Software Assurance: Building Security In

Slides:



Advertisements
Similar presentations
© 2005 by Prentice Hall Appendix 2 Automated Tools for Systems Development Modern Systems Analysis and Design Fourth Edition Jeffrey A. Hoffer Joey F.
Advertisements

Security Controls – What Works
Geneva, Switzerland, September 2014 ITU-T CYBEX standards for cybersecurity and data protection Youki Kadobayashi, NICT Japan Rapporteur, ITU-T Q.4/17.
Stephen S. Yau CSE , Fall Security Strategies.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Enterprise Architecture
Software Assurance Software Acquisition Working Group Chairs: Stan Wisseman Booz Allen Hamilton Mary L. Polydys National Defense University Information.
TGDC Meeting, December 2011 Michael Kass National Institute of Standards and Technology Update on SAMATE Automated Source Code Conformance.
Gurpreet Dhillon Virginia Commonwealth University
Software Assurance Automation throughout the Lifecycle OWASP AppSec USA 2011 September 23 rd 2011.
SEC835 Database and Web application security Information Security Architecture.
EOSC Generic Application Security Framework
Information Systems Security Computer System Life Cycle Security.
A Framework for Automated Web Application Security Evaluation
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
Demystifying the Business Analysis Body of Knowledge Central Iowa IIBA Chapter December 7, 2005.
Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan May, 2009.
™ ™ © 2006, KDM Analytics Software Assurance Ecosystem and its Applications Djenana Campara Chief Executive Officer, KDM Analytics Board Director, Object.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.
Delivering results that endure Delivering Results that Endure Managing Risks in the Software Acquisition Process GFIRST Conference June 2007 Stan Wisseman.
Engineering Essential Characteristics Security Engineering Process Overview.
CSCE 522 Secure Software Development Best Practices.
Security Automation May 26th, Security Automation: the challenge “Tower of Babel” – Too much proprietary, incompatible information – Costly – Error.
ITU CoE/ARB 11 th Annual Meeting of the Arab Network for Human Resources 16 – 18 December 2003; Khartoum - Sudan 1 The content is based on New OECD Guidelines.
AUB Department of Electrical and Computer Engineering Imad H. Elhajj American University of Beirut Electrical and Computer Engineering
DOD SOFTWARE ASSURANCE INITIATIVE: Mitigating Risks Attributable to Software through Enhanced Risk Management Joe Jarzombek, PMP Deputy Director for Software.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
SwA Co-Chair and Task Lead Strategy Session Agenda Technology, Tools and Product Evaluation Working Group Status Briefing Co-Chair(s) Michael Kass (NIST),
The NIST Special Publications for Security Management By: Waylon Coulter.
Presented for discussion with Implementation SIG Heather Grain.
Principles Identified - UK DfT -
Software Assurance: Building Security In
Quality Management System Deliverable Software 9115 revision A Key changes presentation IAQG 9115 Team March 2017.
Computer Scientist, Software and Systems Division, ITL
eHealth Standards and Profiles in Action for Europe and Beyond
Discussion Topics for Exploring OMG UPDM Way-ahead
BruinTech Vendor Meet & Greet December 3, 2015
Software Engineering (CSI 321)
Security Testing Methods
Modern Systems Analysis and Design Third Edition
Security Issues Formalization
Information Technology Sector
Evaluating Existing Systems
The Systems Engineering Context
For Computer Society Internal Use Only
Introduction to the Federal Defense Acquisition Regulation
Evaluating Existing Systems
Gender statistics in Information and Communication Technology for Women’s Empowerment and Gender Equality Dorothy Okello, Annual.
Software Assurance: Building Security In
The National Initiative for Cybersecurity Education (NICE)  AFCEA International Cyber Education, Research, and Training Symposium January 17, 2018 Bill.
Overview – Guide to Developing Safety Improvement Plan
Standards for success in city IT and construction projects
I have many checklists: how do I get started with cyber security?
Overview – Guide to Developing Safety Improvement Plan
Cyber-security and IEC International Standards
Risk Assessment = Risky Business
Software Assurance Maturity Model
Modern Systems Analysis and Design Third Edition
Getting benefits of OWASP ASVS at initial phases
Introducing ISTQB Agile Foundation Extending the ISTQB Program’s Support Further Presented by Rex Black, CTAL Copyright © 2014 ASTQB 1.
Continuity Guidance Circular Webinar
Modern Systems Analysis and Design Third Edition
2. An overview of SDMX (What is SDMX? Part I)
CVE.
Cybersecurity ATD technical
Group Meeting Ming Hong Tsai Date :
IT Management Services Infrastructure Services
Implementing UK Housing Data Standards
IoT and Supply Chain Risk Management
Presentation transcript:

