Paco Hope Florence Mo ay <fmo 2012 Cigital. All Rights Reserved. SecAppDev. Define third party so ware

Size: px

Start display at page:

Lorena Campbell
8 years ago
Views:

1 Paco Hope Florence Moay 2012 Cigital. All Rights Reserved. SecAppDev 1 Objectives Define third party soware What it is, why we use it Define the risks from third party soware Idenfy tools and techniques for addressing the risk Connect tools with the right situaons Explore one possible approach 2012 Cigital. All Rights Reserved. SecAppDev 2 1

2 Software Ecosystem Software As a Service (SaaS) Specify Design Build Test Operate Support Cloud 2012 Cigital. All Rights Reserved. SecAppDev 3 Also Known As: Software Supply Chain Risk Studied by Soware Engineering Instute (SEI) and University of Maryland Who supplies code? Who supplies labour? Who operates soware? 2012 Cigital. All Rights Reserved. SecAppDev 7 2

3 Kinds of Third Parties 1. Staff augmentaon they work on your premises, they follow your orders 2. Integrated Project Teams they provide a team; you provide management 3. Contractual You write contracts; they deliver 4. Service Provider You buy what they sell 2012 Cigital. All Rights Reserved. SecAppDev 8 The Problem You can outsource activities, but you cannot outsource liability Risk introduced by soware How do we idenfy it? How do we quanfy/qualify it? Various acvies address that risk How do we conduct those acvies in someone else's lifecycle? How do we hold the right people accountable? You acknowledge that Licensed Soware is not designed or intended for use in the design, construcon, operaon or maintenance of any nuclear facility. Sun Microsystems, Inc. disclaims any express or implied warranty of fitness for such uses Cigital. All Rights Reserved. SecAppDev 10 3

4 Risks from Software Brand and reputaon damage Non- compliance Failures in business logic Lost sales Unauthorised disclosure of data Unavailability Actual back doors or vulnerabilies 2012 Cigital. All Rights Reserved. SecAppDev 11 IANAL, But (I am not a lawyer) Popular Open Source Licenses Apache Arsc License BSD GNU General Public License GNU Lesser GPL Possible Implicaons Releasing source code Perming derivave works Disclosing origin of soware hp:// Cigital. All Rights Reserved. SecAppDev 12 4

5 Thinking About the Actors Them Do our vendors have a clue? When designing When coding When operang Do they do their jobs well? Are their products suitable for us? Us Do we have a clue? Requirements Operaons Support Are we doing our part well? Integraon Compliance 2012 Cigital. All Rights Reserved. SecAppDev 14 Tools for the Problem Assessing capabilies Deliverable- based security gates Security requirements Security test plan Threat model Code Scan results w/ defect tracking Security test results mapping to requirements Penetraon test results Contract- based hooks 2012 Cigital. All Rights Reserved. SecAppDev 15 5

6 Build Security In Maturity Model BSIMM For Us What do we do? How mature are we? Where might we put more effort? For Vendors: vbsimm Quick / crude measure 15 acvies Very low bar Vendors sll score poorly hp:// Cigital. All Rights Reserved. SecAppDev 16 Learning What Others Do idenfy gates unify regulaons know PII obligaons publish policy awareness training data classificaon idenfy features security standards review security features stac analysis tool QA boundary tesng external pen testers good network security incident response close ops bugs loop Config. Mgmt.&Vuln. Mgmt. Sw. Env. Pen. Tesng Sec. Tesng Code Review Strategy&Metrics Compliance&Policy Training Standards&Req'ts Aack Models Sec. Features&Design Arch. Analysis * ( everybody = 20 out of 30 firms) BSIMM EARTH AVG (30) BSIMM TOP TEN AVG (10) 2012 Cigital. All Rights Reserved. SecAppDev 17 6

7 Alternatives to Consider Microso SDL OpenSAMM CLASP Etc. Tend to be prescripve not descripve Don t help you measure yourself or others 2012 Cigital. All Rights Reserved. SecAppDev 18 Tools and Situations We can oen apply security requirements Very applicable when we specify Harder to enforce in SaaS limited by vendor s flexibility Code scanning is very good evidence Only works when you have code Binary scanning is a poor substute Security tesng always possible in UAT Pen tesng requires cooperaon, oen limited scope 2012 Cigital. All Rights Reserved. SecAppDev 20 7

