Application Security – a standards approach 应用安全: 一个标准的方法 Dr Meng-Chow Kang, CISSP Director and CISO, APCJ, Cisco Systems November 9, 2011 © 2010 Cisco and/or.

Report
Application Security – a standards approach
应用安全: 一个标准的方法
Dr Meng-Chow Kang, CISSP
Director and CISO, APCJ, Cisco Systems
November 9, 2011
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
ISO/IEC 27034 – yet another
standard?
ISO/IEC 27034 approach to
application security
(ISC)2 CSSLP
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
2
• ISC)2 – International Information Systems Security Certification
Consortium 国际信息系统安全认证联盟
• Mr Luc Poulin, Editor for ISO/IEC 27034 and President of Cogentas,
Canada;国际标准ISO/IEC 27034 编辑
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
3
ISO/IEC JTC 1/SC 27
Security Techniques
Chair: Walter Fumy
Vice Chair: Marijke de Soete
Secretariat
Krystyna
Passia
WG 1 Security
Management
Convener: Ted
Humphreys
Vice
Convener:
Dale
Johnstone
© 2010 Cisco and/or its affiliates. All rights reserved.
WG 2
Cryptography
and Security
Mechanisms
Convener:
Takeshi
Chikazawa
WG 3 Security
Assurance
Convener:
Miguel Bañón
WG 4 Security
Controls and
Services
Convener:
Meng-Chow
Kang
WG 5 Identity
Management
and Privacy
Technology
Convener: Kai
Rannenberg
Cisco Confidential
4
Prepare to respond;
continuous monitoring;
eliminate or reduce
risks and impacts
Unknown or emerging
information security issues
未知和新兴信息安全问题
Risk manage; Prevent
occurrence; Reduce
impact of occurrence
Known information security
issues
已知信息安全问题
Investigate to establish
facts about breaches;
identify who done it and
what went wrong
© 2010 Cisco and/or its affiliates. All rights reserved.
Information security breaches
and compromises
违反信息安全规律事件
信息泄漏事件
Cisco Confidential
5
ICT Readiness for Business Continuity (27031)
Cybersecurity (27032)
Information security incident management (27035)
Selection, Deployment, and Operation of IDS (27039)
Unknown or emerging
information security
issues
ICT Disaster Recovery Services (24762)
Network Security (27033 Parts 1 to 6)
Application Security (27034 Parts 1 to 6)
Security Info-Objects for Access Control (TR 15816)
Information Security for Supplier Relationships (27036)
Digital Redaction (27038); Storage Security (27040)
Known information
security issues
TTP Services Security (TR 14516; 15945)
Time Stamping Services (TR 29149)
Identification, collection and/or acquisition, and
preservation of digital evidence (27037)
© 2010 Cisco and/or its affiliates. All rights reserved.
Information security
breaches and compromises
Cisco Confidential
6
• Web 2.0 & social networking
• Social engineering
• Vulnerability exploitations
• Mobility
• Beyond Windows
• Escalating concerns over data losses
© 2010 Cisco and/or its affiliates. All rights reserved.
“Just landed in Baghdad”
- Rep. Peter Hoekstra,
R-Mich Tweets
Secret delegation led by House
Minority Leader John A. Boehner is not
so secret…
Cisco Confidential
7
• A critical element of “baked-
in” security
• Insecure development
practices result in
Vulnerabilities created in software
Brittleness (脆化) of overall
application and systems
Exponential cost of detection,
repair, and patching
Questionable trust; customers’
confidence; more regulations
© 2010 Cisco and/or its affiliates. All rights reserved.
• Relative cost of fixing defects
in production is 30 to 100
times more expensive
Cisco Confidential
8
• Addressing secure software needs
IEEE: CSDA and CSDP (Software
development)
SANS: GSSP-C, GSSP-J (Language
specific/secure coding)
ISSECO: International Secure Software
Engineering Council
CSSE (Entry level education program with
certificate of completion given by International
Software Quality Institute (iSQI)
DHS (国土安全部): Software Assurance
Initiative (Awareness Program/Forum)
Vendor-Specific (e.g., Cisco, Microsoft) based
on internal lifecycle processes/technology
specific and industry best practices
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
9
Issues
to Application Security
Lack of a global
vision 缺乏远见
Security depends on
environment
Lack of standardized
reference model
安全依赖于
应用的环境
缺乏标准参考模式
And we still don’t
know if we can trust
an application that
is secure enough for
our needs
组织自创方法, Personalized methods,
tools, and solutions
工具,解决方
案
© 2010 Cisco and/or its affiliates. All rights reserved.
