Chris Bailey, profile picture
Uploaded byChris Bailey
2,001 views

JavaOne2013: Secure Engineering Practices for Java

This document summarizes a presentation on secure engineering practices for Java given at JavaOne 2013. It discusses the importance of software assurance over just security controls. It emphasizes that achieving a high level of software assurance requires attention to security throughout the development lifecycle, including risk assessment, secure coding practices, security testing, documentation, and incident response. The presentation recommends that development teams understand security risks and threats in order to build secure software.

Embed presentation

Downloaded 53 times
JavaOne 2013 Secure Engineering Practices for Java Tim Ellison, IBM United Kingdom Ltd. CON 3615 © 2013 IBM Corporation
Important Disclaimers THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES. ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE. IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE. IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2 © 2013 IBM Corporation
About me  Based in the Java Technology Centre, Hursley UK  Working on various runtime technologies for >20 years  Experience of open source communities  Currently focused on class library design and delivery  Overall technical lead for IBM Java 8 SE tim_ellison@uk.ibm.com 3 © 2013 IBM Corporation
The goal of Secure Engineering Practices is to achieve a high level of Software Assurance Software Assurance is not the same as Security Controls © 2013 IBM Corporation
Security Controls The mechanisms by which security is established and maintained across the people, data, applications, infrastructure of the system. Security controls, the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. National Information Assurance (IA) Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf © 2013 IBM Corporation
Software Assurance How confident are we that the entire system comprising people, data, applications, and infrastructure is secure? Software Assurance, a statement of the “level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended manner.” National Information Assurance (IA) Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf © 2013 IBM Corporation
The market for software and computing services is evolving Governments and Enterprise customers are adopting procurement requirements that give preference to software and computing services having “high assurance characteristics” over other commercial, off-the-shelf products and services. Many critical business and control systems require a high level of software assurance. © 2013 IBM Corporation
IBM X-Force View of Enterprise Security Incidents in 2012 http://www.ibm.com/services/us/iss/xforce/trendreports/ © 2013 IBM Corporation
Measuring the assurance of software and computing services  The requirements are evolving… – Meets recognized security standards – Public history of security bulletins & press reports – Passes security tests, including scanning source, automated security testing and penetration testing – Provides evidence that good software engineering practices were applied throughout the development lifecycle Unfortunately, there are no over-arching standards. © 2013 IBM Corporation
Secure Engineering Goals 1.ofProvide security out the box 2. Proactively respond to new threats and risks Ensure products and solutions provide a reasonable and adequate level of security at time of release, and they maintain and improve security from release to release. Act in a timely fashion for any report of vulnerability in an existing release, and proactively address any new threat that may apply. Achieving a high confidence in software security assurance requires attention throughout the full software lifecycle Development Supply Chain Development Process and Lifecycle Deployment Lifecycle © 2013 IBM Corporation
Software Assurance Activities The tools and practices needed within a given project depend upon  What is being built (component, product, solution, service or enterprise workload)  Where it is expected to be used (closed workgroup, intranet, internet, cloud or critical infrastructure) Operational  The relevant risks and threats Code integrity Manual Code Review Security Review of Open Source Architecture Review & Security Requirements Threat Analysis & Mitigation Planning Development Supply Chain Third Party SW Contract Terms Secure Coding Security Source Code Scan Secure Build Security Security Evaluation Evaluation Security System Test Binary Analysis Development Process and Lifecycle Use Case, Abuse Case and Fault Analysis Security Controls mechanisms Source and Object Code Control Pre-Production Assurance (Pen Testing) Monitoring & Analytics Change Mgmt Scanning Deployment Lifecycle Incident Handling © 2013 IBM Corporation
Adopting Secure Development Practices  Group specific activities that support secure engineering into a set of practices  Focusing on development process – Similar can be done for supply chain, deployment, etc Development Supply Chain Tools Practices Risk Assess & Threat Model Development Process and Lifecycle Security Reqmts Secure Coding Security Testing Project Planning Security Document Deployment Lifecycle Incident response Skills Knowledge Education & Awareness © 2013 IBM Corporation
Risk Assessment and Threat Modeling Essential Practice The goal of this practice is to identify potential risks or attacks against software product or solutions as it will be deployed and to make decisions about how to address these risks during development. 1.Decide what risks are important to the Identify Risks 1.Investigate threats related Analyze Threats software being built those risks 1.Create and adopt a mitigation plan to Plan Mitigations avoid / correct the issues © 2013 IBM Corporation
The Stride Threat Model – as an example Spoofing identity Tampering with data An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password. Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Repudiation and Nonrepudiation Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise—e.g., a user performs an illegal operation in a system that lacks the ability to trace operations. Non-repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the receipt as evidence that the user received the package. Information disclosure Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers. Denial of service Elevation of privilege 14 Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed. http://msdn.microsoft.com/en-us/library/ee823878%28v=cs.20%29.aspx © 2013 IBM Corporation
Anti-patterns: Addressing security exclusively through tests Reqmts Without overt actions the code will contain vulnerabilities Code Design Testing tools find ~50% of the known types of vulnerabilities Prod Mgmt team Design team Reqmts Design Remediation “loops” may add two to four months to a project depending on the complexity of the issues discovered 15 Programming team Code / Build Code Scan Test team Test Package / Deploy Maintain Security System Test © 2013 IBM Corporation
