Framework Solution for Life Cycle Security

Bar Biszick-Lockwood, cisa, cissp, csqa
IT Quality and Security Assurance

http://www.securityprocessprofessional.com

Agenda

IEEE P1074 Standard
Business Justification for different approach
ISO 15408 as guide
Life Cycle Security Process Framework model
Key additions to the Life Cycle
Q&A

© Copyright Bar Biszick-Lockwood/QualityIT Redmond, WA 2003 All Rights Reserved.

The Standard

IEEE P1074

STANDARD FOR DEVELOPING A SOFTWARE PROJECT LIFE CYCLE PROCESS

IEEE P1074

“Chinese menu”
Large traceability matrix of activities
Nearly closed system
Assumes no model, process or sequence
Encompasses entire software lifecycle from conception to retirement
Supports projects engaged in any part of a software lifecycle process

Structure of the Standard

5 Activity Groups

Organization

Implementation Strategy

Evaluate scope of project
Choose a software development methodology model (e.g. waterfall, spiral, “V” etc.)
Consult the standard and populate the Activities to the chosen model

“V” model example

[Figure: “V” model diagram with stages Business Needs, Define Requirements, Design System, Code System, Unit Test, Integration Test, System Test, Acceptance Test]

Originating Activity

Receiving Activity

Standards revision problem

Has the business and technology environment changed enough to warrant increased attention to security in a general engineering process standard?

IEEE Standards

Increase in security standards

Overall IEEE constituent activities

IEEE P1074 ISA Team Conclusion

Efforts that do not treat security as an integral part of systems engineering and architecture fail to provide security

It no longer makes any business sense to spend any money, apply any resources and proceed with any software development project unless corporate assets and private customer data will be sufficiently secure

Source: http://www.qualityit.net/Resources/WhitePapers/JustificationForElevatingTheVisibilityAndPriorityOfSecurityActivitiesInTheRevisedIEEEP1074Standard.pdf

Validating the benefit

Evidence warrants increasing the visibility and priority of security activities in the software life cycle process.

How much attention should it get?
What’s the practical value?
What is the benefit relative to other security improvement approaches?

Overview of Security Approaches: last 20 years

Firewalls, IDS: Effectiveness decreasing, doesn’t address insider threat
Security Awareness: Doesn’t stop dishonest/disgruntled employees
Detection and Response: Viruses too fast to detect and contain
Secure coding education (current focus): Deflects attention from the root cause of the problem

SANS Top Vulnerabilities Q1 2005

Microsoft Products:
Windows License Logging Service Overflow (MS05-010)
Microsoft Server Message Block (SMB) Vulnerability (MS05-011)
Internet Explorer Vulnerabilities (MS05-014 and MS05-008)
Microsoft HTML Help ActiveX Control Vulnerability (MS05-001)
Microsoft DHTML Edit ActiveX Remote Code Execution (MS05-013)
Microsoft Cursor and Icon Handling Overflow (MS05-002)
Microsoft PNG File Processing Vulnerabilities (MS05-009)
Computer Associates License Manager Buffer Overflows
DNS Cache Poisoning Vulnerability
Multiple Antivirus Products Buffer Overflow Vulnerabilities
Oracle Critical Patch Update
Multiple Media Player Buffer Overflows (RealPlayer, Winamp and iTunes)

Secure Coding Practices

1. Enforce security policy consistently
2. Operate with least privilege
3. Manage sensitive data
4. Require strong passwords
5. Protect the kernel
6. Fail safely
7. Bound and mask input fields
8. Limit inputs to buffers
9. Apply rigorous error handling
10. Release threads
11. Clear temp data/objects
12. Remove unnecessary code
13. Log and audit appropriately

Microsoft’s Secure Development Life Cycle (SDL)

SDL Vendor Value

Shifting to Security Mindset

FUNCTIONALITY
Does what it’s supposed to do
Recovers successfully
Errors helpful in recovery
Applications get resources needed
Assures high availability

SECURITY
Does ONLY what it’s supposed to do
Fails securely
Errors don’t provide clues to technology
Applications never exceed range of resources needed
Makes sure anyone who doesn’t need to know doesn’t have the means, motive or opportunity to do so

Root cause of failure

Time and money (Requirements Prioritization), which is a life cycle issue outside the hands of developers

Developing secure software requires a fundamental shift in perspective, not just by developers, but by the entire organization.

Why is this so hard?

