Presentation SecSWEngineering
Download
Report
Transcript Presentation SecSWEngineering
SECURE SOFTWARE ENGINEERING
FOR SPACE MISSIONS
Daniel Fischer
CCSDS Fall Meetings
10/11/2014
ESA UNCLASSIFIED – Releasable to the Public
Security: A Strategic Objective
•
ESA is responsible for assets of very high tangible and
intangible value
•
Security has emerged as a strategic objective for ESA
New European Space Programmes
Stringent security requirements, mainly due to
safety and/or dual aspects (Galileo, Copernicus,
SSA..)
Changing Security Environment
Strong executive commitment by ESA towards security
Agency level endorsement of security best engineering
practices
Enforced top level requirements in the form of security
regulations and directives
Commitment to improving security practice throughout
the Agency
Security certification
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 2
ESA UNCLASSIFIED – Releasable to the Public
Importance of Ground Systems Security
•
•
At the core of any ground segment there are many software systems
Large, complex, distributed
Multiple technologies, languages, generations
Different operational environments
Ground systems are subject to various security threats
Direct exploitation of implementation flaws
Viruses/ Malware
Denial-of-Service
Others
•
The more complex the system, the more susceptible to attacks
•
Application-level threats can never be completely eliminated however
•
Technology and tooling addressing these risks have emerged
Secure system and software engineering can reduce the risk and minimize
the impact of attack
Increased reliability and availability
Increased robustness
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 3
ESA UNCLASSIFIED – Releasable to the Public
Facts and Key Principles
•
•
Facts
Security imposes extra engineering burden
Security requires specialised knowledge
Security is costly
Key Principles
Security should not be “patched” into systems
Application
Network
It must be considered from the outset and at each step of the
Software Development Lifecycle (SDLC)
Secure software engineering should complement other security
mechanisms
Part of an “onion” approach
Other layers imply the criticality of the application layer
Avoids unnecessary redundancies and reduced overhead for
security
Physical
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 4
ESA UNCLASSIFIED – Releasable to the Public
Facts and Key Principles (Cont.)
•
Key Principles (Cont.)
Security is a system concern
Levels interdependencies
Standardised approaches to security engineering essential for
Enforcement of good security engineering practices
Security is often “the least concern”
Consistency of results at different levels e.g.
Agency Level
Missions of the same type
Systems of the same type
Reduction of burden of security engineering practices on individual projects
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 5
ESA UNCLASSIFIED – Releasable to the Public
Secure Software Engineering
Standardisation Initiative
at ESA
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 6
ESA UNCLASSIFIED – Releasable to the Public
Secure Software Engineering
Standardization Initiative
•
ESA and the European Space Sector applies the European Cooperation
for Space Standardisation (ECSS) system of standards
•
In 2013 the ESA Standardisation Board endorsed an initiative aimed at
addressing Secure Software Engineering at Agency Level
•
Main objective is to provide standardised support to effective SSE
practices in the form of:
Gap Analysis: Assessment of security coverage in ECSS against
external standards and industry best practices
ESA Internal Secure SW Engineering Standard: Complements
the ECSS standards for software security aspects
Companion Secure SW Engineering Handbook: Non-normative
guidelines and recommendations on the implementation of the
requirements in the standard
Security Requirements Repository: An exhaustive set of
generic software security requirements to be tailored for specific
applications
Change Requests to the ECSS Sofware Engineering and PA
Standards
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 7
ESA UNCLASSIFIED – Releasable to the Public
Gap Analysis
•
•
The gap analysis answers the following concerns:
Do the ECSS standards adequately cover secure software engineering
practices and to which extent?
Can external standards and industry best practises be used to propose
solutions for filling identified gaps?
