1 Secure Product Development Overview Dr. Panayotis Kikiras INFS133 March 2015
2 Why Worry About Security We are a Security Company Embarrassment. Damage in reputation. Direct or Indirect loss of revenue.
3 Definition of Secure Secure product is one that protects the confidentiality, integrity, and availability of the customers information, and the integrity and availability of processing resources under control of the system s owner or administrator. -- Source: Writing Secure Code (Microsoft.com)
4 Why Security is still a problem? Security is hard to design!!!! Security is harder to implement. Main reasons: Lack of Education Lack of priority No liability enforcement by law. Security is non-functional -> Nobody pays for it
5 Security is mainly a software problem Depending on the source, an estimated 70% to 92% of security breaches result from vulnerabilities in software. Network Security Layer is adequately addressed (firewalls, IDS, IPS, Antivirus). A new star is raising though The end user
6 Software Vulnerabilities Trends Reported Vulnerabilities per Year Vulnerabilities Source: U.S CERT
7 Why Software Induces Vulnerabilities? Design Goals Security Issues Feature Richness The more feature rich the application is, the more bugs it is likely to have. Reliability Writing error-handling code increases the chance of introducing security bugs. When error handlers fail, the application fails. In this case, how will you ensure application security? Performance Security code can slow down apps performance Usability Running every process as admin/root is convenient for both developer and user; however that creates a security nightmare.
8 Famous disasters
9 Bad Algorithms USS Vincennes shot down Iran Air Flight 655, killing 290 civilian passengers and crew, who may have been the first known victims of artificial intelligence. According to senior military officials, computer generated Mistakes (the civilian Airbus categirized as an F-4 fighting aircraft) were the cause of the disaster. human-supervisory-control-of-automated-systems-spring- 2004/projects/vincennes.pdf
10 Feature Richness Without Careful Security Audits On May 4, 2000, the Love virus struck. According to Computer Economics, the worldwide economic impact of the Love Bug was $8.75 billion. The fact that Microsoft Outlook was designed to execute programs that were mailed to it made the virus possible. The Love virus event shows that feature richness without careful security audits for each feature is a dangerous combination. You should question every feature and remove those that aren t required
11 Still Much to Be Done: The Pain of "Blaster" Two lines of C code in RPCSS while (*pwsztemp!= L'\\') *pwszservername++ = *pwsztemp++; Led to >1,500,000 infected computers 3,370,000 Product Support Services (PSS) calls in September 2003 (normal virus volume is 350,000) Plenty of negative commentary " This [is] going to raise the level of frustration to the point where a lot of organizations will seriously contemplate alternatives to Microsoft" Gartner "There's definitely caution warranted here. [Microsoft's security] efforts were sincere, but I am not sure if they were sincere enough" Forrester
12 The Horrible Truth No matter how much effort we expend, we will never get code 100 percent correct This is an asymmetric problem We must be 100 percent correct, 100 percent of the time, on a schedule, with limited resources, only knowing what we know today Oh, and the product has to be reliable, supportable, compatible, manageable, affordable, accessible, usable, global, doable, deployable They can spend as long as they like to find one bug, with the benefit of future research We re human and our tools are far from perfect There s still a business case for improving security now
13 The Horrible Truth (continued) Tools make it easy to build exploit code Reverse engineering tools Structural Comparison of Executable Objects, Halvar Flake PCT Bug: "Detecting and understanding the vulnerability took less than 30 minutes" H.323 ASN.1 Bug: "The total analysis took less than three hours time" Exploit payloads
15 Incentives to Improve Source: Fundamentals of Secure Architecture online available at
16 Software Quality 2000s Today & Tomorrow 1980s 1990s Time to Market Total Cost of Ownership Security & Privacy Feature Richness Next Differentiator?