Secure Design Practices  Understand the security requirements for the system early  Identify risks during design and prototyping and address them  Adopt established best practices for recognized risks (patterns), Attack surface reduction, principle of least privilege, defense in depth, security by default, ...  Document and describe the assurances you have about the system  Developers iterate towards a functional system based on a secure architecture 16 © 2013 IBM Corporation
Shared Goals Promote Secure Coding Consistent guidance on Security Risks, Threats & Vulnerabilities Security Advice Reqmts Code may contain vulnerabilities Code Design Testing tools find ~50% of the known types of vulnerabilities Prod Mgmt team Design team Reqmts Design Programming team Code / Build Code Scan 17 Test team Test Package / Deploy Maintain Security System Test © 2013 IBM Corporation
Secure Coding  A significant proportion of escaped vulnerabilities are traced to coding errors  Developers need to be familiar with the secure coding guidelines, MITRE top 25, etc.  Understand the concepts of trusted and untrusted code, tainted data, sensitive data, etc – The team and the application must handle them explicitly – Java 8 annotations can help with classifying constraints and metadata about variables  Prioritize departures from the coding standard by failure mode, effects, and criticality – Severity: How serious are the consequences of the error? – Likelihood: How likely is it that a flaw introduced by violating the rule could 18 lead to an exploitable vulnerability? – Remediation cost: How expensive is it to remediate existing code to comply with the standard? © 2013 IBM Corporation
Security Testing  Use threat modelling to target security testing based on risk – Prioritize testing with manual and tools based scenarios • Breach of access rules • Bad actor • Effect of malformed data • Out of process operations 100x  Static analysis – Does the code adhere to the coding guidelines? – Tools and formal code inspections  Dynamic testing – SQL injection – Fuzzing – Penetration testing 19 15x 1x design 6x coding verification release © 2013 IBM Corporation cost  Numerous studies show the cost of finding and fixing vulnerabilities rises exponentially through the development lifecycle
Security Documentation  All releases should be secure by design in their default configuration  High quality documentation about how to use a system securely is equally important  Users need clear guidelines about the security impact to modifying configurations – Inform users about secure deployment, and balancing usability with security – Security should be addressed as a specific topic, not spread throughout the documentation  Explain the impact of configurations that increase the attack surface of the system, e.g. – Backwards compatibility – Choice of communications protocols – Guest and demo accounts  Provide examples and templates for hardening the system in specific scenarios  Use threat modeling conclusions to inform users about best practices 20 © 2013 IBM Corporation
Security Incident Response  Expect security incidents even after following careful secure engineering practices  Incident response policy and plan – Establishing communications internally and externally – Be prepared for any eventuality, but focus on expected attacks attrition web-based hardware level e-mail improper usage loss / theft  Establish robust means of detecting and verifying incidents – logging, audits, external reports, validation checks, ...  Create guidelines for prioritizing incidents – Functional impact to the business – Information impact to confidentiality, integrity and availability of business data – Recoverability from incident occurrence  Learn lessons from incidents – Ensure the organization improves based on the history of security incidents © 2013 IBM Corporation
Education and Environment  Software assurance requires positive action maintained throughout the full system lifecycle Development Supply Chain Tools Practices Risk Assess & Threat Modeling Development Process and Lifecycle Security Reqmts Secure Coding Security Testing Project Planning Security Document Deployment Lifecycle Incident response Skills Knowledge Education & Awareness  Ensure development team has the same knowledge and perspective that adversaries might use. © 2013 IBM Corporation
Security Advice Expert Knowledge Actors Risks Assets Design team Programming team Threats Permissions Exploits Platforms Attacks Tools User Stories Common Weaknesses Defense in Depth Test team Users Roles Support team D e fe n s e s Vulnerability History Security Perimeter White hat Languages Security Controls Malware Black hat © 2013 IBM Corporation
Secure Engineering is the responsibility of the entire development All job roles need an understanding of the concepts Awareness and organization Education Project Planning Architects and Designers need to ensure that best practices for session handling, information protection, etc. are included in Design Specifications, Use Cases and Security Test Plans Secure Coding Test team Architects and Designers need to review the security characteristics of existing software and document a Threat Model for new software Security Requirements Design team Project/Release Managers need to include Secure Engineering in Project Planning activities Risk Assessment and Threat Modeling Management team and the implications of Security in Development Developers need to ensure that coding and configuration techniques are appropriate Security Testing Test Teams need to learn about security testing and perform Security Testing using AppScan, with appropriate test plan and policy Security Documentation Information Developers need to ensure that all offerings include appropriate Security Documentation Security Incident Response Support Teams must participate in Security Incident Response Process Programming team Support team © 2013 IBM Corporation
Summary  Security Controls and Software Assurance are both critical to enterprise users  Continued evidence of vulnerabilities in software has changed the focus from security controls and defenses to controlling the risk of security incidents.  To build secure software, development teams need to understand risks throughout the development lifecycle.  There are risks related to weaknesses in design, coding and integration, as well as, in use cases and abuse cases related to deployment models for critical business processes and workloads.  Development Teams need to grow skills in analyzing risks and threats and use the available tools. © 2013 IBM Corporation
© 2013 IBM Corporation
Photo attributions  Chart 7 – MRI = Jan Ainali – ATM = DaviSements – Car = Kevin Rodriguez Ortiz  Chart 16 – Coder = Matthew (WMF)  Chart 20 – Writer = greg.turner © 2013 IBM Corporation

