Post on 10-Aug-2020
Framework Solution for Life Cycle Security
Bar Biszick-Lockwood, cisa, cissp, csqaIT Quality and Security Assurance
barbis@qualityit.net
http://www.securityprocessprofessional.com
2
Agenda
IEEE P1074 StandardBusiness Justification for different approachISO 15408 as guideLife Cycle Security Process Framework modelKey additions to the Life CycleQ&A
© Copyright Bar Biszick-Lockwood/QualityIT Redmond, WA 2003 All Rights Reserved.
3
The Standard
IEEE P1074STANDARD FOR DEVELOPING A
SOFTWARE PROJECT LIFE CYCLE PROCESS
4
IEEE P1074
“Chinese menu”Large Trace-ability matrix of activitiesNearly closed systemAssumes no model, process or sequenceEncompasses entire software lifecycle from conception to retirementSupports projects engaged in any part of a software lifecycle process
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
5
Structure of the Standard
5 Activity Groups
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
6
Organization
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
7
Implementation Strategy
Evaluate scope of project Chose a software development methodology model (ie. waterfall, spiral, “V” etc)Consult the standard and populate the Activities to the chosen model
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
8
V” model example
Business Needs
Design System
Integration Test
System Test
Acceptance Test
Code System
Unit Test
Define Requirements
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
9
Originating Activity
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
10
Receiving Activity
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
11
Standards revision problem
Has the business and technology environment change enough as to warrant increased attention to security in a general engineering process standard?
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
IEEE Standards
13
Increase in security standards
14
Overall IEEE constituent activities
15
IEEE P1074ISA Team Conclusion
Efforts that do not treat security as an integral part of systems engineering and architecture fail to provide security
It no longer makes any business sense to spend any money, apply any resources and proceed with any software development project unless corporate assets and private customer data will be sufficiently secure
Source: http://www.qualityit.net/Resources/WhitePapers/JustificationForElevatingTheVisibilityAndPriorityOfSecurityActivitiesInTheRevisedIEEEP1074Standard.pdf
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
16
Validating the benefit
Evidence warrants increasing the visibility and priority of security activities in the software life cycle process.
How much attention should it get?What’s the practical value?What is the benefit relative to other security improvement approaches?
17
Overview of Security Approacheslast 20 years
Firewalls, IDS
Security Awareness
Detection and Response
Secure codingeducation
(current focus)
Effectiveness decreasing, doesn’t address insider threat
Doesn’t stop dishonest/disgruntled employees
Viruses too fast to detect and contain
Deflects attention from the root cause of the problem
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
18
SANS Top Vulnerabilities Q1 2005
Microsoft ProductsWindows License Logging Service Overflow (MS05-010) Microsoft Server Message Block(SMB) Vulnerability (MS05-011) Internet Explorer Vulnerabilities (MS05-014 and MS05-008) Microsoft HTML Help ActiveX Control Vulnerability (MS05-001) Microsoft DHTML Edit ActiveX Remote Code Execution (MS05-013) Microsoft Cursor and Icon Handling Overflow (MS05-002) Microsoft PNG File Processing Vulnerabilities (MS05-009) Computer Associates License Manager Buffer Overflows DNS Cache Poisoning VulnerabilityMultiple Antivirus Products Buffer Overflow VulnerabilitiesOracle Critical Patch UpdateMultiple Media Player Buffer Overflows (RealPlayer, Winamp and iTunes)
19
Secure Coding Practices7. Bound and mask input fields8. Limit inputs to buffers9. Apply rigorous error
handling10. Release threads11. Clear temp data/objects12. Remove unnecessary code13. Log and audit appropriately
1. Enforce security policy consistently
2. Operate with least privilege
3. Manage sensitive data4. Require strong
passwords5. Protect the kernel6. Fail safely
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
20
Microsoft’s Secure Development Life Cycle (SDL)
21
SDL Vendor Value
22
FUNCTIONALITY
Does what it’s supposed to do
Recovers successfullyErrors helpful in recovery
Applications get resources needed
Assures high availability
SECURITY
Does ONLY what it’s supposed to doFails securelyErrors don’t provide clues to technology
Applications never exceed range of resources needed
Makes sure anyone who doesn’t need to know doesn’t have the means, motive or opportunity to do so
Shifting to Security Mindset
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
23
Root cause of failure
Time and money
(Requirements Prioritization)
which is a life cycle issue outside the hands of developers
24
Developing secure software requires a fundamental shift in perspective, not just by
developers, but by the entire organization.
Why is this so hard?
