Requirements for secure development and procurement
Peter Panholzer
Security Forum 2013, Hagenberg
16.04.2013, Copyright 2013, Limes Security GmbH
We are not dealing with fruits …
/lʌɪmz/
Source: Evan Amos / CC0 1.0
… but with protecting the business of our customers
/ˈliː.mes/
Source: Gate Porolissum by Emi Cristea / CC-BY-2.5
Limes Security: Improving Cyber Security
• Discover: Which vulnerabilities do I have and which threats does my system face?
• Improve: How can I arm my system against hacking attacks and how should I deal with security incidents?
• Avoid: How can I avoid vulnerabilities from the beginning?
Agenda
• The Need for Secure Development
• The Big Picture
• Sample Practices for Secure Development
• Making security “stick” in the Organization
• Making the next move
The early bird catches the bug
Identifying and fixing a defect in the phase in which it is introduced is considerably cheaper than testing for it at the very end.
Source: Software Security Engineering: A Guide for Project Managers, ISBN 9780321509178
Example: A missing/weak security requirement
Imagine a missing/incomplete role concept:
• Missing security requirement
• Affects various design elements
• Affects X LoC (lines of code)
Neglecting security means building up security debt
• Sometimes time to market is more important than security
• But we build up a debt that needs to be repaid with interest
• Operators also pay the interest (e.g. through patching costs)
Source: Software Security Engineering: A Guide for Project Managers, ISBN 9780321509178
Security defects can occur in every lifecycle phase: Definition, Implementation, Operation
Sources:
• http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1163
• Securityweek, http://www.securityweek.com/authentication-vulnerability-enables-attackers-access-sap-systems-says-expert
• The H, http://www.h-online.com/security/news/item/Worth-reading-Pass-the-hash-attacks-on-Windows-946174.html
• cyber arms, http://cyberarms.wordpress.com/2013/03/19/worldwide-map-of-internet-connected-scada-systems/
What is necessary to develop secure products? The big picture
Practices across the lifecycle phases Definition, Implementation and Operation:
• Security Awareness / Security Trainings
• Secure Development Process
• Threat & Risk Analysis
• Security Standards Compliance
• Security Requirements Engineering
• Secure Design
• Security Testing
• Security Acceptance Testing
• Hardening
• Security Assessment / Penetration Test
Ensure the development of security requirements
Security requirements are derived from:
• Customer Requirements
• Applicable Standards, e.g. PCI, IEC 62433, BDEW White Paper
• Threat and Risk Analysis
• Baseline Requirements: maintain your own; stored knowledge; use sources like the OWASP Top 10 as input
Analyse the threats to your system
• Usually done in a workshop
• Involving stakeholders with different views, e.g. product management, architect, service, operator
Define Risk Parameters
• Likelihood Levels
• Impact Levels
• Risk Matrix
• Escalation Paths
System Decomposition
• Interfaces
• Data Flows
• Work Flows
• Dependencies
Threat Analysis and Evaluation
• Identify vulnerabilities and threats
• Rate according to the defined levels
Plan Mitigation
• Security Requirements
• Architectural Changes
• Documentation
• Operator Requirements
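The workshop workflow above (define risk parameters, decompose the system, rate the threats, plan mitigation) is easier to keep consistent when the levels and the matrix are written down once and every threat is rated against them. The following is an added illustration, not material from the slides or from Limes Security: the likelihood and impact levels, the risk matrix thresholds, the escalation paths, the decomposed example system with its data flows, the threats and the requirement ids (SR-xx, OR-xx) are all constructed for this example.

```python
"""Threat and risk analysis worked example (added illustration, not from the slides).

All levels, flows, threats and requirement ids below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# --- Define risk parameters (constructed levels) ---------------------------
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
IMPACT = {"negligible": 1, "minor": 2, "major": 3, "severe": 4}
RISK_ORDER = ["low", "medium", "high", "critical"]
# Escalation path: who decides on accepting or mitigating each risk level.
ESCALATION = {
    "low": "development team",
    "medium": "product owner",
    "high": "product management",
    "critical": "management board",
}

def risk_score(likelihood: str, impact: str) -> int:
    """Risk matrix cell: likelihood score times impact score (1..16)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(likelihood: str, impact: str) -> str:
    """Bucket a risk matrix cell into one of the defined risk levels."""
    score = risk_score(likelihood, impact)
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

# --- System decomposition (constructed example system) ---------------------
@dataclass(frozen=True)
class DataFlow:
    source: str
    sink: str
    data: str
    interface: str  # interface the flow crosses; a trust boundary candidate

@dataclass(frozen=True)
class Threat:
    flow: DataFlow
    description: str
    likelihood: str
    impact: str

FLOWS = [
    DataFlow("service laptop", "controller", "firmware image", "USB service port"),
    DataFlow("operator HMI", "controller", "set points", "plant LAN"),
    DataFlow("controller", "historian", "process values", "plant LAN"),
]

# --- Threat analysis and evaluation (constructed workshop output) ----------
THREATS = [
    Threat(FLOWS[0], "unsigned firmware accepted from service port", "likely", "severe"),
    Threat(FLOWS[1], "set points changed without authentication", "likely", "major"),
    Threat(FLOWS[2], "process values read by an unauthorised host", "unlikely", "minor"),
]

# --- Plan mitigation: vendor requirement plus operator requirement per threat
MITIGATIONS: Dict[str, Dict[str, str]] = {
    "unsigned firmware accepted from service port": {
        "security_requirement": "SR-01: controller verifies a vendor signature before installing firmware",
        "operator_requirement": "OR-01: service port locked when not in use",
    },
    "set points changed without authentication": {
        "security_requirement": "SR-02: set point changes require an authenticated operator session",
        "operator_requirement": "OR-02: HMI accounts are personal, no shared login",
    },
    "process values read by an unauthorised host": {
        "security_requirement": "SR-03: historian link is encrypted and host-authenticated",
        "operator_requirement": "OR-03: plant LAN segmented from the office network",
    },
}

def rate_threats(threats: List[Threat]) -> List[dict]:
    """Rate every threat against the defined levels, highest risk first."""
    rated = []
    for t in threats:
        level = risk_level(t.likelihood, t.impact)
        rated.append({
            "threat": t.description,
            "interface": t.flow.interface,
            "score": risk_score(t.likelihood, t.impact),
            "level": level,
            "escalate_to": ESCALATION[level],
        })
    return sorted(rated, key=lambda r: r["score"], reverse=True)

def plan_mitigation(rated: List[dict], mitigations: Dict[str, Dict[str, str]],
                    mitigate_from: str = "medium") -> List[dict]:
    """Attach the planned mitigation to every threat at or above the threshold.

    Threats below the threshold are accepted risks: they remain documented
    in the rated list but receive no requirement in the plan.
    """
    threshold = RISK_ORDER.index(mitigate_from)
    return [{**r, **mitigations[r["threat"]]}
            for r in rated if RISK_ORDER.index(r["level"]) >= threshold]

if __name__ == "__main__":
    for entry in plan_mitigation(rate_threats(THREATS), MITIGATIONS):
        print(f'[{entry["level"]}] {entry["threat"]} via {entry["interface"]}; '
              f'escalate to {entry["escalate_to"]}; {entry["security_requirement"]}')
```

The threshold passed to `plan_mitigation` is the documented risk-acceptance line; everything below it stays in the rated list as an accepted risk, which is what the "Documentation" item of the mitigation plan needs.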
Provide Guidance for a Secure Implementation
• Secure Coding
  – Coding Guidelines
  – Code Checker
• Hardening
  – Secure (default) configuration
  – Overlapping responsibility of vendor and operator
(Diagram: a stack of Operating System, Application Server, App 1, App 2, App 3 and DB)
Verify and Validate Security
• Verify that the defined security requirements and guidelines are implemented correctly
• Validate that the security expectations of customers are fulfilled
(Diagram across Definition, Implementation and Operation: Security Requirements / Guidelines → Security Verification → Security Validation; verify against requirements; add learnings to baseline requirements)
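The hardening guidance above ("secure (default) configuration") and the verification step ("verify that the defined security requirements and guidelines are implemented correctly") meet when each baseline requirement carries a check that can be run against the configuration a product ships with. The following is an added illustration, not material from the slides or from Limes Security: the requirement ids (SR-xx), the two INI-style configurations (a weak shipped default beside a hardened default) and the checks are constructed for this example.

```python
"""Security verification worked example (added illustration, not from the slides).

Each baseline security requirement carries a check that is run against a
component's shipped configuration. Requirement ids, the INI-style
configurations and the checks are all constructed.
"""
import configparser
from typing import Callable, Dict, List, Tuple

# Configuration as a product might ship it before hardening (constructed).
WEAK_DEFAULT_CONFIG = """\
[server]
bind_address = 0.0.0.0
admin_interface = enabled
debug = true
tls_min_version = 1.0

[auth]
default_admin_password = admin
session_timeout_minutes = 0
lockout_after_failures = 0
"""

# The same component with a secure default configuration (constructed).
HARDENED_DEFAULT_CONFIG = """\
[server]
bind_address = 127.0.0.1
admin_interface = disabled
debug = false
tls_min_version = 1.2

[auth]
default_admin_password =
session_timeout_minutes = 15
lockout_after_failures = 5
"""

Check = Callable[[configparser.ConfigParser], bool]

# Baseline requirements as (id, statement, check); ids are constructed.
REQUIREMENTS: List[Tuple[str, str, Check]] = [
    ("SR-10", "no default administrative credentials",
     lambda c: c.get("auth", "default_admin_password") == ""),
    ("SR-11", "sessions expire after inactivity",
     lambda c: c.getint("auth", "session_timeout_minutes") > 0),
    ("SR-12", "lockout after repeated failed logins",
     lambda c: c.getint("auth", "lockout_after_failures") > 0),
    ("SR-20", "debug output disabled by default",
     lambda c: not c.getboolean("server", "debug")),
    ("SR-21", "administrative interface disabled by default",
     lambda c: c.get("server", "admin_interface") == "disabled"),
    ("SR-22", "TLS 1.2 or newer only",
     lambda c: float(c.get("server", "tls_min_version")) >= 1.2),
]

def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg

def verify(config_text: str) -> Dict[str, bool]:
    """Run every requirement check; a missing or malformed setting fails."""
    cfg = load_config(config_text)
    results: Dict[str, bool] = {}
    for req_id, _, check in REQUIREMENTS:
        try:
            results[req_id] = bool(check(cfg))
        except (configparser.Error, ValueError):
            # Absent section/option or an unparsable value: not verified.
            results[req_id] = False
    return results

def failed_requirements(results: Dict[str, bool]) -> List[str]:
    """Ids of requirements that were not verified, in id order."""
    return sorted(r for r, ok in results.items() if not ok)

def report(config_text: str) -> str:
    """Human-readable verification report for one configuration."""
    results = verify(config_text)
    return "\n".join(f'{"PASS" if results[req_id] else "FAIL"} {req_id} {statement}'
                     for req_id, statement, _ in REQUIREMENTS)

if __name__ == "__main__":
    print("Shipped default:\n" + report(WEAK_DEFAULT_CONFIG))
    print("\nHardened default:\n" + report(HARDENED_DEFAULT_CONFIG))
```

Treating a missing setting as a failed requirement rather than skipping it is deliberate: a requirement that cannot be checked against the shipped configuration has not been verified, and the gap should show up in the report.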
Integrate Security into the Organization: “Make it Stick”
Building blocks of lasting security: Processes, Roles, Trainings, Resources, Guidelines
Processes
• Stored knowledge of the organization’s way to get things done
• If you want security to be part of all your projects, integrate it into your processes!
Roles
• Provide Responsibility
• Provide Power
Trainings
• Basic training for everybody
• Specialised training where needed, e.g.
  – (Lead) Architect
  – (Lead) Developer
  – Security Tester
Resources
• What good is a role when you don’t have the time to live it?
• Also tools, e.g. for
  – Coding
  – Testing
Guidelines
• Provide technical details, e.g. for
  – Architecture
  – Coding
  – Hardening
• Store the lessons learned from former projects
There is guidance out there
• Cigital’s Touchpoints / BSIMM (www.bsimm.com): survey of security practices; version for vendor monitoring available
• OpenSAMM (www.opensamm.org/): open community practice collection
• Microsoft SDL (www.microsoft.com/sdl): methods from a leading secure development organization
But don’t follow them blindly: it is “just” what others do.
So … what should be my next move?
• Start with identifying your
  – Current Status
  – Needs
  – Weaknesses
• Make a Roadmap
• Get support when you’re uncertain
Image: Chess players in Dupont Circle by Davd / CC-BY-2.0
OK, but I meant the very next move
Analyse the status quo
• Risk Analysis
• Technical Assessments (“Hacking”)
• Regulatory Benchmarks
Result:
• Knowledge on where to start and what to focus on
• Awareness and potential “red alarms” to obtain support from the organization
And as a bonus:
• Awareness and involvement from organizations started emerging automatically