
Security and the Systems Development Life Cycle

Presentation on theme: "Security and the Systems Development Life Cycle"— Presentation transcript:

1 Security and the Systems Development Life Cycle

2 Topics of discussion Why focus on security? Security background
Security defined Security components Usage guidelines Market place analysis

4 Why focus on security? A 2002 survey indicated that 92% of respondents had detected a security breach in the last 12 months, and 75% said security breaches resulted in financial loss. Security threats increased by 9% in 3Q03, and more serious incidents grew by 15%. The cost associated with security is increasing: January and February 2004 set record costs ($100B+). In 2002 the Computer Security Institute surveyed large businesses and government agencies regarding security breaches. Internet Security Systems (ISS) said security threats increased by 9% in the third quarter of 2003, and that more serious incidents grew by 15%. In the first two months of 2004, security threats cost well over $100 billion worldwide. Today the number of networked computers continues to grow, and so does the number of organizations connecting to the Internet for critical business needs. This trend has an enormous impact on security for both application users and application developers. Sources: Viack white paper, Internetnews, Washington Times

6 Security background Timeline: 1960s, 1970s, 1980s, 1990s, Today
Sources: Principles of Information Security

7 Security background 1960s: Systems built for a single user
It was the U.S. government that first started looking at computer security issues. The Department of Defense (DOD) started developing a project named ARPANET, the basis for today's Internet; it looked into networking to eliminate the transfer of magnetic tapes. Sources: Principles of Information Security

8 Security background 1970s: Distributed systems, but internal networks
Security flaws of ARPANET were identified. Rand Report R-609 provided a new security scope that included the security of data, limiting random and unauthorized access to data, and involvement of personnel from multiple levels of the organization. Sources: Principles of Information Security

9 Security background 1980s and 1990s: Systems networked to the Internet
Most computers were linked together. Security took form, but was still not a high priority. Most of today's security problems came from the lack of security as a major design requirement during the 1990s. Sources: Principles of Information Security

10 Security background Today: Systems networked to the Internet
Companies are making security a priority and allocating more dollars to it. Very costly security threats exist.

11 Security background Microsoft is the largest security player
Microsoft exceeds 94% of computer software market share. Most of the world's computers are therefore vulnerable to the same viruses and worms at the same time. Systems are complex, and one fix tends to create new flaws. Sources: CyberInsecurity Report

12 Security background Microsoft: what are they doing about security?
Third-party vendor participation in developing solutions and in improving the patch-management process, policies and technologies. Distributed security tools. Retrained 18,000 developers to better deal with security issues. Will spend $200 million to train all its developers in writing and reviewing secure code. Sources: Microsoft

14 Security defined Some definitions: “An end-to-end issue [that] involves operations systems, applications, and networking that requires technology and policy.” – Microsoft. “The protection of information and the systems and hardware that use, store, and transmit that information” – National Security Telecommunications and Information Systems Security Committee (NSTISSC)

15 Security defined Some definitions Information security in today’s enterprise is a “well-informed sense of assurance that the information risks and controls are in balance.” – Jim Anderson, Inovant

16 Security defined Security performs four functions
Protects the organization’s ability to function Enables the safe operation of applications implemented on the organization’s IT systems Protects the data the organization collects and uses Safeguards the technology assets in use at the organization Source: Principles of Information Security

18 Security components There are two perspectives when thinking of security: the application user and the application developer.

19 Security components Application user perspective
While the focus of this presentation is on the development perspective, it is important to understand the overall issue of security by briefly looking at it from an organizational or application user perspective. How will we protect our assets? How do we prepare for the next intrusion when we don't know what it looks like? How much money should we throw at security? What user procedures and practices do we have in place?

20 Security components Risk assessment Information is a company's most valuable asset. Organizations need to explore what type of information is at risk, find out how it is at risk, and determine what can be done to reasonably protect it.

21 Security components Risk assessment Security model
The y-axis of the chart – confidentiality, integrity, and availability – represents the critical characteristics of information. Confidentiality describes data that only those who are authorized can access. Integrity refers to an authentic state: the data has not been altered from its original state. Availability means a user can retrieve data when they want it and in the format they require. The x-axis refers to the state of the data: it can be stored, processed, or transmitted. The z-axis describes the ways in which an organization can address a security threat related to the data: policy, education or technology. The three dimensions of the model give 27 cells, each representing an area that must be evaluated in order to protect an organization's information. An example presented in the textbook, Principles of Information Security, is as follows: if you look at the intersection between the technology, integrity, and storage areas, you would expect to see a control or safeguard that indicates you have addressed the need to use technology to protect the integrity of information while it is in storage. It is the job of the security team to ensure that each cell of the model is evaluated and appropriately protected. NSTISSC states that “for each vulnerability discovered, the same model is used to determine appropriate security measures. It is important to note that a vulnerability may be left unsecured (at an awareness level in the third layer) if the designer or evaluator determines no threat to that vulnerability exists. Although no security practitioner should be satisfied with glaring vulnerabilities, a careful study of potential threats to the information may disclose that the cost of the security measure is more than the loss should the vulnerability be exploited.” Sources: Principles of Information Security, National Security Telecommunications and Information Systems Security Committee
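The 27-cell model above can be checked mechanically: map each control in a register onto its cell and list the cells nobody has evaluated. This is an added example, not code from the presentation or its sources; the control register and the accepted-risk cell are constructed sample data.

```python
"""Coverage check for the 3 x 3 x 3 security model (CIA x data state x countermeasure).

Added example, not from the presentation or the textbook it cites. The three
axes are the slide's own; the control register below is constructed data.
"""
from itertools import product

CHARACTERISTICS = ("confidentiality", "integrity", "availability")   # y-axis
STATES = ("storage", "processing", "transmission")                   # x-axis
COUNTERMEASURES = ("policy", "education", "technology")              # z-axis

# Every cell of the model: 3 x 3 x 3 = 27 combinations the security team must evaluate.
ALL_CELLS = frozenset(product(CHARACTERISTICS, STATES, COUNTERMEASURES))


def validate_cell(cell):
    """Reject register entries that are not a valid (characteristic, state, countermeasure) triple."""
    if cell not in ALL_CELLS:
        raise ValueError(f"not a cell of the model: {cell}")
    return cell


def coverage_report(controls, accepted_risks=()):
    """Map each register entry onto its cell and report what is still unevaluated.

    controls: iterable of (characteristic, state, countermeasure, control_name).
    accepted_risks: cells deliberately left at an awareness level because the
    evaluator found no threat (the NSTISSC caveat quoted above). They count as
    evaluated but are reported separately so the decision stays visible.
    Returns {'covered': {cell: [names]}, 'accepted': set, 'gaps': set}.
    """
    covered = {}
    for characteristic, state, countermeasure, name in controls:
        cell = validate_cell((characteristic, state, countermeasure))
        covered.setdefault(cell, []).append(name)
    accepted = {validate_cell(c) for c in accepted_risks}
    gaps = ALL_CELLS - set(covered) - accepted
    return {"covered": covered, "accepted": accepted, "gaps": gaps}


# Constructed sample register. The first entry is the textbook's own example:
# technology used to protect the integrity of information while in storage.
SAMPLE_CONTROLS = [
    ("integrity", "storage", "technology", "file integrity monitoring on servers"),
    ("confidentiality", "transmission", "technology", "SSL for customer data in transit"),
    ("confidentiality", "storage", "policy", "data classification and handling policy"),
    ("availability", "processing", "technology", "clustered application servers"),
    ("integrity", "processing", "education", "developer training on input validation"),
]
# Constructed example of a cell consciously left at the awareness level.
SAMPLE_ACCEPTED = [("availability", "transmission", "education")]


def main():
    report = coverage_report(SAMPLE_CONTROLS, SAMPLE_ACCEPTED)
    print(f"{len(report['covered'])} of {len(ALL_CELLS)} cells have a control")
    print(f"{len(report['accepted'])} cell(s) left at awareness level after threat review")
    print(f"{len(report['gaps'])} cells still unevaluated:")
    for cell in sorted(report["gaps"]):
        print("  ", " / ".join(cell))


if __name__ == "__main__":
    main()
```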

22 Security components Principles of risk management
The U.S. General Accounting Office adopted these five principles for risk management: assess risks and determine needs; establish a central management focus on risks and security; implement appropriate policies and related controls; promote awareness; and monitor and evaluate policy and control effectiveness. Sources: Cisco Systems white paper

23 Security components Security strategies: authentication, data transfer, data storage, authorization, policies, facilities
Authentication verifies the identity of the person with whom you are communicating; user names and passwords are the first layer of security. Data transfer: Secure Sockets Layer (SSL) is often used to protect data as it is being transferred (e.g., credit card information). SSL is a protocol that enables secure communications on the Internet. Data storage: having an end-to-end encryption mechanism in place best protects data stored on the server. Policies: the organization must put in place policies that users must follow in order to protect company information. Sources: Viack Corporation white paper

24 Security components Application developer perspective
While users generally focus on protecting themselves, developers typically focus on prevention. One way to reduce security threats is to develop a more secure application.

25 Security components Security Systems Development Life Cycle (SecSDLC)
The National Institute of Standards and Technology (NIST) defines the following five phases of the Systems Development Life Cycle: Phase 1: Initiation; Phase 2: Acquisition; Phase 3: Implementation; Phase 4: Maintenance; Phase 5: Disposition. For the purposes of this presentation, we use NIST's phases of the systems development life cycle when we discuss SecSDLC and how it fits into the SDLC. Sources: NIST Special Publication

26 Security components Steps unique to SecSDLC by Phase
SecSDLC shares many steps with the typical SDLC; however, there are steps that are unique to SecSDLC. The Principles of Information Security text identifies these steps, which we have categorized according to NIST's SDLC phases. Phase 1: Initiation. Management defines project processes and goals and documents these in the program security plan. Sources: Principles of Information Security

27 Security components Steps unique to SecSDLC by Phase
Phase 2: Acquisition/Development (analysis and design) Analyze existing security policies and programs Analyze current threats and controls Examine legal issues Perform risk analysis Develop security blueprint Plan incident response actions Plan business response to disasters Sources: Principles of Information Security

28 Security components Steps unique to SecSDLC by Phase
Phase 2: Acquisition/Development (analysis and design), continued. Determine the feasibility of continuing or outsourcing the project. Select the technologies needed to support the security blueprint. Develop a definition of a successful solution. Design physical security measures to support the technological solutions. Review and approve the project. Sources: Principles of Information Security

29 Security components Steps unique to SecSDLC by Phase
Phase 3: Implementation. Buy or develop security solutions. Security control integration. At the end of the phase, present the tested package to management for approval. Sources: Principles of Information Security

30 Security components Steps unique to SecSDLC by Phase
Phase 4: Operations/Maintenance. Consistently monitor, test, modify, update, and repair to meet changing threats. Configuration management and control. Phase 5: Disposition: N/A. Sources: Principles of Information Security

31 Security components NIST security considerations Phase 1: Initiation
Security categorization. Preliminary risk assessment. To understand security and application development even better, the following are NIST's security considerations, or steps, for each phase of the SDLC. Security categorization identifies and classifies information using a rating system; it allows an organization to identify and prioritize what information is important to the business. Preliminary risk assessment: organizations assess information in terms of integrity, availability, and confidentiality. Possible vulnerabilities are identified. A preliminary set of controls to prevent such risks from occurring is also identified during this step. Sources: NIST Special Publication

32 Security components NIST security considerations
Phase 2: Acquisition/Development (analysis and design) Risk assessment Security functional requirements analysis Security assurance requirements analysis Cost considerations and reporting Security plan Security control development Developmental security test and evaluation Risk assessment - This step is similar to the preliminary risk assessment but it is more detailed and formalized. Determines the organization’s security focus on particularly risky areas Security functional requirements analysis - Attention to laws and regulations also happens during this step Security assurance requirements analysis - This analysis is to make sure that there is an assurance that the information security will work as intended Cost considerations and reporting - project management can determine how much of the initial project budget is being spent on security during the SDLC Security plan - Developing the security plan means writing documentation about the security controls. The plan also includes the description of the project, as well as information supporting the security program Security control development - It makes sure that the controls are designed, developed and implemented Developmental security test and evaluation - Security testing and evaluation should be conducted before the deployment of the system to ensure security controls are effective Sources: NIST Special Publication

33 Security components NIST security considerations
Phase 3: Implementation. Inspection and acceptance. Security control integration. Inspection and acceptance verifies that all the functionality described above is present in the final system. Security control integration: once the site is implemented, the integration and acceptance tests begin. Sources: NIST Special Publication

34 Security components NIST security considerations
Phase 4: Operations/Maintenance. Configuration management and control. Continuous monitoring. Configuration management and control ensures that any changes to the software, hardware, or firmware are documented, so that security is not impacted by the change or, if it is, the security controls can be updated as well. Continuous monitoring: the controls that are in place should be monitored and tested often to ensure that everything is working correctly. Sources: NIST Special Publication

35 Security components NIST security considerations Phase 5: Disposition
Information should be retained. Media should be sanitized. Disposal of the hardware and software. Information should be retained: data from the current project should be kept because it might be useful for the creation of another security system. Media should be sanitized: all data should be disposed of, deleted, and overwritten so that no one can recover and use it. Disposal of the hardware and software: when it is time to dispose of the hardware and software, the security officer should ensure their proper disposal. Sources: NIST Special Publication

36 Security components Cisco security considerations
Finally, Cisco believes management should perform these steps when addressing security: an individual or work group should be designated to take the lead role in the information systems (IS) security process; IS security policies should be established and documented; an assessment of needs and weaknesses should be initiated; awareness should be increased through employee training; and the effectiveness of security measures should be monitored and evaluated continuously. Sources: Cisco white paper

37 Security components RUP / Agile methods: use case development, requirements, prototyping, coding, testing, securing the production environment
Use case development. Use cases should include security models. For example, authorization is a form of application security that can be modeled as a process. In addition, the use case should explain what the system should do in the event that the user is not authenticated. Beyond modeling the security processes, business rules should further define application security; a password timeout or expiration would be an example of a business rule. Each use case should answer the question, “What process ensures that corporate assets and customer information are secure?” Requirements. Technical requirements define the features of the system that are not user defined and include server configuration, capacity, performance, scalability, and security. They should include security-related requirements. Some examples: the session should time out after 10 minutes of inactivity, requiring the user to log back into the application; all incoming data must be validated for proper format before being processed by the system; only port 80 will be left open on production web servers. Prototyping. Prototyping is a key element in the RUP and Agile methods for building a system. Many times a prototype is put directly into production without security properly in place. Organizations should implement controls to ensure a prototype is not made ‘live’ unless it meets a minimum set of requirements, including that the system is secure. Coding.
To benefit from more secure applications, development teams should practice secure coding, such as: never trust incoming data to the system, and apply checks to this data; never rely on the client to store sensitive data, no matter how trivial; error messages must be generic to the user but documented for support purposes; utilize object inheritance, encapsulation, and polymorphism wherever possible; use environment variables prudently and always check boundaries and buffers. Testing. It is critical to include security in the testing plan. All security measures should be documented in the test plan so that the quality assurance people can make a note to test them. Having security built into the test plan ensures that the system is going to perform as intended, and that the security protections in place act as they are intended to. Securing the production environment. During this part of the security process, some security practices should be in place, including a backup recovery plan, limited access to the server, disabling certain web ports, applying necessary patches, and the removal of old files with old file extensions on any web server made public. These items should be frequently reviewed to make sure that they are being followed. Sources: SPI Dynamics white paper
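The slide's sample requirements and coding practices can be written as server-side code that a test plan can exercise: a 10-minute inactivity timeout kept on the server rather than the client, format validation of incoming data before it is processed, and error messages that are generic to the user but detailed in the support log. This is an added example, not code from the presentation or the SPI Dynamics paper it cites; the session store, the order-id format and the request handler are hypothetical.

```python
"""Checkable versions of three requirements from the slide. Added example;
the session store, order-id format and handler are hypothetical constructs."""
import logging
import re
import uuid
from datetime import datetime, timedelta

log = logging.getLogger("support")  # detailed diagnostics go here, never to the user

INACTIVITY_LIMIT = timedelta(minutes=10)      # "time out after 10 minutes of inactivity"
ORDER_ID_RE = re.compile(r"^[A-Z]{2}-\d{6}$")  # constructed format for the validated field


class ManualClock:
    """Constructed clock so the timeout can be exercised without waiting."""

    def __init__(self, start=datetime(2004, 1, 1, 9, 0)):
        self.now = start

    def advance(self, minutes):
        self.now += timedelta(minutes=minutes)

    def __call__(self):
        return self.now


class SessionStore:
    """Server-side session state; the client only holds an opaque token.

    Keeping the user identity and last-activity time on the server is how the
    'never rely on the client to store sensitive data' rule is met."""

    def __init__(self, clock=datetime.utcnow):
        self._clock = clock
        self._sessions = {}  # token -> {"user": ..., "last_seen": datetime}

    def login(self, user):
        token = uuid.uuid4().hex
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def touch(self, token):
        """Return the user for a live session, or None if unknown or timed out.

        A timed-out session is dropped so the user must log back in."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > INACTIVITY_LIMIT:
            del self._sessions[token]
            log.info("session %s expired for user %s", token[:8], sess["user"])
            return None
        sess["last_seen"] = now
        return sess["user"]


def validate_order_id(raw):
    """'All incoming data must be validated for proper format before being processed.'"""
    if not isinstance(raw, str) or not ORDER_ID_RE.match(raw):
        raise ValueError(f"order id has invalid format: {raw!r}")
    return raw


def handle_request(store, token, order_id):
    """Process one request; returns (status, message shown to the user)."""
    user = store.touch(token)
    if user is None:
        return 401, "Please log in to continue."
    try:
        validated = validate_order_id(order_id)
    except ValueError as exc:
        # Generic to the user, specific in the support log.
        log.warning("user %s sent bad input: %s", user, exc)
        return 400, "The request could not be processed."
    return 200, f"Order {validated} accepted for {user}."


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    clock = ManualClock()
    store = SessionStore(clock)
    token = store.login("alice")
    print(handle_request(store, token, "AB-123456"))  # accepted
    print(handle_request(store, token, "ab-12"))      # generic 400, details logged
    clock.advance(minutes=11)
    print(handle_request(store, token, "AB-123456"))  # 401: session timed out
```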

38 Security components Some key roles in security
Chief Information Officer; Contracting Officer; Information Security Program Manager; Information Systems Security Officer; Program Manager / Acquisition Initiator / Program Official; Privacy Officer; Legal Advisor / Contract Attorney. The CIO's main responsibility is to plan and budget for technology projects within the organization. They steer the project's technology use as well as the reasons for the need for the system. The Contracting Officer is the person who has the authority to enter into, administer, and/or terminate contracts and make related determinations and findings. The Information Security Program Manager is mainly responsible for developing standards to be used in systems development and for implementing structured methodologies in the SDLC. Their security roles include the identification and evaluation of the system to minimize information security risks within the company; they are also in charge of performing risk analyses and building a case for acquiring appropriate security solutions to combat the risks. The Information Systems Security Officer is responsible for ensuring the security of an information system throughout its life cycle. The Program Manager oversees the programming side of the SDLC; this person plays an essential role in security and is aware of the functional requirements of the system. The Privacy Officer is responsible for ensuring that the services or system being procured meet existing privacy policies regarding protection, dissemination (information sharing and exchange) and information disclosure. The Legal Advisor is responsible for advising the team on legal issues during the acquisition process. Sources: NIST Special Publication

39 Security components Benefits Information assets are protected
Making security a process means it can be improved over time and shared amongst development teams Improves security of application, possibly increasing market share Improves quality of application

41 Usage guidelines When to use/when to avoid
Any business that has applications linked to Internet must incorporate security measures Degree of protection depends on value of information assets and likelihood of threat being realized

42 Usage guidelines Economic impact
Worldwide economic impact of security threats, by year ($US billions):

Year   $US billions
1995     0.5
1996     1.8
1997     3.3
1998     6.1
1999    12.1
2000    17.1
2001    13.2
2004   115

The table indicates a growing trend of increased economic impact due to external security threats such as worms, viruses and Trojans. In addition, the Business Roundtable – a trade group for executives of 150 of America's largest corporations – estimates that banks and savings institutions alone pay about $1 billion a year as a result of attacks by viruses and worms. Clearly, the high cost for organizations to protect themselves and the cost of damage stemming from breaches are evidence that attention must be paid to information security. Sources: Cisco Systems white paper

43 Usage guidelines Implementation success factors
Users are aware of policies and use them. Management continuously evaluates and updates the security plan. The organization stays up to date on security topics. Sources: Cisco Systems white paper

44 Usage guidelines Implementation challenges
Companies can never really be prepared when they don't know what the next threat looks like or where it is coming from. There is no real science or concrete solution to address threats: each application is different, each threat is different, each business is different. Sources: Cisco Systems white paper

46 Usage guidelines Key players Computer Associates IBM Symantec
Microsoft Global Council of CSOs Black Hat Inc. Computer Associates – top revenue earner in security products and has broadest range of security products of any vendor IBM – one of two organizations offering a comprehensive framework for enterprise security Symantec – provides up-to-date information about current threats and security responses as well as provides downloads to fix virus- and worm-related vulnerabilities Microsoft – software products and services have upwards of 90% of market. Continue to invest money, people, and training to help secure their products. Have several ongoing security initiatives in place Global Council of CSOs – the council is made up of senior high-tech security executives from major corporations such as eBay, Motorola, MCI, Microsoft, Citigroup, and Bank of America. The 10 members will form a think tank focused on encouraging dialogue between the members, as well as between the corporate sector and government agencies Black Hat Inc. - founded in 1997 by Jeff Moss to fill the need for computer security professionals to better understand the security risks and potential threats to their information infrastructures and computer systems. Black Hat Inc. produces 5 briefing & training events a year on 3 different continents. Speakers and attendees travel from all over the world to meet and share in the latest advances in computer security

47 Usage guidelines Market data / analysis
Information Security's research partner TheInfoPro has generated a financial look at what organizations are spending on security. The company surveyed 175 Fortune 1000 companies, and some of the results follow. Most are spending as much or more on security this year. Sources: Infosecuritymag

48 Usage guidelines Market data / analysis Sources: Infosecuritymag

49 Usage guidelines Market data / analysis Sources: Infosecuritymag

50 Usage guidelines Market data / analysis
Perimeter spending includes things like firewalls and anti-spam software. Infrastructure includes new identity and access management tools. Security management spending focuses on vulnerability management products and practices, including assessment scanning and configuration management. Sources: Infosecuritymag

51 Usage guidelines Market data / analysis Offshoring

52 Usage guidelines Offshoring – mitigating risks
Today a major security concern for companies relates to the growing trend of offshoring work. More and more companies are sending development work offshore to foreign companies, and other organizations are offshoring work processes and job functions. All offshoring creates additional security risks. According to neoIT research, some ways to help mitigate security risks associated with offshoring include: understand security trends and best practices in the industry; identify risks; ensure continuous and up-to-date training programs; provide a point of escalation for global incident response; and culture compatibility, i.e., understand the country to which you are offshoring. Sources: neoIT

53 Usage guidelines Offshoring – mitigating risks (cont.)
Ask for Information Protection and network security document – IPR Policy, disaster recovery and business continuity plans, etc. Research to determine if the supplier adheres to the International Security and Data Privacy Standards Sources: neoIT

54 Conclusions Security is an ever-changing, never-ending process
All users must now take an active role in assuring security Threats are becoming more widespread and their financial costs are increasing