17 Where are we at the moment
18 Where are we know? SCRUM basic principles Early and continuous delivery of valuable software Welcome changing requirements, even late in development Build projects around motivated individuals and trust them to get the job done. Working software as the primary measure of progress Continuous attention to technical excellence and good design Simplicity maximizing the amount of work not done 15 days The best architectures, requirements, and designs emerge from self-organizing teams At regular intervals, the team reflects on, tunes, and adjusts its behavior
19 Where are we know? We trust that our teams are doing their best for security. Do they? No specific care in designing for security unless the customer requires that Does it happens now? No malicious user stories No specific controls for common security flaws
20 PO view on security Security is NOT a functional Requirement
21 Agile vs. Sec Worlds Agile Teams: More responsive to business concerns Increasing the frequency of stable releases Security Teams: More aggressive regulatory environment Increasing focus on need for security Decreasing the time it takes to deploy new features Traditional approaches are top-down, document centric
22 Security in SDLC
23 Waterfall VS. Agile Waterfall Agile
24 The Challenge: Lightweight Security Processes In SCRUM security processes iterated over and over again (comparing to Waterfall) Adjust weight of security processes to distinct scrum controls to keep efforts reasonable
25 Securing SCRUM an IT Sec Approach
26 Traditional Security + Agile Process
27 Designing a secure product
28 Designing a Secure Product Security by Design Attack Surface reduction, Threat Modeling Octave (Operationally Critical Threat, Asset, and Vulnerability Evaluation) Microsoft s Security Development Lifecycle Threat Modeling tool Secure by Default Clear Security requirements (Customer - Internal) Risk Assessment Defense in Depth (applied to software and supporting infrastructure) Compliance with standards (whenever and if needed) Which?
29 Security by Design Secure by design, in software engineering, means that the software has been designed from the ground up to be secure. Malicious practices are taken for granted and care is taken to minimize impact when a security vulnerability is discovered or on invalid user input.
30 Attack Surface Reduction (ASR) The Attack Surface Reduction Process Look at all of your entry points Network I/O File I/O Rank them Authenticated versus anonymous Administrator only versus user Network versus local UDP versus TCP
31 It s Not Just About Turning Stuff Off! Higher Attack Surface Lower Attack Surface Executing by default Off by default Open socket Closed socket UDP TCP Anonymous access Authenticated access Constantly on Intermittently on Admin access User access Internet access Local subnet access SYSTEM Not SYSTEM! Uniform defaults User-chosen settings Large code Small code Weak ACLs Strong ACLs
32 Attack Surface Reduction is as important as trying to get the code right
33 Threat Modeling Threat Analysis Secure software starts with understanding the threats Threats are not vulnerabilities Threats live forever; they are the attacker's goal
34 Thread Modeling Process
35 Thread Modeling Process Whiteboard Your Architecture Start with person, processes, data flows, data stores Unique shape per item Data flows should be one way each Label them with data, not read/write Draw attack surfaces/trust boundaries Tell a story to see if your picture is ok External Entity Process Data Flow Data Store Trust Boundary People Other systems Microsoft.com DLLs EXEs COM object Components Services Web Services Assemblies Function call Network traffic Remote Procedure Call (RPC) Database File Registry Shared Memory Queue / Stack Process Boundary File system
36 Find Threats: Use STRIDE per Element Start with items connected to dangerous data flows (those crossing boundaries) Use the chart to help you think of attacks Keep a running list Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
37 Mitigating Threats For each threat, decide how to stop it Redesign and eliminate Use standard threat mitigations Invent new mitigation (not recommended) Accept risk in File a work item in your bug tracking DB Treat threats as bugs, mitigations as features
38 Validate Check threat model diagrams Do they match the design docs or code?
39 Potential Methodologies - Tools Octave (Operationally Critical Threat, Asset, and Vulnerability Evaluation) : is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. Free family of tools not automated Part of the US Cert tool chain. Hard to Implement. Microsoft s Security Development Lifecycle (SDL)Threat Modeling tool Based on MS SDL methodology Adopted to Scrum processes Integrated to Visual Studio
40 Secure by Default Security by default, in software, means that the default configuration settings are the most secure settings possible, which are not necessarily the most user friendly settings. Allow only those functionalities that are explicitly need and with the less privileges.
41 Designing a Secure Product Clear Security requirements (Customer - Internal) Difficult at the moment to have customer s requirements Must decide internal baseline security requirements
42 Risk Assessment Designing a Secure Product Part of the Treat Modeling process RA Methodologies Microsoft SDL: STRIDE (Identification of threats) DREAD (quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat) Others
43 Designing a Secure Product Defense in Depth: is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited which can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle.
44 Designing a Secure Product Defense in Depth: is an information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited which can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle.
