IBM Technical Summit 2013

Erik Oliveira
Senior Security Consultant, IBM Security System
erikso@br.ibm.com

© 2013 IBM Corporation
Please note the following
IBM’s statements regarding its plans, directions, and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product
direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment,
promise, or legal obligation to deliver any material, code or functionality. Information
about potential future products may not be incorporated into any contract. The
development, release, and timing of any future features or functionality described for our
products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM
benchmarks in a controlled environment. The actual throughput or performance that any
user will experience will vary depending upon many factors, including considerations
such as the amount of multiprogramming in the user’s job stream, the I/O configuration,
the storage configuration, and the workload processed. Therefore, no assurance can be
given that an individual user will achieve results similar to those stated here.

An interconnected world

DATA EXPLOSION
The era of "Big Data", the explosion of digital information, has arrived, enabled by the spread of applications that are accessed from everywhere.

CONSUMERIZATION OF IT
With the advent of Enterprise 2.0 and social business, the line between personal and professional time, devices and data has disappeared.

EVERYTHING IS EVERYWHERE
Organizations keep moving to new platforms, including cloud computing, virtualization, mobile devices, social business and more.

SOPHISTICATION OF ATTACKS
The speed and skill of attacks have increased, together with new actors with new motivations, from cybercrime and terrorism to state-sponsored intrusions.

Your device is
Mobile Malware 2013

Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013

Vulnerability distribution by language

Global context
A sampling of security incidents plotted by month (bubble chart; the size of each circle estimates the relative impact of the breach).

Attack type (legend): SQL injection, URL tampering, spear phishing, third-party software, DDoS, Secure ID, unknown

Organizations shown: Bethesda Software, Northrop Grumman, Fox News, X-Factor, Citigroup, Spanish National Police, Sony, Lockheed Martin, L3 Communications, Sony BMG Greece, Booz Allen Hamilton, PBS (two incidents), RSA, HBGary, Sega, Gmail accounts, Epsilon, website of the Italian prime minister, IMF, Vanguard Defense, SOCA, Malaysian government website, Peruvian police, Nintendo, Brazilian government, Turkish government, Monsanto, SK Communications (Korea), Arizona police, NATO, US Senate

Timeline: Feb, Mar, Apr, May, Jun, Jul, Aug
Cost of a breach

Chart: cost of fixing a defect by phase, with one curve for security defects and one for functional defects.
Phases: Development, Test, Production
Cost marks: 1x, 10x, 1,000,000x

Damage to the company:
- Customer notification
- Fines
- Litigation
- Reputation exposure
- Brand exposure
- Cost of repair
Detecting SQL injection

Source: a method that returns an untrusted string

    // ...
    String username = request.getParameter("username");   // source: untrusted input
    String password = request.getParameter("password");
    // ...
    String query = "SELECT * from tUsers where " +
        "userid='" + username + "' " +
        "AND password='" + password + "'";   // the user can change the SQL commands that get executed
    // ...
    ResultSet rs = stmt.executeQuery(query);               // sink: executes whatever the string contains

Sink: a potentially dangerous method
Detecting SQL injection

The data-flow trace the analysis reports for the snippet above, from source to sink:

    1. String username = request.getParameter("username");
    2. String query = "SELECT …" + username
    3. ResultSet rs = stmt.executeQuery(query);
Detecting SQL injection

    String username = request.getParameter("username");

Values an attacker can submit as "username":

    anything' OR 'x'='x
    x' AND 1=(SELECT COUNT(*) FROM tabname); --
    x' AND userid IS NULL; --

    String query = "SELECT …" + username
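The following is an added, runnable illustration of the payloads above and of the fix; it is not code from the slides. Python's sqlite3 module stands in for the Java/JDBC code, and the tUsers table, its two rows and the password values are constructed for the example. Two details worth seeing in practice: with the query shape from slide 9, a tautology placed in the username field alone does not bypass the login, because AND binds tighter than OR and the password comparison still has to hold, whereas the same ' OR 'x'='x payload in the password field turns the whole WHERE clause true; and the second payload works as a blind probe, because the database raises an error for a table that does not exist and stays silent for one that does, which lets an attacker enumerate table names one guess at a time.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the slides): an in-memory copy of
    the tUsers table the slide's Java snippet queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO tUsers VALUES (?, ?)",
                     [("admin", "S3cret!"), ("erik", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Same string concatenation as the slide's Java: the request parameters
    (source) flow unchanged into the query execution (sink)."""
    query = ("SELECT * from tUsers where "
             "userid='" + username + "' "
             "AND password='" + password + "'")
    return conn.execute(query).fetchall()


def login_fixed(conn, username, password):
    """Parameterized query: the driver binds the values, so they are data,
    never SQL, whatever characters they contain."""
    query = "SELECT * FROM tUsers WHERE userid=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def table_exists_probe(conn, table):
    """Slide 11's second payload used as a blind probe against the vulnerable
    login: a nonexistent table makes the database raise an error, an existing
    one just returns no rows, so the attacker learns which table names exist."""
    payload = "x' AND 1=(SELECT COUNT(*) FROM " + table + "); --"
    try:
        login_vulnerable(conn, payload, "irrelevant")
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    conn = make_db()
    results = {}
    # Legitimate use: the concatenated query does what the developer meant.
    results["legit"] = login_vulnerable(conn, "erik", "hunter2")
    # Tautology from slide 11 placed in the password field. The WHERE clause
    # becomes (userid='nobody' AND password='x') OR 'x'='x', i.e. always true,
    # so every row comes back and the caller "authenticates" as the first one.
    results["bypass"] = login_vulnerable(conn, "nobody", "x' OR 'x'='x")
    # Blind table enumeration: tUsers exists, tabname (from the slide) does not.
    results["probe_real"] = table_exists_probe(conn, "tUsers")
    results["probe_fake"] = table_exists_probe(conn, "tabname")
    # Same inputs against the parameterized query: no bypass, no error, no leak.
    results["fixed_bypass"] = login_fixed(conn, "nobody", "x' OR 'x'='x")
    results["fixed_probe"] = login_fixed(
        conn, "x' AND 1=(SELECT COUNT(*) FROM tabname); --", "irrelevant")
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the six results; login_fixed returns no rows for both payloads and raises no error, because bound parameters are never parsed as SQL. The plaintext password column is kept only to mirror the slide's snippet; a real system compares against a salted hash, which the parameterized query does not change.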
Data flow
(Diagram with four numbered steps, 1 to 4.)
How AppScan works
Automated application security testing

- Scan the applications
- Analyze (identify risks)
- Report (detailed and accurate)
- Fix
Lifecycle

CODING: AppScan Source users in the IDE (Eclipse, Visual Studio, RAD)
BUILD: AppScan Source for Automation, integrated with build management
QA: AppScan Standard (via CLI) as the scanning agent
SECURITY AND PRODUCTION: AppScan Enterprise user (web client), AppScan Standard (desktop), threat management

IBM AppScan Enterprise Server: central server used by AppScan Source users and AppScan Enterprise users across all phases.
AppScan

Security: Scan; Triage results; Custom rules; Investigation flow; Remediation guidance
Corporate reporting: Software configuration; Progress tracking; Compare applications; Manage security policies; Custom dashboards; Risk management
AppScan Enterprise Server: Knowledge base; Assessment database; Data access APIs
IDE plug-ins: Scan; Fix confirmation
Automation: Automated scans; ANT, Make, Maven; Build integration
AppScan

• Templates and wizards
  – Import Eclipse workspaces and .NET solutions
• Vulnerability matrix
  – Isolates confirmed vulnerabilities
  – Streamlines issue triage
  – Compensates for a lack of security expertise
• Powerful filters
  – Ease of use
  – Focus on a small number of priority risks
  – Predefined filters

(Screenshot: confirmed vulnerabilities)
AppScan

• Fast analysis
  – Memory and cache management
  – Re-scan optimization
  – 100+ patents
• Data flow / call flow
  – Support for long traces
  – Makes it easy to tell whether code is malicious or not
• What the analysis cannot resolve is not dropped: nothing is ignored
  – "Lost Sinks" report
• String Analysis
  – Automatically identifies validation routines
  – IBM Research technology
  – Checks the effectiveness of the validation logic
AppScan
Languages supported out of the box

• Java
• JSP
• C
• C++
• .NET
  – C#
  – VB.NET
  – ASP.NET
• Classic ASP (VB6)
• VBScript
• Perl
• ColdFusion
• Client-side JavaScript
• Server-side JavaScript
• COBOL
• PL/SQL
• T-SQL
• PHP
• Android and iOS
• HTML
• SAP ABAP
Extensible
Regular-expression analysis
• Define custom rules
• Use the power of regular expressions
• Associate rules with most of the languages
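To make concrete what a regular-expression rule for a source and a sink can and cannot do, here is an added example in Python. It is not AppScan code: the rule syntax, the rule names, the taint-propagation logic and the Java input are assumptions of this example, not AppScan's rule format. The input reuses the login snippet from the "Detecting SQL injection" slides and adds a PreparedStatement that handles the same kind of input safely, so the scanner has one true flow to find and one safe path to leave alone.

```python
import re

# Constructed sample input (only the login lines follow the slides): Java that
# reads request parameters, one flowing into a concatenated query, one into a
# PreparedStatement parameter.
JAVA_SNIPPET = """\
String username = request.getParameter("username");
String password = request.getParameter("password");
String query = "SELECT * from tUsers where " +
    "userid='" + username + "' " +
    "AND password='" + password + "'";
ResultSet rs = stmt.executeQuery(query);
String page = request.getParameter("page");
PreparedStatement ps = conn.prepareStatement("SELECT * FROM tPages WHERE name=?");
ps.setString(1, page);
ResultSet rs2 = ps.executeQuery();
"""

# Hypothetical rule format (an assumption for this example, not AppScan's own
# syntax): a regex whose named group "var" is the variable that becomes tainted
# (source rule) or that must not be tainted (sink rule).
SOURCE_RULES = {
    "servlet_parameter": re.compile(
        r"\b\w+\s+(?P<var>\w+)\s*=\s*request\.getParameter\("),
}
SINK_RULES = {
    "jdbc_execute": re.compile(
        r"\.execute(?:Query|Update)?\(\s*(?P<var>\w+)\s*\)"),
}
# A declaration with initializer, "Type lhs = rhs": taint on any identifier in
# rhs propagates to lhs. String literals are blanked first so that a word inside
# quotes (such as "username") is not mistaken for a variable.
ASSIGNMENT = re.compile(r"\b\w+\s+(?P<lhs>\w+)\s*=\s*(?P<rhs>.+)", re.S)
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
IDENTIFIER = re.compile(r"\b[A-Za-z_]\w*\b")


def statements(code):
    """Yield (line_number, statement_text), splitting on ';'. Simplification:
    a ';' inside a string literal would break this; a real analyzer parses the
    language instead of splitting text."""
    pos = 0
    for chunk in code.split(";"):
        start = pos + (len(chunk) - len(chunk.lstrip()))
        pos += len(chunk) + 1
        if chunk.strip():
            yield code.count("\n", 0, start) + 1, chunk.strip()


def find_flows(code):
    """Single-pass, single-method taint tracking driven only by the regex rules:
    returns one finding per sink call whose argument carries source taint."""
    tainted = {}    # variable name -> list of "rule@line" origins
    findings = []
    for lineno, stmt in statements(code):
        for rule_name, rule in SOURCE_RULES.items():
            m = rule.search(stmt)
            if m:
                tainted[m.group("var")] = [f"{rule_name}@{lineno}"]
        for rule_name, rule in SINK_RULES.items():
            m = rule.search(stmt)
            if m and m.group("var") in tainted:
                findings.append({
                    "sink": rule_name,
                    "line": lineno,
                    "variable": m.group("var"),
                    "origins": tainted[m.group("var")],
                })
        m = ASSIGNMENT.match(stmt)
        if m and m.group("lhs") not in tainted:
            rhs = STRING_LITERAL.sub('""', m.group("rhs"))
            origins = [origin for ident in IDENTIFIER.findall(rhs)
                       for origin in tainted.get(ident, [])]
            if origins:
                tainted[m.group("lhs")] = origins
    return findings


if __name__ == "__main__":
    for flow in find_flows(JAVA_SNIPPET):
        print(f"line {flow['line']}: {flow['variable']} reaches {flow['sink']}"
              f" (tainted by {', '.join(flow['origins'])})")
```

The scanner reports one flow: query reaches stmt.executeQuery on line 6 with taint from the two request.getParameter calls on lines 1 and 2, and nothing for the PreparedStatement path, whose user input is bound rather than concatenated. The limits are just as visible: statements are split on semicolons, taint moves only through plain assignments inside one method, and a call the rules do not describe silently drops the flow, which is the case a "Lost Sinks" report exists to surface and the reason regex rules complement, rather than replace, real data-flow analysis.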
Acknowledgements and disclaimers
Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries
in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided
for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any
participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided
AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise
related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating
any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license
agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may
have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is
intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue
growth or other results.
© Copyright IBM Corporation 2013. All rights reserved.
– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products
and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or
both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these
symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may
also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and
trademark information” at www.ibm.com/legal/copytrade.shtml
Other company, product, or service names may be trademarks or service marks of others.

© Copyright IBM Corporation 2013. All rights reserved. The information
contained in these materials is provided for informational purposes only, and is
provided AS IS without warranty of any kind, express or implied. IBM shall not be
responsible for any damages arising out of the use of, or otherwise related to,
these materials. Nothing contained in these materials is intended to, nor shall
have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license
agreement governing the use of IBM software. References in these materials to
IBM products, programs, or services do not imply that they will be available in all
countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion
based on market opportunities or other factors, and are not intended to be a
commitment to future product or feature availability in any way. IBM, the IBM logo,
Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products
and services are trademarks of the International Business Machines Corporation,
in the United States, other countries or both. Other company, product, or service
names may be trademarks or service marks of others.


Desvendando o desenvolvimento seguro de software (Demystifying secure software development)

