Post on 06-Jul-2015
6 Steps for Securing Offshore Development
Agile Outsourcing Conference 2014
@
Delft, Netherlands
Marudhamaran Gunasekaran
• Security Expert @ Prowareness, Bangalore
• Information Security
• Secure Programming Practices
• Compliance (ISO 27001)
• EC-Council Certified Security Analyst (Ethical hacker), Professional Scrum Master
• Open source enthusiast - Writes a lot of code, hacks applications
• OWASP Zed Attack Proxy contributor
Who’s presenting?
Security?
Security
Feeling
Reality
Wisdom
No panacea / silver bullet solution
Trade offs
Ignorance is no excuse
Security – Lion and Rabbit Analogy
Security – Rabbit’s Good trade off
Security – Rabbit’s Good trade off– Make family
Security – Bad trade off : RIP rabbit
Threat = Potential violation of security
Risk = Perceived threat X value of asset X loss incurred
Threat / Risk
Set of activities undertaken to protect systems from known/unknown threats
and attacks
State of being protected from known/unknown threats and attacks
Security
Perfect Security?
http://infosanity.files.wordpress.com/2010/06/dilbert-securitycia.gif
Security Triangle
Loss of Control
• Unlimited access
• Physical security & Data loss
Network complexity
• Exposing intranet to internet
• Intrusions
Policies and Procedures
• Non-comprehensive security policies
• Procedures & no audits
6 Risks categories - Outline
Intellectual Property Issues
• Data breaches
• Breach of confidentiality
Software Quality
• Security bugs
• Legacy software
Insider Threats
• Malicious Insiders
• Social Engineering Baits
Loss of control
Unlimited privileges to access internal systems
• Apply the principle of least privilege for development teams offshore, and for everybody else as well
• Just-in-time, time-bound access to critical production/deployment systems, gated by manual approval [more workflow?]
Unrestricted data access
• Identify roles, define accesses for roles
• Implement Access Control Lists for file systems, directory access protocols and other assets
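The two slides above describe an access model rather than a product: a role ACL as the baseline, plus a time-bound grant with a named approver for critical systems. The following is an added example (not from the talk) of that model in Python; roles, systems and user names are constructed.

```python
# Just-in-time, time-bound access to critical systems with manual approval.
# Added example, not from the talk; roles, systems and users are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Role -> systems that role may touch at all (least privilege starts here).
ROLE_ACL = {
    "offshore-dev": {"dev-db", "ci-server"},
    "release-manager": {"dev-db", "ci-server", "prod-deploy"},
}
CRITICAL_SYSTEMS = {"prod-deploy"}   # need a named approver and a time window
MAX_WINDOW = timedelta(hours=2)


@dataclass
class AccessRequest:
    user: str
    role: str
    system: str
    requested_at: datetime
    approved_by: Optional[str] = None       # None while awaiting approval
    expires_at: Optional[datetime] = None   # None means standing access


def request_access(user, role, system, now):
    """Deny outside the role ACL; grant standing access to ordinary systems;
    leave critical systems pending until a human approves."""
    if system not in ROLE_ACL.get(role, set()):
        raise PermissionError(f"{role} is not allowed on {system}")
    req = AccessRequest(user, role, system, now)
    if system not in CRITICAL_SYSTEMS:
        req.approved_by = "policy"
    return req


def approve(req, approver, now, window=MAX_WINDOW):
    """Manual approval step; the grant is time-bound and capped at MAX_WINDOW."""
    if approver == req.user:
        raise PermissionError("requester cannot approve their own access")
    req.approved_by = approver
    req.expires_at = now + min(window, MAX_WINDOW)
    return req


def is_allowed(req, now):
    """Valid only if approved and, for time-bound grants, not yet expired."""
    if req.approved_by is None:
        return False
    return req.expires_at is None or now < req.expires_at
```

Every decision is a pure function of the request and the clock, which makes the grant and its expiry straightforward to log and audit.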
Loss of control
Physical security breaches
• Audit the offshore premises for poor security controls
• Access cards and preferably biometric access - regularly audited by IT
• Secure the trash – shredders to combat dumpster diving
Data loss
• Ensure data is backed up every night – at secure locations
• Apply snapshot technologies for virtual machine operating systems and network
• RAID or deduplication backup
Overreacting to Risk
I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible.
- Bruce Schneier
https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html
Network complexity
Exposing intranet to the internet
• Implement a Virtual Private Network
• State of the art / status quo encryption and hashing for VPN passphrases and tunnels
• Plan and implement a DMZ (demilitarized zone) for offshore connections
• SSL/TLS everywhere to prevent MiTM (Man in the Middle) attacks and sniffing
Network complexity
Network intrusions
• Assume a breach; implement network controls with intrusion isolation and containment
• Strict intrusion prevention rules and firewall traffic monitoring [IDS/IPS]
• Implement strict password policies with good complexity and expiry
Linked password attack and hashes
Security policies and procedures
Non-comprehensive security policies and no audits
• Review the security policies and conduct a formal review; hire a consultant if required
• Outline and require custom security policies at offshore. Base them on ISO 27001, HIPAA, PCI-DSS or other standards pertaining to the field of operation.
• In case of doubt, ask the offshoring partner for security recommendations
• Verify whether the offshoring partner has a dedicated team or a Center of Excellence for Information Security with certified professionals [CEH, OSCP, CISSP, and similar certifications]
Security policies and procedures
No Malware protection
• Ensure the presence of a client-server based malware protection system with updated rule sets
• Ensure Intrusion Prevention Systems/Intrusion Detection Systems are updated with the latest rule sets
• Ensure the systems at offshore are updated regularly with security patches for both software and operating systems
Intellectual property issues
Data breaches
• Identify data that needs to be protected and take responsibility for it
• Ensure removable drives/media are disabled at offshore
• Filter/Anonymize production data before transferring it to development teams offshore
• Sanitize/Shred all media before disposal
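The "filter/anonymize production data" bullet is the one on this slide that developers implement directly. As an added example (not from the talk), this Python snippet applies a per-field policy to a constructed customer record: identifiers are replaced by keyed-hash tokens so joins still work offshore, card numbers are masked, and anything without a policy is dropped. Field names, the sample record and PSEUDONYM_KEY are constructed placeholders.

```python
# Filter/anonymize a production record before it goes to an offshore team.
# Added example, not from the talk. Field names and the sample record are
# constructed; PSEUDONYM_KEY stands for a secret that never leaves onshore.
import hmac
import hashlib

PSEUDONYM_KEY = b"placeholder-onshore-secret"   # not shipped with the data
# Per-field policy. Anything not listed is dropped, so new columns cannot leak.
FIELD_POLICY = {
    "customer_id": "pseudonymize",   # stable token, so joins still work
    "email": "pseudonymize",
    "full_name": "drop",
    "card_number": "mask",
    "postcode": "generalize",
    "order_total": "keep",
}


def pseudonymize(value):
    """Keyed hash: same input gives the same token; unrecoverable without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_pan(pan):
    """Keep only the last four digits of a card number."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def anonymize(record, policy=FIELD_POLICY):
    """Apply the policy field by field; the result is what developers receive."""
    out = {}
    for field, value in record.items():
        action = policy.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action == "pseudonymize":
            out[field] = pseudonymize(str(value))
        elif action == "mask":
            out[field] = mask_pan(value)
        elif action == "generalize":
            out[field] = value[:2] + "*" * (len(value) - 2)   # coarse area only
        # "drop" (and any unknown action) omits the field
    return out


SAMPLE = {  # constructed production-like record
    "customer_id": "C-10482", "email": "jane@example.com", "full_name": "Jane Doe",
    "card_number": "4111 1111 1111 1111", "postcode": "2628CD",
    "order_total": 149.95, "internal_note": "VIP, call first",
}
```

Because the key stays onshore, offshore teams can correlate records by token but cannot reverse a token to the original identifier.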
Intellectual property issues
Breach of trust and confidentiality
• Sign Non-Disclosure Agreements (NDAs) with the offshoring partner
• Define levels of access based on the confidentiality level of data
• Ensure a clean desk policy
Software Quality
Security bugs
• Train the developers/QAs to write secure code
• Write guidelines for writing secure code
• Integrate security tools at development builds for early feedback
Security bugs
http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/
Security bugs
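The article linked above is about SQL injection, and the previous slide asks for secure-coding guidelines plus security tooling in the build. As an added example (not from the talk), this Python snippet shows the bug beside its fix, and a deliberately crude build-time check of the kind such tooling automates. The users table, its rows and the heuristic are constructed; sqlite3 stands in for the application database.

```python
# Security bug and its fix: SQL built from strings versus a parameterized query,
# plus the kind of crude check a build step can run for early feedback.
# Added example, not from the talk. Table and rows are constructed; sqlite3
# stands in for the application database.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "developer"), ("bob", "admin"), ("carol", "qa")])


def find_user_vulnerable(username):
    """String concatenation: the input becomes part of the SQL grammar, so a
    quote in it can change what the statement means."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(username):
    """Parameterized query: the driver sends the value separately from the SQL
    text, so it can only ever be compared as a username."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


SQL_KEYWORDS = ("select ", "insert ", "update ", "delete ")
STRING_BUILDERS = ("+", ".format(", " % ", 'f"', "f'")


def looks_like_unsafe_query(source_line):
    """Build-time heuristic: a line that contains SQL and also builds the string
    dynamically deserves review. Real static analysis tools do this far better;
    this only shows where such a check plugs in."""
    lowered = source_line.lower()
    has_sql = any(k in lowered for k in SQL_KEYWORDS)
    builds_string = any(op in source_line for op in STRING_BUILDERS)
    return has_sql and builds_string
```

Failing the build on a positive from the heuristic (or from a proper scanner) is the "early feedback" the slide asks for: the developer sees the finding before the code reaches a reviewer.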
Software Quality
Legacy Software
• Rewrite/Migrate/Refresh the technology
• Keep your systems up to date with patches
Sony PSN hack
Insider threats
Malicious Insiders
• Conduct rigorous background checks on offshore employees
• Trust employees only with enough access to perform the tasks they are supposed to do
• Strict, transparent monitoring of new employee activities, and limited access during the probation period [blacklisting later in case of an incident]
Insider threats
Social Engineering Baits
• Educate employees on information security policies and security risks
• Provide email access without requiring VPNs
• Educate employees on configuring personal wifi networks
• Educate employees on social engineering aided attacks like email phishing, phone phishing, baiting, tailgating, clickjacking and similar attacks
• Converse with employees offshore to gauge and improve security awareness
1000% secure?
Evolution of technology
=
Evaluation of threats
=
Risks increase
How good are we at mitigating the risks?
Is it worth the trade off?
Prowareness Security Labs
{find}
• Penetration testing applications and networks
{fix}
• Security Consulting
{comply}
• Secure development practices
{prevent}
• Security training and development
Thanks!
Presentation Brochures are close by!