Build It Right; Build It Secure Tom Neff USAF Software Engineer & Process Improvement Specialist CERT Conference ‘99CERT Conference ‘99

CERT Conference ‘99 The Perfect Solution... 2

CERT Conference ‘99...How Secure Is It?... 3

CERT Conference ‘99...Absolutely Impenetrable!!!... 4

CERT Conference ‘99 We need to communicate with the world to do our jobs....The Problem... 5

CERT Conference ‘99...The Solution... 6

CERT Conference ‘99 …The BIGGER Problem... 7

CERT Conference ‘99...The REAL Solution. 8

CERT Conference ‘99 Let’s Cover... A quick review of a typical product development lifecycle Where are folks CURRENTLY implementing security procedures? Where SHOULD you implement security? What can you do to decrease your cost for IT security? How can you make your IT security program more effective? 9

CERT Conference ‘99 Typical Product Development Explore a concept Determine what the requirements are Turn the requirements into a valid design Convert the design into a viable product Put the product to daily use Perform maintenance as needed 10

CERT Conference ‘99 Where does security get implemented? Concept Exploration? Requirements? Design? Development? Operations? Maintenance? 11

CERT Conference ‘99 Maintenance Where currently MOST security is executed. Closing the door after the cows left. Many COTS products Cost 100x 12

CERT Conference ‘99 Operations (1/2) Where currently most security problems are identified. Found by... trial and error intrusion corrupt data problems 13

CERT Conference ‘99 Operations (2/2) Where currently most security problems are identified. Attacks occur here Problems trigger search for resolution Some attempt to be proactive Help from CERT/CC Cost 90x 14

CERT Conference ‘99 Development A good start Product inspections: invite security folks Consider Ada; advantages… Cost 50x 15

CERT Conference ‘99 Design A better start Design security INTO the product Have security folks assist with design Keep it flexible Cost 10x 16

CERT Conference ‘99 Requirements An even BETTER start Include security features in the requirements Defer any feature that may cause security problems Cost 2x 17

CERT Conference ‘99 Concept Exploration Best Place to Start Looking at Security!!! Think security from the very beginning Involve security in the whole process Cheapest cost to implement security: 1x 18

CERT Conference ‘99 *PC Computing’s Helpful Hints Operations: Hack your own site Use a port scanner to see what doors are open Download Rhino9’s Ogre 0.9b at *PC Computing magazine Sep 99 issue. 19

CERT Conference ‘99 *PC Computing’s Helpful Hints Development: Encrypt everything that leaves your control. If using Windows, will need 3rd party product. PC Computing recommends Network Associates’ McAfee PGP Personal Privacy Others include WinMagic’s SecureDoc and RSA Data Security’s SecurPC. Courtesy PC Computing magazine Sep 99 issue. ( 20

CERT Conference ‘99 *PC Computing’s Helpful Hints Design: “You need to get up to speed on... security issues now.” Useful sites: – security – 21 – – – –

CERT Conference ‘99 +Software Development’s Helpful Hints Requirements: Be aware of all vulnerabilities of your hardware, software, and comm. Useful tools: E-commerce: Linux: Mobile code: Software Development Magazine, Aug 99 issue Dynamic passwords: Black box: Net scanner: SW Dongle :

CERT Conference ‘99 Tom Neff’s Helpful Hints Concept Exploration: Attend CERT Conf ‘

CERT Conference ‘99 Tom Neff’s Helpful Hints Process is EVERYTHING! Climb the process improvement ladder Form a CERT & Red Team Register with CERT/CC Info Cons Remember superchicken 24

CERT Conference ‘99 Tom Neff’s Helpful Hints You can’t control what you can’t control Outsourcing is a double-edged sword –Gives you flexibility and possible savings –Gives others intimate access to your system (Gardner Group: Y2K) 25

CERT Conference ‘99 24 Final thoughts: READ (you can get a free subscription to almost any magazine. Use the web Think like a hacker, act like a CEO