45 Designing a Secure Product Compliance with standards (whenever and if needed) Which? Where? When? There a lot of different security standards from different bodies ITU has more than 50 ICT related standards ( Same condition in ISO ISA NIST We must decide
46 Developing Secure products
47 Developing a Secure Product Threat Risk Mitigation Adopt and follow Principles Education and Training Learn from mistakes Think like an adversary
48 Developing a Secure Product Risk Mitigation Techniques Threat Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Mitigation Feature Authentication Integrity Nonrepudiation Confidentiality Availability Authorization
49 Developing a Secure Product Adopt and follow Principles Best Practices Top 10 Secure Coding Practices Validate input. Heed compiler warnings. Architect and design for security policies. Keep it simple. Default deny. Adhere to the principle of least privilege. Sanitize data sent to other systems. Practice defense in depth. Use effective quality assurance techniques. Adopt a secure coding standard.
50 Developing a Secure Product Education and Training At a minimum, train all Product Owners. Scrum team autonomy: Trust, but verify. Train two persons in every team to act as the security conscience. Repeat training periodically adjust to new threats.
51 Developing a Secure Product Learn from mistakes Use Scrum Controls to propagate lessons learned Scrum of Scrums Retrospectives
52 Developing a Secure Product Think like an adversary
53 Releasing a Secure Product Allocate time for Security Testing Test for common flaws Security Code reviews Infrastructure and software penetration testing. Security in Deployment Think like an adversary
54 Maintaining a Secure Product Fix security issues correctly Infrastructure and software penetration testing Adjust to changes of the supporting infrastructure (patches to OS, libs, etc.)
55 Product Security Lifecycle 1. Define Requirements (Threat Profile) 7. Feedback 6. Deploymen t Each of the lifecycle steps are integral to producing a consistently secure 2. Design 3. Threat Solution Model 5. Outcome Assessment product. 4. Implementation Review
56 Immediate steps to current Product s line Develop Threat Model Identify Risk Plan evil Use Cases Develop risk mitigation controls Calculate residual Risk Outcome Assessment Feedback Continues Improvement
57 Next Steps Educate/Train the PO s Develop/Adopt a Threat analysis model Create process to map threat model to User stories Create Unit Security Tests Identify and Use standard security controls
58 Next Steps Develop procedures for the correct use of secure coding standards Develop/Adopt a Threat analysis model Provide security training to developers (security awareness and proper use of controls) Leverage Security experts Appoint Security Officers within SCRUM teams.
Cultivation of Microalgae According to the different nutrient modes of microalgae, the culture modes can be divided into photoautotrophic culture, mixed culture and heterotrophic culture. Photoautotrophic
Greek God Muscle Building Program ROAD MAP by Greg O Gallagher Greek God Muscle Building Program Greg O Gallagher Page 1 Greek God Program Road Map Phase One - Strength & Density Routines I recommend spending
Doreen Virtue, Ph.D. Charles Virtue C o n t e n t s...7... 15 1. Acceptance... 17 2. Allow Love... 19 3. Apologize... 21 4. Archangel Metatron... 23 5. Archangel Michael... 25 6. Ask for a Sign... 27 7.
