Secure software development in the Russian IT Security Certification Scheme. Alexander Barabanov, Alexey Markov, Valentin Tsirlov

Similar documents

Russian IT Security Certification Scheme: Steps Toward Common Criteria Approach

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Global Endpoint Security Market

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

TURKISH COMMON CRITERIA CERTIFICATION SCHEME TSE-CCCS TURKISH NATIONAL UPDATE, 2013

FedVTE Training Catalog SUMMER advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

IT Security Evaluation in China

Access FedVTE online at: fedvte.usalearning.gov

PROACTIVE PROTECTION MADE EASY

Information Security Officer (# 1773) Salary: Grade 25 ($81,808-$102,167) / Grade 27 ($90,595 to $113,141) Summary of Duties. Minimum Qualifications

22 July, 2010 IT Security Center (ISEC) Information-technology Promotion Agency (IPA) Copyright 2010 Information-Technology Promotion Agency, Japan 1

Real Performance? Ján Vrabec David Harley

Information Security Attack Tree Modeling for Enhancing Student Learning

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

John P Zelsnack CISSP/CISM/CRISC/Securty+/ITILv3 Senior Technical Manager/Cyber Security Engineer General Dynamics - Advanced Information Systems

Korea IT Security Evaluation and Certification Scheme

Information Security Specialist Training on the Basis of ISO/IEC 27002

State of Montana Information Technology Managers Advisory Council

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

InfoSec Academy Pen Testing & Hacking Track

PCSL. PCSL IT Consulting Institute 机安全软件病毒检测率测试

Africa Cyber Security Market by Solution, by Service, by Verticals, by Country - Global forecast to 2020

Click to edit Master title style. How To Choose The Right MSSP

BMS Consulting Cyber Security and IT Technology Team

Big 4 Information Security Forum

Manually Add Programs to Your Firewall or Anti-Virus Programs Trusted List. ZoneAlarm

ENTERPRISE EPP COMPARATIVE REPORT

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Information Blue Valley Schools FEBRUARY 2015

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Penetration Testing. Request for Proposal

How to choose the right NGFW for your organization: Independent 3 rd Party Testing

Goals. Understanding security testing

World-class security solutions for your business. Kaspersky. OpenSpaceSecurity

HP Cyber Security Control Cyber Insight & Defence

BLACKJACKING: SECURITY THREATS TO BLACKBERRY DEVICES, PDAS, AND CELL PHONES IN THE ENTERPRISE

TCS Managed Security Services

THE BEST WAY TO CATCH A THIEF. Patrick Bedwell, Vice President, Product Marketing

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

INDEPENDENT VALIDATION OF FORTINET SOLUTIONS. NSS Labs Real-World Group Tests

Global Security Software Market

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

Security Industry Market Share Analysis

Five ways to simplify the vulnerability management lifecycle. Scott Sidel, CISSP, CEH, ETC May 2005

Malaysian Common Criteria Evaluation & Certification (MyCC) Scheme Activities and Updates. Copyright 2010 CyberSecurity Malaysia

Are you prepared to be next? Invensys Cyber Security

QRadar SIEM 6.3 Datasheet

Prinect. Is Your Prinect Workflow Safe from a Cyber Attack?

S-Terra CSP: the future champion of the Russian network security market

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

A Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification

Why The Security You Bought Yesterday, Won t Save You Today

Foregenix Incident Response Handbook. A comprehensive guide of what to do in the unfortunate event of a compromise

Application Security Best Practices. Wally LEE Principal Consultant

FIA Protection Against Mileage Fraud by Common Criteria

Evolution of Penetration Testing

How To Perform An External Security Vulnerability Assessment Of An External Computer System

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Report on CAP Cybersecurity November 5, 2015

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

Securely Yours LLC Top Security Topics for Sajay Rai, CPA, CISSP, CISM

Learning objectives for today s session

Cisco ICM/IPCC Enterprise and Hosted Anti-Virus Software Guidelines

Interaction between State and Private Healthcare in Russia

Penetration Testing Getting the Most out of Your Assessment. Chris Wilkinson Crowe Horwath LLP September 22, 2010

Kevin Hayes, CISSP, CISM MULTIPLY SECURITY EFFECTIVENESS WITH SIEM

Korean National Protection Profile for Voice over IP Firewall V1.0 Certification Report

Security Industry Market Share Analysis

Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

Data Driven Security Framework to Success

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

RARITAN VALLEY COMMUNITY COLLEGE COURSE OUTLINE. CISY 229 Information Security Fundamentals

SUSE Linux Enterprise 12 Security Certifications Common Criteria, EAL, FIPS, PCI DSS,... What's All This About?

