, .NET, C#, VB.NET, ASP.NET, PHP, HTML, Perl, ColdFusion, Client-Side JavaScript, Server-Side JavaScript, VBScript, PL/SQL, T-SQL
* Requires Virtual Forge CodeProfiler for AppScan Source Edition
Code Quality Static Analysis
- Identify code-level quality defects within IDE
- Automate code quality analysis as part of the build process for centralized software code scanning
- Key Performance Indicators (KPIs) to help developers learn best practices
- Languages: Java, C, C++
Application Lifecycle Integrations
Develop
- IDE plug-ins to remediate identified issues (Source for Remediation)
- Options to scan code locally from IDE (Source for Developer)
Build
- Automatically trigger security scans with each build (Source for Automation)
- Review results from IDE or Security user & create work items for remediation
Security
- Source for Security power user creates SAST scans executed from IDE or in build automation
- Executes advanced scans in preproduction security audits

AppScan Enterprise + AppScan Source for SAST: Solution components map to users, processes and application risk management
Source for Security
- Configure scans for all users
- Scan
- Triage Results
- Manage Security Policies
Source for Automation
- Build integration (ANT, NAnt, Make, Maven)
- Automate Scans
- Data Access API
Source for Developer
- Scan with IDE plug-in
- Investigate Flaws from IDE
- Access results from build scan
- Remediate with Guidance
- Confirm Fix
Source for Remediation
- Non-scanning IDE plug-in
AppScan Enterprise Server: Governance, Collaboration, Security Intelligence
- AppScan Enterprise Server Basic: limit 10 concurrent users
- AppScan Enterprise Server: Unlimited concurrent users

AppScan 8.5: Key points
AppScan Standard
- Glass-box Testing with Run-time analysis: 100% coverage of OWASP Top 10; Connect proof of exploit with line of code
- Usability enhancements: Focus on ease of use; Scan Expert improvements
- JavaScript Security Analyzer enhancements: 40% of web sites have JavaScript vulnerabilities
- New documentation with Workflow for Advanced users
Market-leading desktop solution that combines
- Most advanced security testing for precise results (DAST, glass-box, JSA)
- Broad technology coverage (RIA, Flash, Web Services)
- Ease of use
AppScan Enterprise & Source
Get beyond DAST vs. SAST by delivering a solution for enterprise Application Security & Risk Management
- Governance
- Collaboration
- Security intelligence: SiteProtector integration; .net correlation
- Integrated DAST-SAST solutions
- Quality as an extension of security (available in Source for Automation, Source for Developer & Source for Remediation)
- SAST expanded language support: SAP ABAP (with Virtual Forge), T-SQL, PL/SQL, COBOL

AppScan Benchmarking
Proof: 3rd party bakeoff
- Ranked #1 in accuracy: 100% detection rate for all of the reflected XSS test cases, and 0% false positives on the false positive test cases
- AppScan performed extremely well in SQL Injection tests (although it did not rank #1): it managed to find 127 issues out of 136 (93.38% success rate), with 3 False Positives out of the 10 False Positive test cases.
http://sectooladdict.blogspot.com/

Smarter planet
The leading event on software innovation

www.ibm/software/rational
Copyright IBM Corporation 2010. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.