CREATE MORE SECURE SOFTWARE CODE: 5 KEY STEPS
Lack of software security is alarmingly apparent
Software security, or rather the lack thereof, has become commonplace and an all too frequently
recurring story in print and electronic media around the world. Just a single incident, such as
the Target breach, which affected over 100 million people and cost Target an estimated $300
million, has the power to propel the subject of security from the world of IT professionals into the
conversations of everyday people. Of course, there have been many incidents, pre- and post-Target.
TJ Maxx, P.F. Chang’s, JPMorgan Chase, Snapchat, eBay, Home Depot, Staples... the list goes on and
on and includes public, private, and government organizations.
ROGUEWAVE.COM
2
Terms like identity theft, data breach, application breach, malware, denial of service attack, cyber-espionage, cyberwarfare, Trojan horse, computer virus, worm, and more are now familiar and unnerving even to people who don’t know
what they mean. Brand equity and trust, painstakingly built over decades in many cases, have been tarnished or worse by
the revelation that flaws in organizations’ software, systems, and/or business processes have put their customers and
other constituents at risk.
Not to belabor this, but consider the following:
• Software defects cost the U.S. economy approximately $60 billion annually.
• One study found that 98 percent of applications contained at least one application security risk, while the
average application contained more than 20.
• 57 percent of IT security professionals don’t believe their organizations are protected against cyber attacks.
• The number of U.S. data breaches tracked in 2014 hit a record high, representing an increase of 27.5 percent
over the number of breaches reported in 2013. (The actual increase is probably higher as many breaches are
not reported.)
• The hard cost of a single data breach can be mind boggling, ranging from hundreds of thousands of dollars to
tens of millions of dollars.
• 2014 saw a 300 percent increase in cyber-espionage incidents compared to the number of incidents in 2012.
THE SOURCE OF THE PROBLEM
Ultimately, all software security failures can be traced back to unsound application code or business processes. In fact,
80 percent of development costs can be attributed to finding and fixing flawed code. Yet, astoundingly, most developers
don’t consider security to be their responsibility. Instead, often driven by tight deadlines and ever more complex
application requirements, they see their jobs as writing and testing code to get applications done and out the door as
rapidly as possible. If security is a thought at all among developers, it’s often an afterthought. Even more alarmingly, a
recent survey of 1,700 developers found that 80 percent of them didn’t actually know how to secure sensitive data.
And, of course, denial is alive and well in many organizations. It goes something like this: “We haven’t had a problem with
security, so it’s not an issue for us.” Make no mistake, however — no organization is invulnerable. If your organization
hasn’t experienced a problem yet, don’t focus on your good fortune, but instead on the word “yet.” Sooner or later you
will be affected.
Denial isn’t an effective strategy for much of anything, let alone for ensuring software security. Instead, organizations
must develop strategies and processes that:
• Make clear that security is the responsibility of everyone in the organization.
• Educate employees about the types of threats and the potential consequences of those threats.
• Teach developers how to create safer, more secure applications.
• Ensure that security is a high priority in the development process — a priority that must be “baked in” from the
beginning of every project.
• Identify and provide developers with effective tools to assist them in creating secure code.
IDENTIFY AND ADDRESS CODING FLAWS AND VULNERABILITIES AS YOU GO
Baking in security to create reliable code as you go begins with identifying the most common sources of code
vulnerability and the most common attack vectors. While these sources are constantly changing, there are two invaluable
resources on the web to help you identify and track them. These are:
• OWASP Top 10 (www.owasp.org), which identifies common vulnerabilities including SQL, OS, and LDAP
injection; cross-site scripting; security misconfiguration; sensitive data exposure; and use of components with
known vulnerabilities.
• CWE Top 25 Common Weaknesses (cwe.mitre.org/top25/), which lists the most widespread and critical
software errors that can lead to serious vulnerabilities. Among these are: SQL injection, OS command injection,
buffer overflow, cross-site scripting, missing authentication for critical functions, missing authorization, missing
encryption of sensitive data, improper input validation, and the download of code without an integrity check.
A review of these and other resources shows that the three most common and recurring attack vectors year after year
are buffer overflows, cross-site scripting, and SQL injection.
Awareness of the threats is just the first step. Next is the matter of how to identify errors and vulnerabilities on the fly
as you’re coding. Ideally, what you want is a tool or set of tools that work like spell check in a word processing program,
identifying issues in real time so you can address them immediately rather than trying to “proofread” thousands or
hundreds of thousands of lines of code after you believe you’ve completed your work. Humans aren’t really equipped for
this sort of task. You need automated tools to assist you as you go.
FIVE STEPS TO MORE SECURE CODE
There are a number of steps you can take and there are many resources available to you to help ensure the security of
your code. We’ve already mentioned two resources — OWASP Top 10 and CWE Top 25 — that provide you with current
information regarding the most common sources of problematic code. Given that 90 percent of typical applications use
open source components and that 46 million vulnerable open source components are downloaded each year, it’s a good
idea to be wary of all inputs — components and incoming data.
Another resource that can help you verify the safety and reliability of your code is the Rogue Wave Software OpenLogic
platform, with its certified library of hundreds of open source software packages. OpenLogic provides a free web site
where companies can find, research, and download certified, enterprise-ready open source packages on demand.
OpenLogic is continually updated with new releases and security patches to keep you up-to-date on the latest open
source enhancements. It provides real-time security alerting for the latest open source vulnerabilities as well as an
extensive knowledge base, including complete information on open source licenses.
Step one: Never trust inputs
Consider all input untrustworthy until proven otherwise. After all, most data breaches result from input trust issues.
Specifically, reject things you know are bad. For instance, refuse code from unknown or untrusted sources, including
code and data you may have inherited through a merger or acquisition.
Beyond that, discard sensitive data as soon as possible, compile code at the highest possible warning level, and stay
abreast of and deploy security updates in a timely manner.
The Rogue Wave Software Klocwork static code analysis product is a very effective tool for identifying and locating input
trust issues. It enables you to analyze source code without actually executing programs built from that code, performing
on-the-fly static code analysis while you are writing code. This saves developers substantial time while improving
software quality and ensuring code integrity. In the words of one Klocwork user, “Klocwork lets us move faster and
reinforces good coding practices.”
OpenLogic can also be an invaluable resource to you in addressing the input trust issue throughout your project by
helping you implement and manage an OSS policy that governs how open source is accepted, deployed, and tracked
within your organization.
Step two: Check your code as you go
Identify areas in your code where weaknesses exist and check to see if you’re using any known insecure functions or APIs.
As described above, Klocwork static code analysis is a highly effective and proven method for analyzing source code
on-the-fly to identify defects including a host of security problems such as command injection, buffer overflows, and
insufficient access permissions. It’s also a very efficient tool that can reduce coding time by 26 percent while increasing
the quality and security of developers’ code.
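Steps one and two above (refuse input you know is bad, and replace known insecure library calls) can be shown together in C, the language in which the buffer-overflow class the paper names is most common. The following is an added example, not code from the paper or from Rogue Wave: it replaces the unbounded strcpy()-into-a-fixed-buffer pattern that static analyzers flag with a bounded, allowlisting copy that rejects rather than truncates, and parses a constructed length-prefixed record from an untrusted buffer. The function names `copy_name_checked` and `parse_record`, the record format, and the sample inputs are assumptions of this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounded, allowlisted replacement for the strcpy()-into-a-fixed-buffer
 * pattern that static analyzers flag. Input is rejected rather than
 * truncated when it is too long or contains characters outside [A-Za-z0-9_-].
 * Returns 0 on success, -1 on rejection (dst is left unchanged). */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;

    /* Measure without reading past the space we could ever accept. */
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)            /* no room left for the terminator */
        return -1;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;           /* known-bad character: refuse the whole input */
    }
    memcpy(dst, src, n + 1);     /* n bytes plus the terminator */
    return 0;
}

/* Parses a constructed wire format "<u8 len><len bytes payload>" received
 * from an untrusted peer. The declared length is checked against both the
 * bytes actually received and the caller's output buffer before anything is
 * copied. Returns the payload length, or -1 if the record is malformed. */
int parse_record(const uint8_t *buf, size_t buf_len, char *out, size_t out_len)
{
    if (buf == NULL || out == NULL || buf_len < 1)
        return -1;
    size_t declared = buf[0];
    if (declared > buf_len - 1)  /* claims more bytes than were received */
        return -1;
    if (declared >= out_len)     /* would not fit with a terminator */
        return -1;
    memcpy(out, buf + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

int main(void)
{
    char name[16];
    /* Constructed sample inputs: one well-formed, one oversized, one with a
     * character outside the allowlist. */
    printf("ok name:  %d\n", copy_name_checked(name, sizeof name, "alice_01"));
    printf("too long: %d\n", copy_name_checked(name, sizeof name,
           "this_name_is_far_too_long_for_the_buffer"));
    printf("bad char: %d\n", copy_name_checked(name, sizeof name, "bad;name"));

    /* Constructed records: an honest one and one whose length byte lies. */
    const uint8_t honest[] = {5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t lying[]  = {200, 'h', 'i'};
    printf("honest:   %d\n", parse_record(honest, sizeof honest, name, sizeof name));
    printf("lying:    %d\n", parse_record(lying, sizeof lying, name, sizeof name));
    return 0;
}
```

The two checks encode the paper's rule in code: a bound derived from the destination, not the source, and a rejection path instead of silent truncation, which is what turns a "finding" from a static analyzer into a fixed defect.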
Step three: Manage open source software acquisition, provisioning, and usage
Open source software (OSS) fills a specific technical gap for developers. However, it’s delivered “as is,” and is rarely created
with security in mind. Still, it’s fairly ubiquitous, with 99 percent of Global 2000 enterprises using OSS in mission-critical
software by 2016. Disturbingly, though, most organizations don’t know where and how OSS is being used.
The best way to minimize the risks associated with the use of OSS is to create an OSS policy to govern your
organization’s use of OSS, including OSS acquisition, provisioning, and tracking.
Here again, tools are available, such as OpenLogic, which helps create and manage policy, maintains a database of OSS
packages and versions that are authorized for use, and offers a knowledge base to solve any potential problem.
Step four: Use threat modeling
To further ensure the security of your code, you need to have a clear understanding of the ever-present potential
threats. That means thinking about all possible system threats and how your systems might be attacked before you
ever start coding. This thought process starts with system architecture and design.
Using threat modeling, you can identify vulnerabilities and then design countermeasures to neutralize these
vulnerabilities. Measures you can take include:
• Enforcing boundaries between your OS and processes.
• Protecting data both in transit and at rest using encryption.
• Keeping your cryptography code modular and separated so you can easily change it over time (as algorithms
are replaced) without significant impact to the rest of the system.
Employing a tool like Klocwork for static code analysis can be extremely helpful by shining a light on security risks that
may not be obvious or anticipated by your design team.
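The third measure above, keeping cryptography modular so an algorithm can be replaced without touching the rest of the system, comes down to never hard-coding the algorithm into callers. The following is an added example, not code from the paper or from Rogue Wave: every sealed record carries an algorithm id, callers go through one interface, and the registry decides which transform to use, so records sealed under an old algorithm remain readable after the default changes and records claiming an unknown algorithm are rejected. The two transforms are placeholders, not real ciphers; they exist only so the dispatch logic runs stand-alone. The record format, `cipher_ops`, `seal_record`, `open_record` and the sample key are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Every sealed record carries the id of the algorithm that produced it:
 *   <u8 alg_id><u8 len><len bytes body>
 * so the rest of the system never hard-codes an algorithm and old records
 * stay readable after the default changes. */
typedef struct {
    uint8_t id;
    const char *name;
    /* in/out must not overlap; encrypt != 0 seals, 0 unseals */
    void (*transform)(const uint8_t key[4], const uint8_t *in, uint8_t *out,
                      size_t n, int encrypt);
} cipher_ops;

/* PLACEHOLDER transforms, not real ciphers: they exist only so that the
 * dispatch and versioning logic can run stand-alone. A real build would put
 * an authenticated cipher from a vetted library behind this same interface. */
static void placeholder_v1(const uint8_t key[4], const uint8_t *in,
                           uint8_t *out, size_t n, int encrypt)
{
    (void)encrypt;                          /* XOR is its own inverse */
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % 4];
}

static void placeholder_v2(const uint8_t key[4], const uint8_t *in,
                           uint8_t *out, size_t n, int encrypt)
{
    for (size_t i = 0; i < n; i++)
        out[i] = encrypt ? (uint8_t)(in[i] + key[i % 4])
                         : (uint8_t)(in[i] - key[i % 4]);
}

static const cipher_ops REGISTRY[] = {
    {1, "legacy-v1",  placeholder_v1},
    {2, "current-v2", placeholder_v2},
};
#define CURRENT_ALG_ID 2   /* the only line that changes on an algorithm rollover */

static const cipher_ops *lookup_cipher(uint8_t id)
{
    for (size_t i = 0; i < sizeof REGISTRY / sizeof REGISTRY[0]; i++)
        if (REGISTRY[i].id == id)
            return &REGISTRY[i];
    return NULL;                            /* unknown id: caller must reject */
}

/* Seals pt with the current algorithm. Returns record length or -1. */
int seal_record(const uint8_t key[4], const uint8_t *pt, size_t n,
                uint8_t *rec, size_t rec_len)
{
    const cipher_ops *c = lookup_cipher(CURRENT_ALG_ID);
    if (c == NULL || n > 255 || rec_len < n + 2)
        return -1;
    rec[0] = c->id;
    rec[1] = (uint8_t)n;
    c->transform(key, pt, rec + 2, n, 1);
    return (int)(n + 2);
}

/* Unseals any record whose id is registered. Returns plaintext length or -1. */
int open_record(const uint8_t key[4], const uint8_t *rec, size_t rec_len,
                uint8_t *pt, size_t pt_len)
{
    if (rec_len < 2)
        return -1;
    const cipher_ops *c = lookup_cipher(rec[0]);
    size_t n = rec[1];
    if (c == NULL || rec_len != n + 2 || pt_len < n)
        return -1;                          /* unknown algorithm or bad length */
    c->transform(key, rec + 2, pt, n, 0);
    return (int)n;
}

int main(void)
{
    const uint8_t key[4] = {1, 2, 3, 4};    /* constructed sample key */
    const uint8_t msg[] = {'s', 'e', 'c', 'r', 'e', 't'};
    uint8_t rec[64], pt[64];
    int rl = seal_record(key, msg, sizeof msg, rec, sizeof rec);
    printf("sealed %d bytes with %s\n", rl, lookup_cipher(rec[0])->name);
    printf("opened %d bytes\n", open_record(key, rec, (size_t)rl, pt, sizeof pt));
    rec[0] = 9;                             /* unregistered algorithm id */
    printf("unknown alg -> %d\n", open_record(key, rec, (size_t)rl, pt, sizeof pt));
    return 0;
}
```

Callers only ever see `seal_record` and `open_record`; retiring an algorithm means adding a registry entry, moving `CURRENT_ALG_ID`, and later removing the old entry once stored records have been re-sealed, with no change to the code that stores or reads records.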
Step five: Take responsibility
While it’s important that everyone in your organization recognizes that security is part of their responsibilities,
it’s particularly important for developers to understand and accept this responsibility. After all, it’s your code. No
one is better positioned to ensure software security than the developer. You should assume in today’s computing
environments that all code will be scrutinized and possibly attacked, and you should do everything in your power to
protect your code from the ever-growing numbers and types of attacks.
Achieving this objective begins with getting educated about the risks, consequences, and the actions you can take to
make your code as flawless and secure as possible. Even if your company doesn’t seem concerned about software
security, or questions whether the extra time that security adds to the development process is worth it, you
should know better and educate your colleagues.
You should enlist your peers in reviewing your code. And you should absolutely make use of the available and proven
tools such as Klocwork and OpenLogic from Rogue Wave Software. You should use them and run them often.
One more thing: standards compliance
Not only is Klocwork a proven tool for automating the detection of hundreds of different potential security vulnerabilities
in software code and providing development teams with a consistent, tool-based approach to identifying and remediating
these issues, it also actively supports secure coding initiatives. Klocwork helps developers comply with industry standards
including MISRA, CWE, OWASP, CERT, DISA-STIG, and SAMATE. Complying with standards is an important step that helps
ensure the security of your code and applications and inspire confidence among your customers and other users that
your products can be trusted.
DON’T GET BURNED
There may be no more dramatic way to truly learn a lesson than to get burned. But that’s really not necessary. And it’s
certainly not the best way to learn about the importance of software security. The costs of learning as the result of a
data breach or some other damaging security incident are simply too high — too high for your organization, for your
customers, and for you and your career.
Fortunately, as described in this paper, there are tools, processes, and other resources available to enable you to
minimize security risks by helping you develop high quality, error-free code and applications.
For more information on how you can create more secure and reliable software, visit our website at
www.roguewave.com.
Rogue Wave provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building
great software and accelerate the value gained from code across the enterprise. The Rogue Wave portfolio of complementary, cross-platform tools
helps developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code
integrity, while shortening development cycle times.
© 2015 Rogue Wave Software, Inc. All rights reserved.