10
Cisco Confidential
10
Project &
Operation
Teams
Users
Managers
Auditors
Differing
Needs
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
11
• Multi-parts security standard focusing on needs for
application security from enterprise perspective, covering
all relevant aspects of application life-cycle
• Part 1 – Overview and Concepts
• Part 2 – Organization Normative Framework
• Part 3 – Application Security Management Process
• Part 4 – Application Security Validation
• Part 5 – Protocols and Application Security Controls Data
Structure
• Part 6 – Security Guidance for Specific Applications
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
12
Source of controls for Application Security
Conclusion
ISO/IEC 15408
Evaluation
Criteria for IT
Security
ISO/IEC 21827
ISO/IEC 29193
Benefits
ISO/IEC 27002
Capability
Maturity
Model
(SSE-CMM)
ISO/IEC 15408
ISO/IEC 21827
ISO/IEC 27002
Evaluation
ITIL
Criteria for IT
Security
Information
Capability
CobiT
Maturity
Model
Control
(SSE-CMM)
Objectives for
Information and
related
Technology
Technology
Infrastructure
Library
S3M
ITIL
Modèle
d’évaluation de
la capacité de la
maintenance du
logiciel
Control
Objectives for
Information and
related
Technology
Information
Technology
Infrastructure
Library
ISO/IEC 29193 ISO/IEC
OWASP
27001
BSIMM2
Objectives for
Information and
related
Top Ten
CobiT Technology
OWASP
Control
Objectives for
Information and
related
Technology
All other
documents
PCI-DSS
Control
Objectives for
Credit Sards
electronic
transactions
Principles and others elements
comming form standards and bests practices
Top Ten
Secure system
Code of practice
engineering
for information
OWASP
principles and
security controls
Controltechniques
attach many
standards,
methodology and
practices to
Quebec
Canadian
implement
Province
Privacy Law
Privacy Law
Application
Help to identify applications to be secured
Security
S3M
Building Security
In Maturity Model
Source of controls for Application Security
• 27034 help to
Modèle
d’évaluation de
la capacité de la
maintenance du
logiciel
BSIMM2
Secure system
engineering
principles and
techniques
Code of practice
for information
security controls
on witch an
Canadian
Privacy Law
PCI-DSS
< … >Control
Objectives for
Credit Sards
electronic
transactions
<…>
<…>
All other
Quebec
organization
documents
Province
on witch an
want
to
Privacy Law
organization
Testing
Building
Security
ISMS
In Maturity
Model
Guide
Requirements
Control
Objectives for
Information and
OWASP
related
Testing
Technology
Guide
Control
Objectives for
Information and
related
Technology
Méthode
harmonisé
d’analyse de
risques
ISO/IEC 15443
comming form standards and bests practices
ISO/IEC 27001
ISO/IEC 27005
ISO/IEC 15026
ISO/IEC 15443
Information
security risk
management
System and
Software
Assurance
A framework for
IT security
assurance
IEEE 1028
Generic process
for formal
reviews
IEEE 1028
Generic process
for formal
reviews
demonstratrewant
a to
<…>
demonstratre a
conformance
Provides processes and ASCs to integrate in
conformance
Help to implement
/ enforce
Help to implement / enforce
Provides controls
for the ASC
Octave
EBIOS
ISO/IEC 27034
NIST 800-30 ISO/IEC 12207
Application
Risk
Software security
Operationally
Critical Threat,
Asset, and
Vulnerability
Evaluation
ISO/IEC 15026
Information
System and
A framework for
security risk
Software
IT security
management Principles Assurance
assurance
and others elements
ISMS
Requirements
Provides controls for the ASC
Mehari
ISO/IEC 27005
Expression des
besoins et
identification des
Management
objectifs de
Guide
Help
to identify applications to be secured
sécurité
Life Cycle
Processes
AGILE
development
Traditional
ISO/IEC 15288
methodology
development
Scrum, TDD,
System
methodology
Crystal, Agile
Life Cycle
RUP, Open UP,
DSDM,
ProcessesProvides processes and ASCs to integrate UP,
in
Water fall, etc.
DDD, Kanban,
etc.
Octave
EBIOS
Méthode
harmonisé
d’analyse de
risques
Operationally
Critical Threat,
Asset, and
Vulnerability
Evaluation
Expression des
besoins et
identification des
objectifs de
sécurité
All others
Security Risk
analysis
methods
All others
information
classification
methods
<…>
<…>
Mehari
All others
Security Risk
analysis
methods
<…>
All others
information
classification
methods
<…>
NIST 800-30
Risk
Management
Guide
Organization’s
specific
development
methodology
<…>
ISO/IEC 12207
ISO/IEC 15288
Software
Life Cycle
Processes
System
Life Cycle
Processes
development
methodology
All other
processes
in witch you
want to
integrate ASCs.
All other
processes
in witch you
want to
Organization’s
specific
integrate
ASCs.
<…>
Traditional
development
methodology
RUP, Open UP,
Water fall, etc.