Insecurity in Security Software

ISSECO Syllabus Public Version v1.0

Global Antivirus Software Package Market

Transcription:

Secure software development in the Russian IT Security Certification Scheme Alexander Barabanov, Alexey Markov, Valentin Tsirlov

Agenda Brief overview Current status of the Russian IT Security Certification Scheme Steps Toward Common Criteria Approach and Secure Software Development Final Remarks 2

Brief overview: Historical Perspective Establishment of Russian IT Security Certification Scheme Mandatory requirements for source code analysis Mandatory requirements for antiviruses (based on CC) Mandatory requirements for trusted boot loader (based on CC) 1995 1997 1999 2003 2012 2013 2014 Mandatory requirements for firewall and access control systems Guidance based on CC v.2.1 Mandatory requirements for IPS/IDS (based on CC) Mandatory requirements for removable storage protection tools (based on CC) 3

Brief overview: who takes part in the certification process? 4

Brief overview: typical timeline Obtaining FSTEC ID Normally 1 month Evaluation provided by Laboratory 3-4 months Certification by Certification Body 1 month and more Obtaining a certificate from FSTEC of Russia Normally 1 month 5

Brief overview: Accredited Evaluation Laboratories 6

Brief overview: Accredited Certification Bodies 7

Brief overview: Classical Major Approaches to Evaluation Evaluation of the security functionality Black box testing to ensure that TOE works as it should Evaluation for the absence of non-declared functions Testing of source code for the absence of software vulnerabilities 8

Current status of the Russian Scheme: Products Evaluations 9

Current status of the Russian Scheme: Certified Products by Types 2011-2014 Evaluation Timeline 10

Current status of the Russian Scheme: Russian vs. Non-Russian Developers 11

Current status of the Russian Scheme: Non-Russian Developers (2) 2011-2014 Evaluation Timeline 12

Current status of the Russian Scheme: Russian Developers 2011-2014 Evaluation Timeline 13

Steps Toward Common Criteria Approach: Step #1 (1) 14

Steps Toward Common Criteria Approach: Step #1 (2) 15

Steps Toward Common Criteria Approach: Step #1 (3) 2004-2014 Evaluation Timeline 16

Steps Toward Common Criteria Approach: Step #2 (1) 17

Steps Toward Common Criteria Approach: Step #2 (2) 18

Steps Toward Common Criteria Approach: Step #2 (3) FSTEC of Russia Approved Protection Profiles PP for IPS/IDS PP for Antiviruses PP for Trusted Boot Loaders PP for Removable Storage Protection Protection Profiles in Development PP for Firewalls PP for Operating System PP for DBMS 19

Steps Toward Common Criteria Approach: Step #2 (4) http://fstec.ru 20

Certifications against new FSTEC of Russia requirements: projects summary Number of certifications Summary: TOE Types: IDS/IPS, Antivirus, Trusted boot loader Vendors: HP, McAfee, ESET, Trend Micro, PineApp, Kaspersky Lab, Cisco, Echelon, Altx-Soft, Secure Code Number of active labs: 4 21

Certifications against new FSTEC of Russia requirements: Russian vs. non-russian TOE 22

Steps Toward Secure Software Development Russian standard «Information protection. Secure Software Development. General requirements» (draft) Proposed Secure Software Development Controls: information security threats modeling source code static/dynamic analysis source code review penetration testing... 23

Final Remarks 1. First certifications according to the new requirements were provided for non-russian products. 2. More and more leading non-russian developers provide the Russian Evaluations Laboratories with access to their source code, and this tendency shall be observed in the future. 3. Efficiency in detection of vulnerabilities in software submitted for certification will advance. 4. Russian developers will pay more for certification. 5. The number of actively working Evaluations Laboratories will degrade. 24

Contact Information Alexander Barabanov, Ph.D., CISSP, CSSLP NPO Echelon ab@cnpo.ru Alexey Markov, Dr.Sc., CISSP, Member of IEEE NPO Echelon am@cnpo.ru Valentin Tsirlov, Ph.D., CISSP, CISM NPO Echelon z@cnpo.ru 25

Thank you for your attention! 26