ENHANCING THE DEVELOPMENT LIFE CYCLE TO PRODUCE SECURE SOFTWARE

Dependence on information technology makes software assurance a key element of business continuity, national security, and homeland security. Software vulnerabilities jeopardize intellectual property, consumer trust, business operations and services, and a broad spectrum of critical applications and infrastructure, including everything from Supervisory Control and Data Acquisition systems to commercial-off-the-shelf applications. The integrity of key assets depends upon the reliability and security of the software that enables and controls those assets. However, informed consumers have growing concerns about the scarcity of practitioners with requisite competencies to build secure software. They have concerns with suppliers’ capabilities to build and deliver secure software with requisite levels of integrity and to exercise a minimum level of responsible practice. Because software development offers opportunities to insert malicious code and to unintentionally design and build software with exploitable weaknesses, security-enhanced processes and practices—and the skilled people to perform them—are required to build software that can be trusted not to increase risk exposure.

In an era riddled with asymmetric cyber attacks, claims about system reliability, integrity and safety must also include provisions for built-in security of the enabling software.

In their Report to the President entitled Cyber Security: A Crisis of Prioritization (February 2005), the President’s Information Technology Advisory Committee (PITAC) summed up the problem of non-secure software:

Network connectivity provides "door-to-door" transportation for attackers, but vulnerabilities in the software residing in computers substantially compound the cyber security problem. As the PITAC noted in a 1999 report, the software development methods that have been the norm fail to provide the high quality, reliable, and secure software that the Information Technology infrastructure requires.

Software development is not yet a science or a rigorous discipline, and the development process by and large is not controlled to minimize the vulnerabilities that attackers exploit. Today, as with cancer, vulnerable software can be invaded and modified to cause damage to previously healthy software, and infected software can replicate itself and be carried across networks to cause damage in other systems. Like cancer, these damaging processes may be invisible to the lay person even though experts recognize that their threat is growing. And as in cancer, both preventive actions and research are critical, the former to minimize damage today and the latter to establish a foundation of knowledge and capabilities that will assist the cyber security professionals of tomorrow reduce risk and minimize damage for the long term.

Vulnerabilities in software that are introduced by mistake or poor practices are a serious problem today. In the future, the Nation may face an even more challenging problem as adversaries—both foreign and domestic—become increasingly sophisticated in their ability to insert malicious code into critical software.

Software Assurance has emerged in response to the dramatic increases in business and mission risks that are now known to be attributable to exploitable software, including:

Dependence on software components of systems despite their being the weakest link in those systems;
Size and complexity of software that obscures its intent and precludes exhaustive testing;
Outsourcing of software development and reliance on unvetted software supply chains;
Attack sophistication that eases exploitation of software weaknesses and vulnerabilities;
Reuse and interfacing of legacy software with newer applications in increasingly complex, disparate networked environments resulting in unintended consequences and the increase of vulnerable software targets.

The growing extent of the resulting risk exposure is not yet well understood. The number of threats specifically targeting software is increasing, as the majority of today’s network- and system-level attacks exploit vulnerabilities in application-level software. These factors combine to the increase of risks to software-enabled capabilities and the vulnerability of software-intensive systems to asymmetric cyber threats. Only by establishing the basis for justifiable confidence in the software that enables their core business operations can the organizations that depend on software-intensive systems trust those systems to continue performing in a dependable, trustworthy manner, even in the face of attack.

Enhancing the Development Life Cycle to Produce Secure Software joins a growing body of software assurance information resources and tools provided through the Department of Homeland Security (DHS) BuildSecurityIn Web portal (https://buildsecurityin.us-cert.gov) that are intended to assist software developers, architects, acquirers, and educators in the improvement and verification of the quality, reliability, and security of the software they produce or procure-and in establishing the justification to use that software with confidence.

Enhancing the Development Life Cycle to Produce Secure Software[1] is intended to complement Software Security Assurance: A State-of-the-Art Report,[2] which provides an broad overview of the current methodologies, practices, technologies, and activities engaged in by government, industry, and academia for producing secure software and verifying software’s security. Enhancing the Development Life Cycle complements Software Security Assurance by describing in greater technical depth and detail the security principles and practices that software developers, testers, and integrators can adopt to achieve the twin objectives of producing more secure software-intensive systems, and verifying the security of the software they produce.