More Related Content

ODP
Windows Debugging Tools - JavaOne 2013
byMattKilner
 
PDF
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
by0xdaryl
 
ODP
Security in the Real World - JavaOne 2013
byMattKilner
 
PDF
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
byChris Bailey
 
PDF
Impact2014: Introduction to the IBM Java Tools
byChris Bailey
 
PDF
JavaOne BOF 5957 Lightning Fast Access to Big Data
byBrian Martin
 
ODP
Debugging Native heap OOM - JavaOne 2013
byMattKilner
 
PPT
Ten things you should know when writing good unit test cases
byPaulThwaite
 
Windows Debugging Tools - JavaOne 2013
byMattKilner
 
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
by0xdaryl
 
Security in the Real World - JavaOne 2013
byMattKilner
 
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
byChris Bailey
 
Impact2014: Introduction to the IBM Java Tools
byChris Bailey
 
JavaOne BOF 5957 Lightning Fast Access to Big Data
byBrian Martin
 
Debugging Native heap OOM - JavaOne 2013
byMattKilner
 
Ten things you should know when writing good unit test cases
byPaulThwaite
 

What's hot

PDF
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
byWASdev Community
 
PPTX
Ibm PureApplication system
bykhawkwf
 
PPTX
Windows 7 client performance talk - Jeff Stokes
byJeff Stokes
 
PDF
Load Test Methodology: Server Load Testing
byIxia
 
PDF
Overcoming Scaling Challenges in MongoDB Deployments with SSD
byMongoDB
 
PPTX
Cloud Performance Testing with LoadRunner
byRichard Bishop
 
PDF
IBM Health Center Details
byRohit Kelapure
 
PDF
Effective admin and development in iib
bym16k
 
PDF
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
bySymantec
 
PDF
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
byRob Convery
 
ODP
Building highly available architectures with WAS and MQ
byMatthew White
 
PDF
Three key concepts for java batch
bytimfanelli
 
PDF
Performance comparison on java technologies a practical approach
bycsandit
 
DOCX
Profile narendraredy
byNARENDRA REDDY S
 
ODT
Healthcheck 07 application
byNakedi Kobo
 
PDF
Ebs performance tuning session feb 13 2013---Presented by Oracle
byAkash Pramanik
 
