CS2S562 Secure Software Development


CS2S562 Secure Software Development Trustworthy Software Initiative

Today
- Trustworthy Software Initiative (TSI)
- What is the TSI?
- Why TSI?
- How does it work (basic overview)
- Some examples of resources provided

What is the TSI?
- UK Government initiative: UK Government sponsored, part of the £850m 'National Cyber Security Program'
- Run on behalf of the UK Government by the 'Cyber Security Centre' at Warwick University
- Aim: to improve software in terms of safety, security, reliability, availability and resilience
- Not to be confused with Microsoft 'Trustworthy Computing' (deceased 2014, 2100 jobs gone)

Why is TSI important?
- Software engineering now = mechanical engineering ca. 1800: it works, but things explode quite often; trial-and-error approach
- Not engineering, dabbling
- Only few and emerging standards, hence few interchangeable components
- Is now part of the HE curriculum (i.e. this module)
- Employers will expect you to know it (e.g. at interview)

The Effect of Standards
Guess what happened here? Yes, a standard was introduced. (Chart not reproduced in the transcript.)

Real Life Example
- DFUPS (Diabetic Foot Ulcer Prevention System, 2015)
- Engineering: 2 months (hardware and software design, production)
- Regulatory: 12 months (standard compliance, testing paperwork, forms, ...), ca. 800 pages in total

A Few Definitions (some of them we know already; see Lecture 10)
Table columns: TERM, TRUSTED, TRUSTWORTHY; the requirement level (Must / Should / May) is given per group of terms.
Must:
- Safety: operate without causing harm
- Security: operate protected against accidents or attacks
Should:
- Availability: ability to deliver when requested
- Resilience: ability to transform, renew or recover
- Reliability: deliver services as specified
May:
- Privacy: not observing or disturbing, free of attention

What does TSI do? The CWE
- Create, publish and update resources such as the 'Common Weakness Enumeration' (CWE): sounds horrible, but is in fact a very useful list of coding error sources
- Instrumental in developing standards, most importantly BS PAS 754:2014 (see Lecture 22)

Standards: Why?
- Make things interchangeable
- Save costs and time
- Promote best practice
- Level the playing field
- Accreditation of products (lowers insurance cost, improves marketing, usually a legal requirement, e.g. CE marking, Medical Devices Directive, ...)

BS PAS 754:2014
The standard applies to: (see BS PAS 754:2014, Figure 2)
BS = British Standard, PAS = Publicly Available Standard, 754 = number, 2014 = year of publication

BS PAS 754:2014: used throughout the software life cycle (BS PAS 754:2014, Figure 5; TSMS = Trustworthy Software Management System)
Labels from the figure: user / overall system requirements, system specification, component specification, module, risk analysis, verification, validation plan, system validation, test.

BS PAS 754:2014
In order to achieve this, the PAS implements its own definitions and references existing standards:
- BS ISO/IEC 27001:2013, Information technology, Security techniques, Information security management systems: Requirements
- BS ISO/IEC/IEEE 42010, Systems and software engineering: Architecture description
- ISO/IEC 15288, Systems and software engineering: System life cycle processes
- BS EN ISO 9000:2005, Quality management systems
- Several others

BS PAS 754:2014: The Trustworthy Software Framework (BS PAS 754:2014, Figure 3)

BS PAS 754:2014 Level 1: Concepts
- Governance: management arrangements (e.g. ISO 9001)
- Risk: risk identification, minimisation and mitigation
- Controls (on risk): on personnel, physical artefacts (i.e. the software itself), processes, technical issues
- Compliance (using controls): a regime to ensure the above are implemented and maintained

BS PAS 754:2014 Level 2: Principles
- Applicability: governance and controls apply only where relevant (see next slide)
- Governance: understanding the general environment, the trust environment, and general and trustworthiness risks
- Controls: maintaining competence, managing people risk, code protection, defect management, "hygienic" coding, ...
- Compliance: verifications, reviews

BS PAS 754:2014: it's not one size fits all, it's scalable
The required level is read from a grid of IMPACT (None, Routine, Significant, Critical, Paramount) against ROLE (Explicit, Implicit, Ancillary); the cells range from N/A and Level 0 up to Level 4 (grid not reproduced in the transcript).
Trustworthiness delivered by:
- Level 0: no process required
- Level 1: due diligence
- Level 2: managed processes
- Level 3: established processes
- Level 4: predictable and optimised processes

BS PAS 754:2014 Level 3: Techniques

BS PAS 754:2014 Level 4: Repository
- http://www.uk-tsi.org/ (work in progress)
- CWE, the 'Common Weakness Enumeration': http://cwe.mitre.org/
- A list of currently over 1000 common software bugs
- Very useful for programmers ("how not to..."), especially the Top 25 list

CWE (Top 10 from the Top 25 list)
Rank, ID, Name:
[1] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] CWE-306 Missing Authentication for Critical Function
[6] CWE-862 Missing Authorization
[7] CWE-798 Use of Hard-coded Credentials
[8] CWE-311 Missing Encryption of Sensitive Data
[9] CWE-434 Unrestricted Upload of File with Dangerous Type
[10] CWE-807 Reliance on Untrusted Inputs in a Security Decision
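Rank 3 in the list, CWE-120, is the one most directly visible in C source. The following is an added example, not code from the lecture or from the TSI: the classic unchecked copy into a fixed buffer, kept only as the "before" picture, beside a bounded copy that refuses any input that does not fit including its terminator. The 16-byte buffer size and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX_LEN 16   /* assumed buffer size for the example */

/* CWE-120 pattern: the destination size is never compared with the input
 * length, so any input of NAME_MAX_LEN bytes or more writes past 'name'.
 * Shown only as the "before" picture; nothing below calls it. */
void greet_unchecked(const char *input)
{
    char name[NAME_MAX_LEN];
    strcpy(name, input);            /* no bound: classic buffer overflow */
    printf("Hello, %s\n", name);
}

/* Hardened form: copy only if the whole input fits, including the NUL.
 * Returns 0 on success, -1 (with an empty destination) if it would not fit.
 * The length scan itself is bounded, so an unterminated source cannot be
 * walked past dst_size bytes either. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size) {          /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* len + 1 copies the terminator too */
    return 0;
}

/* Same greeting, but over-long input is rejected instead of overflowing. */
int greet_checked(const char *input)
{
    char name[NAME_MAX_LEN];
    if (bounded_copy(name, sizeof name, input) != 0) {
        fprintf(stderr, "input rejected: longer than %zu bytes\n", sizeof name - 1);
        return -1;
    }
    printf("Hello, %s\n", name);
    return 0;
}

int main(void)
{
    greet_checked("Alice");                             /* fits: greeting printed */
    greet_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");  /* 32 bytes: rejected */
    return 0;
}
```

The important detail is the comparison `len >= dst_size`: a 16-byte buffer holds at most 15 characters plus the terminator, and an input of exactly 16 characters is the boundary case that an off-by-one check would let through.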

Case Study Austerity – how did it happen?


Case Study Austerity: how did it happen?
From Lecture 4 (Formatted I/O), the structure of a trusted component:
Unformatted input -> Canonicalise -> Normalise -> Sanitise -> Validate -> Core of Trusted Component -> Output sanitisation -> Output
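The input side of that pipeline, worked through in C as an added example that is not the lecture's own code: an untrusted file name is canonicalised (percent-encoding undone), normalised (trimmed and lower-cased), sanitised (control characters dropped) and validated (allow-list, no leading dot, no "..") before anything reaches the core of the trusted component. The buffer sizes, the allow-list, the status codes and the sample inputs are assumptions for illustration, and the output-sanitisation stage on the right of the diagram is not shown.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_IN   256   /* assumed working-buffer size */
#define MAX_NAME  64   /* assumed limit the trusted core accepts */
enum input_status { INPUT_OK = 0, INPUT_TOO_LONG, INPUT_BAD_ENCODING, INPUT_EMPTY, INPUT_INVALID };

static int hex_value(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* 1. Canonicalise: undo percent-encoding so "%2e%2e" and ".." are the same bytes
 * before any check sees them; a decoded NUL is rejected as it would truncate later. */
static int canonicalise(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hex_value((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hex_value((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return INPUT_BAD_ENCODING;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= out_size) return INPUT_TOO_LONG;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return INPUT_OK;
}

/* 2. Normalise: one spelling for equivalent inputs (trim whitespace, lower-case). */
static void normalise(char *s)
{
    size_t start = 0, end = strlen(s);
    while (start < end && isspace((unsigned char)s[start])) start++;
    while (end > start && isspace((unsigned char)s[end - 1])) end--;
    memmove(s, s + start, end - start);
    s[end - start] = '\0';
    for (size_t i = 0; s[i] != '\0'; i++) s[i] = (char)tolower((unsigned char)s[i]);
}

/* 3. Sanitise: drop ASCII control characters (tab, newline, DEL, ...). */
static void sanitise(char *s)
{
    size_t w = 0;
    for (size_t r = 0; s[r] != '\0'; r++)
        if (!iscntrl((unsigned char)s[r])) s[w++] = s[r];
    s[w] = '\0';
}

/* 4. Validate: non-empty, shorter than MAX_NAME, allow-listed characters only,
 * no leading dot and no ".."; path separators fail the allow-list. */
static int validate(const char *s)
{
    size_t len = strlen(s);
    if (len == 0) return INPUT_EMPTY;
    if (len >= MAX_NAME) return INPUT_TOO_LONG;
    if (s[0] == '.') return INPUT_INVALID;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '.' || c == '-' || c == '_')) return INPUT_INVALID;
    }
    return strstr(s, "..") == NULL ? INPUT_OK : INPUT_INVALID;
}

/* The stages in the diagram's order; only an INPUT_OK result reaches the trusted core. */
int prepare_filename(const char *untrusted, char *out, size_t out_size)
{
    char work[MAX_IN];
    int st = canonicalise(untrusted, work, sizeof work);
    if (st != INPUT_OK) return st;
    normalise(work);
    sanitise(work);
    st = validate(work);
    if (st != INPUT_OK) return st;
    if (strlen(work) + 1 > out_size) return INPUT_TOO_LONG;
    memcpy(out, work, strlen(work) + 1);
    return INPUT_OK;
}

int main(void)
{
    /* constructed sample inputs, not taken from any real system */
    const char *samples[] = { "  Report%2D2014.TXT ", "%2e%2e/etc/passwd", "notes\t.txt", "%zz", "" };
    char name[MAX_NAME];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int st = prepare_filename(samples[i], name, sizeof name);
        printf("%-22s -> %s\n", samples[i], st == INPUT_OK ? name : "rejected");
    }
    return 0;
}
```

The order matters: validating before canonicalising would accept "%2e%2e/etc/passwd" because the raw bytes contain neither a dot nor a separator, and the check would only fail after the core had already decoded it. Running canonicalise first means the validator always sees the same bytes the core will use.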

Further Reading
- http://www.uk-tsi.org/
- http://cwe.mitre.org/
- PPT by the director of the TSI
- The BS PAS 754:2014 standard document (normally £55)