Enhancing the Development Life Cycle benefited greatly from contributions and critiques by participants in the Software Assurance Forum. The Software Assurance Forum was established jointly by the DHS and Department of Defense (DoD) Software Assurance Programs to provide a venue in which relevant initiatives and organizations across the private sector, academia, and government agencies can collaborate and partner to improve the state of the art of software development and acquisition by shaping a comprehensive strategy that addresses people, processes, technologies, and acquisition practices throughout the software life cycle.

DHS established its Software Assurance Program, consistent with the National Strategy to Secure Cyberspace which included action/recommendation 2-14: "DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development."

The co-sponsored Software Assurance Forum provides a public-private venue for stakeholders to discuss relevant issues and promote the objectives of software assurance throughout the development life cycle. The software assurance objectives are:

Dependability (Correct and Predictable Execution): Justifiable confidence can be attained that software, when executed, functions only as intended;
Trustworthiness: No exploitable vulnerabilities or malicious logic exist in the software, either intentionally or unintentionally inserted;
Resilience (and Survivability): If compromised, damage to the software will be minimized, and it will recover quickly to an acceptable level of operating capacity;
Conformance: A planned and systematic set of multi-disciplinary activities will be undertaken to ensure software processes and products conform to requirements and applicable standards and procedures.

A growing number of software and security engineers have identified and now promote principles, practices, and technologies that support these software assurance objectives. Their experiences have provided real-world evidence that software produced and vetted by such tools and practices exhibit fewer faults and weaknesses that are exploitable as vulnerabilities, while also increasing the software’s overall dependability and quality. Enhancing the Development Life Cycle describes these principles, practices, and technologies.

Recognizing that no single practice, process, or methodology offers a universal "silver bullet" for software security, the authors of Enhancing the Development Life Cycle do not set out to recommend a specific methodology. In this way, Enhancing the Development Life Cycle differs from many other works published on secure software engineering, secure programming, secure coding, application security, and similar topics.

What Enhancing the Development Life Cycle does do is present software practitioners with background in software security concepts and issues, and describes a set of frequently cited secure software principles and security-enhancing development practices. These are principles and practices that have been demonstrated in software development projects across government, industry, and academia, in the United States (U.S.) and abroad, to aid in the production, verification, and sustainment of software that is more dependable, more trustworthy, and more resilient than software produced without the benefit of those principles and practices. The information in Enhancing the Development Life Cycle is intended to prepare its readers to evaluate and choose from among the growing number of secure software development methodologies, practices, and technologies those best suited for adoption by their own development organizations to help reshape their life cycle processes and practices.

Enhancing the Development Life Cycle is expected to contribute to the growing Software Assurance community of practice. This freely downloadable document is intended solely as a source of information and guidance, and is not a proposed standard, directive, or policy from the DoD, DHS, or any other federal government organization. This document will continue to evolve with usage and changes in practice; therefore, comments on its utility and recommendations for improvement will always be welcome and should be addressed to the DACS at swa@thedacs.com or to Joe Jarzombek, the Director for Software Assurance, National Cyber Security Division, U.S. Department of Homeland Security at swa@cert.org.

Other software assurance documents are freely available through the Software Assurance Program of the U.S. Department of Homeland Security (DHS) National Cyber Security Division. The documents and resource material can be downloaded via the "Software Assurance Community Resources and Information Clearinghouse" at https://buildsecurityin.us-cert.gov/swa and the "Build Security In" website at https://buildsecurityin.us-cert.gov.

The Software Assurance Forum and Working Groups have provided collaborative venues for stakeholders to share and advance techniques and technologies relevant to software security, and they provide resources and seek ongoing feedback to improve those resources.

Software Security Assurance: A State-of-the-Art Report (SOAR) represents an output of collaborative efforts of software assurance subject matter experts in the Department of Defense (DoD) Information Assurance Technology Analysis Center and Data and Analysis Center for Software, in concert with organizations and individuals in the SwA Forum and working groups. The SOAR provides an overview of the current state of the environment in which software must operate and surveys current and emerging activities and organizations involved in promoting various aspects of software security assurance. The report also describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying software that can, with a justifiable degree of confidence, be said to be secure. The report also presents observations about noteworthy trends in software security assurance as a discipline. Many other SwA resources are provided by the SwA working groups.