8 Touchpoints for Third Party Development 2012 Cigital. All Rights Reserved. SecAppDev 21 Architecture Deliverables Architecture risk analysis Threat model Test strategy and test plan with security 2012 Cigital. All Rights Reserved. SecAppDev 22 8

9 Use the Source, Luke Stac analysis Defect tracking Patch management OSS analysis Idenfy accidental / unknown usage Idenfy legal obligaons Stac Analysis tools Commercial Forfy Coverity AppScan Source Free CppCheck Findbugs OSS Analysis Black Duck Palamida 2012 Cigital. All Rights Reserved. SecAppDev 23 Working with Binaries Reverse engineering Good for mobile, embedded, client/ server Not always permied Binary analysis Veracode, etc. Not always successful Simulaon Run in VM, sandbox, or simulator Observaon Eavesdropping Proxying,etc Cigital. All Rights Reserved. SecAppDev 24 9

10 Security Testing (Not Penetration Testing!) Boundary cases Negave cases Inverted cases off the RBAC matrix Idenfying undesirable behaviour Not checking Not funconal tesng Exploratory tesng is good 2012 Cigital. All Rights Reserved. SecAppDev 25 Penetration Testing Require vendor support access credenals generous me windows etc. Require vendor tracking / reporng What will they do? When will they do it? Focus on soluons, not problems Not about finding max bugs It s about fixing bugs 2012 Cigital. All Rights Reserved. SecAppDev 26 10

11 Deployment Secure configuraon Change control process Coordinaon with development team Upgrades to base plaorm Patch deployment to applicaon 2012 Cigital. All Rights Reserved. SecAppDev 27 Operations Logging, monitoring SIEM Incident response Vulnerability tracking 2012 Cigital. All Rights Reserved. SecAppDev 28 11

12 Procurement Security requirements during RFP / Tender process Security quesons during vendor selecon Periodic evaluaon of vendor security capabilies Security deliverables with funconal deliverables 2012 Cigital. All Rights Reserved. SecAppDev 29 Procurement Require source code Permit decompiling / reverse engineering Permit security tesng Require significant documentaon Escrow code if you must 2012 Cigital. All Rights Reserved. SecAppDev 30 12

13 One possible low Figure out which lifecycle stages are out of your control Figure out which deliverables are feasible Idenfy mechanisms to enforce deliverables (e.g., UAT, procurement, etc) Require deliverables at appropriate stages Add to PMO process, if possible 2012 Cigital. All Rights Reserved. SecAppDev 32 1: Identify Lifecycle Stages Which ones are owned by vendors? Where do your teams plug in? PMO Project leads Procurement Requirements Integraon UAT 2012 Cigital. All Rights Reserved. SecAppDev 33 13

14 2: Identify Practical Deliverables What? What is praccal, permissible, measurable? Threat models Code scan reports Pen test reports Defect reports Is it objecve? How much visibility do you get into its creaon? When? At major releases? At regular intervals? On- demand access? As it is generated, or aer it is reviewed by the vendor? 2012 Cigital. All Rights Reserved. SecAppDev 34 3: Promote Enforcement Lifecycle Phases Promoon Create security gates Dev à QA QA à Staging Staging à Producon Require security deliverables for promoon phase- to- phase Enforce security sign- off Be Pragmac If security always says no, then security becomes a problem Problems get fixed Choose bales carefully 2012 Cigital. All Rights Reserved. SecAppDev 35 14

15 4: Institutionalise Put Security in the PMO Make it regular Make it understood Automate as much as possible Checklists Worksheets Processes Change Takes Time Start small Minimise overhead Make everything relevant Ensure adopon of one small piece before introducing a new piece 2012 Cigital. All Rights Reserved. SecAppDev 36 Putting it Together Idenfy your vendors and sources of third party soware risk Understand your competency and theirs Determine ownership of lifecycle phases Idenfy security deliverables for each phase Gradually work them into your process 2012 Cigital. All Rights Reserved. SecAppDev 38 15

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP EVA.KUIPER@HP.COM HP ENTERPRISE SECURITY SERVICES

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP EVA.KUIPER@HP.COM HP ENTERPRISE SECURITY SERVICES Agenda Importance of Common Cloud Standards Outline current work undertaken Define