Beyond Coding - Adopting the Right Mindset for Secure Software Development

(ISC)2 Rome Event, November 2011 · 2011-11-10 · Alessandro Moretti, CISSP, CSSLP, (ISC)2 European Advisory Board


Page 2

Decision Making – Natural?

• Mental cognitive process resulting in the selection of a course of action among several alternatives to produce a final choice.
• The output can be an action or an opinion of choice.
• Objectives must first be established, classified and placed in order of importance.
• Alternative actions must be developed.
• The alternatives must be evaluated against all the objectives.
• The alternative that is able to achieve all the objectives is the tentative decision.
• The tentative decision is evaluated for further possible consequences.
• The decisive actions are taken, and additional actions are taken to prevent any adverse consequences from becoming problems and starting both systems (problem analysis and decision making) all over again.

Page 3

Risk Assessment – Skilful?

• Supports most of our daily life decisions
• Supports gain vs loss decisions
• Decision makers are not paid to gamble
• Apply risk assessment “holistically” to Software Security and the SDLC...
• Choice?

Page 4

Beyond Coding

• Supply vs Demand – The need for a security mindset
• Risk Assessment – what is good Secure Software Development?
• What next? – Sustaining Assurance

Page 5

Alessandro Moretti

Alessandro Moretti, CISSP, CSSLP, MBCS, CEng, CITP is Co-Chair of the European Advisory Board for (ISC)2, a non-profit professional consortium which represents over 80,000 members worldwide.

Alessandro has over fifteen years' experience in information security. He has formerly held posts at the National Computing Centre, ICL and BNFL. He is currently employed as Head of IT Risk Services for UBS.

Page 6

Overview & Background

• Global leaders in certifying and educating information security professionals with the CISSP® and related concentrations, CSSLP® and SSCP®.
• Formed in 1989, not-for-profit consortium of industry leaders.
• Over 80,000 certified professionals in more than 135 countries.
• Board of Directors – top information security professionals worldwide.
• All credentials are accredited to ANSI/ISO/IEC Standard 17024, with the CISSP being the first technology-related credential to receive this accreditation.

Page 7

Macro trends – Risk and Security

• Increased threat due to economic issues: risk tradeoffs among security, flexibility, performance, and cost.
• Globalization means companies take advantage of vendors and suppliers around the world.
• The externalisation of IT moves technical controls over information to contractual and legal controls.
  – the application servers may reside in a “cloud” (SaaS)
• Security and privacy concerns increase; increased regulation and inspection.

Page 8

Supply vs Demand – The need for a security mindset

• Designers, architects and business analysts are focused on functional specifications.
• Rapid application development techniques reduce time to market, but reduce time spent on building in security.
• Commercial system providers, customers, and in-house developers need to change their security mindset.

Page 9

People and Process – Planning for security and risk

• Software (application) security is the responsibility of all the stakeholders that are influencers in the software development life cycle (SDLC).
• Any software is the result of a confluence of people, process, and technology. Secure software is the result of educated and informed people implementing processes using inherently secure technologies to provide solutions to a business need.

Page 10

Insecure Software: Process Problem

Developers have little appreciation for basic security tenets:

• Protection from disclosure (confidentiality)
• Protection from alteration (integrity)
• Protection from destruction (availability)
• Validating who is making the request (authentication)
• What rights and privileges does the requestor have (authorization)
• The ability to build historical evidence (auditing) and the management of configuration, sessions and exceptions
• If they are aware of the principles, do they understand the implementation practices?

Page 11

Insecure Software: People Problem

Three primary conditions create information security vulnerabilities in enterprise software applications:

• Inexperienced developers writing code
• Experienced developers writing code with inadequate training in best practices for security
• Designers and managers failing to include security considerations prior to development

Influencers not understanding information security issues as they pertain to the secure software lifecycle.

Page 12

IT Decision Making – Preparing for Choice

• Customer – How do I choose the right provider, with the right security mindset?
• Supplier – How do I demonstrate we have the right security mindset?
• People and Process Certification – The “Right” security mindset
  – Certified Secure Software Lifecycle Professional (CSSLP)
  – BCS ISEB qualifications
  – OWASP – The Software Assurance Maturity Model (SAMM)
  – NCC – IT Department Accreditation

Page 13

Certification – Benefits

Certification of professional staff can lead to:

• Improved workforce assurance
• Better critical infrastructure protection
• Reduced data loss
• Lowered organizational risk, including software malpractice suits
• Enabling stricter adherence to industry and government regulations
• Helping to implement the repeatable and measurable processes of QA

Page 14

Risk Assessment – what is good Secure Software Development?

• Mature application security development lifecycle.
• Qualified and security certified professionals.

Page 15

Stakeholders in the SDLC

Page 16

Software Assurance Maturity Model (SAMM)

Open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

• Evaluating an organization’s existing software security practices
• Building a balanced software security program in well-defined iterations
• Demonstrating concrete improvements to a security assurance program
• Defining and measuring security-related activities within an organization

Page 17

Software Assurance Maturity Model (SAMM)

Page 18

SAMM Roadmaps

• To make the “building blocks” usable, SAMM defines Roadmap templates for typical kinds of organizations:
  • Independent Software Vendors
  • Online Service Providers
  • Financial Services Organizations
  • Government Organizations

Page 19

Certified Secure Software Lifecycle Professional (CSSLP) Domains

(ISC)²® CSSLP CBK Domains

• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal

Page 20

Secure Software Concepts

• Confidentiality, Integrity, Availability
• Authentication, Authorization, and Auditing
• Security Design Principles
• Risk Management (e.g., vulnerabilities, threats and controls)
• Regulations, Privacy, and Compliance
• Software Architecture (e.g., layers)
• Software Development Methodologies
• Legal (e.g., Copyright, IP and trademark)
• Standards (e.g., ISO 2700x, OWASP)
• Security Models (e.g., Bell-LaPadula, Clark-Wilson and Biba)
• Trusted Computing (e.g., TPM, TCB)
• Acquisition (e.g., contracts, SLAs and specifications)

Page 21

Secure Software Design

• Design Processes
  – Attack surface evaluation, Threat modeling, Control identification, Control prioritization
• Design Considerations
  – Confidentiality, Integrity, Availability, Authentication, Authorization, and Auditing
  – Security design principles, Interconnectivity, Security management interfaces, Identity management
• Architecture
  – Distributed, Service-oriented, Rich Internet applications, Pervasive computing
  – Integration with existing architectures
  – Software as a Service
• Technologies
  – IAM, Audit, DRM, Flow control (e.g., proxies, firewalls, middleware)
  – Data protection (e.g., DLP, encryption and database security)
  – Computing environment (e.g., programming languages, virtualization, and operating systems)
  – Integrity (e.g., code signing)

Page 22

Secure Software Design

Saltzer & Schroeder: Security Design Principles

• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
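The tenets listed on page 10 (authentication, authorization, auditing) and the Saltzer & Schroeder principles above are easier to recognize once they are written down as a working reference monitor. The block below is an added example for this page, not code from the presentation or from (ISC)²; the credential store (USERS), the role table (ROLE_GRANTS), the dual-control set (DUAL_CONTROL) and every password in it are constructed for the demo. It shows fail-safe defaults (anything not explicitly granted is denied), least privilege (each role carries only the grants it needs), separation of privilege (payment approval needs two different authorized people), complete mediation (every read and write re-checks authority instead of caching a decision), and auditing of every decision, with a constant-time PBKDF2 password check standing in for authentication.

```python
# Added example, not from the slides: a small reference monitor that turns the
# security tenets of page 10 (authentication, authorization, auditing) and the
# Saltzer & Schroeder principles of page 22 into code. Every user, password
# and policy entry below is constructed for the demo.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # assumption: a demo value; tune for production

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _make_user(password: str, roles) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt), "roles": frozenset(roles)}

# Constructed credential store: salted PBKDF2 hashes, never plaintext passwords.
USERS = {
    "alice": _make_user("alice-pass", {"reader", "editor"}),
    "bob": _make_user("bob-pass", {"reader"}),
    "carol": _make_user("carol-pass", {"approver"}),
    "dave": _make_user("dave-pass", {"approver"}),
}

# Least privilege: each role carries only the (action, resource) pairs it needs.
ROLE_GRANTS = {
    "reader": {("read", "report")},
    "editor": {("read", "report"), ("write", "report")},
    "approver": {("approve", "payment")},
}

# Separation of privilege: these actions need two different authorized people.
DUAL_CONTROL = {("approve", "payment")}

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset

def authenticate(username: str, password: str):
    """Authentication: validate who is making the request.

    Returns a Principal on success and None otherwise; the comparison is
    constant-time so a wrong password is not distinguishable by timing.
    """
    record = USERS.get(username)
    if record is None:
        return None
    if not hmac.compare_digest(_derive(password, record["salt"]), record["hash"]):
        return None
    return Principal(username, record["roles"])

@dataclass
class AuditLog:
    """Auditing: every decision, allowed or denied, leaves historical evidence."""
    entries: list = field(default_factory=list)

    def record(self, who, action, resource, allowed, reason):
        self.entries.append({"who": who, "action": action, "resource": resource,
                             "allowed": allowed, "reason": reason})

class ReferenceMonitor:
    """Economy of mechanism and open design: one small, reviewable decision point."""

    def __init__(self, audit: AuditLog):
        self.audit = audit

    def _granted(self, principal: Principal, action: str, resource: str) -> bool:
        # Fail-safe default: anything not explicitly granted is denied.
        return any((action, resource) in ROLE_GRANTS.get(r, set())
                   for r in principal.roles)

    def authorize(self, principal, action, resource, co_signer=None) -> bool:
        """Authorization: what rights does the requester actually hold?"""
        allowed = self._granted(principal, action, resource)
        reason = "role grant" if allowed else "no matching grant"
        if allowed and (action, resource) in DUAL_CONTROL:
            # The co-signer must be a different person who is also granted the action.
            if (co_signer is None or co_signer.name == principal.name
                    or not self._granted(co_signer, action, resource)):
                allowed, reason = False, "dual control not satisfied"
        self.audit.record(principal.name, action, resource, allowed, reason)
        return allowed

class GuardedReports:
    """Complete mediation: every access re-checks authority; nothing is cached."""

    def __init__(self, monitor: ReferenceMonitor):
        self.monitor = monitor
        self._data = {}

    def read(self, principal: Principal, key: str):
        if not self.monitor.authorize(principal, "read", "report"):
            raise PermissionError(f"{principal.name} may not read reports")
        return self._data.get(key)

    def write(self, principal: Principal, key: str, value: str) -> None:
        if not self.monitor.authorize(principal, "write", "report"):
            raise PermissionError(f"{principal.name} may not write reports")
        self._data[key] = value
```

Authenticate bob (a reader) and attempt a write through GuardedReports: the PermissionError and the matching denied entry in the audit log are the point, as is the fact that carol cannot approve a payment alone or with herself as co-signer. Economy of mechanism and open design show up in the size of the monitor: the whole policy is a table a reviewer can read, rather than checks scattered through the application.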

Page 23

Secure Software Requirements

• Policy Decomposition
  – Confidentiality, Integrity, Availability Requirements
  – Authentication, Authorization, and Auditing Requirements
  – Internal and External Requirements
• Identification and Gathering
  – Data Classification
  – Use Cases
  – Abuse Cases (inside and outside adversaries)

Page 24

Secure Coding

• Declarative versus programmatic security (e.g., bootstrapping, cryptographic agility, and handling configuration parameters)
• Common software vulnerabilities and countermeasures
• Defensive coding practices (e.g., type safe practices, locality, memory management, error handling)
• Exception management
• Configuration management (e.g., source code and versioning)
• Build environment (e.g., build tools)
• Code/Peer review
• Code Analysis (static and dynamic)
• Anti-tampering techniques (e.g., code signing)
• Interface coding (e.g., proper authentication and third party API)

Page 25

Secure Software Testing

• Testing for Security Quality Assurance
  – Functional Testing (e.g., reliability, logic, performance and scalability)
  – Security Testing (e.g., white box and black box)
  – Environment (e.g., interoperability)
  – Bug tracking (e.g., defects, errors and vulnerabilities)
  – Attack surface validation
• Test types
  – Penetration Testing
  – Fuzzing, Scanning, Simulation Testing (e.g., environment and data)
  – Testing for Failure
  – Cryptographic validation (e.g., environment and data)
• Impact Assessment and Corrective Action
• Standards for software quality assurance (e.g., ISO 9126, SSE-CMM and OSSTMM)
• Regression testing

Page 26

Secure Software Acceptance & Deployment

• Pre-release or pre-deployment
  – Completion Criteria (e.g., documentation, BCP)
  – Risk Acceptance
  – Documentation (e.g., DRP and BCP)
• Post-release
  – Validation and Verification (e.g., Common Criteria)
  – Independent testing (e.g., third-party)
• Installation and Deployment
  – Bootstrapping (e.g., key generation, access management)
  – Configuration Management (e.g., elevated privileges, hardening, platform change)

Page 27

Secure Software Operations & Maintenance

• Operations and Maintenance
  – Monitoring (e.g., Metrics and Audits)
  – Incident Management
  – Problem Management (Root Cause Analysis)
  – Patching
• End of life policies

Page 28

What next? – Sustaining Assurance

• Confucius said, “The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget disorder may come. Thus his person is not endangered and his states and all their clans are preserved.”
• Applying this wisdom, it is easy to see that when it comes to software security, not only should software be designed, developed, and deployed securely, but it should also be operationally secure and should maintain the level of security as intended.

Page 29

Sustaining Assurance

• A secure, formal and structured software development methodology, along with enforceable and pertinent policies, must become a part of any organization’s operations.
• Trained and qualified people who are empowered with the knowledge of how to implement software security controls, balance threats and countermeasures, and balance business with technology.

Page 30

CSSLP Case Study / Whitepaper

• (ISC)² Case Study: Securing the Right Information Security Team
• (ISC)² Hiring Guide: Securing the Organization: Creating a Partnership Between HR and Information Security
• CSSLP Whitepaper I: The Need for Secure Software
• CSSLP Whitepaper II: Software Assurance: A Kaleidoscope of Perspectives
• CSSLP Whitepaper III: Software Security: Being Secure in an Insecure World
• CSSLP Whitepaper IV: The Ten Best Practices for Secure Software Development
• CSSLP Whitepaper V: Code (In)Security

www.isc2.org/d-zone

Page 31

Ten Best Practices

1. Protect the Brand Your Customers Trust
2. Know Your Business and Support it with Secure Solutions
3. Understand the Technology of the Software
4. Ensure Compliance to Governance, Regulations, and Privacy
5. Know the Basic Tenets of Software Security
6. Ensure the Protection of Sensitive Information
7. Design Software with Secure Features
8. Develop Software with Secure Features
9. Deploy Software with Secure Features
10. Educate Yourself and Others on How to Build Secure Software