Continuing Commentary on NIST AppSec Guidance

Continuing my commentary on NIST's #appsecurity guidance: once again, NIST reiterates what we recommended in Core Software Security and then updated for Agile, CI/CD and DevOps in Building In Security At Agile Speed:


— Threat model
— Automate as much as possible
— Static analysis or equivalent (SAST/IAST)
— DAST (web app/API scan)
— Functional tests
— Negative testing
— Fuzz
— Check included third-party software


The NIST guidance calls out heuristic discovery of hard-coded secrets. Definitely a good idea. I maintain that it is best to design in protections for secrets through threat modelling. Secrets should never be hard-coded without a deep and rigorous risk analysis. (There are a few cases I've encountered where there was no better alternative. These are few and very far between.)
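To make "heuristic hard-coded secrets discovery" concrete, here is an added example (my illustration for this post, not NIST's text or any vendor's scanner) of the three heuristics such tools combine: known credential formats, string literals assigned to secret-looking names, and long high-entropy literals, with a placeholder allow-list to keep the false-positive rate down. The sample source it scans is constructed for the example; the AKIA prefix is AWS's documented access key ID prefix, and the entropy threshold is an assumption you would tune against your own code base.

```python
"""Heuristic hard-coded secret discovery over source text.

Added illustration, not code from the page, NIST, or any vendor tool.
Three heuristics real scanners combine: known credential formats,
secret-looking assignments, and high-entropy string literals, plus a
placeholder allow-list. The sample source below is constructed.
"""
import math
import re

# 1. Known credential formats. AKIA is AWS's documented access key ID prefix.
FORMAT_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# 2. A string literal of 8+ characters assigned to a secret-looking name.
KEYWORD_RULE = re.compile(
    r"(?i)\w*(?P<name>api[_-]?key|secret|passw(?:or)?d|token|private[_-]?key)\w*"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)
# 3. Any long base64/hex-looking literal, judged by its entropy.
LITERAL_RULE = re.compile(r"['\"](?P<value>[A-Za-z0-9+/=_\-]{20,})['\"]")
PLACEHOLDER_RULE = re.compile(r"(?i)^(?:changeme|example|placeholder|x+|\$\{[^}]*\}|<[^>]*>)$")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption, tune for your code base


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or one-symbol strings)."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo a discovered secret in full: prefix plus length only."""
    return value[:4] + "..." + str(len(value))


def scan_line(lineno: int, line: str) -> list:
    """Return zero or one finding for a line; the strongest heuristic wins."""
    for kind, rule in FORMAT_RULES.items():
        m = rule.search(line)
        if m:
            return [{"line": lineno, "kind": kind, "severity": "high",
                     "preview": redact(m.group(0))}]
    m = KEYWORD_RULE.search(line)
    if m:
        value = m.group("value")
        placeholder = PLACEHOLDER_RULE.match(value) is not None
        return [{"line": lineno, "kind": "assignment:" + m.group("name").lower(),
                 "severity": "low" if placeholder else "high", "preview": redact(value)}]
    m = LITERAL_RULE.search(line)
    if m and shannon_entropy(m.group("value")) >= ENTROPY_THRESHOLD:
        return [{"line": lineno, "kind": "high_entropy_literal", "severity": "high",
                 "preview": redact(m.group("value"))}]
    return []


def scan_source(text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(lineno, line))
    return findings


# Constructed sample source: two clean lines, four that should be reported.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_KEY = "sk_live_4f8b2c9d1e7a6b3c0d5e9f1a2b3c4d5e"
password = "changeme"
aws_key = "AKIAIOSFODNN7EXAMPLE"
signing_material = "q7Lm2Zp9Xc4Wv1Hk8Rt3Jn6Ys0Bd5FgA"
banner = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
message = "hello world this is not a secret"
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Lines 3 to 6 of the sample are reported; line 2 (read from the environment), line 7 (long but zero-entropy) and line 8 (a prose string) are not. Note that the AWS example key on line 5 scores below the entropy threshold, which is why scanners keep format rules alongside entropy, and that the placeholder on line 4 is still reported, at low severity, because a placeholder in production code is its own finding.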

The NIST guidance is essentially the same as our industry-standard, generic Security Development Lifecycle (SDL).

There has been an implicit industry consensus on what constitutes effective software security for quite a while. Let's stop arguing about it, OK? Call the activities whatever you like, but do them.

Especially, fuzz all inputs that will be exposed to heavy use (authenticated or not!). I've been saying this for years. I hope that fuzzing tools are finally coming up to our needs.
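Why fuzzing catches what hand-written negative tests miss is easier to see on code, so here is an added example (mine, not from the page, NIST or any fuzzing vendor): a toy count-and-length-prefixed record parser, a hardened version of it, and a minimal mutation fuzzer that runs both. The record format, seed corpus and mutation operators are constructed for the example. In Python the out-of-bounds write on the fixed-size record buffer surfaces as an IndexError; in C the same logic is a stack buffer overflow.

```python
"""Mutation fuzzing of an input parser: vulnerable and hardened versions.

Added example, not code from the page or from any fuzzing vendor. The parser,
its record format, the mutation operators and the seed corpus are constructed
for illustration.
"""
import random

RECORD_MAX = 16  # fixed-size per-record buffer (the "stack buffer")


class ParseError(Exception):
    """The parser's own, expected rejection of malformed input."""


def parse_records_vulnerable(data: bytes) -> list:
    """Count byte, then records of (length byte, payload). Trusts the length byte."""
    if not data:
        raise ParseError("empty message")
    count, pos, records = data[0], 1, []
    for _ in range(count):
        if pos >= len(data):
            raise ParseError("truncated record header")
        length, pos = data[pos], pos + 1
        buf = bytearray(RECORD_MAX)
        for i in range(length):  # missing check: length <= RECORD_MAX
            if pos >= len(data):
                raise ParseError("truncated payload")
            buf[i] = data[pos]   # IndexError once i == RECORD_MAX: the overflow
            pos += 1
        records.append(bytes(buf[:length]))
    return records


def parse_records_hardened(data: bytes) -> list:
    """Same format; each length is validated against the buffer and the input."""
    if not data:
        raise ParseError("empty message")
    count, pos, records = data[0], 1, []
    for _ in range(count):
        if pos >= len(data):
            raise ParseError("truncated record header")
        length, pos = data[pos], pos + 1
        if length > RECORD_MAX:
            raise ParseError("record exceeds RECORD_MAX")
        if pos + length > len(data):
            raise ParseError("truncated payload")
        records.append(bytes(data[pos:pos + length]))
        pos += length
    return records


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)  # boundary values that stress length fields

SEED_CORPUS = [  # constructed, well-formed messages
    bytes([2, 8]) + b"A" * 8 + bytes([8]) + b"B" * 8,
    bytes([1, 16]) + b"C" * 16,
]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations: bit flip, interesting byte, insert, delete."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        pos = rng.randrange(len(buf))
        op = rng.randrange(4)
        if op == 0:
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == 1:
            buf[pos] = rng.choice(INTERESTING)
        elif op == 2:
            buf.insert(pos, rng.randrange(256))
        elif len(buf) > 1:
            del buf[pos]
    return bytes(buf)


def fuzz(target, corpus, iterations: int, seed: int = 0):
    """Return (input, exception) for the first unexpected exception, or None if target survives."""
    rng = random.Random(seed)
    for _ in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        try:
            target(data)
        except ParseError:
            continue              # clean rejection is correct behaviour
        except Exception as exc:  # anything else is a bug the parser never anticipated
            return data, exc
    return None


if __name__ == "__main__":
    hit = fuzz(parse_records_vulnerable, SEED_CORPUS, 3000, seed=1)
    print("vulnerable:", type(hit[1]).__name__ if hit else "survived", hit[0].hex() if hit else "")
    print("hardened:", fuzz(parse_records_hardened, SEED_CORPUS, 3000, seed=1) or "survived")
```

The vulnerable parser passes the obvious negative tests (empty input, truncated input) because it does reject those cleanly; what it never checks is a length byte larger than its buffer when enough payload follows. A few thousand mutations of two seed messages find that path; the hardened parser, which bounds every length before touching the buffer, survives the same run with nothing but ParseError.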

https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/recommended-minimum-standard-vendor-or-developer

MITRE D3FEND Is Your Friend

Defenders have to find the correct set of defences for each threat. Many attacks have no single direct prevention, which makes threat-to-defence a many-to-many relationship: threat:defence == M:N.

Certainly some vulnerabilities can be prevented or mitigated with a single action. But overall, other threats require an understanding of the issue and of which defences might be applied.

While prevention is the holy grail, often we must:

— Limit access (in various ways and at various levels in the stack)
— Mitigate effects
— Make exploitation more difficult (attacker cost)

MITRE's D3FEND maps defences to attacks:

“…tailor defenses against specific cyber threats…”

In my threat modelling classes, the two most difficult areas for participants are finding all the relevant attack scenarios and then putting together a reasonable set of defences for each credible attack scenario. Typically, newbie threat modellers will identify only a partial defence, or misapply a defence.

MITRE ATT&CK helps to find all the steps an attacker might take from initial contact to compromise.

MITRE D3FEND, and the ontology that links ATT&CK and D3FEND, give defenders what we need to then build a decent defence.

https://www.csoonline.com/article/3625470/mitre-d3fend-explained-a-new-knowledge-graph-for-cybersecurity-defenders.html#tk.rss_all

I don’t typically amplify security tool vendors’ announcements.

However, for about 15 years, I've been urging vendors to address the millions of developers who do not work for a company large enough to afford million-dollar tools, or even tools whose entry price is tens of thousands of dollars. Millions of programmers cannot afford commercial tools as currently priced; I'm sorry to be so very blunt.

ForAllSecure have done it! The Mayhem for API Free Plan*
This is a significant step in the right direction to everyone’s benefit.

(Please attend my keynote at FuzzCon, August 5th, for what’s wrong with #appsec and why multiple techniques that must include #fuzzing comprise our current best hope for software security.)

Kudos to the folk at ForAllSecure. You’re leading the way towards a brighter, more secure future.

To be fair, a couple of static analyzer vendors have offered open source projects free scanning for quite some time. Open source programmers: there’s no excuse for not taking advantage of these services!

Still, much software is proprietary, with a lot of that written by startups, small shops and lone programmers. These coders need tools, too. We all suffer because a large percentage of coders don't have access to a broad selection of commercial-grade tools.

Other vendors, are you listening? I hope so.

*50 free scans/month

cheers,

/brook