Web Development Evolution: The Business Perspective on Security

William Bradley Glisson, L. Milton Glisson, Ray Welland
12/23/2021  glisson@dcs.gla.ac.uk  Department of Computing Science
Why?
• Data, Information, Knowledge
• "One man's data can be another man's knowledge, and vice versa, depending on context" (Stewart, T. A., The Wealth of Knowledge)
• "Information is the world's new currency; information has value." (Secret Service Director Ralph Basham)
• "Knowledge is what we buy, sell, and do" (Stewart, T. A., The Wealth of Knowledge)
Business Incentive
• The 2004 (FBI) Computer Crime and Security Survey estimates that losses from internet security breaches, in the US, exceeded $141 million within the last year.
• The PricewaterhouseCoopers 2004 Survey indicates that security problems are on the rise in the United Kingdom and that malicious attacks are the primary culprits.
• The Department of Trade and Industry's (2004) survey estimates that "security breaches continue to cost" UK businesses "several billions of pounds."
• The Deloitte 2005 Global Survey estimates that identity theft cost the UK almost a billion dollars in 2003.
Application Security
"One dollar required to resolve an issue during the design phase grows into 60 to 100 dollars to resolve the same issue after the application has shipped." (Secure Business Quarterly 2001)
Gartner estimates the cost to fix a "security vulnerability during testing to be less than 2 percent of the cost of removing it from a production system."
Truth
• Companies do not want to admit that their systems have been compromised.
• They do not want to incur the expense necessary to rectify the problem.
• They do not know how to fix the problem.
• They are not even aware that their systems have been compromised.
Soft and Hard Cost
• Telang and Wattal's research indicates that a software vendor loses, on average, approximately 0.6% of its stock price per vulnerability announcement.
• Vendors also want to minimize the chance of copycat attacks on their systems until the issue has been resolved and patched.
Legislative Pressure
• Economic Espionage Act of 1996 (EEA)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Gramm-Leach-Bliley Act of 1999
• Sarbanes-Oxley Act of 2002 (SOX)
• Recently a ninety-one page bill was introduced in the Senate by Senator Patrick Leahy and Senator Arlen Specter containing new rules for corporate data security and stiff penalties for information burglars.
What is Security?
• Encryption, Secure Socket Layer (SSL), firewalls, creating and maintaining secure networks, the use of digital certificates, the different technologies used for authentication and authorization, or intrusion detection systems
• A secure system to one organization may not meet another organization's definition of security
Security
• Confidentiality – Access is restricted to the appropriate individuals.
• Integrity – Assets are modified only by appropriate personnel and within guidelines.
• Availability – Access is available to the appropriate parties at designated times.
(Commonly known as the CIA Triad)
Security
How much risk is the organization willing to accept, and at what financial cost?
Policy, procedures, standards, and technical controls (developed and implemented) will define the systems in terms of the CIA.
A collaborative approach defines the overall security of the system within a business.
As Alan Zeichick, Conference Chairman of the Software Security Summit, phrased it, "Software is vulnerable! Enterprises have spent millions of dollars installing network firewalls and Virtual Private Networks, but the real danger is in poorly written applications."
Business Strategy
Encompasses all of the information about the overall business, ranging over:
– defining the scope of the business
– establishing the business models
– broad marketing strategies
– establishment of processes and policies
– acquisition and distribution of information
– overall approach to technology within the organization.
Business Strategy Perspectives
• Corporate – high level strategy that details the organization's purpose and scope
• Business – deals with the competition in individual markets, including market segmentation, market positioning, industry analysis, and brand value
• Operational – concerns the implementation aspect of the business, which would include optimising web site design, hardware requirements and utilization, and software requirements
Corporate Level
• Chief Executive Officers and Chief Financial Officers are potentially being held accountable for the security of their applications (SOX)
• Champions – high level champions within the organization are more likely to succeed in changing and sustaining changes to corporate cultures
• Security needs to be viewed as a collective organizational problem
Business Level
• Businesses need to understand that their web site is their front door to the world.
• Businesses need to outline the performance standards that they are going to provide and follow through with an effective, efficient and secure value chain while providing appropriate customer service capabilities.
• If customers perceive that their data is not safe and secure, this can result in lost customers, lost future revenue, lost market advantage and possibly monetary compensation.
Operational Level
• There appears to be a lack of understanding of how to protect application code as it is developed.
• BZ Survey: "55.9 percent blamed poor programming practices" for the number of vulnerabilities in software applications.
• How does a business protect itself and capitalize on software application development in order to gain a competitive advantage?
WES Solution
My Ph.D. research has produced a possible solution, a Web Engineering Security (WES) Methodology: an independent, flexible Web Engineering development methodology that is specific to security.
• The process needs to be compatible with existing application development processes so that they are complementary, hence
• Deliverables between phases will vary with the size of the organization and the methodology they are implementing, and
• Flexible enough to be tailored to individual companies of varying size.
Web Engineering Security (WES) Methodology Principles
• Good Communication
  – Within the development team
  – With the end user (Requirements / Feedback perspective)
• Employee Education
  – Importance of security and potential organizational impact
  – Technical attacks and social engineering attacks
• Cultural Support
  – Needs to originate from upper management
  – Needs to be continually fostered by upper management
Web Engineering Security (WES) Process [process diagram]
Project Development Risk Assessment
• This step provides an opportunity for the organization's development team to understand the application from a risk point of view and helps to generate applicable questions to address in the application security requirements phase
  – Formal (Document / Board Approval)
    • Advantage for management: it presents a clear understanding of the risks before a substantial investment is made in the development of the web application
    • Disadvantage of a highly formalized process: it can slow down the development process
  – Informal (Expert Opinion)
    • Advantage: faster in nature
    • Disadvantage: introduces more risk
Web Engineering Security (WES) Process [process diagram]
Organizational Compatibility
• Security Policy Compatibility
  – Policies, standards, baselines, procedures, and guidelines can assist large organizations in providing cohesiveness within the organization.
  – "The goal of an information security policy is to maintain the integrity, confidentiality and availability of information resources." (Hare, C., Policy Development)
  – In smaller organizations, policies can be implicit to the organization.
Organizational Compatibility
• Corporate Culture Compatibility
  – Employee security awareness programs, employee education on social engineering attacks, recognition of organizational norms.
  – Remind employees periodically about security policies, standards, baselines, procedures, and guidelines (integrating security into their annual evaluation).
  – Technological acceptance of corporate norms is when a solution has been implemented in the environment, becomes accepted and then becomes expected.
Organizational Compatibility
• Technological Compatibility
  – Infrastructure compatibility
    • Does the technical expertise to create new applications exist in the company?
    • Is the current code repository compatible with the proposed development?
    • Does the hardware infrastructure support the new applications?
  – Value Added
    • "Value configuration(s)": one of the goals of the organization should be to provide added value regardless of the product or service that is being offered. Technology is a major contributor to this goal in today's market place.
    • How will this help add value to their organization?
Web Engineering Security (WES) Process [process diagram]
Security Design / Coding
• Previously generated information allows the technical architect to pick the most appropriate technical controls from a design, risk and cost perspective.
• Encouraging programmers to adhere to coding standards, to pursue good coding practices, and to participate in code reviews will increase code readability, which inherently improves both enhancement maintenance and patch maintenance.
• "Better software engineering development leads to more maintenance, not less" (Glass, R. L., Facts and Fallacies of Software Engineering)
Web Engineering Security (WES) Process [process diagram]
Controlled Environment Implementation
• Implement in an environment that mirrors production, to test compatibility of:
  – Operating System
  – Software Configurations
  – Interfacing Programs
• Goal – Minimise Surprises!
Web Engineering Security (WES) Process [process diagram]
Testing
• Programmers should be running their own battery of tests when the code is conceived
• Allotment of appropriate time
• Augment the testing process
  – Automated Tools
  – Test Scripts (Developers, Testers, End-users)
  – Outside Auditors Conducting Penetration Tests
  – White Box / Black Box
Evidence
• The National Institute of Standards and Technology (NIST) estimates that "93% of reported vulnerabilities are software vulnerabilities."
• The Organization for Internet Safety (OIS) publishes Guidelines for Security Vulnerabilities Reporting and Response, which defines a vulnerability as:
  – "A flaw within a software system that can cause it to work contrary to its documented design and could be exploited to cause the system to violate its documented security policy."
Web Engineering Security (WES) Process [process diagram]
Web Engineering Security (WES) Process [process diagram]
End User Evaluation
• All systems must be evaluated with a sample of end-users, not surrogates!
• Critical to the success of the solution
  – End user avoidance by working around security
  – Compromise due to a flaw in the design / code
• Possibility that the application will be abused, corporate credibility lost, and financial consequences incurred.
Conclusions
• Technical solutions alone will not solve current security issues in the global web environment.
• Increasing business, legislative and societal pressures will force organizations to strategically address application security from a development perspective.
• The most effective way to handle security in the application design is to incorporate security upfront into the development methodology.
• Not following a web application development methodology that specifically addresses security is an expensive and dangerous strategy for any business.
Further Work
• Fortune 500 Financial Organization Case Study
  – Industry Survey (ICWE)
  – Process Observation
  – Recommendations
  – Recommendation Implementation
  – Data Gathering
Contact Details
Brad Glisson, Department of Computing Science, University of Glasgow. E-mail: glisson@dcs.gla.ac.uk. Web: www.dcs.gla.ac.uk/~glisson/
Prof. Milton Glisson. E-mail: glissonm@ncat.edu
Prof. Ray Welland. E-mail: ray@dcs.gla.ac.uk. Web: www.dcs.gla.ac.uk/~ray/
Extra Slides
Common Application Security Problems
• Un-validated parameters
• Cross-site scripting
• Buffer overflows
• Command injection flaws
• Error-handling problems
• Insecure use of cryptography
• Broken access controls
Project Development Risk Assessment
• NIST – National Institute of Standards and Technology – agency of the U.S. Commerce Department's Technology Administration.
• COBRA – Security risk analysis application
• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation – Focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology.
• FRAP – Facilitated Risk Analysis Process
Agile Web Engineering (AWE) [process diagram]
AWE & WES Comparison

Agile Web Engineering (AWE)          Web Engineering Security (WES)
Business Analysis                    Project Development Risk Assessment
Requirements                         Application Security Requirements
                                       o Security Policy Compatibility
                                       o Corporate Culture Compatibility
                                       o Technological Compatibility
Design                               Security Design / Coding
Implementation                       Controlled Environment Implementation
Testing                              Testing
                                       o Application Testing
                                       o Incident Management
                                       o Disaster Recovery Management
Evaluation (End User Evaluation)     End User Evaluation
Deploy in Production
Secure Value Chain
• Overall, the business environment continues to become more interconnected; hence, traditional boundaries between organizations are eroding.
• From a security view point, this tight integration opens the door to a multitude of problems if an attack succeeds in compromising one of the linked systems.
Definitions
• Unvalidated Input – Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
• Broken Access Control – Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
• Broken Authentication and Session Management – Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
• Cross Site Scripting (XSS) Flaws – The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
• Buffer Overflows – Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
• Injection Flaws – Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
• Improper Error Handling – Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
• Insecure Storage – Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
• Denial of Service – Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
• Insecure Configuration Management – Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.
Source: The Open Web Application Security Project (OWASP). The Ten Most Critical Web Application Security Vulnerabilities. © 2004, http://www.owasp.org/index.jsp
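As an added example (not from the slides or the OWASP document), the Unvalidated Input, Injection Flaws and Improper Error Handling entries above shown in code: a lookup that pastes a request parameter straight into SQL, beside a hardened version that allowlists the parameter, binds it as a query parameter and returns only a generic error body to the client. The account table, usernames, log list and handler names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data for the example: two accounts in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn

def lookup_unsafe(conn, username):
    """Unvalidated Input + Injection Flaw: the request parameter is pasted
    into the SQL text, so a quote character in it changes the query itself."""
    sql = "SELECT balance FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]

# Hardened version: allowlist the parameter, bind it, and hide internals on failure.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")
SERVER_LOG = []  # stands in for the server-side log (constructed for the example)

def lookup_safe(conn, username):
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails allowlist")
    rows = conn.execute("SELECT balance FROM accounts WHERE username = ?",
                        (username,)).fetchall()
    return [row[0] for row in rows]

def handle_balance_request(conn, params):
    """Returns (status, body) for a dict of request parameters. Detail goes to
    the server log; the client only ever sees a generic message."""
    username = params.get("username", "")
    try:
        balances = lookup_safe(conn, username)
    except ValueError as exc:
        SERVER_LOG.append("rejected input %r: %s" % (username, exc))
        return 400, "invalid request"
    except sqlite3.Error as exc:
        SERVER_LOG.append("database error: %r" % exc)
        return 500, "internal error"
    if not balances:
        return 404, "not found"
    return 200, str(balances[0])

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "alice"))              # [100]
    print(lookup_unsafe(db, "x' OR '1'='1"))        # every balance: [100, 250]
    print(handle_balance_request(db, {"username": "x' OR '1'='1"}))  # (400, 'invalid request')
```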