PPTX
DB2 for z/OS Solutions
bysoftbasemarketing
 
PPT
Windows 7 For Geeks
byAdil Mughal
 
PPT
scale_perf_best_practices
bywebuploader
 
PPT
WCE031_WH06
bywebuploader
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
byWASdev Community
 
Ibm PureApplication system
bykhawkwf
 
Windows 7 client performance talk - Jeff Stokes
byJeff Stokes
 
Load Test Methodology: Server Load Testing
byIxia
 
Overcoming Scaling Challenges in MongoDB Deployments with SSD
byMongoDB
 
Cloud Performance Testing with LoadRunner
byRichard Bishop
 
IBM Health Center Details
byRohit Kelapure
 
Effective admin and development in iib
bym16k
 
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
bySymantec
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
byRob Convery
 
Building highly available architectures with WAS and MQ
byMatthew White
 
Three key concepts for java batch
bytimfanelli
 
Performance comparison on java technologies a practical approach
bycsandit
 
Profile narendraredy
byNARENDRA REDDY S
 
Healthcheck 07 application
byNakedi Kobo
 
Ebs performance tuning session feb 13 2013---Presented by Oracle
byAkash Pramanik
 
DB2 for z/OS Solutions
bysoftbasemarketing
 
Windows 7 For Geeks
byAdil Mughal
 
scale_perf_best_practices
bywebuploader
 
WCE031_WH06
bywebuploader
 

Viewers also liked

PDF
Introduction to the IBM Java Tools
byChris Bailey
 
PDF
Debugging Java from Dumps
byChris Bailey
 
PDF
JavaOne 2013: Memory Efficient Java
byChris Bailey
 
PDF
Tuning IBMs Generational GC
byChris Bailey
 
PDF
Java Code to Java Heap - En Français
byChris Bailey
 
PDF
JavaOne2013: Securing Java in the Server Room - Tim Ellison
byChris Bailey
 
PDF
Impact2014: Practical Performance Troubleshooting
byChris Bailey
 
PDF
QCon Shanghai: Trends in Application Development
byChris Bailey
 
PDF
JavaOne 2014: Java vs JavaScript
byChris Bailey
 
PPTX
Node Summit 2016: Web App Architectures
byChris Bailey
 
PDF
FrenchKit: End to End Application Development with Swift
byChris Bailey
 
PDF
JavaOne2013: Implement a High Level Parallel API - Richard Ning
byChris Bailey
 
PDF
Real World Java Compatibility (Tim Ellison)
byChris Bailey
 
PDF
Practical Performance: Understand and improve the performance of your applica...
byChris Bailey
 
PDF
JavaOne 2014: Java Debugging
byChris Bailey
 
PDF
Swift Summit: Pushing the boundaries of Swift to the Server
byChris Bailey
 
PDF
JavaOne 2015: From Java Code to Machine Code
byChris Bailey
 
PDF
High speed networks and Java (Ryan Sciampacone)
byChris Bailey
 
PDF
Java security in the real world (Ryan Sciampacone)
byChris Bailey
 
PDF
From Java code to Java heap: Understanding and optimizing your application's ...
byChris Bailey
 
Introduction to the IBM Java Tools
byChris Bailey
 
Debugging Java from Dumps
byChris Bailey
 
JavaOne 2013: Memory Efficient Java
byChris Bailey
 
Tuning IBMs Generational GC
byChris Bailey
 
Java Code to Java Heap - En Français
byChris Bailey
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
byChris Bailey
 
Impact2014: Practical Performance Troubleshooting
byChris Bailey
 
QCon Shanghai: Trends in Application Development
byChris Bailey
 
JavaOne 2014: Java vs JavaScript
byChris Bailey
 
Node Summit 2016: Web App Architectures
byChris Bailey
 
FrenchKit: End to End Application Development with Swift
byChris Bailey
 
JavaOne2013: Implement a High Level Parallel API - Richard Ning
byChris Bailey
 
Real World Java Compatibility (Tim Ellison)
byChris Bailey
 
Practical Performance: Understand and improve the performance of your applica...
byChris Bailey
 
