The CSSLP Deconstructed and other topics related to Software Security


Transcript of The CSSLP Deconstructed and other topics related to Software Security

Page 1: The CSSLP Deconstructed and other topics related to Software Security

Alexander J. Fry, Founder, Strong Crypto, www.strongcrypto.com

Page 2: Who am I?

• Founder – Strong Crypto, a software security consultancy
• (ISC)2 SME – question writer for the CSSLP examination
• Member – OWASP Global Industry Committee
• Co-author – The CSSLP Prep Guide

Page 3: Introduction

• I’m a hands-on security professional. I perform code reviews and security testing, work with software developers, and train personnel.
• I’m here to share my perspectives on the CSSLP and other topics in software security.
• This is an informal presentation. Feel free to contribute to the discussion while it is underway. Just raise your hand and I’ll call on you when I get to a stopping point.
• All of the opinions expressed in this presentation are my own, but some of the CSSLP introductory material is from (ISC)2.

Page 4: What is the CSSLP?

• Certified Secure Software Lifecycle Professional (CSSLP)
• It is a top-level (base) credential, just like the CISSP
• Professional certification program
• Takes a holistic approach to security in the software lifecycle
• Tests candidates’ competency, that is, the knowledge, skills, and abilities (KSAs) needed to significantly mitigate security concerns

Source: (ISC)2 – CSSLP Launch Presentation

Page 5: Purpose

• The purpose of the Certification is to provide a credential that speaks to the individual’s understanding of and ability to deliver secure software through the use of best practices.
• The target professionals for this Certification would be anyone who is directly, and in some cases indirectly, involved in the Software Lifecycle.

Source: (ISC)2 – CSSLP Launch Presentation

Page 6: Software Lifecycle Stakeholder Chart

[Chart: Software Lifecycle Stakeholders, grouped into Primary Target, Influencers, and Secondary Target. Stakeholders shown: Top Management, Business Unit Heads, IT Manager, Security Specialists, Application Owners, Developers/Coders, Project Managers/Team Leads, Technical Architects, Quality Assurance Managers, Business Analysts, Industry Group Delivery Heads, Client Side PM, Auditors.]

Source: (ISC)2 – CSSLP Launch Presentation

Page 7: (ISC)2 CSSLP CBK Domains

• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal

Page 8: Secure Software Concepts

• Fundamental knowledge for understanding the security implications of software development, and the mechanisms to impose security constraints on the behavior, use, and content of a software system. This includes security design and information assurance principles, risk management, software architectures, legal issues, standards, acquisition methods, information security and software maturity models.

Page 9: Secure Software Requirements

• The overall software specification should include both functional and nonfunctional requirements. The nonfunctional requirements of secure software address issues such as how the software application will: remain dependable under hostile operating conditions; resist compromise by an attacker through the exploitation of vulnerabilities or insertion of malicious code; and be resilient enough to recover quickly, containing damage to itself, data, resources, and external components on which it relies.

Page 10: Secure Software Design

• Fundamental activities that approach the definition of the software from a security perspective in order to decrease the likelihood that the design specification will contain flaws. These activities include identifying and minimizing the software’s attack surface, performing threat modeling, and following security design principles.

Page 11: Secure Software Implementation/Coding

• Software developers should follow secure coding best practices and standards, understand and avoid common vulnerabilities and implement countermeasures, and use tools and techniques such as static analysis and code review to avoid introducing flaws that can lead to security vulnerabilities.

Page 12: Secure Software Testing

• Activities for evaluating a software application in a runtime environment that most closely resembles its production environment. Many testing activities require the application to be functionally complete and follow standards and methodologies such as ISO 9126, the SSE-CMM, and the Open Source Security Testing Methodology Manual (OSSTMM). Security testing should assess the security properties and behaviors of the software application as it interacts with external entities and as its own components interact with each other. An analysis of test results forms the basis for assessing risk and means of remediation.

Page 13: Software Acceptance

• Is concerned with ensuring that the software is ready to be released. This involves pre-release or pre-deployment activities such as generating test data that shows that all prescribed tests have been executed and accepted, and post-release activities such as an independent review of the software conducted by a third party or by an independent security team of the organization.

Page 14: Software Deployment, Operations, Maintenance, Disposal

• Is concerned with maintaining information assurance during installation, deployment, operation, maintenance, and disposal of secure software systems.

Page 15: Where is the CSSLP? First Attempt.

[Diagram: Information Assurance, Software Assurance, the CISSP CBK, the CSSLP CBK, and the CISSP Application Development Security Domain, shown in relation to one another.]

Page 16: Where is the CSSLP? Second Attempt.

[Diagram: Information Assurance, with the CSSLP positioned within it.]

Page 17: CSSLP Certification Requirements

• Roughly:
  • Examination registration form
  • Signed candidate agreement and adherence to the (ISC)2 Code of Ethics
  • Proof of 4 years of FT experience in the Software Development Life Cycle (SDLC) process, or 3 years plus a 1-year waiver of experience for a degree in an IT-related field
  • $599
  • Candidate will have to pass the official (ISC)2 CSSLP certification examination and complete the endorsement process
  • An Associate of (ISC)2 Program will apply to those who have passed the exam but still need to acquire the necessary minimum experience requirements
• See http://www.isc2.org/csslp-certification.aspx for updated requirements

Page 18: Key Players

• While there is no indication that other organizations in this space are addressing the knowledge areas in the same manner as the CSSLP, the following are addressing software development and/or security in the software lifecycle:
  • IEEE: CSDA and CSDP (Software Development)
  • SANS: GSSP-C, GSSP-J (Language-specific secure coding)
  • ISSECO: CSSE (Entry-level education program with certificate of completion)
  • DHS: Software Assurance Initiative (Awareness Program/Forum)
  • Vendor-Specific: Sun Microsystems SCJP, Microsoft MCSD, Symantec – based on internal lifecycle process or technology specific