What We Lack

“Wide angle view” of organizational risk and responsibility as it relates to technology security

IEEE P1074 Revision Revelations

Security is a cross-disciplinary organizational risk problem
We can use organizational risk methods to help prioritize security
We can use the project life cycle as the pivot point for effecting incremental organizational change

1074 Revision Recommendations

1. Determine Security Objectives during Envisioning (preferably before project approval for work)

2. Make PMs accountable for assuring the priority of security on the project

3. Execute mandatory Threat Modeling before finalizing design

4. Establish a final Accreditation gate

ISO 15408 “Common Criteria”

Common Criteria for Information Technology Security Evaluation

International standard used to rate trustworthiness of products
Used by vendors to certify their products
Used by consumers to compare product security
Can be used to guide development of products to a known trust level

Common Criteria Validated Products

Citrix MetaFrame XP Presentation Server with Feature Release 3 – EAL2
Check Point VPN-1/FireWall-1© NG – EAL4
IBM WebSphere Application Server V5.0.2.8 – EAL2+
Oracle7 Release 7.2.2.4.13 – EAL4
Cisco IPSec Crypto System – EAL4
Red Hat Enterprise Linux AS, Version 3 Update 3 – EAL3+
Windows 2000 Professional, Server, and Advanced Server with SP3 and Q326886 – EAL4+

Protection Profiles (PP)

Controlled Access Protection Profile – EAL3
Firewall with strict requirements – EAL5+
Labeled Security Protection Profile – EAL3
Role-Based Access Control Protection Profile – EAL2+
Trusted Computing Platform Alliance Trusted Platform Module PP – EAL3+
Smartcard Integrated Circuit Protection Profile – EAL4+

ISO 15408 Common Criteria “glue”

[Diagram labels: SECURITY; Security Objectives; Compliance & Standards; Security Assessment; Documentation; +Vision Revision; PROD; PenTesting; Support; SDLC; Requirements; Construction; Testing; Arch. / Design; Planning and controls; Acceptance & Release; Common Criteria; Accreditation (Sign Off); Protection Profiles / EAL Criteria; Security Profile; Security Target (initial)]

CC Threat Roles

THREATS
Hackers (internal & external)
Administrators (executive & tactical)
Physical Environment
Application/System Developers
System Hardware & Software
Authorized User

ISO 15408 Common Criteria Threat Categories

Administrative error of commission
Administrative error of omission
Administrative hostile modification
Administrator privacy policy violation
Authorization abuse
Component failure
Data smuggling
Denial of receipt
Denial of send
Denial of service Attack
Distributed system component failure
Eavesdropping
Encryption hacking
Error invoked breach of confidentiality
Error invoked data inaccessibility
Error related breach of data integrity
Error related breach of trusted security function
Faulty Code
Hacker undetected access
Identity spoofing (masquerading)
Malicious code attacks
Man in the middle attacks (intercept and modification)
Misuse of available resources
Non-repudiation controls circumvention
Physical system attacks, profiling and transmission attacks
Power supply attacks
Social engineering
Unauthorized modification
User transmission abuses

Secure Life Cycle Framework

[Diagram labels: Security Objectives; Security Accreditation; Security Project Controls; Acceptance and Release; Security Target (initial); CC – PP/EAL criteria or Acceptability Criteria; Application Architecture; Mandatory Threat Modeling; Security Target (final); Security Profile; Compare; Compare]

Inputs to Security Objectives

Influence of Security Objectives

Inputs to Architecture Design

Influence of Architecture Design after Threat Modeling

Inputs to Accreditation Activity

Influence of Accreditation Activity

Current Security Standards

GAISP
ISO 17799
SSE-CMM
ISO 15408
NIST 800x
SANS GIAC
ITIL
CobiT
ISF
ISACA/ISSA collaboration

What is needed

An organizational framework for coordinating software security efforts across all disciplines over the lifetime of the software

Framework Solution for Life Cycle Security

[Diagram labels: Security Objectives; Security Accreditation; Security Project Controls; Acceptance and Release; Security Target (initial); PP or EAL or Acceptability Criteria; Application Architecture; Threat Modeling; Security Target (final); Security Protection Profile; Compare; Compare]

Conclusions

Security is an old problem that has become a new priority
Guidance must address business prioritization problems
Injecting security guidance into general process standards will be far more effective than creating dedicated security life cycle guidance.

Unique Effort

A timely, aggressive response to compelling business need stressing a Defense in Depth approach
The first effort to formally adapt Common Criteria principles and assets for direct use in the development process
The first effort to comprehensively address Information Security Assurance in an IEEE process standard
The only IEEE standard suggesting overview guidance for security

What you can do to help

IEEE P1074 will ballot in June 6.
If you’re an IEEE Standards Society member, please register & vote
If you are not an IEEE member, express interest to IEEE in this revised standard.
http://standards.ieee.org/myballot

Framework For Software Life Cycle Security Workshop

Two day workshop
7 hours instruction, 5 hours labs
For PMs, Tech Leads, Devs and Testers
Walks through entire security life cycle framework using real world examples
Covers Security Objectives identification, Threat Modeling, PM Responsibilities, Coding and Testing Approaches, Risk communication
Supports Sarbanes-Oxley etc.
Integrates ISO 17799 and ISO 15408 Common Criteria principles into SDLC
Includes a metric tool

http://www.securityprocessprofessional.com

Contact Info

Bar Biszick, cisa, cissp, csqa
IT Quality and Security Assurance

http://www.securityprocessprofessional.com

PRESENTATION: http://www.qualityit.net/Resources/Presentations/FrameworkSolution.pdf

Note: Bar Biszick-Lockwood is not a representative of IEEE
