The Need For Open Software Security Standards In A Mobile And Cloudy World
Transcript of The Need For Open Software Security Standards In A Mobile And Cloudy World
© Copyright 2011 Denim Group - All Rights Reserved
The Need for Open Source Security Standards in a Mobile and Cloudy World
Dan Cornell
CTO, Denim Group
@danielcornell
Bio: Dan Cornell
• Founder and CTO, Denim Group
• Software developer by background (Java, .NET)
• OWASP
– San Antonio Chapter Leader
– Open Review Project Leader
– Chair of the Global Membership Committee
• Speaking
– RSA, SOURCE Boston
– OWASP AppSec, Portugal Summit, AppSecEU Dublin
– ROOTS in Norway
Denim Group Background
• Secure software services and products company
– Builds secure software
– Helps organizations assess and mitigate risk of in-house developed and third party software
– Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
– Application security experts are practicing developers
– Development pedigree translates to rapport with development managers
– Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
– Develops open source tools to help clients mature their software security programs
• Remediation Resource Center, ThreadFix, Sprajax
– OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
– World class alliance partners accelerate innovation to solve client problems
The World Is Mobile and Cloudy
• And Will Be Getting More So
• Deal With It
What Are Executives Actually Scared Of?
• Fuel Price Changes
• Physical Security
• Global economy
• Cross-Site Scripting(?)
• Security needs to be aware of this when they weigh in
Mobile: Risk and Value
• Mobile applications can create tremendous value for organizations
– New classes of applications utilizing mobile capabilities: GPS, camera, etc
– Innovating applications for employees and customers
• Mobile devices and mobile applications can create tremendous risks
– Sensitive data inevitably stored on the device (email, contacts)
– Connect to a lot of untrusted networks (carrier, WiFi)
• Most developers are not trained to develop secure applications
– Fact of life, but slowly getting better
• Most developers are new to creating mobile applications
– Different platforms have different security characteristics and capabilities
Generic Mobile Application Threat Model
What Mobile Users Are You Concerned About?
• Mobile Application Users
– Enterprise Users: Employees, Partners
– Customer Users: Paid Application Users, Convenience Users
Cloud
• Cost Savings
• Ease of Deployment
• Flexibility
• Security?
This is (was) Your Threat Model
This is Your Threat Model on “Cloud”
Security Team’s First Concern…
• Stay in the Conversation
• Identify these initiatives
• Make sure you get to participate
• This means you have to add value
Innovation Pressure Leads to Rogue Mobile Efforts
• “We're thinking about doing some mobile applications”
• “Actually your iPhone app went live 6 months ago and your Android app went live last week…”
• Initiatives being driven from “Office of the CTO”, R&D, and Marketing
Cost and Ease of Use Pressures Lead to Rogue Cloud Deployments
• “What do you mean the CEO's IT trouble tickets are handled by a SaaS provider?”
• “When did we start using BaseCamp and Google Docs to manage customer projects?”
• Any employee with a $500/month corporate credit card can now be their own purchasing officer
Procurement Challenges
• How do we better judge risk?
• How can we make the decision process simpler?
What Are App Stores Promising Stakeholders?
• What does Apple do?
• What does Google do?
• What does your enterprise do?
Challenges for Both Suppliers and Consumers
• Did you want an automated scan or a full design assessment with manual source code review?
• 'Cause that has an impact on scope and price…
• Consumers of software and services must be able to articulate the level of security assurance they require
– Otherwise it is a financial race to the bottom
– RFPs: Garbage in, garbage out
Service Provider Dilemma
• Certain customers want some sort of assurance, but are not necessarily sophisticated and do not know what to ask for
• Other customers require deeper assurance
We Need a Better Way To Communicate
• Processes
• Results
What Have We Tried in the Past?
• Common Criteria
• PCI-DSS
Common Criteria
Payment Card Industry Data Security Standards
• Initially based on OWASP Top 10
• Now more open, but still based on vulnerability lists
Recent Developments
• Process:
– OpenSAMM
– BSIMM
• Results:
– Penetration Testing Execution Standard (PTES)
– OWASP Application Security Verification Standard (ASVS)
Geekonomics by David Rice
• Great insight into economic and legal issues for software security and reliability
• Calls for better software construction and testing standards
Comparing Software to Food
• Jeff Williams and nutrition labels for software
• John Dickson and restaurant cleanliness ratings
OpenSAMM and BSIMM
• Externally look very similar
– Both are three-level maturity models
– Both have 12 different major areas of concern
• Methodology is very different
– BSIMM based on data from industry leaders
– OpenSAMM based on general industry consensus
Penetration Testing Execution Standard
• Emerging standard for penetration testers
• Suitable for operational environments
Application Security Verification Standard
• Defines multiple levels to correspond with the degree of inspection
• Currently available for web applications, but other derivatives in the works
A Case Study
• Service provider for financial services industry
• Hounded by small and large clients
A Case Study (continued)
• Used a combination of OpenSAMM and OWASP ASVS
• Extended to meet certain special requirements
• Detailed report provided to client
• Summary report provided to interested parties
So What Does This Get Us?
• Application consumers can know what they are getting
• Application providers can clearly communicate the security state of their offerings
• World peace?
And What Are We Still Lacking?
• Is a “standard” being appropriately applied?
• Is the evaluation being done at an appropriate technical granularity?
• How do you report and communicate business risk?
• How do you avoid a “checkbox” mentality?
What Can You Do To Be a Winner?
• Involve yourself in these key conversations
• Discuss your verification requirements
• Secure your right to test
• Reward the good and punish the bad
References
• Geekonomics
– http://www.geekonomicsbook.com/
• Common Criteria
– https://secure.wikimedia.org/wikipedia/en/wiki/Common_criteria
• Building Security In Maturity Model (BSI-MM)
– http://bsimm.com/
• Open Software Assurance Maturity Model (OpenSAMM)
– http://www.opensamm.org/
• Penetration Test Execution Standard (PTES)
– http://www.pentest-standard.org/
• OWASP Application Security Verification Standard (ASVS)
– https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Questions?
Dan Cornell
Twitter: @danielcornell
www.denimgroup.com
blog.denimgroup.com
(210) 572-4400