JavaOne 2014: Java Debugging
byChris Bailey
 
Swift Summit: Pushing the boundaries of Swift to the Server
byChris Bailey
 
JavaOne 2015: From Java Code to Machine Code
byChris Bailey
 
High speed networks and Java (Ryan Sciampacone)
byChris Bailey
 
Java security in the real world (Ryan Sciampacone)
byChris Bailey
 
From Java code to Java heap: Understanding and optimizing your application's ...
byChris Bailey
 

Similar to JavaOne2013: Secure Engineering Practices for Java

PPT
Software Security Testing
byankitmehta21
 
PDF
The 5 Layers of Security Testing by Alan Koch
byQA or the Highway
 
PDF
The 5 Layers of Security Testing by Alan Koch
byQA or the Highway
 
PDF
OWASP Secure Coding Practices - Quick Reference Guide
byLudovic Petit
 
PDF
OWASP Secure Coding Quick Reference Guide
byAryan G
 
PPT
Software Security topic in Information security .ppt
byismaeelsahib032
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
PDF
Software Development Life Cycle – Managing Risk and Measuring Security
byThomas Malmberg
 
PDF
Secure Engineering Practices for Java
byTim Ellison
 
PPTX
IBM Relay 2015: Securing the Future
byIBM
 
DOCX
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
byChristopherAntonius
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
PPTX
information system security --internet cyber security
byVivekSinghShekhawat2
 
PPTX
Enhancing Cybersecurity: Mitigating Common Threats
byVivekSinghShekhawat2
 
PPTX
Unit-I PPT.pptx
byPRALHAD MAGADUM
 
PPTX
Reduce Third Party Developer Risks
byKevo Meehan
 
PPTX
Securing the Development Supply Chain
byAll Things Open
 
PPTX
"make secure" securing the development supply chain All Things Open 2019
byWes Widner
 
Software Security Testing
byankitmehta21
 
The 5 Layers of Security Testing by Alan Koch
byQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
byQA or the Highway
 
OWASP Secure Coding Practices - Quick Reference Guide
byLudovic Petit
 
OWASP Secure Coding Quick Reference Guide
byAryan G
 
Software Security topic in Information security .ppt
byismaeelsahib032
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
Software Development Life Cycle – Managing Risk and Measuring Security
byThomas Malmberg
 
Secure Engineering Practices for Java
byTim Ellison
 
IBM Relay 2015: Securing the Future
byIBM
 
WHAT IS SOFTWARE ENGINEERING (CYBERSECURITY)
byChristopherAntonius
 
Software Security in the Real World
byMark Curphey
 
What Every Developer And Tester Should Know About Software Security
byAnne Oikarinen
 
information system security --internet cyber security
byVivekSinghShekhawat2
 
Enhancing Cybersecurity: Mitigating Common Threats
byVivekSinghShekhawat2
 
Unit-I PPT.pptx
byPRALHAD MAGADUM
 
Reduce Third Party Developer Risks
byKevo Meehan
 
Securing the Development Supply Chain
byAll Things Open
 
"make secure" securing the development supply chain All Things Open 2019
byWes Widner
 

More from Chris Bailey

PDF
InterConnect: Java, Node.js and Swift - Which, Why and When
byChris Bailey
 
PDF
Swift Summit 2017: Server Swift State of the Union
byChris Bailey
 
PDF
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
byChris Bailey
 
PDF
FaaS Meets Java EE: Developing Cloud Native Applications at Speed
byChris Bailey
 
PDF
NodeJS Interactive 2019: FaaS meets Frameworks
byChris Bailey
 
PDF
Node Summit 2018: Cloud Native Node.js
byChris Bailey
 
PDF
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
byChris Bailey
 
PDF
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
byChris Bailey
 
PDF
Silicon Valley Code Camp 2019 - Reaching the Cloud Native World
byChris Bailey
 
