A Scalable Secure Development Program


A Scalable Secure Development Program
Rajiv Sharma, CSSLP, Sr. Principal Program Manager, Oracle Global Product Security
Front Range OWASP Conference, March 22, 2012

Agenda
- Importance of Software Security
- What is Software Security Assurance?
- Oracle Software Security Assurance
- Cultivating Security Community in Development

Importance of Software Security (agenda section 1 of 4)

IT Security Challenges... It's not just about malicious hackers!
- Complex regulatory and privacy frameworks
- Continued requirement to demonstrate compliance
- Difficulty of managing risk in a global, ever-changing business environment
- Increasingly complex security requirements for networked applications and systems
- Need to maintain "security in depth"
- Potential risks associated with insider threats
Security has multiple dimensions. It is not an end in itself but a means for an organization to achieve its business objectives, comply with regulatory requirements and internal policies, and so on.

Multi-Dimensional Aspects Of Security
Today's threats: IP theft and economic espionage; financial fraud and organized crime; sophisticated hackers; opportunistic insiders.
What's at stake: intellectual property; customer, employee, citizen and corporate data; financial loss; reputational loss; fines and penalties.
Other challenges: internal and external audits; supply chain security; a changing regulatory landscape; data and systems consolidation; changing environments (mobile devices, cloud, etc.).
The approach to security needs to be holistic: align people, policies and processes; work across the technical infrastructure; understand and properly address all threats.

Security In Depth Considerations
- How degraded is your overall security posture when individual security mechanisms fail, are compromised or circumvented?
- How degraded is your overall security posture when the system environment and use cases change?
APT is the concept du jour. Beyond APT, it comes down to ensuring security in depth. The key to fending off a persistent attacker is a layered approach in which every layer provides incremental, complementary controls. In chess, every piece has a role to play in protecting the king.

Security In Depth Considerations (continued). Top questions to ask yourself:
- How effective are your security controls?
- Have you set proper security controls on each layer of your IT infrastructure to ensure a security-in-depth posture?
- How many of these IT security controls are software-enforced? Have they been turned on?
- Will these security features function as you expect?
- Is your software free of security defects?
Do you truly know the answer to all of these questions?

Why Do Organizations Get Hacked? OWASP Top 10 - 2010
A1 - Injection
A2 - Cross Site Scripting (XSS)
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery (CSRF)
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The OWASP Top 10 is a valuable list of the most common problems affecting web applications. It applies to your home-grown web applications as well as to the COTS products you have purchased and exposed on the Internet.
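The list above names A1 (Injection) but does not show the defect. The following is an added example, not code from the slides or from any Oracle product: a user lookup built by splicing input into the SQL text next to the parameterized form, run against a small in-memory SQLite table constructed here so it executes offline. The table, rows and payload are all made up for the demonstration.

```python
"""Added example (not from the slides): OWASP Top 10 2010 A1, SQL injection.

Shows a lookup built by string formatting next to the parameterized form,
run against a constructed in-memory SQLite table so it executes offline.
"""
import sqlite3

# Constructed sample data, not real customer records.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name: str) -> list:
    """A1 pattern: untrusted input spliced into the statement text.

    The input becomes part of the SQL, so a quote in it changes the
    structure of the query rather than the value being compared.
    """
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name: str) -> list:
    """Hardened form: the statement is fixed, the value travels separately.

    The driver binds the parameter as data, so the same payload simply
    fails to match any row.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload, constructed for the demo. Spliced into the
# vulnerable query it yields: ... WHERE name = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable    :", lookup_vulnerable(db, PAYLOAD))   # all three rows
    print("parameterized :", lookup_parameterized(db, PAYLOAD))  # []
```

The vulnerable function returns every row for the payload because the tautology rewrites the WHERE clause; the parameterized function returns nothing because the whole payload is compared as a literal name. This is the "previously vetted security code" idea from later in the talk applied at the smallest scale: the database driver's binding code is the vetted component, and the standard is simply never to build statement text from input.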

Why Do Organizations Get Hacked? Keeping up with security patches is good security practice
- Would you knowingly run a vulnerable system for an extended period of time?
- The publication of security fixes by vendors often results in malicious actors becoming aware of the flaw: reverse-engineering of the fixes to develop malware or exploits; inclusion of the exploit in hacking toolsets (e.g., Metasploit)
- Apply security patches in a timely fashion
Keeping up with newer releases is also good security practice! Newer releases may include additional fixes which cannot always be backported to previous releases. And of course, follow your vendor's deployment recommendations.

What is Software Security Assurance? (agenda section 2 of 4)
The security practices of your suppliers play a key role in maintaining your security-in-depth posture.

Software Security Assurance: Definition
The process of ensuring that software is designed to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses, controls, and protects.
http://en.wikipedia.org/wiki/Software_Security_Assurance

Importance of Software Security Assurance. Customers must be assured that:
- The software they purchase from their vendors is designed and developed securely. Does the software do what it is designed to do and nothing more? How resilient is the software to threats?
- The vendors have effective procedures to deal with security vulnerabilities and provide ongoing security assurance in their products.
It is not just about making sure the software is reasonably secure at the time of purchase or deployment, but also that the vendor can be trusted to do the right thing throughout the life of the software and keep up with security. Have you considered that your ability to upgrade is an important part of the equation, since more recently released software is generally more secure?

What Is Software Security Assurance? Implications for software
- Software must have been designed securely: security must be "built in, not bolted on"; software must provide adequate security controls (e.g., reflecting the data it will store, the threat environment in which it will operate, etc.)
- Software must have been securely developed: secure design and coding principles must have been followed; software must have been developed in a secure environment under a securely designed development process
- Software must provide a reasonably secure posture by default; hardening instructions must be documented and available

What Is Software Security Assurance? Implications for the software vendor/developer
- Security must be embedded in the organization's DNA
- The organization must recognize that there is no "magic bullet" and that security is an ongoing commitment
Vendors need to treat security not as a one-time "to do" item but as an element of the organizational culture. It is a race: an ongoing commitment that should follow the same continuous-improvement principles as other engineering disciplines.

Oracle Software Security Assurance (agenda section 3 of 4)

Oracle Software Security Assurance: Definition
Oracle Software Security Assurance (OSSA) encompasses all the constantly evolving processes, procedures, and technologies implemented by Oracle to ensure that Oracle's products meet our customers' security requirements while providing the most cost-effective ownership experience.

Oracle Software Security Assurance: Highlights
- Maintaining the security posture of ALL Oracle customers is one of Oracle's greatest priorities
- Applies to ALL Oracle software products, including software components of hardware products (e.g., firmware), throughout their lifecycle
- Constantly evolving to adapt to new technologies, threats, and product use cases

Oracle Software Security Assurance: Major programs include
- Secure Development Standards
- Secure Configuration Initiative
- Internal and external security assessments (e.g., external security validations under FIPS 140-2 and Common Criteria)
- Critical Patch Update and Security Alert programs
- Etc.
Oracle security programs affect the entire product lifecycle.

The Race is On! Security throughout the product lifecycle
- Security must be "built in, not bolted on"
- Ongoing assurance doesn't stop when a product is released: security requirements change when the product is no longer used in the way it was designed for; new attacks and exploit methods must be addressed; vulnerabilities that made their way into released code must be dealt with effectively; etc.

Security Throughout The Product Lifecycle: examples of Oracle Software Security Assurance requirements
Product Definition: security requirements documented in the product definition, specification, and design phases; mandatory use of previously vetted security code for complex security functions (crypto, authentication, etc.)
Product Development: ongoing reviews to validate compliance with Secure Development Standards and previously documented security specifications; extensive use of automated vulnerability discovery tools as part of the development lifecycle, plus extensive penetration testing; mandatory use of security checklists
Ongoing Assurance: disclosure of a vulnerability only when a fix is available on all supported release and platform combinations; equal treatment of all customers; vulnerabilities fixed in severity order

Secure Development Standards
Codified security standards are at the core of Oracle Software Security Assurance:
- Coding guidelines: secure coding principles, examples of what not to do
- Requirements to use previously vetted security code for complex security functions (crypto, authentication, etc.)
- Minimum secure design requirements (e.g., weak/old cryptographic algorithms are banned)
- Etc.
- Mandatory training
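A codified ban on weak algorithms is only as good as the check that enforces it. The following is an added example, not Oracle's tooling and not described in the talk: a small scanner that applies a ban list to source text and reports each unreviewed use, the kind of automated check that turns a written standard into something the "scanning and testing tools" of the next slides can feed back to developers. The ban list, the approved-exception comment convention, and the sample source are all constructed for this demonstration.

```python
"""Added example (not Oracle's tooling): turning a codified standard into a check.

The standard bans weak or obsolete algorithms. This scanner applies such a
ban list to source text and reports where each banned name appears, so the
rule is enforced rather than merely documented. The ban list, the exception
marker and the sample source below are all constructed for the demonstration.
"""
import re
from typing import List, Tuple

# Illustrative ban list: rule name -> pattern. Word boundaries keep 'DES'
# from matching inside ordinary words such as 'describe'.
BANNED_ALGORITHMS = {
    "MD5": re.compile(r"\bMD5\b", re.IGNORECASE),
    "SHA1": re.compile(r"\bSHA-?1\b", re.IGNORECASE),
    "DES": re.compile(r"\b(?:3DES|TripleDES|DES)\b", re.IGNORECASE),
    "RC4": re.compile(r"\b(?:ARC4|RC4)\b", re.IGNORECASE),
}

# Hypothetical marker for a reviewed, documented exception. A real program
# would tie this to a tracked approval; here it is only a comment convention.
EXCEPTION_MARKER = "approved-exception:"


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every banned name in `text`.

    One finding per rule per line. Lines carrying the approved-exception
    marker are skipped so the report lists only unreviewed uses.
    """
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if EXCEPTION_MARKER in line:
            continue
        for rule, pattern in BANNED_ALGORITHMS.items():
            if pattern.search(line):
                findings.append((line_no, rule))
    return findings


# Constructed sample source, not code from any real product.
SAMPLE_SOURCE = """\
import hashlib
from Crypto.Cipher import DES  # legacy code path
def fingerprint(data):
    return hashlib.md5(data).hexdigest()
def describe():  # 'describe' must not trip the ban
    return hashlib.sha256(b"x").hexdigest()
cipher = DES.new(key, DES.MODE_ECB)
legacy = hashlib.md5(b"")  # approved-exception: interop with an old checksum format
"""


if __name__ == "__main__":
    for line_no, rule in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: banned algorithm {rule}")
```

Run on the sample, the scanner reports the DES import on line 2, the MD5 call on line 4 and the DES construction on line 7, and stays silent on line 5 (a word that merely contains "des") and on line 8 (a use carrying the exception marker). Tying the exception marker to a tracked review is what separates a lint rule from a standard with an enforcement path.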

Product Definition
- Security requirements are expressed as early as the design and engineering specification phases
- Security requirements include requirements born from the Secure Coding Standards and product-specific requirements (such as those resulting from new security features)
- Established security criteria must be satisfied and reviewed at each step of the development and release process

Product Development
- Ongoing reviews to validate compliance with the Secure Coding Standards and previously documented security specifications
- Additional design reviews for security
- Extensive use of scanning and testing tools to give the development team ongoing feedback on the quality of the code produced
- Proactive security testing
- Destructive security testing

Ongoing Assurance
Security testing takes place throughout the useful life of the product.
- Pre-release security scanning and testing: automated and ad hoc tests throughout the development phase; compliance with the security release checklist is mandatory before release
- Post-release security activities: targeted security reviews to assess resistance to new and emerging threats or to validate the absence of vulnerabilities; submission of security flaws by customers and security researchers; ethical hacking (internal security assessment); updated secure configuration best practices published online
- Independent security evaluations: Common Criteria (ISO/IEC 15408), FIPS 140-2

Oracle Vulnerability Remediation Practices: Introduction
While our #1 priority is the prevention of security vulnerabilities in released code, Oracle has very mature security vulnerability remediation practices. Security patching is a "necessary evil" and the most public evidence of the ongoing assurance effort:
- Need to address vulnerabilities uncovered during the ongoing assurance effort
- Need to address vulnerabilities resulting from new attack methods or new use-case scenarios among our customers
- Need to address vulnerabilities reported by external security researchers
The Critical Patch Update program is designed to maintain the security posture of Oracle customers at the lowest possible cost to them.

Cultivating Security Community in Development (agenda section 4 of 4)

Cultivating Security Community in Development
Security is a strategic requirement defined by the Global Product Security organization:
- Brain trust for security topics and expertise
- Definition and enforcement of the Secure Coding Standards
- Security review in support of M&A activities
- Development and maintenance of core security modules
- Leadership of ongoing assurance activities
- Definition and delivery of security training programs (including remedial effort when required)
- Reports to the Chief Security Officer
Security at Oracle follows a mostly decentralized model, reflecting the differences between products and the development groups that produce them.

Security Assurance Within the Corporate Structure (org chart)
CEO: Larry Ellison
Chief Corporate Architect
Global Product Security: CSO
Global Information Security: VP Information Security
Global Physical Security: Sr. Director Physical Security
Corporate Security Architecture: Security Architect

Oracle's SPOC Community
- Global Product Security leads the community and provides consistent baselines for security processes and procedures for all Security Points Of Contact (SPOCs)
- The community is spread throughout all product development
- Provides a flexible model consistent with a variety of development styles
- Fosters innovation and captures lessons learned so other groups can use them

Delegated Security Model
Each product family has a senior-level Security Lead:
- Liaison to Global Product Security and to their senior development management for all security matters
- Leads a virtual team of Security Points of Contact (SPOCs) that represent security assurance for each component of the product family
SPOCs act as the tactical security resource for the product component:
- In-depth knowledge of the component leads to building security in at the lowest level
- Receive focused training in software security assurance
- Key role throughout the product lifecycle: participate in design reviews, document reviews, code reviews, bug triage, patching, etc.

SPOC Engagement in OSSA
The Security Points of Contact (SPOC) Community is central to all security assurance activities: security assurance training, ethical hacking, Secure Coding Standards, external certifications, secure configuration, security tools adoption, security alerts, security checklists, security reviews, security policies, core security modules, and customer feedback.

Security Points of Contact (SPOCs)
- Key role in baking security in; a flexible model that accommodates a variety of development styles
- Security experts within each product component team: a professional security resource in each product development team, with in-depth knowledge of the component(s) represented
- Receive focused training in security assurance
- Liaison between the Security Lead and Global Product Security
- Participate in design reviews, document reviews, code reviews, bug triage
- Responsible for, and report, the compliance status of each component in each major product release (Automated Security Checklist System)
- Security reviews with the Security Lead and Global Product Security

Responsibilities of the SPOC
- Apply licensed third-party code security updates to the component
- Read security alerts from partner vendors and act as necessary for the component
- Apply the latest Critical Patch Updates and security fixes for underlying Oracle components
- Monitor hacker exploits and news
- Ensure component security bugs are included in the next Critical Patch Update
- Know the publicly known security bugs in old releases of the component and verify that all are fixed in the current release
- Communicate all security news to the development team

The Ideal SPOC
- Avoids potential security vulnerabilities and the associated patching costs, for both Oracle and the customer
- Guards Oracle's reputation and sales against security issues
- Ensures that government and regulatory requirements in the security area are satisfied

Binding the Community Together
- SPOC identification "tag" in the corporate directory
- Monthly SPOC newsletter, read widely beyond the SPOC community
- Annual SPOC Summits with internal and external speakers
- Comprehensive, centralized Global Product Security wiki; a key component is the Secure Coding Practices
- SPOC web conferences on specific topics
- Internal Oracle social group for SPOCs; OraTweet for security-related questions

Community Membership is Growing
Not just Development SPOCs: QA SPOCs, architects, security feature developers, and other groups (IT organizations, consultants, SaaS staff).

Q&A