Deployment & Distribution Engineering Secure Software Last - - PowerPoint PPT Presentation

deployment distribution
SMART_READER_LITE
LIVE PREVIEW

Deployment & Distribution Engineering Secure Software Last - - PowerPoint PPT Presentation

Mar 08, 2024 268 likes •489 views

Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 SE Doesnt End at Release Deployment counts too Despite our best efforts to produce

slide-1
SLIDE 1

SWEN-331: Engineering Secure Software Benjamin S Meyers

Deployment & Distribution

Engineering Secure Software

Last Revised: November 6, 2020 1

slide-2
SLIDE 2

SWEN-331: Engineering Secure Software Benjamin S Meyers

SE Doesn’t End at Release

  • Deployment counts too

○ Despite our best efforts to produce secure software, vulnerabilities can exist only when deployed in a production environment ○ Users expect “secure by default”

  • Your organization needs to be ready

○ Incident response plan ○ Version control practices

  • Your installation and configuration scripts count

○ Recommended firewall configuration ○ Security manager configuration

2

slide-3
SLIDE 3

SWEN-331: Engineering Secure Software Benjamin S Meyers

Recent(ish) PostgreSQL Incident

  • PostgreSQL reported a show-stopping vulnerability on April 4th, 2013
  • “Argument injection vulnerability in PostgreSQL [9.2.x ..] allows

remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).”

  • “The vulnerability allows users to use a command-line switch for a

PostgreSQL connection intended for single-user recovery mode while PostgreSQL is running in normal, multiuser mode. This can be used to harm the server.”

3

slide-4
SLIDE 4

SWEN-331: Engineering Secure Software Benjamin S Meyers

How PostgreSQL Responded

  • Embargo on the bug: March 13th - April 4th

○ Removed the public version control repositories during the embargo ○ Announced on the mailing lists to expect an immediate upgrade soon, without much detail

  • Contacted vendors especially affected (e.g. Heroku)

○ Core PostgreSQL developers assisted the vendors directly ○ Tested patches on vendors’ environments ○ Heroku already had a history of working directly with developers

  • n experimental features

4

slide-5
SLIDE 5

SWEN-331: Engineering Secure Software Benjamin S Meyers

Incident Response Plan

  • Incident definition

○ How do you know that this behavior is bad? ○ Use high-level risks and indicators from initial risk assessment

  • Establish who is involved

○ Monitoring duties ○ Contacts for specific issues ○ Security response team

  • Chain of escalation

○ Know who to contact to fix the problem ○ Who see the bugs? (e.g. Cisco CEO gets daily escalation reports)

5

slide-6
SLIDE 6

SWEN-331: Engineering Secure Software Benjamin S Meyers

Incident Response Plan

  • Establish procedures

○ Writing the patch ○ Testing the patch ○ Security expert review of the patch ○ Reacting to specific exploits

  • Establish working relationships with key vendors
  • Establish criteria for notifying the world

○ Too late? Active exploits make you look behind ○ Too early?

■ Unnecessary panic ■ Invites exploits

6

slide-7
SLIDE 7

SWEN-331: Engineering Secure Software Benjamin S Meyers

Version Control Practices

  • Releases are treated as branches

○ Most current version: trunk branch

■ AKA upstream ■ Continuously-updated to the latest version

○ Maintenance: release branch

■ Diverges from the main trunk ■ New changes to an old release? Backport

○ Upstreams and backports can differ if the code has since changed a lot

  • Configuration management coordinator

○ Keeps track of all the branches and releases ○ New developers often work on backports ○ Keeps track of “testing gotchas” from one release to another (e.g. environment changes)

7

slide-8
SLIDE 8

SWEN-331: Engineering Secure Software Benjamin S Meyers

Upstream & Backport

8

r45545 r45546 1.0 Release /branches/1.0 Upstream /trunk

slide-9
SLIDE 9

SWEN-331: Engineering Secure Software Benjamin S Meyers

Upstream & Backport

9

r45545 r45546 1.0 Release /branches/1.0 Upstream /trunk Vulnerability

slide-10
SLIDE 10

SWEN-331: Engineering Secure Software Benjamin S Meyers

Upstream & Backport

10 10

r45545 r45546 1.0 Release /branches/1.0 Upstream /trunk Vulnerability

Security Response Team

Patch

slide-11
SLIDE 11

SWEN-331: Engineering Secure Software Benjamin S Meyers

Upstream & Backport

11 11

r45545 r45546 1.0 Release /branches/1.0 Upstream /trunk Vulnerability

Security Response Team Configuration Coordinator

Patch

slide-12
SLIDE 12

SWEN-331: Engineering Secure Software Benjamin S Meyers

Upstream & Backport

12 12

r45545 r45546 1.0 Release /branches/1.0 Upstream /trunk r45547 Vulnerability

Security Response Team Configuration Coordinator

1.1 Patch

slide-13
SLIDE 13

SWEN-331: Engineering Secure Software Benjamin S Meyers

Upstream & Backport

  • Sometimes…

○ Vulnerabilities get introduced by a backport (regression) ○ Vulnerabilities only affect the backport, not upstream ○ Vulnerabilities affect some branches, but not others