PDF
Swift Cloud Workshop - Swift Microservices
byChris Bailey
 
PDF
AltConf 2017: Full Stack Swift in 30 Minutes
byChris Bailey
 
PDF
Server-side Swift with Swagger
byChris Bailey
 
PDF
Try!Swift India 2017: All you need is Swift
byChris Bailey
 
PDF
FrenchKit 2017: Server(less) Swift
byChris Bailey
 
PDF
Playgrounds: Mobile + Swift = BFF
byChris Bailey
 
PDF
IBM Cloud University: Java, Node.js and Swift
byChris Bailey
 
PDF
AltConf 2019: Server-Side Swift State of the Union
byChris Bailey
 
PDF
InterConnect: Server Side Swift for Java Developers
byChris Bailey
 
PDF
Swift Cloud Workshop - Codable, the key to Fullstack Swift
byChris Bailey
 
PDF
Index - BFFs vs GraphQL
byChris Bailey
 
InterConnect: Java, Node.js and Swift - Which, Why and When
byChris Bailey
 
Swift Summit 2017: Server Swift State of the Union
byChris Bailey
 
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
byChris Bailey
 
FaaS Meets Java EE: Developing Cloud Native Applications at Speed
byChris Bailey
 
NodeJS Interactive 2019: FaaS meets Frameworks
byChris Bailey
 
Node Summit 2018: Cloud Native Node.js
byChris Bailey
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
byChris Bailey
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
byChris Bailey
 
Silicon Valley Code Camp 2019 - Reaching the Cloud Native World
byChris Bailey
 
Swift Cloud Workshop - Swift Microservices
byChris Bailey
 
AltConf 2017: Full Stack Swift in 30 Minutes
byChris Bailey
 
Server-side Swift with Swagger
byChris Bailey
 
Try!Swift India 2017: All you need is Swift
byChris Bailey
 
FrenchKit 2017: Server(less) Swift
byChris Bailey
 
Playgrounds: Mobile + Swift = BFF
byChris Bailey
 
IBM Cloud University: Java, Node.js and Swift
byChris Bailey
 
AltConf 2019: Server-Side Swift State of the Union
byChris Bailey
 
InterConnect: Server Side Swift for Java Developers
byChris Bailey
 
Swift Cloud Workshop - Codable, the key to Fullstack Swift
byChris Bailey
 
Index - BFFs vs GraphQL
byChris Bailey
 

Recently uploaded

PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
How to Evaluate a High Performance Database
byScyllaDB
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 

