Slide 1: Application Security – a standards approach
Dr Meng-Chow Kang, CISSP
Director and CISO, APCJ, Cisco Systems
November 9, 2011
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Slide 2
• ISO/IEC 27034 – yet another standard?
• ISO/IEC 27034 approach to application security
• (ISC)2 CSSLP

Slide 3
• (ISC)2 – International Information Systems Security Certification Consortium
• Mr Luc Poulin, Editor for ISO/IEC 27034 and President of Cogentas, Canada

Slide 4: ISO/IEC JTC 1/SC 27 Security Techniques
Chair: Walter Fumy; Vice Chair: Marijke de Soete; Secretariat: Krystyna Passia
• WG 1 Security Management – Convener: Ted Humphreys; Vice Convener: Dale Johnstone
• WG 2 Cryptography and Security Mechanisms – Convener: Takeshi Chikazawa
• WG 3 Security Assurance – Convener: Miguel Bañón
• WG 4 Security Controls and Services – Convener: Meng-Chow Kang
• WG 5 Identity Management and Privacy Technology – Convener: Kai Rannenberg

Slide 5
• Unknown or emerging information security issues: prepare to respond; continuous monitoring; eliminate or reduce risks and impacts
• Known information security issues: risk manage; prevent occurrence; reduce impact of occurrence
• Information security breaches and compromises (information leakage incidents): investigate to establish facts about breaches; identify who done it and what went wrong

Slide 6
• Unknown or emerging information security issues: ICT Readiness for Business Continuity (27031); Cybersecurity (27032); Information security incident management (27035); Selection, Deployment, and Operation of IDS (27039); ICT Disaster Recovery Services (24762)
• Known information security issues: Network Security (27033 Parts 1 to 6); Application Security (27034 Parts 1 to 6); Security Info-Objects for Access Control (TR 15816); Information Security for Supplier Relationships (27036); Digital Redaction (27038); Storage Security (27040); TTP Services Security (TR 14516; 15945); Time Stamping Services (TR 29149)
• Information security breaches and compromises: Identification, collection and/or acquisition, and preservation of digital evidence (27037)

Slide 7
• Web 2.0 & social networking
• Social engineering
• Vulnerability exploitations
• Mobility
• Beyond Windows
• Escalating concerns over data losses
“Just landed in Baghdad” – Rep. Peter Hoekstra, R-Mich, tweets; secret delegation led by House Minority Leader John A. Boehner is not so secret…

Slide 8
• A critical element of “baked-in” security
• Insecure development practices result in: vulnerabilities created in software; brittleness of the overall application and systems; exponential cost of detection, repair, and patching; questionable trust, customers’ confidence, more regulations
• Relative cost of fixing defects in production is 30 to 100 times more expensive

Slide 9: Addressing secure software needs
• IEEE: CSDA and CSDP (software development)
• SANS: GSSP-C, GSSP-J (language specific/secure coding)
• ISSECO (International Secure Software Engineering Council): CSSE, an entry-level education program with a certificate of completion given by the International Software Quality Institute (iSQI)
• DHS (Department of Homeland Security): Software Assurance Initiative (awareness program/forum)
• Vendor-specific (e.g., Cisco, Microsoft), based on internal lifecycle processes, technology-specific and industry best practices

Slide 10: Issues to Application Security
• Lack of a global vision
• Security depends on environment
• Lack of standardized reference model
• Personalized methods, tools, and solutions (each organization creates its own)
• And we still don’t know if we can trust an application that is secure enough for our needs

Slide 11: Differing Needs
Project & Operation Teams; Users; Managers; Auditors

Slide 12: ISO/IEC 27034
• Multi-part security standard focusing on needs for application security from an enterprise perspective, covering all relevant aspects of the application life-cycle
• Part 1 – Overview and Concepts
• Part 2 – Organization Normative Framework
• Part 3 – Application Security Management Process
• Part 4 – Application Security Validation
• Part 5 – Protocols and Application Security Controls Data Structure
• Part 6 – Security Guidance for Specific Applications
Slide 13: Source of controls for Application Security – Benefits
ISO/IEC 27034 attaches to the standards, methods and processes an organization already uses; principles and other elements come from standards and best practices:
• Sources of controls (“provides controls for the ASC”; “help to implement / enforce”): ISO/IEC 15408 (Evaluation Criteria for IT Security); ISO/IEC 21827 (Capability Maturity Model, SSE-CMM); ISO/IEC 27002 (Code of practice for information security controls); ISO/IEC 29193 (Secure system engineering principles and techniques); ITIL (Information Technology Infrastructure Library); CobiT (Control Objectives for Information and related Technology); S3M (Modèle d’évaluation de la capacité de la maintenance du logiciel); OWASP Top Ten; OWASP Testing Guide; BSIMM2 (Building Security In Maturity Model); PCI-DSS (control objectives for credit card electronic transactions); Canadian Privacy Law; Quebec Province Privacy Law; all other documents to which an organization wants to attach ASCs
• Assurance (“help to demonstrate conformance”): ISO/IEC 27001 (ISMS Requirements); ISO/IEC 15026 (System and Software Assurance); ISO/IEC 15443 (A framework for IT security assurance); IEEE 1028 (Generic process for formal reviews)
• Organizational security risk analysis methods and tools (“help to identify applications to be secured”): ISO/IEC 27005 (Information security risk management); Octave (Operationally Critical Threat, Asset, and Vulnerability Evaluation); EBIOS (Expression des besoins et identification des objectifs de sécurité); Mehari (Méthode harmonisée d’analyse de risques); NIST 800-30 (Risk Management Guide); all other security risk analysis methods; all other information classification methods
• Existing processes in application life cycles (“provides processes and ASCs to integrate in”): ISO/IEC 12207 (Software Life Cycle Processes); ISO/IEC 15288 (System Life Cycle Processes); traditional development methodologies (RUP, Open UP, Waterfall, etc.); Agile development methodologies (Scrum, TDD, Crystal, Agile UP, DSDM, DDD, Kanban, etc.); the organization’s specific development methodology; all other processes in which you want to integrate ASCs

Slide 14: Security Model proposed by ISO/IEC 27034 – Application Security Key Principles
• Security is a requirement
• Application security is context-dependent
• Appropriate investment for application security
• Application security must be demonstrated
Model components shown around Critical Information: Security Management (Governance); Technology (Acquisition, Maintenance, and Contingency); Applications, Information System (Development and Evolution); Verification and Control (Conformity)

Slide 15: Security Model proposed by ISO/IEC 27034 – Contexts that have an influence on Security
• Organisation: Legal Context (1..*); Business Context (1..*); Technological Context (1..*); Business needs (1..*); Level of trust (1..*); Business processes
• Application (*..*): Information; People; Systems (1..*) made of Hardware, Process, Software, Technology, Data

Slide 16: Security Model proposed by ISO/IEC 27034 – Definitions
• Application security: provides elements to securely define, design, develop, implement, manage, and securely dispose of an application and its information.
• Application: IT solution, including application software, designed to help users perform particular tasks or handle particular types of IT problems, that helps an organization to automate a business process or function.
Slide 17: Security Model proposed by ISO/IEC 27034 – Definitions
• Target environment: the technological, business and legal context in which the application will be used.
• Level of trust (LoT)
  Targeted LoT: label of a set of ASCs deemed necessary by the application owner for bringing the risk of a specific application down to an acceptable level.
  Actual LoT: result of a verification process that confirms, by providing evidence, that all ASCs required by the application’s targeted LoT were correctly implemented, correctly verified and produced the expected result.

Slide 18: Security Model proposed by ISO/IEC 27034 – Definitions
• Secure application (actual level of trust = targeted level of trust): application for which the Actual Level of Trust is equal to the Targeted Level of Trust, as defined by the organization using the application. Within this concept, a secure application must comply with these criteria: it properly covers security needs from the management, IT, development and audit points of view, according to the level of trust desired, taking into account the type of information and the target environment, and it can be proven by supporting evidence to have reached and maintained the target level of trust.

Slide 19: Security Model proposed by ISO/IEC 27034 – Application Security Control (ASC)
An ASC combines:
• Security requirements (why): application target level of trust; application specifications; compliance to regulations; standards and best practices; etc.
• Security activity (what, how, where, who, when, how much)
• Verification measurement (what, how, where, who, when, how much)
Also shown: Application Security Life Cycle Reference Model

Slide 20: Security Model proposed by ISO/IEC 27034 – The ASCs Library
• Organisation ASC Library, organised by the application levels of trust used by the organisation (columns 0, 1, 2, 3 … 9, 10)
• Sources of specifications and constraints: application specifications; business context; regulatory context; technological context
• Example ASCs: Secure Log (level 0); Online payment and Aeronautics (business context); PCI-DSS and Privacy Laws (regulatory context); SSL Connection and Wireless (technological context)

Slide 21: Security Model proposed by ISO/IEC 27034 – Application Security Life Cycle Reference Model
Layers:
• Application management: application provisioning management; application operation management; outsourcing
• Application provisioning and operation: development or acquisition; preparation; transition; utilization; archival; destruction
• Infrastructure management: application provisioning infrastructure management; application operation infrastructure management
• Application audit: application provisioning audit; application operation audit
Provisioning stages: preparation, realization, transition. Operation stages: utilization and maintenance, archival, destruction (disposal).
Actors: Role 1, Role 2, Role 3, Role 4 … Role n

Slide 22: Security Model proposed by ISO/IEC 27034 – The ONF (Organization Normative Framework)
Components: business context; regulatory context; technological context; application specifications repository; roles, responsibilities and qualifications repository; application life cycle processes; ASC Library; application life cycles; Application Life Cycle Security Reference Model; processes related to application security; ONF management processes; ONF conformance processes
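The following Python sketch is an added illustration, not code from the deck or from ISO/IEC 27034 itself: it models an ASC library organised by context and level of trust as on the ASC Library slide, derives the ASCs an application's targeted LoT requires, and computes the actual LoT from verification evidence so that "secure application" (actual LoT equals targeted LoT) can be checked. The cumulative reading of levels, the sample ASCs and the evidence format are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ASC:
    """Application Security Control: requirement (why), activity (what/how/who),
    verification measurement (evidence); level and contexts place it in the library."""
    name: str
    level: int            # column in the ASC library, 0 (lowest) .. 10
    contexts: frozenset   # business/regulatory/technological tags; empty = all
    requirement: str
    activity: str
    verification: str

# Constructed sample library; names echo the deck's examples, content is assumed.
ASC_LIBRARY = [
    ASC("Secure log", 0, frozenset(), "Security events are recorded",
        "Emit structured audit log", "Test event appears in the log"),
    ASC("SSL connection", 2, frozenset({"wireless"}), "Data in transit is protected",
        "Enable TLS on every endpoint", "Scan shows no cleartext listener"),
    ASC("PCI-DSS cardholder data", 3, frozenset({"online payment"}),
        "PAN is never stored in clear", "Tokenise or encrypt card data",
        "Database export contains no PAN"),
    ASC("Privacy-law consent", 3, frozenset({"privacy law"}),
        "Consent is recorded", "Store consent with timestamp",
        "Sampled records carry consent"),
]

@dataclass(frozen=True)
class Application:
    name: str
    contexts: frozenset   # the application's business/regulatory/technological contexts
    targeted_lot: int     # LoT label chosen by the application owner

def required_ascs(app, library=ASC_LIBRARY):
    """ASCs the targeted LoT pulls in. Assumption: levels are cumulative, so a
    target of N requires every context-matching ASC at levels 0..N."""
    return [a for a in library if a.level <= app.targeted_lot
            and (not a.contexts or a.contexts & app.contexts)]

def actual_lot(app, evidence, library=ASC_LIBRARY):
    """Actual LoT: highest level up to which every required ASC has passing
    evidence (evidence maps ASC name -> True/False). -1 = not even level 0."""
    reached = -1
    for level in range(app.targeted_lot + 1):
        at_level = [a for a in required_ascs(app, library) if a.level == level]
        if not all(evidence.get(a.name) is True for a in at_level):
            break
        reached = level
    return reached

def is_secure(app, evidence, library=ASC_LIBRARY):
    """Secure application, as the deck defines it: actual LoT == targeted LoT."""
    return actual_lot(app, evidence, library) == app.targeted_lot

def gaps(app, evidence, library=ASC_LIBRARY):
    """Required ASCs without passing evidence: the adjustments the ASMP mandates."""
    return [a.name for a in required_ascs(app, library) if evidence.get(a.name) is not True]

# Constructed example application: a web shop used over wireless, targeted LoT 3.
SHOP = Application("web shop", frozenset({"online payment", "wireless"}), 3)
```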
Slide 23: Security Model proposed by ISO/IEC 27034 – The ASMP (Application Security Management Process)
Each step’s output is used by the following step:
1. Identifying the application requirements and environment – identifies the application contexts and specifications
2. Assessing the application security risks – determines the application targeted level of trust
3. Creating and maintaining the Application Normative Framework – provides the ANF
4. Realising and operating the application – provides the implemented required ASCs and the application project artefacts and ANF
5. Verifying the security of the application – provides the application actual level of trust and mandates security adjustments
The Organization Normative Framework, maintained by the ONF Management Process within the Organization Management Processes, provides the components and processes related to application security, and the ASMP provides feedback to it.

Slide 24
• Success of a software assurance program within an organization is directly proportional to the support of executive management.
• Security has to be ensured throughout the entire lifecycle.
• All stakeholders in the software development process must be aware of common security tenets and threats.
• Building secure software is a result of all the stakeholders having the appropriate levels of participation, and a security mindset in the design, development, and deployment of the software. Stakeholders must be educated and certified in how to build security within every phase of the lifecycle.
“All of the policy and process control security measures are totally futile without the first line of defense – people.”
Slide 25: CSSLP
• Certified Secure Software Lifecycle Professional (CSSLP)
• Base credential (no other certification is required as a prerequisite)
• Professional certification program
• Takes a holistic approach to security in the software lifecycle
• Tests candidates’ knowledge, skills and abilities to significantly mitigate the security concerns
As of November 2009, 900 CSSLPs in 42 countries worldwide
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved

Slide 26
• Addresses building security throughout the entire software lifecycle – from concept and planning through operations and maintenance, to the ultimate disposal.
• Provides a credential that speaks to the individual’s ability to contribute to the delivery of secure software through the use of standards and best practices.
• The target professionals for this certification include all stakeholders involved in the software lifecycle.

Slide 27: Software Lifecycle Stakeholders
Top Management; Auditors; Business Unit Heads; Client Side PM; IT Manager; Industry Group Delivery Heads; Business Analysts; Architects; Application Owners; Developers/Coders; Quality Assurance Managers; Security Specialists; Project Managers/Team Leads

Slide 28: CSSLP Industry Supporters
Microsoft; Cisco; Xerox; SAFECode; Symantec; CM; BASDA; SANS; DSCI (NASSCOM); SRA International; ISSA
“As the global dependence on information and communications technology has grown, users have become increasingly concerned over the security of software, especially those in the government, critical infrastructure and enterprise sectors. By offering software professionals a means to increase and validate their knowledge of best practices in securing applications throughout the development lifecycle, (ISC)²’s CSSLP is helping the industry take an important step forward in addressing the ‘people’ part of the solution.” – Paul Kurtz, executive director, SAFECode

Slide 29: (ISC)²® CSSLP CBK Domains
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal

Slide 30
• Check out the series of whitepapers created that discuss: the need for secure software; what to consider when building secure software; how to design, develop and deploy secure software; best practices for ensuring security throughout the process; exploiting insecure code and, in turn, using that to write code that is not exploitable
https://www.isc2.org/csslp-whitepaper

Slide 31: Changing Risks – Changing Practices

Slide 32
http://mengchow.wordpress.com/
@mengchow