Software Assurance: Building Security In TGDC Winter Meeting, 16 December 2011 Leveraging DHS/DoD/NIST Software Assurance Efforts for Voting Standards Joe Jarzombek, Director of Software Assurance, DHS National Cyber Security Division

Outline Short background on DHS/DoD/NIST Software Assurance Forums , Workshops and Products Focus on the Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration (CAPEC) ITU draft standards Applicability of CWE and CAPEC to voting security Creating a “vignette” for voting

Critical Considerations Software is the core constituent of modern products and services – it enables functionality and business operations Dramatic increase in mission risk due to increasing: Software dependence and system interdependence (weakest link syndrome) Software size & complexity (obscures intent and precludes exhaustive test) Outsourcing and use of un-vetted software supply chain (COTS & custom) Attack sophistication (easing exploitation) Reuse (unintended consequences increasing number of vulnerable targets) Number of vulnerabilities & incidents with threats targeting software Risk of asymmetric attacks and threats Increasing awareness and concern Software and the processes for acquiring and developing software represent a material weakness

Defining Software Assurance Software Assurance (SwA) is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner (from CNSS 4009 IA Glossary)

Products and Contributions Software Assurance Forum and Working Groups … encourage the production, evaluation and acquisition of more secure and resilient software through targeting: People Processes Technology Acquisition Developers and users education & training Sound practices, standards, & practical guidelines for secure software development Security test criteria, measurement, diagnostic tools, common languages & enumerations, SwA Research & Development Software security improvements through due-diligence questions, specs and guidelines for acquisitions/ outsourcing Products and Contributions Build Security In - https://buildsecurityin.us-cert.gov and SwA community resources & info clearinghouse SwA Common Body of Knowledge (CBK) & Glossary Organization of SwSys Security Principles/Guidelines SwA Developers' Guide on Security-Enhancing SDLC SwA Curriculum Project: Masters and Undergraduate Software Security Assurance State of the Art Report Systems Assurance Guide, via DoD and National Defense Industrial Association (NDIA) SwA-related standards – ISO/IEC JTC1 SC7/27/22, IEEE CS, OMG, TOG, & CMM-based Assurance Practical Measurement Framework for SwA/InfoSec Making the Business Case for Software Assurance SwA Metrics & Tool Evaluation (SAMATE) with NIST, SwA Ecosystem w/ DoD, NSA, NIST, OMG & TOG NIST Special Pub 500 Series on SwA Tools Security Automation Enumerations & Languages (CVE, OVAL, CWE, CAPEC, MAEC, CybOX), scoring systems, and risk analysis capabilities SwA in Acquisition: Mitigating Risks to Enterprise Software Project Management for SwA State of the Art Report (SOAR) * SwA Forum is part of Cross-Sector Cyber Security Working Group (CSCSWG) established under auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC) that provides legal framework for participation.