JavaOne2013: Secure Engineering Practices for Java

  • 1.
    JavaOne 2013 Secure EngineeringPractices for Java Tim Ellison, IBM United Kingdom Ltd. CON 3615 © 2013 IBM Corporation
  • 2.
    Important Disclaimers THE INFORMATIONCONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES. ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE. IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE. IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2 © 2013 IBM Corporation
  • 3.
    About me  Basedin the Java Technology Centre, Hursley UK  Working on various runtime technologies for >20 years  Experience of open source communities  Currently focused on class library design and delivery  Overall technical lead for IBM Java 8 SE tim_ellison@uk.ibm.com 3 © 2013 IBM Corporation
  • 4.
    The goal of SecureEngineering Practices is to achieve a high level of Software Assurance Software Assurance is not the same as Security Controls © 2013 IBM Corporation
  • 5.
    Security Controls The mechanismsby which security is established and maintained across the people, data, applications, infrastructure of the system. Security controls, the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. National Information Assurance (IA) Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf © 2013 IBM Corporation
  • 6.
    Software Assurance How confidentare we that the entire system comprising people, data, applications, and infrastructure is secure? Software Assurance, a statement of the “level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended manner.” National Information Assurance (IA) Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf © 2013 IBM Corporation
  • 7.
    The market forsoftware and computing services is evolving Governments and Enterprise customers are adopting procurement requirements that give preference to software and computing services having “high assurance characteristics” over other commercial, off-the-shelf products and services. Many critical business and control systems require a high level of software assurance. © 2013 IBM Corporation
  • 8.
    IBM X-Force Viewof Enterprise Security Incidents in 2012 http://www.ibm.com/services/us/iss/xforce/trendreports/ © 2013 IBM Corporation
  • 9.
    Measuring the assuranceof software and computing services  The requirements are evolving… – Meets recognized security standards – Public history of security bulletins & press reports – Passes security tests, including scanning source, automated security testing and penetration testing – Provides evidence that good software engineering practices were applied throughout the development lifecycle Unfortunately, there are no over-arching standards. © 2013 IBM Corporation
  • 10.
    Secure Engineering Goals 1.ofProvidesecurity out the box 2. Proactively respond to new threats and risks Ensure products and solutions provide a reasonable and adequate level of security at time of release, and they maintain and improve security from release to release. Act in a timely fashion for any report of vulnerability in an existing release, and proactively address any new threat that may apply. Achieving a high confidence in software security assurance requires attention throughout the full software lifecycle Development Supply Chain Development Process and Lifecycle Deployment Lifecycle © 2013 IBM Corporation
  • 11.
    Software Assurance Activities Thetools and practices needed within a given project depend upon  What is being built (component, product, solution, service or enterprise workload)  Where it is expected to be used (closed workgroup, intranet, internet, cloud or critical infrastructure) Operational  The relevant risks and threats Code integrity Manual Code Review Security Review of Open Source Architecture Review & Security Requirements Threat Analysis & Mitigation Planning Development Supply Chain Third Party SW Contract Terms Secure Coding Security Source Code Scan Secure Build Security Security Evaluation Evaluation Security System Test Binary Analysis Development Process and Lifecycle Use Case, Abuse Case and Fault Analysis Security Controls mechanisms Source and Object Code Control Pre-Production Assurance (Pen Testing) Monitoring & Analytics Change Mgmt Scanning Deployment Lifecycle Incident Handling © 2013 IBM Corporation
  • 12.
    Adopting Secure DevelopmentPractices  Group specific activities that support secure engineering into a set of practices  Focusing on development process – Similar can be done for supply chain, deployment, etc Development Supply Chain Tools Practices Risk Assess & Threat Model Development Process and Lifecycle Security Reqmts Secure Coding Security Testing Project Planning Security Document Deployment Lifecycle Incident response Skills Knowledge Education & Awareness © 2013 IBM Corporation
  • 13.
    Risk Assessment andThreat Modeling Essential Practice The goal of this practice is to identify potential risks or attacks against software product or solutions as it will be deployed and to make decisions about how to address these risks during development. 1.Decide what risks are important to the Identify Risks 1.Investigate threats related Analyze Threats software being built those risks 1.Create and adopt a mitigation plan to Plan Mitigations avoid / correct the issues © 2013 IBM Corporation
  • 14.
    The Stride ThreatModel – as an example Spoofing identity Tampering with data An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password. Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Repudiation and Nonrepudiation Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise—e.g., a user performs an illegal operation in a system that lacks the ability to trace operations. Non-repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the receipt as evidence that the user received the package. Information disclosure Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers. Denial of service Elevation of privilege 14 Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed. http://msdn.microsoft.com/en-us/library/ee823878%28v=cs.20%29.aspx © 2013 IBM Corporation
  • 15.
    Anti-patterns: Addressing securityexclusively through tests Reqmts Without overt actions the code will contain vulnerabilities Code Design Testing tools find ~50% of the known types of vulnerabilities Prod Mgmt team Design team Reqmts Design Remediation “loops” may add two to four months to a project depending on the complexity of the issues discovered 15 Programming team Code / Build Code Scan Test team Test Package / Deploy Maintain Security System Test © 2013 IBM Corporation
  • 16.
