Fortify Software Inc. Know your code. Trust your code.

Software Security Fundamentals - Develop Secure Software
Presenter: Wang Hong

Topics
- Basic concepts.
- The importance of software security.
- Analysis of the causes and root sources of increasingly serious software security problems.
- Measures and methods for solving software security problems.

Basic concepts
Definition of software security: software that keeps running correctly (functionality/performance) while under malicious attack.
The subject of software security: understanding the risks that give rise to software security problems and how to manage them:
"Building secure software: designing software to be secure, making sure that software is secure, educating software developers, architects and users about how to build security in"

The importance of software security
- Expectations for information security
- The current state of information security
- Trends in software security vulnerabilities
- Traditional information security efforts and investment directions
- The central place of software security within information security

Expectations for information security
In principle: spending more money reduces security incidents and exploits, and this helps us to:
- protect our business from being damaged by malicious actors
- limit liability and obligations
- meet regulations and standards
- avoid damage to the company's brand and reputation
[Chart: info-sec spending ($) vs. incidents & exploits (#)]

In reality, however: we spend millions every year on information security, but the results are disappointing and the security problems we face keep increasing.
[Chart: info-sec spending ($17B) vs. impact ($40B)]
Breaches grow dramatically, seriously impacting: uptime, regulatory compliance, liability, brand and reputation.

The current state of information security: recent statistics from analyst organizations
- In 2004, average time from vulnerability announcement to 1st attack = 5.8 days (99 days in 2003)
- 532% increase in CERT incidents reported (2000-2003)
- 43% report an increase in e-crimes and intrusions versus the previous year
- On average, 48 new vulnerabilities per week were disclosed in 1H04
These four factoids are just a sampling of results found by the FBI, Carnegie Mellon's SEI CERT Coordination Center (an industry body that focuses on alerting corporations to security vulnerabilities), and Symantec in its 5th Internet Security Threat Report (Jan-June 2004).

Trends in software security vulnerabilities
[Chart: CERT's 2006 report]

Where has our money gone? Why is our security work having no effect? Why?

Traditional information security methods and investment directions
The experts are telling us: we have a SOFTWARE problem.
"Over 70% of security vulnerabilities exist at the application layer, not the network layer. It's not just operating systems or web browsers, but all types of applications, particularly applications that automate key business processes." (Gartner Group, 2004)

The central place of software security within information security
Conclusion: the main information security problem we face today is application software security!

Why software security is becoming more serious
- Why software security problems keep growing
- The evolution of hacker attack methods
- Traditional layered protection schemes to reduce system risk
- Why traditional network-based approaches don't work
- Hackers can attack systems directly by exploiting software weaknesses
- Demonstration of how attacking software can steal business information and damage application systems
- Software must protect itself
- The traditional school of security technology education
- The relationship between software patches and attacks on software security
- The root problem of software security

Why software security problems are growing
- Connectivity
- Extensibility
- Complexity

Why have software security problems become so difficult?
- Connectivity: the Internet is everywhere and most software is on it
- Complexity: networked, distributed, mobile code is hard
- Extensibility: systems evolve in unexpected ways and are changed on the fly
[Figures: "This simple interface is this complex program"; .NET; "The network is the computer."; timeline 1980-2000]

The evolution of hacker attack methods
[Chart: attack sophistication (low to high) vs. intruder knowledge, 1980-2000. Techniques plotted: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Spoofing, Networked Management Diagnosis, GUI, Automated Probes/Scans, Denial of Service, WWW Attacks, "Stealth"/Advanced Scanning Techniques, Distributed Attack Tools, Staged Attack, Cross-Site Scripting, Burglaries]

The traditional "add a layer" protection scheme
[Diagram: hackers, worms & viruses and malicious insiders outside; traditional network/perimeter defenses; critical software automation of key operational processes inside]
Because of business and functional needs, applications must break through the traditional protection layers and interact directly with outside systems:
- Web-facing applications
- Legacy application integration
- Connectivity with partners & suppliers
- Outsourcing
- Employee self-service

Why traditional network-based approaches don't work
Key                  | Network                        | Web
Restrict access      | Firewall                       | Everyone has access
Authenticate users   | Windows/Unix auth              | HTTP has weak authentication
Monitor for attacks  | IDS/IPS                        | Critical traffic is in an SSL tunnel
Track users (state)  | Use of TCP/IP connections      | HTTP is stateless
Block known attacks  | IPS (self-defending networks)  | Web attacks are extremely hard to distinguish from normal activity

[Diagram: Internet -> DMZ -> Trusted Inside -> Corporate Inside; protocols HTTP(S), IMAP, FTP, SSH, TELNET, POP3]
- Firewall only allows port 80 (or 443 SSL) traffic from the Internet to the web server (any web server, port 80: IIS, SunOne, Apache).
- Firewall only allows applications on the web server (ASP, .NET) to talk to the application server (WebSphere, Java).
- Firewall only allows the application server to talk to the database server (SQL, Oracle, DB2).

Security weaknesses software is prone to:
- SQL injections
- Buffer overflows
- Information leakage
- Other categories
The bottom line of software security weaknesses: operations, availability, compliance, credibility, reputation.

Hackers attack our systems directly through software weaknesses
Demonstration: attacking an application system to steal business information and damage the application.
Attack methods used: SQL Injection, Cross-Site Scripting, Privacy Violation, Forceful Browsing.
[Attack demonstration]

Software must protect itself
Outside: source IP, destination IP, fragmented data, HTTP requests?
Inside: user sessions, SQL queries, application variables, historical patterns.

Principles of the traditional school of security technology education:
- Use firewalls to define the system "perimeter" and isolate the software from the outside world.
- Over-reliance on encryption (SSL: a secure lock on a paper bag!).
- Review the product only when it is about to ship; at that stage all that gets said is "Why did we do this like this?", "We'll fix it with a patch", and "We already know about that problem."
- Disallow advanced technology: if it's new, it must have problems; let's wait until the technology is mature and safe before we use it; find every possible reason to reject the idea of using new technology.

The traditional school of security technology education
Penetration testing and patching are not the best way to eliminate software security problems. Penetrate and Patch is Bad.
[Chart: average curve of the number of intrusions for a security bug over time, as reported by Arbaugh, Fithen and McHugh, 2000]

Traditional security model:
- protect the "perimeter"
- network security
- security is the responsibility of IT/MIS/CISSP departments
- reactive
New security model:
- build secure systems
- design secure software
- software developers and designers are responsible for security
- proactive
*COTS = Commercial off the shelf

The root problem of software security
Software security problems are defects in the software itself. They arise mainly during software design and software implementation, and manifest concretely as architectural problems in software design and on the implementation side