"Software Assurance in Acquisition: Mitigating Risks to the Enterprise" was published in October 2008 through the National Defense University Press. This collaboratively developed document provides a reference for security-enhanced software acquisition and outsourcing by incorporating SwA throughout the acquisition process from the acquisition planning phase to contracting, monitoring and acceptance, and follow-on phases. For each phase, the material covers SwA concepts, recommended strategies, and acquisition management tips. It also includes recommended request for proposal and/or contract language and due diligence questionnaires that may be tailored to facilitate the contract evaluation process. A pre-production copy is freely downloadable via the DHS SwA Community Resources and Information Clearinghouse at https://buildsecurityin.us-cert.gov/swa/acqact.html

"Practical Measurement Framework for Software Assurance and Information Security" was published in October 2008 through the Practical Software and Systems Measurement Support Center. It provides an approach for measuring the effectiveness of achieving Software Assurance (SwA) goals and objectives at an organizational, program or project level. It addresses how to assess the degree of assurance provided by software, using quantitative and qualitative methodologies and techniques. This framework incorporates existing measurement methodologies and is intended to help organizations and projects integrate SwA measurement into their existing programs. The document can be free downloaded via the PSM Support Center web site under "Products" then "white papers". The link is: http://www.psmsc.com/Prod_TechPapers.asp. The link directly to the paper is: http://www.psmsc.com/Downloads/TechnologyPapers/SwA%20Measurement%2010-08-8.pdf

¹Sponsored by the DHS Software Assurance Program and collaboratively developed through contributions of the Software Assurance Forum working groups, the document is published by the Defense Technical Information Center’s Data and Analysis Center for Software (DACS) as a community resource.
²Goertzel, Karen Mercedes, et al. Software Security Assurance: A State-of-the-Art Report. Herndon, Virginia: Information Assurance Technology Analysis Center (IATAC) of the DTIC, 31 July 2007. Accessed 28 January 2008 at: http://iac.dtic.mil/iatac/download/security.pdf