    Secure Design Practices Understand the security requirements for the system early  Identify risks during design and prototyping and address them  Adopt established best practices for recognized risks (patterns), Attack surface reduction, principle of least privilege, defense in depth, security by default, ...  Document and describe the assurances you have about the system  Developers iterate towards a functional system based on a secure architecture 16 © 2013 IBM Corporation
  • 17.
    Shared Goals PromoteSecure Coding Consistent guidance on Security Risks, Threats & Vulnerabilities Security Advice Reqmts Code may contain vulnerabilities Code Design Testing tools find ~50% of the known types of vulnerabilities Prod Mgmt team Design team Reqmts Design Programming team Code / Build Code Scan 17 Test team Test Package / Deploy Maintain Security System Test © 2013 IBM Corporation
  • 18.
    Secure Coding  Asignificant proportion of escaped vulnerabilities are traced to coding errors  Developers need to be familiar with the secure coding guidelines, MITRE top 25, etc.  Understand the concepts of trusted and untrusted code, tainted data, sensitive data, etc – The team and the application must handle them explicitly – Java 8 annotations can help with classifying constraints and metadata about variables  Prioritize departures from the coding standard by failure mode, effects, and criticality – Severity: How serious are the consequences of the error? – Likelihood: How likely is it that a flaw introduced by violating the rule could 18 lead to an exploitable vulnerability? – Remediation cost: How expensive is it to remediate existing code to comply with the standard? © 2013 IBM Corporation
  • 19.
    Security Testing  Usethreat modelling to target security testing based on risk – Prioritize testing with manual and tools based scenarios • Breach of access rules • Bad actor • Effect of malformed data • Out of process operations 100x  Static analysis – Does the code adhere to the coding guidelines? – Tools and formal code inspections  Dynamic testing – SQL injection – Fuzzing – Penetration testing 19 15x 1x design 6x coding verification release © 2013 IBM Corporation cost  Numerous studies show the cost of finding and fixing vulnerabilities rises exponentially through the development lifecycle
  • 20.
    Security Documentation  Allreleases should be secure by design in their default configuration  High quality documentation about how to use a system securely is equally important  Users need clear guidelines about the security impact to modifying configurations – Inform users about secure deployment, and balancing usability with security – Security should be addressed as a specific topic, not spread throughout the documentation  Explain the impact of configurations that increase the attack surface of the system, e.g. – Backwards compatibility – Choice of communications protocols – Guest and demo accounts  Provide examples and templates for hardening the system in specific scenarios  Use threat modeling conclusions to inform users about best practices 20 © 2013 IBM Corporation
  • 21.
    Security Incident Response Expect security incidents even after following careful secure engineering practices  Incident response policy and plan – Establishing communications internally and externally – Be prepared for any eventuality, but focus on expected attacks attrition web-based hardware level e-mail improper usage loss / theft  Establish robust means of detecting and verifying incidents – logging, audits, external reports, validation checks, ...  Create guidelines for prioritizing incidents – Functional impact to the business – Information impact to confidentiality, integrity and availability of business data – Recoverability from incident occurrence  Learn lessons from incidents – Ensure the organization improves based on the history of security incidents © 2013 IBM Corporation
  • 22.
    Education and Environment Software assurance requires positive action maintained throughout the full system lifecycle Development Supply Chain Tools Practices Risk Assess & Threat Modeling Development Process and Lifecycle Security Reqmts Secure Coding Security Testing Project Planning Security Document Deployment Lifecycle Incident response Skills Knowledge Education & Awareness  Ensure development team has the same knowledge and perspective that adversaries might use. © 2013 IBM Corporation
  • 23.
    Security Advice Expert Knowledge Actors Risks Assets Design team Programming team Threats Permissions Exploits Platforms Attacks Tools User Stories Common Weaknesses Defense inDepth Test team Users Roles Support team D e fe n s e s Vulnerability History Security Perimeter White hat Languages Security Controls Malware Black hat © 2013 IBM Corporation
  • 24.
    Secure Engineering isthe responsibility of the entire development All job roles need an understanding of the concepts Awareness and organization Education Project Planning Architects and Designers need to ensure that best practices for session handling, information protection, etc. are included in Design Specifications, Use Cases and Security Test Plans Secure Coding Test team Architects and Designers need to review the security characteristics of existing software and document a Threat Model for new software Security Requirements Design team Project/Release Managers need to include Secure Engineering in Project Planning activities Risk Assessment and Threat Modeling Management team and the implications of Security in Development Developers need to ensure that coding and configuration techniques are appropriate Security Testing Test Teams need to learn about security testing and perform Security Testing using AppScan, with appropriate test plan and policy Security Documentation Information Developers need to ensure that all offerings include appropriate Security Documentation Security Incident Response Support Teams must participate in Security Incident Response Process Programming team Support team © 2013 IBM Corporation
  • 25.
    Summary  Security Controlsand Software Assurance are both critical to enterprise users  Continued evidence of vulnerabilities in software has changed the focus from security controls and defenses to controlling the risk of security incidents.  To build secure software, development teams need to understand risks throughout the development lifecycle.  There are risks related to weaknesses in design, coding and integration, as well as, in use cases and abuse cases related to deployment models for critical business processes and workloads.  Development Teams need to grow skills in analyzing risks and threats and use the available tools. © 2013 IBM Corporation
  • 26.
    © 2013 IBMCorporation
  • 27.
    Photo attributions  Chart7 – MRI = Jan Ainali – ATM = DaviSements – Car = Kevin Rodriguez Ortiz  Chart 16 – Coder = Matthew (WMF)  Chart 20 – Writer = greg.turner © 2013 IBM Corporation