AGILE
development
methodology
Scrum, TDD,
Crystal, Agile
UP, DSDM,
DDD, Kanban,
etc.
13
Existing processes
inprocesses
applications
life life
cycles
Organizational security Organizational
risk analysis
methods
and
tools
Existing
in applications
cycles
security
risk analysis
methods
and tools
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
13
Security Model proposed by ISO/IEC 27034
Application Security Key Principles
• Security is a requirement
• Application security is context-
Security
Management
(Governance)
dependent
• Appropriate investment for
application security
• Application security must be
demonstrated
Technology
(Acquisition,
Maintenance, and
Contingency)
Critical
Information
Applications,
Information System
(Development
and Evolution)
Verification
and Control
(Conformity)
14
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
14
Security Model proposed by ISO/IEC 27034
Contexts that have an influence on Security
Legal Context
1..*
Business Context
1..*
Organisation
Technological Context
1..*
Business needs
1..*
Level of trust
1..*
Business
processes
Application
*..*
Information
People
© 2010 Cisco and/or its affiliates. All rights reserved.
Systems
1..*
Hardware
Process
Software
Technology
Data
Cisco Confidential
15
15
Security Model proposed by ISO/IEC 27034
Definitions
• Application security
Provides elements to securely define, design, develop,
implement, manage, and securely dispose an application
and its information.
• Application
IT solution, including application software, designed to
help users perform particular tasks or handle particular
types of IT problems that helps an organization to
automate a business process or function.
16
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
16
Security Model proposed by ISO/IEC 27034
Definitions
• Target environment 目标环境
is the technological, business and legal context in which the
application will be used.
• Level of trust (LoT) 可信度
Targeted LoT: 可信度的目标 label of a set of ASCs deemed
necessary by the application owner for bringing the risk of a
specific application down to an acceptable level.
Actual LoT: 实际可信度 result of a verification process that
confirms, by providing evidences, that all ASCs required by
the application’s targeted LoT were correctly implemented,
correctly verified and produced the expected result.
17
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
17
Security Model proposed by ISO/IEC 27034
Definitions
Secure application 安全的应用: 实际可信度=可信度目标
application for which the Actual Level of Trust is equal to the Targeted
Level of Trust, as defined by the organization using the application.
Within this concept, a secure application must comply with these
criteria:
properly covers security needs from the management, IT,
development and audit points of view;
according to the level of trust desired;
taking into account the type of information;
the target environment, and
that can be proven by supporting evidence to have reached and
maintained the target level of trust.
18
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
18
Security Model proposed by ISO/IEC 27034
Application Security Control (ASC)
安全需求
Security Requirements
应用可信度的目标
Application Target
Level of Trust
·
·
·
·
(why)
安全议案
Security Activity
(what, how, where, who, when, how much)
ASC
Application specifications,
Compliance to regulations,
Standards and best practices,
Etc.
(why)
验证测量
Verification Measurement
(what, how, where, who, when, how much)
Application Security Life Cycle Reference Model
应用安全生命周期参考模型
19
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
19
Security Model proposed by ISO/IEC 27034
The ASCs Library
Organisation ASC Library
应用安全措施库
Source of
specifications
and constraints
Application
specifications
Application levels of trust used
by the organisation
Specifications
and constraints
0
Secure Log
ASC
Online payment
Business
context
Regulatory
context
1
2
3
...
9
10
ASC
ASC
ASC
Aeronautics
ASC
PCI-DSS
ASC
Privacy Laws
ASC
SSL Connection
ASC
ASC
ASC
ASC
ASC
ASC
ASC
ASC
Technological
context
Wireless
© 2010 Cisco and/or its affiliates. All rights reserved.
ASC
ASC
ASC
20
Cisco Confidential
20
Security Model proposed by ISO/IEC 27034
Application Security LC Reference Model
Application Security Life Cycle Reference Model
Layers
Application
management
Application provisionning management
Application operation management
Outsourcing
Application
provisionning
and operation
Development
Preparation
Transition
Utilization
Archival
Destruction
Acquisition
Infrastructure
management
Application provisionning infrastructure management
Application
audit
Application provisioning audit
Preparation
Realization
Provisioning stages
Transition
Application operation
infrastructure management
Disposal
Application operation audit
Utilization and
maintenance
Archival
Destruction
Operation stages
Actors
Role 1
© 2010 Cisco and/or its affiliates. All rights reserved.