Rebar Couplers Heng Xiang Rebar Connection Equipment Factory Attn: Mr. Leo Hao Tel: 86-0318-6662348 E-mail: email@example.com Add: The north industrial park, Hengshui City, Hebei Province, China 053000
The Ultimate Guide to Creating a Mobile Strategy that Works in 2017 Coming up with a mobile strategy for any company, big or small, is a daunting task. There are so many considerations to take into account,
2010 年 理 工 类 AB 级 阅 读 判 断 例 题 精 选 (2) Computer mouse How does the mouse work? We have to start at the bottom, so think upside down for now. It all starts with mouse ball. As the mouse ball in the bottom
HDMI camera ARTRAY CO,. LTD Introduction Thank you for purchasing the ARTCAM HDMI camera series. This manual shows the direction how to use the viewer software. Please refer other instructions or contact
Windows XP What is Windows XP Windows is an Operating System An Operating System is the program that controls the hardware of your computer, and gives you an interface that allows you and other programs
I II III IV The theories of leadership seldom explain the difference of male leaders and female leaders. Instead of the assumption that the leaders leading traits and leading styles of two sexes are the
曲名 1234 20.30.40 5678 GOING 929 9907 A BTTER DAY ANDY BABY I'M YOUR MAN BACK HOME BAD BOY BEAUTIFUL GIRL BABY BABY BACK HOME BEAUTIFUL DAY BECAUSE OF YOU BETTER MAN CAN'T STOP LOVING YOU CALL ME CAN YOU
例 例 Agenda Popular Simulation software in PC industry * CFD software -- Flotherm * Advantage of Flotherm Flotherm apply to Cooler design * How to build up the model * Optimal parameter in cooler design
Olav Lundström MicroSCADA Pro Marketing & Sales 2005 ABB - 1 - Contents MicroSCADA Pro Portal Marketing and sales Ordering MicroSCADA Pro Partners Club 2005 ABB - 2 - MicroSCADA Pro - Portal Imagine that
We are now living happily. We are now living a happy life. He is very healthy. He is in good health. I am sure that he will succeed. I am sure of his success. I am busy now. I am not free now. May I borrow
1 * 1 * firstname.lastname@example.org 1992, p. 233 2013, p. 78 2. 1. 2014 1992, p. 233 1995, p. 134 2. 2. 3. 1. 2014 2011, 118 3. 2. Psathas 1995, p. 12 seen but unnoticed B B Psathas 1995, p. 23 2004 2006 2004 4 ah
Reflection and Serving Learning 長 庚 科 技 大 學 護 理 系 劉 杏 元 一 服 務 學 習 為 何 要 反 思 All those things that we had to do for the service-learning, each one, successively helped me pull together what I d learned.
I II III The Study of Factors to the Failure or Success of Applying to Holding International Sport Games Abstract For years, holding international sport games has been Taiwan s goal and we are on the way
Your Field Guide to More Effective Global Video Conferencing As a global expert in video conferencing, and a geographically dispersed company that uses video conferencing in virtually every aspect of its
C/C++ Table of contents 1. 2. getchar() putchar() 3. (Buffer) 4. 5. 6. 7. 8. 1 2 3 1 // pseudo code 2 read a character 3 while there is more input 4 increment character count 5 if a line has been read,
and Due Diligence M&A in China Prelude and Due Diligence A Case For Proper A Gentleman s Agreement? 1 Respect for the Rule of Law in China mandatory under law? CRITICAL DOCUMENTS is driven by deal structure:
TX-NR3030 http://www.onkyo.com/manual/txnr3030/adv/cs.html Cs 1 2 3 Speaker Cable 2 HDMI OUT HDMI IN HDMI OUT HDMI OUT HDMI OUT HDMI OUT 1 DIGITAL OPTICAL OUT AUDIO OUT TV 3 1 5 4 6 1 2 3 3 2 2 4 3 2 5
2011 SUMMER CAMPER RULES 1. No campers are allowed to leave camp after check-in. Campers should act with his/her buddy or team. 2. Please follow camp rules and instructions from your counselor at all time.
Pneumonia When you have pneumonia, the air sacs in the lungs fill with infection or mucus. Pneumonia is caused by a bacteria, virus or chemical. It is not often passed from one person to another. Signs
Building the Best Marketing Budget for Today s B2B Environment BUILDING THE BEST MARKETING BUDGET FOR TODAY S B2B ENVIRONMENT For most marketers, budgeting and planning for the next year is a substantial
Do you know these words?... 3.1 3.5 Can you do the following?... Ask for and say the date. Use the adverbial of time correctly. Use Use to ask a tag question. Form a yes/no question with the verb / not
01-2002-1996 CIP /. 2002.6 ISBN 7801155424/I77 I. II.. IV. I312.645 CIP 2002 033396 20002001 by KimHoSik All rights reserved. This Chinese Edition Published by arrangement with Poem and Society. Through
THE INSTALLING INSTRUCTION FOR CONCEALED TANK Important instuction:.. Please confirm the structure and shape before installing the toilet bowl. Meanwhile measure the exact size H between outfall and infall
2005 Research on the Lucre, Risk, and Development of Native Bankcard Business 2005 3 2003 6.5 45 18, WTO SWOT I Abstract Research on the Lucre, Risk, and Development of Native Bankcard Business Research
Long Term Recovery of Seven PWO Crystals Ren-yuan Zhu California Institute of Technology CMS ECAL Week, CERN Introduction 20 endcap and 5 barrel PWO crystals went through (1) thermal annealing at 200 o