
1 Herbert Thompson, Ph.D., CISSP, Chief Security Strategist, People Security: Software Security

2 A Basic Fault Model (diagram: two overlapping regions, Intended Behavior and Actual Behavior. Traditional Bugs lie in the intended behavior that was never implemented; Most Security Bugs lie in the actual behavior that was never intended.)

3 Software Security Perfect Storm?

4 Technology is changing…
- The way software communicates is changing: web services, AJAX, VoIP, …
- The complexity of software and of software communications is outpacing advances in IT security
- Network defenses cover a shrinking portion of the attack surface
- Instead of good guys vs. bad guys, it is now about enabling partial trust at the application layer: extranets, partner access, customer access, identity management, …
- Instead of internal or external, midternal** attacks offer the greatest risk…
**Midternal attacks: http://blogs.csoonline.com/not_external_or_internal_midternal_attackers_are_today_s_biggest_threat

5 Compliance and Consequences are Changing
- Wave of regulations, guidelines, standards, …: SOX, GLBA, HIPAA, PCI DSS, Basel II, …
- Audits create an “impending event” and change the risk economics: hackers may attack you, but auditors will show up
- Consequences of failure have increased: waves of disclosure legislation

6 The Attacker is Changing
- We are seeing the rise of organized attacker groups
- An entire underground economy has been created: a meeting place for buyers and sellers
- Trading: vulnerabilities, botnets, credit card numbers, PII, …
- Exchange of “value” in non-sovereign currency, and anonymously
- Ability to outsource technical malevolence

7 Baking Security In: The Practicalities
Implementation – key characteristics:
- Lightweight – security practices need to improve security yet strike a balance between timeliness, resources, and investment
- Awareness – individuals who play a role in the SDLC need to understand the importance of security and what the fundamental goals of the business's security efforts are
- Buy-in – upper management needs to support security programs, which usually means showing how these activities mitigate business risk
Measurement (consistency):
- Gates represent minimal criteria that the software must adhere to
- Need to establish a security metrics structure that gels with existing quality metrics

8 Requirements
Gathering customer security requirements and weaving them into product requirements
Activities:
- Gather market segment projections for the product (who are we selling to?)
- For internal products: what are our existing internal security policies?
- Gather legislation, standards, regulations, etc. specific to each market segment (compliance check)
- Translate these standards into positive, testable, measurable security requirements
- Gather intelligence on the security features/claims of competing products
- Outline negative security requirements
Gates:
- Sync-check between customer security needs and product requirements

9 Design
Thinking about abuse and following secure design principles (more on this in a minute)
Activities:
- Establish design baselines for security (cryptography, external packages, languages, etc.)
- Baselines are guided by security requirements and corporate standards (compatibility with SSO, integration with security frameworks, etc.)
- Designers to be educated on key security design principles (least privilege, compartmentalization, etc.)
- Ensure that all 3rd-party/external components selected meet security requirements
- Design with update in mind
Gates:
- Checklist of security requirements and security design goals vs. implementation
- Gap analysis

10 Development
Baking security into development is primarily about security awareness
Activities:
- Training: educate developers on how to think about security, insecurity and abuse
- Perform secure code reviews on critical components
- Develop a secure coding baseline
- Tools: source code scanning, …
Gates:
- Unit testing (requirements driven)
- Code scanning (to assure adherence to coding policy – e.g. no strcpy)

11 Testing
Security testing is about thinking like the bad guy and understanding abuse as well as use
Activities:
- Security testing techniques – the 19 “attacks” from How to Break Software Security (Addison-Wesley, 2003)
- Develop abuse cases
- Fuzz-testing
- Awareness training for testers
Gates:
- Pass battery of abuse case testing
- Test against technical and business model threats
- Fuzz tests no longer yielding results
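The Development gate above (code to a secure coding baseline, no unbounded copies such as strcpy) and the Testing activities and gate (abuse cases, fuzz-testing, "fuzz tests no longer yielding results") in working C, as an added example that is not part of the presentation. The "name=<value>" parser, its fixed version, the benign seed message, the mutation fuzzer and the guard-byte oracle are all constructed for this example; the off-by-one in parse_name_bug is deliberate so that the harness has something to find.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parser under test (constructed for this example): reads "name=<value>" and
 * copies the value into a FIELD_LEN-byte field. Written the way the coding
 * policy forbids: the bound check is off by one, so a 16-byte value passes the
 * check and the terminating NUL is written to out[FIELD_LEN]. */
#define FIELD_LEN 16
typedef int (*parser_fn)(const char *msg, size_t len, char *out);

int parse_name_bug(const char *msg, size_t len, char *out) {
    const char *eq = memchr(msg, '=', len);
    if (eq == NULL) return -1;
    size_t vlen = len - (size_t)(eq - msg) - 1;
    if (vlen > FIELD_LEN) return -1;        /* BUG: should be >= FIELD_LEN */
    memcpy(out, eq + 1, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Same parser written to the secure coding baseline: the length check leaves
 * room for the terminator, and an oversized value is rejected rather than
 * silently truncated. */
int parse_name_fixed(const char *msg, size_t len, char *out) {
    const char *eq = memchr(msg, '=', len);
    if (eq == NULL) return -1;
    size_t vlen = len - (size_t)(eq - msg) - 1;
    if (vlen >= FIELD_LEN) return -1;       /* value plus NUL must fit */
    memcpy(out, eq + 1, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Oracle: run one input against a parser with guard bytes placed after the
 * field; return 1 if the parser wrote past FIELD_LEN, else 0. The buffer is
 * FIELD_LEN + GUARD bytes, so even the buggy write stays inside it. */
#define GUARD 8
#define CANARY 0xA5
int run_one(parser_fn parse, const uint8_t *in, size_t len) {
    uint8_t buf[FIELD_LEN + GUARD];
    memset(buf, CANARY, sizeof buf);
    parse((const char *)in, len, (char *)buf);
    for (size_t i = FIELD_LEN; i < sizeof buf; i++)
        if (buf[i] != CANARY) return 1;
    return 0;
}

/* Small deterministic PRNG (LCG) so a campaign is reproducible from its seed. */
static uint32_t rng_state;
static uint32_t rnd(void) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 8;
}

/* One mutation on the working buffer: flip a bit, truncate, or insert a
 * random byte. Returns the new length. */
static size_t mutate(uint8_t *buf, size_t n, size_t cap) {
    switch (rnd() % 3) {
    case 0: if (n > 0) buf[rnd() % n] ^= (uint8_t)(1u << (rnd() % 8)); break;
    case 1: if (n > 0) n = rnd() % n; break;
    case 2:
        if (n < cap) {
            size_t pos = rnd() % (n + 1);
            memmove(buf + pos + 1, buf + pos, n - pos);
            buf[pos] = (uint8_t)rnd();
            n++;
        }
        break;
    }
    return n;
}

/* Mutation-based fuzz campaign from a benign seed message. Returns how many
 * iterations made the parser write past the field; the gate "fuzz tests no
 * longer yielding results" is this count staying at zero. */
#define MAX_INPUT 64
unsigned fuzz_campaign(parser_fn parse, const char *seed, unsigned iterations,
                       uint32_t rng_seed) {
    uint8_t buf[MAX_INPUT];
    size_t seed_len = strlen(seed);
    unsigned findings = 0;
    rng_state = rng_seed;
    if (seed_len > MAX_INPUT) seed_len = MAX_INPUT;
    for (unsigned i = 0; i < iterations; i++) {
        memcpy(buf, seed, seed_len);
        size_t n = seed_len;
        unsigned rounds = 1 + rnd() % 4;   /* stack 1-4 mutations per input */
        for (unsigned r = 0; r < rounds; r++) n = mutate(buf, n, MAX_INPUT);
        findings += (unsigned)run_one(parse, buf, n);
    }
    return findings;
}

int main(void) {
    const char *seed = "name=www.example.com";   /* constructed benign seed, 15-byte value */
    printf("buggy parser: %u findings\n", fuzz_campaign(parse_name_bug, seed, 5000, 1));
    printf("fixed parser: %u findings\n", fuzz_campaign(parse_name_fixed, seed, 5000, 1));
    return 0;
}
```

The guard bytes stand in for the memory sanitizer a real campaign would run under; the abuse case a tester writes by hand for the same bug is the boundary message with a value of exactly FIELD_LEN bytes, and a benign seed one byte short of that boundary is enough for the mutator to find it.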


13 Deployment
Ensure that customers and operations can deploy our systems securely, that they are secure by default, and that they gel with likely environments
Activities:
- Develop a secure deployment guide
- Document “security assumptions”
- Produce/deploy updates in a way that meets customer requirements: cost of deployment, timeliness, secure patching
- Learn from mistakes (feedback into process)

14 Summary
- Most of today’s software development processes don’t create secure software
- Secure software requires process improvement
- Secure software requires executive commitment
- Secure software requires everyone in the SDLC to think about abuse as well as use

15 Putting it all together: Where to turn next…
Valuable resources:
- www.searchappsecurity.com – a great repository of application security articles, tips, techniques, news and interviews.
- http://blogs.csoonline.com/blog/hugh_thompson – my blog on CSO’s site. Focuses on security risks as well as security in development.
- www.securityfocus.com/bugtraq – arguably the source for new vulnerabilities discovered in software
- www.appsic.org – consortium dedicated to security metrics and security ROI. Great resource for understanding security ROI
- msdn.microsoft.com/security/sdl – Microsoft's security process site
Some GREAT (bias warning: some are mine) books on software security:

16 Questions?
Presented by: Herbert H. Thompson, Ph.D.
hugh@hughthompson.com
Blog: http://blogs.csoonline.com/blog/hugh_thompson
Tel: +1 321 795 4531