Role 2
Role 3
Role 4
Role n
Cisco Confidential
21
Security Model proposed by ISO/IEC 27034
The ONF
Organization Normative Framework
组织规范框架
Business
context
Regulatory
context
Technological
context
Application
specifications
repository
Roles,
responsibilities
and qualifications
repository
Application Life Cycle Processes
ASC Library
Application Life Cycles
Application Life Cycle Security Reference Model
ASC
Processes Related to Application Security
ONF Management Processes
ONF Conformance Processes
22
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
22
Application Security Management Process
2
Security Model proposed
by ISO/IEC 27034
The ASMP
Assessing the
application security
risks
3
Is used
for
Determines
Creating and maintaining
the Application
Normative Framework
Application targeted
level of trust
Identifies
Application contexts
and specifications
used for
Provides
5
1
Identifying the
application
requirements and
environment
Application actual
level of trust
Verifying the security
of the application
Provides
Application Normative
Framework
used for
Mandates security
adjustments
used for
4
Provides
Implemented required ASCs
used for
used for
Provides
Application project artefacts
and ANP used for
Realising and operating
the application
Organization Management Processes
ONF Management Process
Organization
Normative
Framework
© 2010 Cisco and/or its affiliates. All rights reserved.
Provides
Components and processes
related to
Application Security
Provides
Feedback
to
23
Cisco Confidential
23
• Success of a software assurance program within an organization is
directly proportional to the support of executive management.
• Security has to be ensured throughout the entire lifecycle.
• All stakeholders in the software development process must be aware of
common security tenets and threats.
• Building secure software is a result of all the stakeholders having the
appropriate levels of participation, and a security mindset in the design,
development, and deployment of the software.
Stakeholders must be educated and certified in how to build security
within every phase of the lifecycle.
“All of the policy and process control security
measures are totally futile without the first line
of defense – people.”
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
24
• Certified Secure Software Lifecycle Professional
(CSSLP) 安全软件生命周期专业认证
• Base credential (no other certification is required as a
prerequisite) 基本凭据
• Professional certification program 专业认证项目
• Takes a holistic approach to security in the software
lifecycle 全面性的方法
• Tests candidates knowledge, skills and abilities to
significantly mitigate the security concerns测试考生
的知识,技术以及解决安全问题的能力
As of November 2009, 900 CSSLPs in 42 countries Worldwide
© 2010 Cisco and/or its affiliates. All rights reserved.
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
Cisco Confidential
25
• Addresses building security throughout the entire
software lifecycle – from concept and planning
through operations and maintenance, to the ultimate
disposal.
• Provides a credential that speaks to the individual’s
ability to contribute to the delivery of secure software
through the use of standards and best practices.
• The target professionals for this certification includes
all stakeholders involved in the Software Lifecycle.
© 2010 Cisco and/or its affiliates. All rights reserved.
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
Cisco Confidential
26
Top Management
Auditors
Business Unit Heads
Client Side PM
IT Manager
Industry Group
Delivery Heads
Business
Analysts
Architects
© 2010 Cisco and/or its affiliates. All rights reserved.
Application Owners
Developers/
Coders
Quality
Assurance
Managers
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
Security Specialists
Software
Lifecycle
Stakeholders
Project Managers/
Team Leads
Cisco Confidential
27
CSSLP
•
•
•
•
•
Microsoft
Cisco
Xerox
SAFECode
Symantec
CM
Industry Supporters
•
•
•
•
•
BASDA
SANS
DSCI (NASSCOM)
SRA International
ISSA
“As the global dependence on information and communications technology
has grown, users have become increasingly concerned over the security of
software, especially those in the government, critical infrastructure and
enterprise sectors. By offering software professionals a means to increase
and validate their knowledge of best practices in securing applications
throughout the development lifecycle, (ISC)²’s CSSLP is helping the
industry take an important step forward in addressing the ‘people’ part of
the solution.”
Paul Kurtz, executive director, SAFECode
© 2010 Cisco and/or its affiliates. All rights reserved.
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
Cisco Confidential
28
(ISC)²® CSSLP CBK Domains 共同知识体质知识域
• Secure Software Concepts概念
• Secure Software Requirements 需求
• Secure Software Design 设计
• Secure Software Implementation/Coding 实施/编码
• Secure Software Testing 测试
• Software Acceptance 验收
• Software Deployment, Operations, Maintenance,
and Disposal部署,操作,维护和处置
© 2010 Cisco and/or its affiliates. All rights reserved.
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
Cisco Confidential
29
• Check out the series of Whitepapers created
that discuss:
The need for secure software
What to consider when building secure software
How to design, develop and deploy secure software
Best practices for ensuring security throughout the
process
Exploiting insecure code and, in turn, using that to
write code that is not exploitable
https://www.isc2.org/csslp-whitepaper
© 2010 Cisco and/or its affiliates. All rights reserved.
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
Cisco Confidential
30
Changing
Risks
© 2010 Cisco and/or its affiliates. All rights reserved.
Changing
Practices
Cisco Confidential
31
http://mengchow.wordpress.com/
@mengchow
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
32

similar documents