The gap analysis followed a formal, structured approach:
Identification of relevant inputs
Cross mapping of identified standards
Gap Identification
Gap Analysis
Documentation and proposed way forward
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 8
ESA UNCLASSIFIED – Releasable to the Public
Gap Analysis Inputs: Internal
ESA Security Directives
Relevant ECSS Standards
M-Series
Space Project Management
E-Series
Space Engineering: System and Software
Q-Series
Space Product Assurance
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 9
ESA UNCLASSIFIED – Releasable to the Public
Gap Analysis Inputs:
Industry Best Practise
ITSG-33: IT Security Risk Management, A lifecycle approach
Primary source for product lifecycle (PLC) approach to system security
engineering
Includes concepts of integrated use of Threat and Risk Assessment
(TRA) in the PLC, identification of relevant security activities per phase,
security controls catalogue, security controls profiles, security
assurance and security robustness
Common Criteria for information technology security evaluation
Detailed consideration for security assurance concepts and criteria
OWASP Secure Coding Practice Quick Reference Guide
Software specific practices applicable to implementation phase
Harmonized TRA Methodology, TRA-1
A basic TRA method used as a process benchmark
Clear integration of TRA processes in PLC
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 10
ESA UNCLASSIFIED – Releasable to the Public
Gap Analysis Reference Inputs:
Industry Best Practise
NIST SP 800-37, Guide for Applying the Risk Management Framework
to Federal Information Systems: A Security Life Cycle Approach
NIST SP 800-53, Security and Privacy Controls for Federal Information
Systems and Organizations
CCSDS 350.1-G-1, Report Concerning Space Data Systems Standards,
Security Threats Against Space Missions
ISO-IEC 27001:2013, Information Technology – Security techniques –
Information security management systems – Requirements
ISO/IEC 27005:2011, Information technology – Security techniques –
Information security risk management
ENISA, Inventory of risk assessment and risk management methods
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 11
ESA UNCLASSIFIED – Releasable to the Public
Gap Analysis Findings:
Agency and System Level
•
•
At Agency level the following enhancements are recommended:
Establish a standard Threat and Risk Assessment (TRA) methodology
Establish corporate perspective on security by mission type security
categorisation profiles for missions
At System level the following enhancements are recommended:
Include security aspects more explicitly in system engineering,
management and PA
Address Security Objectives and Requirements explicitly and
systematically (provide catalogues where possible)
Integrate information Security Threat and Risk Assessment (TRA)
concepts in the product lifecycle (PLC)
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 12
ESA UNCLASSIFIED – Releasable to the Public
Gap Analysis Findings:
Software Engineering Level
•
Information Security Threat and Risk Assessment concepts are not
integrated in the Software Development Lifecycle (SDLC)
•
Security considerations are high-level and imlicit in all processes
•
Security requirements concepts (e.g. controls catalogue, assurance
and strength of function concepts) are not explicitly covered
Security processes for security architecture, design and
implementation are not explicit
Security processes for secure operations, maintenance and disposal
are not explicit
Software verification processes encompass security however:
Generally high-level and with gaps
Missing guidance for methods or mechanisms for security verification
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 13
ESA UNCLASSIFIED – Releasable to the Public
Gap Analysis Findings:
Software Engineering Level (Cont.)
•
Need to complement existing Software Engineering and PA standards with
Iterative use of a cyber-security TRA in SDLC
Security requirements engineering using a security requirements
catalogue
Derivation of security assurance and security strength of function
requirements
Security design activities (high-level design, detailed design) and
development
Security verification and validation activities
Operational security activities
Use of penetration testing
Continuous security monitoring and modifications in response to
evolving threats
Secure disposal of security sensitive systems and data
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 14
ESA UNCLASSIFIED – Releasable to the Public
Gap Analysis Findings:
Software Engineering Level (Cont.)
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 15
ESA UNCLASSIFIED – Releasable to the Public
Secure Software Engineering
Standard
•
Delta to ECSS E40C and Q80C documents
•
Provides additional information or new requirements where necessary
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 16
ESA UNCLASSIFIED – Releasable to the Public
Secure Software Engineering
Handbook
•
The equivalent to a CCSDS Green Book
•
Provides additional information and guidance on specific requirements
from the standard
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 17
ESA UNCLASSIFIED – Releasable to the Public
Secure Software Engineering
Requirements Catalogue
•
Will be an informal supplement to the standard
•
Provides a full catalogue of security requirements applicable to
software development from well known sources
•
Covers different aspects of software development
•
Contractual Requirements
•
“Statement of Work” Requirements
•
Functional Security Requirements
•
Documentation Requirements
•
Requirements are organised hierarchically
•
For example: Requirement 133:
•
The system shall be able to verify the integrity of executable
code at start up and before loading it into memory.