How can the Software Assurance Community Contribute to Voting? Through Standards! The Voluntary Voting System Guidelines (VVSG) leverages standards wherever possible in specifying requirements for voting system quality assurance (ISO 9000), workmanship (ASTM), common data format (IEEE P1622) and other areas Standards promote quality, transparency, interoperability and testability in voting systems for stakeholders, including: Voting system manufacturers Voting system testing laboratories States that acquire those systems The software assurance community has developed a suite of industry standards in support of software weakness understanding and automated analysis. We focus on two ITU draft standards that could further strengthen VVSG with respect to security, integrity and privacy, in particular: The Common Weakness Enumeration (CWE), The Common Attack Pattern Enumeration and Classification (CAPEC) VVSG defines requirements

What is a Weakness? A (software) weakness is a property of software/ systems that, under the right conditions, may permit unintended or unauthorized behavior

What is a Vulnerability? A (software) vulnerability is a collection of one or more weaknesses that contain the right conditions to permit unauthorized parties to force the software to perform unintended behavior (a.k.a. “is exploitable”)

An Opportunity to Embrace an Emerging Set of Standards that Strengthens VVSG The Common Weakness Enumeration (CWE) is a (consensus built) dictionary of software weaknesses Funded through DHS National Cyber Security Division 6 years ago, there was no CWE Today the software assurance community “speaks CWE” 31 organizations 53 products and services 800+ software weaknesses (throughout the Software Development Lifecycle) defined and documented Voted on at last ITU-T Study Group 17 Question #4 Meeting in Geneva, August 2011; will be finalized in February 2012

CWE Web Site http://cwe.mitre.org

CWE Content Each CWE entry includes: Description SDL time of introduction Common consequences Likelihood of exploit Detection methods Examples (in source code) Mitigations Relationship to other weaknesses (parent, child, sibling) Related attack patterns , described in the Common Attack Pattern Enumeration and Classification (CAPEC) White box definition (lower-level, structural description) Common Vulnerability Enumerations (CVEs) with this “root cause” weakness

An Example of Mapping a CWE as a Normative Reference in VVSG Requirements VVSG 1.1/2.0 – “If stack overflow does not automatically result in an exception, the application logic shall explicitly check for and prevent stack overflow. “ CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) VVSG 1.1/2.0 – “If the programming language does not provide automatic run-time detection of numeric overflow, all arithmetic operations that could potentially overflow the relevant data type shall be checked for overflow.” CWE-190: Integer Overflow or Wraparound

CWE Promotes Better Understanding of and Automated Verification of Software Weaknesses VVSG can use CWE in its normative descriptions of “non-conformant” weaknesses in software A common (standardized) lexicon of security automation languages and enumerations facilitates: As a reference: greater (human) understanding of software weaknesses, vulnerabilities, attacks and mitigations through common terminology and concepts In automated tooling: machine verification through consumption and understanding of that lexicon, and as a common language for reporting results This requires machine-readable, formalized definitions of CWE (an effort underway in the SwA Technology/Tools Working Group)

CWE and Tool “Effectiveness” Testing, Another Resource for Voting System Assurance DHS and NIST (through SAMATE) are developing a CWE Compatibility Effectiveness Testing Program for software assurance tools: To determine how effectively automated software tools (in particular, source code analysis tools) can identify individual CWEs in source code VVSG 1.1/2.0 focuses on “integrity” CWEs This testing program will provide users of tools such as voting system manufacturers and Voting System Testing Laboratories (VSTLs) with increased confidence that the tools that they use truly identify the kinds of weaknesses that are “disallowed” in voting system software Dr. Paul Black (NIST) is spearheading this project

A Complementary Standard to CWE: CAPEC http://capec.mitre.org The Common Attack Pattern Enumeration and Classification (CAPEC) is a complementary (draft) ITU standard to CWE for describing (with a similar level of detail as CWE) known patterns of cyber attack. Information for each attack type includes: Description Related CWE Attack prerequisites Likelihood of exploit Method of attack Resources required Probing techniques Indicators – Warnings of attack Related attack patterns Related security principles Confidentiality/Availability/Integrity (CAI) impact Together, CWE and CAPEC provide a foundation of information to the security analyst as to the nature of a particular weakness, as well as how that weakness might be exploited maliciously

Leveraging CWE in Security Assurance Automation Software Assurance The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidently inserted at anytime during its life cycle and that the software functions as intended. Derived From: CNSSI-4009 Automation Languages, tools, enumerations and repositories Committee on National Security Systems (CNSS) Instruction Number 4009, April 2010 (http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf) throughout the Lifecycle Including design, coding, testing, deployment, configuration and operation

Automation is one piece of the SwA puzzle.