ENHANCING THE DEVELOPMENT LIFE CYCLE

TO PRODUCE SECURE SOFTWARE

Version 2.0

October 2008

FOREWORD	i
CREDITS AND ACKNOWLEDGEMENTS	v
TABLE OF CONTENTS	vii
List of tables	xv
List of figures	xv
1 INTRODUCTION	1
1.1 Document purpose and intended audience	1
1.2 Document structure and content	3
2 BACKGROUND: UNDERSTANDING THE PROBLEM	6
2.1 What is secure software?	6
2.2 Why does software assurance matter?	8
2.3 Which software must always be secure?	9
2.4 What makes software secure?	10
2.5 Threats that target software	15
2.5.1 Attacks that exploit software vulnerabilities	19
2.5.2 Causes of weaknesses and vulnerabilities	27
2.5.2.1 Does vulnerability avoidance equate to security?	30
2.6 Security training, education, and professional certification for software practitioners	31
3 INTEGRATING SECURITY INTO THE SDLC	34
3.1 Influence of how software comes to be on its security	35
3.2 General software security principles	36
3.2.1 Software assurance, information assurance, and system security	37
3.3 Secure development life cycle activities and practices	45
3.4 Secure version management and change control of SDLC artifacts	50
3.5 Security assurance cases for software	51
3.6 SDLC methodologies that aid in secure software production	54
3.6.1 Secure SDLC methodologies	54
3.6.2 Can agile methods produce secure software?	56
3.6.3 Formal methods and secure software development	64
4 REQUIREMENTS FOR SECURE SOFTWARE	67
4.1 The challenge of negative and non-functional requirements	69
4.2 Origins of requirements for secure software	72
4.3 Deriving requirements that will ensure security of software	74
4.4 Secure software requirements verification challenges	77
4.5 Requirements engineering and security modeling methodologies and tools	79
4.5.1 Attack modeling	80
4.5.1.1 Security use cases, misuse cases, and abuse cases	81
4.5.1.2 Attack patterns	82
4.5.1.3 Threat modeling	85
4.5.1.4 Other modeling techniques	87
4.5.1.4.1 Attack trees and attack graphs	87
4.5.1.4.2 Anti-models	89
4.5.1.4.3 State-transition diagrams	90
5 SECURE DESIGN PRINCIPLES AND PRACTICES	91
5.1 Secure architecture considerations	91
5.2 Secure software design principles and practices	92
5.2.1 General Principle 1: Minimize the number of high-consequence targets	93
5.2.1.1 Principle of least privilege	93
5.2.1.2 Principle of separation of privileges, duties, and roles	95
5.2.1.3 Principle of separation of domains	96
5.2.2 General Principle 2: Don’t expose vulnerable or high-consequence components	97
5.2.2.1 Keep program data, executables, and program control/configuration data separate	97
5.2.2.2 Segregate trusted entities from untrusted entities	98
5.2.2.3 Minimize the number of entry and exit points into and out of any entity	101
5.2.2.4 Assume environment data is not trustworthy	101
5.2.2.5 Use only safe interfaces to environment resources	101
5.2.3 General Principle 3: Deny attackers the means to compromise	102
5.2.3.1 Simplify the design	102
5.2.3.2. Hold all actors accountable, not just human users	104
5.2.3.3 Avoid timing, synchronization, and sequencing issues	105
5.2.3.4 Make secure states easy to enter and vulnerable states difficult to enter	106
5.2.3.5 Design for controllability	106
5.2.3.6 Design for secure failure	107
5.2.3.7 Design for survivability	107
5.2.3.8 Server functions should never rely on clients to perform high-consequence functions or trust client-originated data	108
5.3 Modeling and risk analysis for architecture and design	109
5.3.1 Leveraging misuse and abuse cases in architecture	111
5.3.2 Leveraging attack patterns in architecture and design	112
5.4 Relationship of security patterns to secure software	114
5.5 Execution environment security constraints, protections, and services for software	117
5.5.1 Environment-level compartmentalization: constraint and isolation mechanisms	119
5.5.1.1 Standard operating system access controls	119
5.5.1.2 Trusted operating systems	119
5.5.1.3 Security-enhanced operating systems	120
5.5.1.4 Hardened and security-enhanced operating systems	120
5.5.1.5 Minimized kernels and microkernels	121
5.5.1.6 Virtual machines	122
5.5.1.7 Trusted processor modules	122
5.5.1.8 Tamper-resistant processors	123
5.5.2 Application frameworks	123
5.5.3 Benign software on a malicious host	125
5.6 Secure architecture and design methodologies	126
6 SECURE COMPONENT-BASED SOFTWARE ENGINEERING	127
6.1 Architecture and design considerations for component-based software systems	129
6.2. Security issues associated with COTS and OSS components	131
6.2.1 Lack of visibility (the “black box” problem)	131
6.2.2 Ignorance of pedigree and provenance	132
6.2.3 Questionable validity of security assumptions	134
6.2.4 Presence of unused and unexpected functions: dormant, dead, and malicious code	134
6.3 Security evaluation and selection of components	136
6.3.1 Steps in a component security evaluation	137
6.3.2 Questions to ask about components under evaluation	140
6.4 Implementing secure component-based software	141
6.5 Secure sustainment of component-based software	142
7 SECURE CODING	144
7.1 Secure coding principles and practices	144
7.1.1 Keep code small and simple	144