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 18
ESA UNCLASSIFIED – Releasable to the Public
A Tool to Integrate SSE
into Daily Practice
-
Generic Application Security Framework
(GASF)
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 19
ESA UNCLASSIFIED – Releasable to the Public
The GASF Tool
•
Requirements Catalogue
•
Using well known security requirement sources e.g. ISO 27001, NIST,
CWE
Assists in the selection of security requirements for software
development project
Statement of Work
Contract
Security Requirements Specification
•
Export to DOORS, Word, XML
•
GASF Tool Technical Specs
Java
Client-Server architecture
GASF catalogues stored in SQLite
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 20
ESA UNCLASSIFIED – Releasable to the Public
GASF Security Requirements Catalogue
•
Security requirements catalogue
Organized in requirements categories
Hierarchically organized requirements
High level: Main security
categories
Low level: Refined security
requirements
The lower the more refined
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 21
ESA UNCLASSIFIED – Releasable to the Public
GASF Requirements Tailoring Templates
•
Not all software has the same security requirements
•
GASF implements security requirements tailoring using
templates
•
Templates are filters that are applied to the requirements base
CIA templates select requirements according to the
confidentiality, integrity, and availability level identified by the
risk assessment
Environment Templates identify requirements applicable to
well identified target deployment environments: e.g. Operational
LAN, Pre-Operational LANs, DMZ, etc.
Project-type Templates identify requirements applicable to
typologies of projects e.g. operational software, prototype etc.
Templates are re-usable
Only the first-of-a-kind system will have to go through a detailed
selection process
Systems with same characteristics can re-use existing templates
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 22
ESA UNCLASSIFIED – Releasable to the Public
GASF Requirements Specification Flow
□ .....
□ .....
□ .....
□ .....
□ .....
□
P .....
□
P .....
□ .....
□ .....
□
P .....
□ .....
□
P .....
□ .....
□
P .....
□ .....
□ .....
X
□ .....
X
Template A
Template B
Compute
recommendations
GASF Tool
Requirement Catalogue
□
P .....
□
P .....
□
P .....
□? .....
□? .....
□
X .....
Project view
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 23
ESA UNCLASSIFIED – Releasable to the Public
Requirement
engineering
□
P .....
□
P .....
□
P .....
□
P .....
□
X .....
□
X .....
Project view
Export
□
P .....
□
P .....
□
P .....
□
P .....
DOORS
GASF Best Practices Recommendations
•
GASF implements links to technology specific recommendations and
the CWE (Common Weakness Enumeration) to support developers in
the implementation of security requirements
•
CWE is
•
A unified, measurable set of software weaknesses
Community initiative that includes individual researchers and
representatives from numerous organizations
International in scope and free for public use
CWE catalogue linked to requirements. The tool provides
Weaknesses
Applicable platform
Potential mitigations
Demonstrative examples
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 24
ESA UNCLASSIFIED – Releasable to the Public
GASF Best Practices Recommendations
GASF Tool
Access control
Java
C++
Supplier
Logging
C++
PHP
□
P .....Help
□
P ..... Help
□
P ..... Help
□
P .....Help
□ .....Help
X
□ .....Help
X
Project view
Technology Specific recommendations
Data Handling
Improper input validation
Process control
Improper input validation
Pointer issues
Common Weakness Enumeration
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 25
ESA UNCLASSIFIED – Releasable to the Public
Way Forward
Finalisation of the Requirements Catalogue
Q4 2014
ESA Internal Review of Standard and Handbook
Q4 2014
Publish ESA Internal Secure SW Engineering Handbook
Q1 2015
ECSS Change Requests Submission
2015
GASF Compliance with Standards and promotion at Agency level
Current ECSS SW
Engineering Standards
Delta
Security
Processes
Software validation
process
Software related
system
requirements
Software
requirements and
architecture
engineering
process
Software verification
process
Software design
and
implementation
engineering
process
Daniel Fischer |CCSDS Fall Meetings | 11/11/2014 | Slide 26
ESA UNCLASSIFIED – Releasable to the Public
Software delivery
and acceptance
process
Software management
process
Software
operation
process
Software
maintenance
process
2015+
THANK YOU FOR YOUR ATTENTION
ESA UNCLASSIFIED – Releasable to the Public