Where can automation help - today? What is the context? Where can automation help - today? What problems are we trying to solve? Where do we start?

S: The set of all software in existence at some point in time Notional W W: The set of all instances of software weaknesses in S

Wd: The set of all discovered software weaknesses in W Notional W Wd Wd: The set of all discovered software weaknesses in W

V: The set of all vulnerabilities in W Notional W Wd V V: The set of all vulnerabilities in W

Vd: The set of all discovered vulnerabilities in V Notional W Wd V Vd Vd: The set of all discovered vulnerabilities in V

Weaknesses we really care about For the software we’re responsible for Notional W Wd Weaknesses we really care about How do we identify these? which weaknesses are most important?

Lists are a good start but they are designed to be broadly applicable Prioritizing weaknesses to be mitigated OWASP Top 10 CWE/SANS Top 25 Lists are a good start but they are designed to be broadly applicable We would like a way to specify priorities based on business/mission risk

Common Weakness Risk Analysis Framework (CWRAF) How do I identify which of the 800+ CWE’s are most important for my specific business domain, technologies and environment? Common Weakness Scoring System (CWSS) How do I rank the CWE’s I care about according to my specific business domain, technologies and environment? How do I identify and score weaknesses important to my organization?

Common Weakness Risk Analysis Framework (CWRAF) Example Weightings Technical Impacts 1. Modify data 2. Read data 3. DoS: unreliable execution 4. DoS: resource consumption 5. Execute unauthorized code or commands 6. Gain privileges / assume identity 7. Bypass protection mechanism 8. Hide activities W1=0 W2=0 W3=10 W4=4 W5=10 W6=0 W7=0 W8=0 Layers 1. System 2. Application 3. Network 4. Enterprise Technical Impact Scorecard Multiple pieces – we’ll focus on “Vignettes”

and Communication Technology (ICT) Applications in various Domains Leveraging Vignettes in Cyber Security Standardization for Key Information and Communication Technology (ICT) Applications in various Domains Common Weakness Risk Assessment Framework uses Vignettes with Archetypes to identify top CWEs in respective Domain/Technology Groups

Most Important Weaknesses “Vignette” CWSS Scoring Engine CWSS Score CWE 97 CWE-79 95 CWE-78 94 CWE-22 CWE-434 CWE-798 93 CWE-120 CWE-250 92 CWE-770 91 CWE-829 CWE-190 CWE-494 90 CWE-134 CWE-772 CWE-476 CWE-131 … W Wd Most Important Weaknesses User-defined cutoff CWRAF/CWSS in a Nutshell

Creating a Voting “Vignette” Some questions that a Voting vignette may help answer: What CWEs are “disallowed” in VVSG? What are the most common CWEs identified in test lab, red team and source code analysis reports of voting systems? What CWEs have been identified in test lab, red team and source code analysis reports, but are NOT mentioned in VVSG? What are the differences in CWEs for polling-place (vs. internet) voting system architectures?

Potential Benefit of a Voting Vignette To EAC/TGDC/NIST A way to apply risk analysis to weaknesses (as opposed to vulnerabilities) in voting system software A way to prioritize potential weaknesses in voting system associated with (more serious) reported vulnerabilities and therefore A way to identify and address these types of weaknesses early in the manufacturer’s development process for the voting system

Summary DHS/DoD/NIST Software Assurance Forums and Working Groups provide a broad resource of assurance activities across process, people, technology and acquisition In particular, the CWE and CAPEC ITU standards can be leveraged to strengthen VVSG in defining and automated detection of software weaknesses A voting “vignette” is an opportunity to explore: What software weaknesses are most important, and What software weaknesses are prevalent in today’s voting systems, versus what is identified as important in VVSG How weakness priorities change, based upon different voting system architectures

Discussion