7.1.2 Use a consistent coding style	145
7.1.3 Follow secure coding standards and/or guidelines	145
7.1.4 Make code forward and backward traceable	146
7.1.5 Code for reuse and maintainability	146
7.1.6 Allocate memory and other resources carefully	146
7.1.7 Minimize retention of state information	147
7.1.8 Leverage security through obscurity only as an additional deterrence measure	147
7.1.9 Avoid unauthorized privilege escalation	147
7.1.10 Use consistent naming	147
7.1.11 Use encapsulation cautiously	148
7.1.12 Leverage attack patterns	148
7.1.13 Input encoding and validation	149
7.1.13.1 Implementing input validation	149
7.1.13.1.1 Preliminary client-side validation	151
7.1.13.1.2 XML schema and input validation	151
7.1.13.2 Testing input validation logic	152
7.1.14 Output filtering and sanitization	153
7.1.15 Avoid security conflicts arising between native and non-native, passive and dynamic code	153
7.1.16 Review code during and after coding	153
7.2 Survivability through error, anomaly, and exception handling	157
7.3.1 Anomaly awareness	159
7.3.2 Event monitors	159
7.3.3 Security error and failure handling	159
7.3.4 Core dump prevention	160
7.4 Secure memory/cache management	160
7.4.1 Safe creation and deletion of temporary files	161
7.5 Interprocess authentication	162
7.5.1 Secure RPC	163
7.6 Secure software localization	163
7.7 Language-specific security considerations	164
7.8 Tools that assist in secure coding and compilation	166
7.8.1 Compiler security checking and enforcement	167
7.8.2 Safe software libraries	169
7.8.3 Runtime error checking and safety enforcement	169
7.8.4 Code obfuscation	169
8 RISK-BASED SOFTWARE SECURITY TESTING	170
8.1 Test planning	173
8.1.1 Test timing	174
8.1.2 System and Application Security Checklists	176
8.2 Software security test techniques	178
8.2.1 White and grey box testing techniques	178
8.2.1.1 Source code fault injection	179
8.2.1.2 Dynamic code analysis	181
8.2.1.3 Property-based testing	182
8.2.2 Black box testing techniques	182
8.2.2.1 Binary fault injection	182
8.2.2.2 Fuzz testing	184
8.2.2.3 Binary code analysis	184
8.2.2.4 Byte code analysis	185
8.2.2.5 Black box debugging	185
8.2.2.6 Vulnerability scanning	186
8.2.2.7 Penetration testing	188
8.3 Interpreting and using test results	189
9 SECURE DISTRIBUTION, DEPLOYMENT, AND SUSTAINMENT	191
9.1 Preparations for secure distribution	191
9.1.1 Review and sanitization of user-viewable source code	192
9.1.1.1 Preventing disclosure of user-viewable source code and copying of all browser-displayed content	195
9.1.2 Bytecode obfuscation to deter reverse engineering	197
9.2 Secure distribution	197
9.2.1 Protection for online distributions	197
9.2.2 Protection for offline distributions	197
9.3 Secure installation and configuration	198
9.3.1 Instructions for configuring restrictive file system access controls for initialization files and target directories	199
9.3.2 Instructions for validating install-time security assumptions	199
9.3.3 Instructions for removing all unused and unreferenced files	199
9.3.4 Instructions for changing of passwords and account names on default accounts	200
9.3.5 Instructions for deleting unused default accounts	200
9.3.6 Other considerations for locking down the execution environment	201
9.4 Secure sustainment considerations	202
9.4.1 Vulnerability management	202
9.4.2 Software aging and security	204
APPENDIX A: ABBREVIATIONS, ACRONYMS, AND DEFINITIONS	207
A.1 Abbreviations and acronyms	207
A.2 Definitions	211
APPENDIX B: RESOURCES AND BIBLIOGRAPHY	223
B.1 Freely-Accessible Online resources	223
B.2 Restricted-Access Online Resources	251
B.3 Bibliography	254
APPENDIX C: SECURITY CONCERNS ASSOCIATED WITH SPECIFIC SOFTWARE TECHNOLOGIES, METHODOLOGIES, AND PROGRAMMING LANGUAGES	258
C.1 Security concerns associated with Web service software	258
C.2 Security concerns associated with embedded system software	259
C.3 Formal methods and secure software	262
C.4 Security concerns and benefits associated with specific programming languages	267
C.4.1 C and C++	267
C.4.2 Java	268
C.4.2.1 Secure Java development	269
C.4.3 C# and VB.NET	271
C.4.4 Ada	273
C.4.5 Ruby	275
C.4.6 Server-side scripting languages	276
C.4.6.1 Perl	278
C.4.6.2 PHP	279
C.4.6.2.1 Setting register_globals to “Off”	280
C.4.6.2.2 PHP implementation of input validation	282
C.4.6.2.3 Naming conventions for variables	283
C.4.6.3 Python	283
C.4.6.4 ASP and ASP.NET	284
C.4.7 Client-side scripting languages	285
C.4.7.1 JavaScript	286
C.4.7.2. AJAX (Asynchronous JavaScript And XML)	287
C.4.7.3 VBScript	289
C.4.7.4 TCL	289
C.4.8 Mobile code security	290
C.4.8.1 Digital signing of mobile code	291
C.4.8.2 Mobile code signature validation	291
C.4.9 Shell scripting languages	292
C.4.10 Secure language variants and derivatives	292
C.5. Leveraging Design by Contract™ for software security	293
APPENDIX D: SECURITY CHECKLIST EXCERPTS	296

Copyright © 2010, ITT Corporation Privacy Policy	webmaster@thedacs.com 775 Daedalian Drive Rome, NY 13441 (800) 214-7921 Fax: 315-838-7130
This site is best viewed in Firefox 1.0+ or IE 6.0+

FOREWORD

TABLE OF CONTENTS