Source: (ISC)2 – CSSLP Launch Presentation

Page 19: CSSLP CBK Overlap with other Certifications/Programs

[Chart: credentials and programs compared with the CSSLP]
• CSSLP ((ISC)²) – Professional Certification Program
• CSDA (IEEE) – Associate Level Status
• CSDP (IEEE) – Professional Certification Program
• GSSP-C (SANS) – Software Coder Certification Program
• GSSP-J (SANS) – Software Coder Certification Program
• Software Assurance Initiative (DHS) – Awareness Effort
• CSSE (ISSECO) – Entry-level Education Program, Certificate of Completion
• Vendor-Specific Credentials

Source: (ISC)2 – CSSLP Launch Presentation

Page 20: State of the CSSLP

• International marketing efforts
• ANSI/ISO/IEC 17024 accreditation
• DoD 8570.1 directive
• CSSLP Education Seminars: (ISC)2 held one from January 11-15, 2010 in Ashburn, VA
• The first prep guide is for sale: The CSSLP Prep Guide.

Page 21: Do you need the CSSLP?

• Certification vs. Legion Against Meaningless Certifications (LAMN)
• “Anyone who believes that a credential automatically conveys some magical knowledge that you didn’t have before is just as overly-simplistic as someone who disparages all credentials equally. It just isn’t a black and white world.” – Paco Hope
• “Because academia can’t produce enough surgeons to satisfy all security demands (and indeed because entire armies of less specialized ‘healthcare professionals’ are necessary), the idea of a certification makes plenty of practical sense.” – Gary McGraw, in reference to the CISSP: http://www.darkreading.com/document.asp?doc_id=123606
• “A second term CISSP demonstrates more value than a first year CISSP”
• Are you a stakeholder in the SDLC?
• Is the CSSLP going to be part of your lifelong learning program?
• Is it important to your career to be recognized as a CSSLP?

Page 22: You are the CEO of YOU INC

• How should the CSSLP be pronounced? C.SLIP; C.S.S.L.P; CIS.LIP (sis-lip). Where is the (ISC)2 guidance?
• Why not the Certified Software (Security) Assurance Professional (C.SWAP)? Building Security In is implied.
• “Effective career management is going to be critical to your personal success and attainment of your individual career goals.” – Lee Kushner, http://www.owasp.org/images/a/af/The_Entrepreneurs_Guide_to_Career_Management-Lee_Kushner.pdf

Page 23: The CSSLP Prep Guide

• The first and only (for a few more months) prep guide for the CSSLP
• Broad coverage of all seven domains of the CSSLP CBK
• A software security assurance text book disguised as a certification prep guide
• Uses the attacker’s perspective to teach some of the security concepts
• Almost 700 pages, lots of references to other tools and resources, end-of-chapter practice questions, testing engine on CD, comprehensive glossary

Page 24: Additional Topics

• Software Security Risk
• Recent Threats
• 3rd Party Software
• Addressing Risk for 3rd Party Software

Page 25: Software Security Risk

• Need to follow a risk-driven approach to improving the security of software.
• Applications come from: in-house, outsourced, commercial, open source, or a combination, e.g., commercial but customized in-house, open source libraries in in-house applications.
• For existing legacy applications, do you deploy real-time protections or take them off-line and fix them?
• Compliance should be leveraged to build/acquire more secure applications.
• Use the attacker’s perspective to determine risk, e.g., threat modeling, understanding the deployment environment(s).
• Security problems will emerge! To keep up with emerging threats, you need to perform regular maintenance, periodically test, and continuously monitor applications.

Page 26: Recent Threats

• “Symantec is grappling with a date-stamp problem that has seen all its security updates dated 2010 rejected by its own servers.” – http://news.zdnet.co.uk/security/
• “Adobe Zero-Day Attack Solution: Disable JavaScript” – No patch available. Many corporate applications use JavaScript in PDFs for important functions like forms processing, and it’s used by Google Docs for printing support. http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214
• “NIST-certified USB Flash drives with hardware encryption cracked” – FIPS 140-2 Level 2 certified drives using AES 256-bit encryption. http://bit.ly/6X281y

Page 27: 3rd Party Software

• Lack of visibility into the third-party software development lifecycle.
• Unknown level of software assurance.
• Little or no access to source code.
• Limited internal resources to address this risk.
• Don’t want to introduce vulnerabilities into the organization.
• Want to be proactive instead of reactive.

Page 28: Addressing Risk for 3rd Party Software

• “Contract language should specify that security assurance will be provided as a condition for accepting deliverable applications.” – Gartner
• DHS Build Security In Web Site: “Software Assurance (SwA) in Acquisition: Mitigating Risks to the Enterprise”
• OWASP Legal Project: Contract Annex
• For a commercial vendor that does not have the required assurance evidence, use an expert consultant or a Software as a Service (SaaS) solution that supports static and dynamic testing:
  • Fortify on Demand: any 3rd party development team can test and score the security of their application, review results, and then publish a report back to their customer.
  • Veracode: uses binary analysis (doesn’t require source code) to allow transparency into the security of COTS or outsourced applications.
• Open source software: the Fortify Open Review Project identifies and reports bugs and security vulnerabilities in widely used open source software. Have the developers submit the software. https://opensource.fortify.com

Page 29: Open Web Application Security Project

• Focused on improving the security of application software. Mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. All materials are available under a free and open software license.
• I’m a member of the Global Industry Committee at OWASP: http://www.owasp.org/index.php/Global_Industry_Committee
• Has monthly meetings like ISSA and hosts worldwide conferences like OWASP App Sec DC 2009 – slides from the presentations are available at http://www.owasp.org