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
25
What We Lack
“Wide angle view” of organizational risk and responsibility as it relates to technology security
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
27
IEEE P1074Revision Revelations
Security is a cross-disciplinary organizational risk problemWe can use organizational risk methods to help prioritize securityWe can use the project life cycle as the pivot point for effecting incremental organizational change
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
28
1074 Revision Recommendations
1. Determine Security Objectives during Envisioning (preferably before project approval for work)
2. Make PMs accountable for assuring the priority of security on the project
3. Execute mandatory Threat Modeling before finalizing design
4. Establish a final Accreditation gate
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
29
ISO 15408 “Common Criteria”
Common Criteria for Information Technology Security Evaluation
International standard used to rate trustworthiness of productsUsed by vendors to certify their productsUsed by consumers to compare product securityCan be used to guide development of products to a known trust level
30
Common Criteria Validated Products
Citrix MetaFrame XP Presentation Server with Feature Release 3—EAL2Check Point VPN-1/FireWall-1© NG –EAL4IBM WebSphere Application Server V5.0.2.8 EAL2+Oracle7 Release 7.2.2.4.13 –EAL4Cisco IPSec Crypto System –EAL4Red Hat Enterprise Linux AS, Version 3 Update 3 –EAL3+Windows 2000 Professional, Server, and Advanced Server with SP3 and Q326886 –EAL4+
31
Protection Profiles (PP)
Controlled Access Protection Profile--EAL3Firewall with strict requirements –EAL5+Labeled Security Protection Profile—EAL3Role-Based Access Control Protection Profile –EAL2+Trusted Computing Platform Alliance Trusted Platform Module PP—EAL3+Smartcard Integrated Circuit Protection Profile—EAL4+
32
SECURITY
Security Objectives
Compliance & Standards
Security Assessment
Documentation
ISO 15408 Common Criteria “glue”
+Vision Revision
PRODPenTestingSupport
SDLC
Requirements
ConstructionTesting
Arch. / Design
Planningand controls
Acceptance & Release
Common Criteria
Accreditation(Sign Off)
Protection Profiles /EAL Criteria
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
SecurityProfile
Security Target (initial)
33
Hackers (internal & external)
Administrators (executive & tactical)
Physical Environment
Application/System Developers
System Hardware & Software
CC Threat Roles
Authorized User
T
H
R
E
A
T
S
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
34
ISO 15408 Common Criteria Threat Categories
Administrative error of commissionAdministrative error of omissionAdministrative hostile modificationAdministrator privacy policy violationAuthorization abuseComponent failureData smugglingDenial of receipt Denial of sendDenial of service AttackDistributed system component failureEavesdroppingEncryption hackingError invoked breach of confidentialityError invoked data inaccessibilityError related breach of data integrity
Error related breach of trusted security function
Faulty CodeHacker undetected accessIdentify spoofing (masquerading)Malicious code attacksMan in the middle attacks
(intercept and modification)Misuse of available resourcesNon-repudiation controls
circumventionPhysical system attacks, profiling
and transmission attacksPower supply attacksSocial engineeringUnauthorized modificationUser transmission abuses
35
ISO 15408 Common Criteria Threat Categories
Administrative error of commissionAdministrative error of omissionAdministrative hostile modificationAdministrator privacy policy violationAuthorization abuseComponent failureData smugglingDenial of receipt Denial of sendDenial of service AttackDistributed system component failureEavesdroppingEncryption hackingError invoked breach of confidentialityError invoked data inaccessibilityError related breach of data integrity
Error related breach of trusted security function
Faulty CodeHacker undetected accessIdentify spoofing (masquerading)Malicious code attacksMan in the middle attacks
(intercept and modification)Misuse of available resourcesNon-repudiation controls
circumventionPhysical system attacks, profiling
and transmission attacksPower supply attacksSocial engineeringUnauthorized modificationUser transmission abuses
36
Secure Life Cycle Framework
Security Objectives
Security Accreditation
Security Project Controls
Acceptance and Release
Security Target(initial)
CC –PP/EAL criteria orAcceptability Criteria
Application Architecture
Mandatory Threat Modeling
Security Target(final)
Security Profile
CompareCompare
© Bar Biszick/QualityIT Redmond, WA 2003
37
Inputs to Security Objectives
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
38
Influence of Security Objectives
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
39
Inputs to Architecture Design
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
40
Influence of Architecture Design after Threat Modeling
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
41
Inputs to Accreditation Activity
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
42
Influence of Accreditation Activity
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
43
Current Security Standards
GAISPISO 17799SSE-CMMISO 15408NIST 800x
SANS GIACITILCobiTISFISACA/ISSA collaboration
44
What is needed
An organizational framework for coordinating
software security efforts
across all disciplines
over the lifetime of the software
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
45
Framework Solution for Life Cycle Security
Security Objectives
Security Accreditation
Security Project Controls
Acceptance and Release
Security Target(initial)
PP or EAL orAcceptability Criteria
Application Architecture
Threat Modeling
Security Target(final)
Security Protection Profile
CompareCompare
© Bar Biszick/QualityIT Redmond, WA 2003
46
Conclusions
Security is an old problem that has become a new priorityGuidance must address business prioritization problemsInjecting security guidance into general process standards will be far more effective than creating dedicated security life cycle guidance.
47
Unique EffortA timely, aggressive response to compelling business need stressing a Defense in Depth approachThe first effort to formally adapt Common Criteria principles and assets for direct use in the development processThe first effort to comprehensively address Information Security Assurance in an IEEE process standardThe only IEEE standard suggesting overview guidance for security
48
What you can do to help
IEEE P1074 will ballot in June 6.If you’re an IEEE Standards Society member, please register & voteIf you are not an IEEE member, express interest to IEEE in this revised standard.http://standards.ieee.org/myballot
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
49
Framework For Software Life Cycle Security Workshop
Two day workshop7 hours instruction, 5 hours labsFor PMs, Tech Leads, Devs and TestersWalks through entire security life cycle framework using real world examplesCovers Security Objectives identification, Threat Modeling, PM Responsibilities, Coding and Testing Approaches, Risk communicationSupports Sarbanes-Oxley etc.Integrates ISO 17799 and ISO 15408 Common Criteria principles into SDLCIncludes a metric tool
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003
http://www.securityprocessprofessional.com
51
Contact Info
Bar Biszick, cisa, cissp, csqaIT Quality and Security Assurance206-388-3333barbis@qualityit.net
http://www.securityprocessprofessional.com
PRESENTATION:http://www.qualityit.net/Resources/Presentations/FrameworkSolution.pdf
Note: Bar Biszick-Lockwood is not a representative of IEEE
© Bar Biszick-Lockwood/QualityIT Redmond, WA 2003