13 13

r45545 r45546 1.0 Release /branches/1.0 Upstream /trunk r45547 Vulnerability

Security Response Team Configuration Coordinator

1.1 Patch

slide-14
SLIDE 14

SWEN-331: Engineering Secure Software Benjamin S Meyers

Releasing Patched Version

  • You will need to release patched versions of your product
  • “Patch it yourself” approach (e.g. Adobe Flash, Acrobat)

○ Software contacts the vendor periodically and downloads software updates ○ Benefits:

■ Simple, easy ■ You control how it works

○ Drawback:

■ You have to implement update functionality ■ Root vs. non-Root ■ Spoofing update sites ■ What if the update system breaks?

14 14

slide-15
SLIDE 15

SWEN-331: Engineering Secure Software Benjamin S Meyers

Releasing Patched Version

  • You will need to release patched versions of your product
  • Package manager approach (e.g. apt, yum, Mac App Store)

○ Benefits: ■ OS support means packages are handled all in one place ■ Harder to compromise: uses hash digests to verify ○ Drawback:

■ Can annoy users ■ e.g. “Package X.1.2 isn’t in the system?!?!” ■ One company/organization in control

15 15

Source: gis.stackexchange.com/

slide-16
SLIDE 16

SWEN-331: Engineering Secure Software Benjamin S Meyers

Security Managers

  • Often a programming language feature

○ Required for untrusted API situations ○ Prevents sensitive API calls

■ e.g. System.exit(1) // Java ■ e.g. System properties (read and write)

○ Highly customizable ○ Turned off by default

  • Many languages have them, or community provides them

○ Java: Java Security Manager ○ Python: RestrictedPython, etc. ○ Perl: Safe.pm ○ Ruby: Safe ○ C/C++: None -- use OS mechanisms

16 16

slide-17
SLIDE 17

SWEN-331: Engineering Secure Software Benjamin S Meyers

Security Managers in Practice

  • In a server situation

○ Limits access to underlying OS (e.g. file access, logging) ○ Limits OS-sensitive functions (e.g. opening a socket)

  • In a desktop situation

○ Used to mitigate extensibility concerns ○ Mitigates the “malicious plugin” problem

17 17

slide-18
SLIDE 18

SWEN-331: Engineering Secure Software Benjamin S Meyers

Example: catalina.policy

  • Java servlet container from Apache Tomcat

○ A web application is untrusted code running in the same VM ○ DoS and access to underlying OS are concerns too

  • Server startup JAR is given full permissions
  • Grant read permissions to some system-wide properties

18 18

// These permissions apply to the server startup code grant codeBase “file:${catalina.home}/bin/bootstrap.jar” { permission java.security.AllPermission; }; permission java.util.PropertyPermission “java.home”, “read”; permission java.util.PropertyPermission “java.naming.*”, “read”; permission java.util.PropertyPermission “javax.sql.*”, “read”;

slide-19
SLIDE 19

SWEN-331: Engineering Secure Software Benjamin S Meyers

Example: catalina.policy

  • Grant application-specific logging, file permissions, etc
  • Grant read API permissions for web applications for a given

package

19 19

// All JSP’s need to be able to read this package permission java.lang.RuntimePermission “accessClassInPackage.org.apache.tomcat”; permission java.util.logging.LoggingPermission “control”; permission java.io.FilePermission “${java.home}${file.separator}conf${file.separator}logging.properties”, “read”;

slide-20
SLIDE 20

SWEN-331: Engineering Secure Software Benjamin S Meyers

Other Things to Consider

  • Enable and configure firewalls

○ Define who (which IP’s) have access to what (ports/services)

  • Scheduled testing

○ Sanity checks

  • Develop a platform/library migration plan

○ What subsystems are affected by library changes? ○ How do we port from Linux to Windows?

  • Develop a software retirement plan

○ How will you retire an older version of your software? ○ How will you retire your entire project?

20 20