The Battle for Software Security (軟體安全防護大作戰)
TRANSCRIPT
![Page 2: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/2.jpg)
Agenda
Latest potential risks in application systems and mobile apps
- Software vulnerabilities remain a serious problem
- OWASP Top 10 and Mobile Top 10 identify the common vulnerability types
Defense priorities the enterprise should consider as a whole
- Implement secure software development
- Strengthen defense in depth so that attacks can actually be withstood
Sharing 叡揚 (Galaxy Software Services) experience from 10 years of deploying application security solutions at more than 100 customers
- Key success factors
- Supporting practices and execution priorities
Strengthening app security, reducing information security risk
![Page 3: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/3.jpg)
Security incidents
(Figure: snapshot taken 2014/1 of the "World's Biggest Data Breaches & Hacks" visualization, covering 2013 to 2014)
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
![Page 4: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/4.jpg)
Security incidents
(Figure: snapshot taken 2015/10/2 of the same visualization, latest incidents since 2014)
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
![Page 5: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/5.jpg)
Software security problems keep surfacing
(Figure: attack surface by layer: Application / Host / Network)
"75% of hacks occur at the application level" - Gartner
"92% of reported vulnerabilities are in applications, not networks" - NIST
![Page 6: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/6.jpg)
Mobile app security survey
(Figure: survey results for the Top 100 Paid Apps)
![Page 7: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/7.jpg)
International standards and regulatory compliance
Compliance presets: PCI DSS, HIPAA, SANS Top 25, OWASP Top 10 & Mobile Top 10, BSIMM, CWE
Mix and match existing presets or create your own policy
![Page 8: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/8.jpg)
OWASP Top 10 Risks 2013
Common vulnerability types in web applications
A1: Injection
A2: Broken Authentication and Session Management
A3: Cross-Site Scripting (XSS)
A4: Insecure Direct Object References
A5: Security Misconfiguration
A6: Sensitive Data Exposure
A7: Missing Function Level Access Control
A8: Cross-Site Request Forgery (CSRF)
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
![Page 9: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/9.jpg)
Mobile app risks
Consumer mobile apps are publicly obtainable
Even an app with no coding vulnerabilities is easily reverse engineered, decompiled and tampered with
(Figure: a "Secure" App becomes a Hacked App; applies to both IPA and APK packages)
![Page 10: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/10.jpg)
Mobile app risks
There are many ways to crack executable code; they threaten Confidentiality and Integrity
![Page 11: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/11.jpg)
Mobile app risks
Common attack flow (figure)
![Page 12: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/12.jpg)
Mobile app risks
Common attack flow (figure, read as a chain from entry to impact):
- Entry: compromise the handset directly; analyze packet data; decompile and analyze the app; attack the back-end host through source-code weaknesses (e.g., injection); tamper with the app and redistribute it
- Harvest: steal the app's sensitive data; steal users' personal data; implant malware for monitoring
- Pivot: use the device as an APT stepping stone or for DDoS against hosts; reach critical network segments; obtain privileged accounts and impersonate identities; use the app as a channel for exfiltrating internal sensitive data
- Business impact: pirated builds; stolen algorithms and features; the tampered build replaces the official one; loss of consumer confidence
![Page 13: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/13.jpg)
OWASP Mobile Top 10 Risks 2014
OWASP: binary hardening is a key risk area (M10, Lack of Binary Protections)
(Figure: IPA and APK packages)
![Page 14: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/14.jpg)
The security officer's challenges
#1: Lack of secure coding knowledge
(Figure: Developers vs. Security Manager)
![Page 15: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/15.jpg)
The security officer's challenges
#2: Outnumbered (a few security staff against many developers)
(Figure: Developers vs. Security Manager)
![Page 16: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/16.jpg)
The security officer's challenges
#3: Cost control
![Page 17: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/17.jpg)
Software security challenges
Developers are not security experts
Security teams find the problems too late in the SDLC
(Figure: per phase, the percentage of bugs introduced, the percentage of bugs found and the cost to repair a bug, across Code, Build, Test and Release, with SAST and PENTEST marked as the points at which each finds defects; values shown: 85% of bugs, and repair costs of $25, $100, $250, $1,000 and $16,000)
![Page 18: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/18.jpg)
Secure software development life cycle
Curing the root cause: "Build Security In"
Security touchpoints mapped to software artifacts (figure):
- Requirements and use cases: Abuse Cases; Security Requirements
- Architecture and design: Risk Analysis
- Test plans: Risk-based Security Tests
- Code: Code Review (Tools)
- Tests and test results: Penetration Testing; Risk Analysis
- Feedback from the field: Security Operations
![Page 19: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/19.jpg)
Key success factors: the 4 Ps
- People: Champions
- Process: Standard & Integration
- Product: Easy to use
- Price: Total Cost of Ownership
![Page 20: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/20.jpg)
People
Champions
- Design: the security team defines the secure coding standards
- Development: the development team writes secure code
- Test: the testing team performs security testing
- Go-live: the security team verifies compliance with the security standards
![Page 22: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/22.jpg)
Proactive secure programming, the earlier the better
Instructor-led training
Online secure coding courses
(Figure: the security touchpoints diagram from the Secure SDLC slide, repeated)
![Page 23: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/23.jpg)
Role-based course design
Course matrix with columns Touchpoint | Foundational | Subject Matter Expert | Security Champion; courses listed by row:
- Foundations: Foundations of Information Security Awareness; Foundations of Software Security; Introduction to PCI for Developers; Introduction to Cryptography for Architects & Developers
- Requirements, Threats and Architecture: Foundations of Software Security Requirements; Foundations of Threat Modeling; Architecture Risk Analysis
- Coding Errors and Defensive Programming: Attack and Defense: OWASP Top 10 Plus 2; Defensive Programming: JavaEE (Web Applications); Defensive Programming: JavaScript & HTML5 (1 day)
- Security Testing: Risk-based Security Testing Strategy
- Mobile: Foundations of Mobile Security; Foundations of Android Security; Foundations of iOS Security; Defensive Programming for Android; Defensive Programming for iOS
- Time requirements: Foundational 9 h 15 min; Subject Matter Expert 5 h 45 min; Security Champion 4 h 30 min
![Page 24: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/24.jpg)
Role-based course design
Mobile security courses added
| # | Role | Classes |
|---|------|---------|
| 1 | Mobile Developer | Foundations of Mobile Security; platform track (Android: Foundations of Android Security, Defensive Programming Android; iOS: Foundations of iOS Security, Defensive Programming iOS; JavaScript/HTML5: Foundations of JavaScript/HTML5, Defensive Programming JavaScript/HTML5); Foundations of Threat Modeling |
| 3 | Mobile Architects | Foundations of Mobile Security; Foundations of Threat Modeling |
| 4 | AD Leads | Foundations of Mobile Security; Foundations of Android or iOS Security; Foundations of Threat Modeling |
![Page 25: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/25.jpg)
Cigital, the world's largest software security consultancy
More than 22 years of forward-looking research and customer service by its consultants
Curriculum originating from work for the US Department of Defense and NASA
More than 20 books and over 100 professional reports and industry analyses published
A knowledge base of software security expertise
![Page 27: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/27.jpg)
Process
Standard
Security criteria are graded and classified by risk level
Scanning conditions and acceptance criteria are set per class
(Table: required activities by project risk classification (High risk / Medium risk / Low risk) for Security requirements, Static analysis¹, Dynamic scanning, Pen testing, Manual code review and Test scripts, across Native, Hybrid, Mobile and Web application types; individual cells are marked New² or NA)
![Page 28: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/28.jpg)
Process
Standard
Security criteria are graded and classified by risk level
Scanning conditions and acceptance criteria are set per class
| Project type | Remediation standard (scanning condition) |
|---|---|
| External website | 1. High – OWASP Top 10; 2. High – All; 3. Medium – OWASP Top 10 |
| Important user-facing systems | 1. High – All; 2. High – SANS Top 25 |
| Other systems | 1. High – SANS Top 25 |
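The table above is only useful if it is enforced mechanically at check-in or release time. The following is an added example, not code from the deck or from Checkmarx: it encodes the three remediation standards as data and evaluates a scan's findings against them, reporting which findings block the release and which criterion each one violates. The project-type names, the `Finding` fields, the rule-set tags and the sample findings are assumptions constructed for illustration.

```python
"""Release acceptance gate that applies the remediation criteria per project type.

Added example (not the deck's or Checkmarx's code). Project-type names,
finding fields, rule-set tags and the sample scan result are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

ALL = "ALL"  # wildcard: findings from any rule set count

# Remediation criteria from the table: every (severity, rule set) pair listed
# for a project type must have zero open findings before release is accepted.
GATES: dict[str, list[tuple[str, str]]] = {
    "external-website": [("High", "OWASP Top 10"), ("High", ALL), ("Medium", "OWASP Top 10")],
    "important-user-system": [("High", ALL), ("High", "SANS Top 25")],
    "other": [("High", "SANS Top 25")],
}


@dataclass(frozen=True)
class Finding:
    query: str                 # SAST query (rule) that fired
    severity: str              # High / Medium / Low / Info
    file: str
    line: int
    rulesets: frozenset[str]   # compliance presets the query is mapped to


def violates(rule: tuple[str, str], finding: Finding) -> bool:
    severity, ruleset = rule
    return finding.severity == severity and (ruleset == ALL or ruleset in finding.rulesets)


def evaluate_gate(project_type: str, findings: list[Finding]):
    """Return (passed, blocking); blocking pairs each offending finding with the
    first criterion it violates. An unknown project type raises KeyError rather
    than silently passing, so a mis-tagged project cannot slip through."""
    criteria = GATES[project_type]
    blocking = []
    for f in findings:
        for rule in criteria:
            if violates(rule, f):
                blocking.append((f, rule))
                break
    return (not blocking, blocking)


def gate_report(project_type: str, findings: list[Finding]) -> str:
    passed, blocking = evaluate_gate(project_type, findings)
    lines = [f"[{project_type}] {'PASS' if passed else 'FAIL'}: {len(blocking)} blocking finding(s)"]
    for f, (sev, rs) in blocking:
        lines.append(f"  {f.query} {f.file}:{f.line} ({f.severity}) violates {sev} / {rs}")
    return "\n".join(lines)


# Constructed sample scan result, not output from a real scan.
SAMPLE_FINDINGS = [
    Finding("SQL_Injection", "High", "Login.java", 42, frozenset({"OWASP Top 10", "SANS Top 25"})),
    Finding("Reflected_XSS", "Medium", "Search.jsp", 17, frozenset({"OWASP Top 10"})),
    Finding("Hardcoded_Password", "High", "Db.java", 8, frozenset({"CWE"})),
    Finding("Log_Forging", "Low", "Audit.java", 90, frozenset({"CWE"})),
]

if __name__ == "__main__":
    for project_type in GATES:
        print(gate_report(project_type, SAMPLE_FINDINGS))
```

Run against the same four findings, the external website fails on three of them, the important user-facing system on two, and "other systems" only on the SQL injection, because the hard-coded password is High but is not mapped to SANS Top 25. That last case is the practical caveat of preset-based gates: a finding outside the chosen preset is invisible to the gate, so the "High – All" criterion is what catches it.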
![Page 29: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/29.jpg)
Process
Integration
(Figure: source code check-in workflow between the development unit and the control unit)
- Development unit: code check-in request; source code diff comparison; source code review; check-in review and sign-off; release result notification
- Control unit: program diff comparison; check-in review and sign-off; program build; release deployment
- Integrations: AD accounts; function-level permission settings; source code review with automated source scanning; requirements management system; version control system; check-in control; statistics and analysis
![Page 30: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/30.jpg)
![Page 31: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/31.jpg)
Product: precise and effective
To do a good job, one must first sharpen one's tools (工欲善其事，必先利其器)
- More than 700 rules covering both security and quality; scanning conditions can be selected flexibly
- Multiple scan modes: Full scan of the entire project or of a single source file; Incremental scan that analyzes only the code differences and still produces a complete report in less time
- Fast remediation: shows the call flow of each vulnerability, the best fix point, and the principle behind the weakness with remediation advice and examples
- Audit management: automatically consolidates scan history and offers flexible analysis
- 17 languages: .NET (C#, ASP.NET, VB.NET); VBScript, Classic ASP, VB6; Java/JSP, C/C++, PHP; JavaScript/AJAX, Ruby, Perl; iOS (Objective-C), Android (Java), Windows Mobile (C#); PL/SQL, HTML5; Python, Groovy
![Page 32: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/32.jpg)
Checkmarx SAST Architecture
(Figure: Virtual Compiler → Code & Flow DB → Security Query ("Beyond Security") → Detection Engine)
![Page 33: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/33.jpg)
Selecting scanning conditions
![Page 34: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/34.jpg)
Effective analysis
Points directly to the insecure source files
- Identifies the exact source line where each weakness occurs
- Automatically generates a call graph so the problem flow can be traced
- Weaknesses are ranked by severity (H/M/L/I)
- Findings are categorized and attributed to the program in which they occur
![Page 35: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/35.jpg)
Effective analysis
Detailed weakness descriptions
![Page 36: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/36.jpg)
Effective analysis
Best fix point: fix many weaknesses at once
Identifies the cause point shared by a whole class of findings; starting there gives the highest remediation efficiency
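To make the "best fix point" idea concrete, here is an added example, not code from the deck or from Checkmarx: a small, constructed data-flow graph in which three untrusted inputs reach three kinds of sink, producing eight separate findings, and a greedy heuristic that picks the node shared by the most attack flows so that one code change closes as many findings as possible. The node names, the sink categories and the tie-break rule (prefer the candidate nearest the sources) are assumptions for illustration.

```python
"""Best fix point over a data-flow graph of SAST findings.

Added example (not the deck's or Checkmarx's code). The graph, sink
categories and tie-break rule are constructed assumptions.
"""
from collections import Counter, defaultdict

# Constructed graph: an edge a -> b means tainted data flows from a to b.
GRAPH = {
    "getParam_id":   ["normalize"],
    "getParam_name": ["normalize"],
    "readHeader":    ["buildSql"],
    "normalize":     ["buildSql", "render"],
    "buildSql":      ["execute", "logWrite"],
    "render": [], "execute": [], "logWrite": [],
}
SOURCES = ["getParam_id", "getParam_name", "readHeader"]                         # untrusted inputs
SINKS = {"render": "XSS", "execute": "SQL_Injection", "logWrite": "Log_Forging"}  # sink -> finding type


def enumerate_flows(graph, sources, sinks):
    """Every simple source-to-sink path; each one is a separately reported finding."""
    flows = []

    def dfs(node, path):
        if node in sinks:
            flows.append(list(path))
        for nxt in graph.get(node, []):
            if nxt not in path:          # simple paths only, so cycles terminate
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for src in sources:
        dfs(src, [src])
    return flows


def summarize(flows, sinks):
    """Finding count per vulnerability type, as a scanner would list them."""
    return dict(Counter(sinks[flow[-1]] for flow in flows))


def best_fix_points(flows):
    """Greedy set cover: repeatedly pick the node lying on the most still-uncovered
    flows. The source node itself is never a candidate (reading input is not the
    defect); ties go to the node nearest the sources so the fix sits before the
    data fans out (assumed heuristic)."""
    remaining = list(range(len(flows)))
    chosen = []
    while remaining:
        cover = defaultdict(list)        # node -> [(flow index, position on path)]
        for i in remaining:
            for pos, node in enumerate(flows[i][1:], start=1):
                cover[node].append((i, pos))
        if not cover:
            break
        node, hits = min(
            cover.items(),
            key=lambda kv: (-len(kv[1]), sum(p for _, p in kv[1]) / len(kv[1]), kv[0]),
        )
        chosen.append((node, len(hits)))
        covered = {i for i, _ in hits}
        remaining = [i for i in remaining if i not in covered]
    return chosen


if __name__ == "__main__":
    flows = enumerate_flows(GRAPH, SOURCES, SINKS)
    print(f"{len(flows)} flows:", summarize(flows, SINKS))
    for node, n in best_fix_points(flows):
        print(f"fix at {node}: closes {n} flow(s)")
```

On this graph the eight findings collapse to two fix points: `normalize` sits on six of the flows, and `buildSql` closes the two that enter through `readHeader`. The caveat a reviewer should keep in mind is that a shared node is only a good fix point if the fix applied there is actually correct for every downstream sink; input normalization does not replace a parameterized query at `execute` or output encoding at `render`, so the fix at the shared node is usually validation, and the sink-specific defenses still belong at the sinks.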
![Page 37: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/37.jpg)
Flexible project management
- Drag rows and columns freely for pivot analysis
- Multiple chart types
- Export to PDF/Excel
![Page 38: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/38.jpg)
Scan reports
Overview information (the following slides show report screenshots)
![Page 39: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/39.jpg)
![Page 40: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/40.jpg)
![Page 41: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/41.jpg)
![Page 42: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/42.jpg)
![Page 43: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/43.jpg)
![Page 44: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/44.jpg)
Checkmarx built-in integration mechanisms
![Page 45: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/45.jpg)
Implementing the secure software development life cycle
(Figure: phases Design, Build, Test Plan, Test, Deploy, with the activities below placed along them)
Activities: High-Level Risk Assessments; Security Policy Review; Define Security Requirements; Security Architecture Review; Threat Modeling; Static Analysis; Dynamic Testing; Penetration Testing; Application Monitoring; Secure Code Review; Secure Coding Training; Final Functional & Security Testing
![Page 46: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/46.jpg)
Gate-keeping for your apps
Binary code and source code
- Free of critical flaws and vulnerabilities
- Protects itself against attacks
![Page 47: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/47.jpg)
Curing the root cause: "Build Security In"
Without disrupting the development process
![Page 48: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/48.jpg)
Supports multiple platforms
3/16/2016
- Broad platform support: Java, ARM, x86, .NET; over 7 mobile platforms alone
- Binary vs. source approach: no source code changes required
- Defense-in-depth approach with multiple protection techniques: Hook Detection, Data Obfuscation, Symbol Stripping, Code Obfuscation, Symbol Renaming, Root Detection, Resource Verification, Checksum, Anti-Debug, Self-Repair, Damage, Swizzling Detection
The most advanced technology: an interlocking network of protections
Comprehensive defense against both static and dynamic analysis
Ensures confidentiality and integrity
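Two of the techniques listed above, Resource Verification and Checksum, are simple enough to show end to end. The following is an added example, not code from the deck or from Arxan: a build step hashes the app's resources into a manifest protected by an HMAC, and a start-up check reports resources that were modified, removed or added, as well as a manifest an attacker rewrote after tampering. The resource contents, file names and the embedded key are constructed assumptions for illustration.

```python
"""Resource verification with a keyed checksum manifest.

Added example (not the deck's or Arxan's code). Resource contents, names
and the embedded key are constructed assumptions.
"""
import hashlib
import hmac
import json


def _canonical(hashes: dict) -> bytes:
    # Canonical JSON so the MAC is stable regardless of dict ordering.
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(resources: dict, key: bytes) -> dict:
    """Build step: SHA-256 of every resource plus an HMAC over the hash table,
    so an attacker cannot simply recompute the hashes after tampering."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in resources.items()}
    return {"hashes": hashes, "mac": hmac.new(key, _canonical(hashes), hashlib.sha256).hexdigest()}


def verify_resources(resources: dict, manifest: dict, key: bytes) -> list:
    """Start-up check: return the list of violations (empty means intact)."""
    violations = []
    expected_mac = hmac.new(key, _canonical(manifest["hashes"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        violations.append("manifest: MAC mismatch (manifest replaced or edited)")
    for name, digest in manifest["hashes"].items():
        data = resources.get(name)
        if data is None:
            violations.append(f"{name}: missing")
        elif not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            violations.append(f"{name}: hash mismatch (modified)")
    for name in resources:
        if name not in manifest["hashes"]:
            violations.append(f"{name}: not in manifest (added)")
    return violations


# Constructed app contents and key (assumptions, not a real app).
SIGNING_KEY = b"demo-key-embedded-in-the-app"
APP_RESOURCES = {
    "lib/core.bin": b"\x7fELF constructed native code bytes",
    "assets/config.json": b'{"api":"https://api.example.com/"}',
    "assets/license.txt": b"demo license text",
}
MANIFEST = build_manifest(APP_RESOURCES, SIGNING_KEY)


def tamper_scenarios() -> dict:
    """Run the check against an intact copy and two tampered copies of the app."""
    modified = {**APP_RESOURCES, "assets/config.json": b'{"api":"https://evil.example/"}'}
    forged = build_manifest(modified, b"attacker-guess")   # attacker does not hold the key
    return {
        "intact": verify_resources(APP_RESOURCES, MANIFEST, SIGNING_KEY),
        "modified_resource": verify_resources(modified, MANIFEST, SIGNING_KEY),
        "rewritten_manifest": verify_resources(modified, forged, SIGNING_KEY),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name}: {result or 'OK'}")
```

The check itself is straightforward; what makes it hold up in a shipped app is everything else on the list above. The key and the verification routine live inside the binary, so an attacker who can read the key can re-sign a tampered manifest, and one who can patch out the call to `verify_resources` does not need to. That is why this check is paired with obfuscation, anti-debug and the checksum guards that verify each other: no single guard has to survive on its own.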
![Page 49: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/49.jpg)
The Secure SDLC needs integrity protection added
Integrity Protection
ARXAN CONFIDENTIAL
(Figure: the phases and activities of the Secure SDLC slide above, Design, Build, Test Plan, Test & Deploy, extended with a Protect phase)
Protect: Application Integrity Protection; App Integrity Protection Design; Application Integrity Vulnerability Assessment
![Page 50: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/50.jpg)
叡揚 (Galaxy Software Services) security team: your best partner
- 2006: First to introduce source code security scanning tools; has since assisted more than 100 customers
- 2010: Introduced several application security and data protection solutions
- 2012: Built an automated source code scanning mechanism, putting the Secure SDLC into practice
- 2012: Launched a cloud-based source scanning service (Secure Code On Demand)
- 2013: Carried out a security health-check project for a large bank, with high customer satisfaction
- 2013: Started hands-on secure coding classes for .NET and Java; more than 300 trainees so far
- 2014: Built an enterprise-grade application data encryption platform
- 2015: Introduced an anti-reverse-engineering solution, helping a customer resolve a crisis in which its app had been reverse engineered and the company's image damaged
- 2016: Provides full-life-cycle, comprehensive application security solutions
![Page 52: 軟體安全防護大作戰](https://reader035.vdocuments.pub/reader035/viewer/2022062900/58ec8f121a28ab9a168b46d7/html5/thumbnails/52.jpg)
Demo
3/8 14:20~14:40 Source code scanning made easy: fast vulnerability remediation and SDLC integration
Demonstration of Checkmarx, the source code scanning tool rated first by Gartner, helping developers, development managers and security staff gate software security and integrate with the SDLC, for example the development and release workflows.
(1) How to run a source scan: upload and scan within 10 minutes; fetch source code automatically from version control; automated scanning (build-management integration, incremental scanning of code changes)
(2) Scanning against regulatory presets (OWASP Top 10, Mobile Top 10, etc.)
(3) Report review: detailed vulnerability paths with file names and line numbers; fast remediation, fixing many vulnerabilities at once; pivot analysis of vulnerability trends and lists across multiple systems