Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

Similar documents
Software Assurance: Enabling Enterprise Resilience through Security Automation and Software Supply Chain Risk Management

U.S. Cyber Security Readiness

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

CDM Vulnerability Management (VUL) Capability

Software Assurance: Enabling Security Automation and Software Supply Chain Risk Management. Commerce. National Defense. Today Everything s Connected

External Supplier Control Requirements

SAFECode Security Development Lifecycle (SDL)

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Adding a Security Assurance Dimension to Supply Chain Practices

TUSKEGEE CYBER SECURITY PATH FORWARD

Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals

IBM Security Strategy

2015 TRUSTWAVE GLOBAL SECURITY REPORT

DoD Software Assurance (SwA) Overview

Software Assurance in Acquisition and Contract Language

Cyberspace Situational Awarness in National Security System

IT Risk Management: Guide to Software Risk Assessments and Audits

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Reducing Application Vulnerabilities by Security Engineering

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

Implementing Program Protection and Cybersecurity

Is Penetration Testing recommended for Industrial Control Systems?

Software Development: The Next Security Frontier

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

How To Ensure Your Software Is Secure

Vulnerability Analysis of Energy Delivery Control Systems

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro)

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Protecting Your Organisation from Targeted Cyber Intrusion

Software & Supply Chain Assurance: A Historical Perspective of Community Collaboration

Oil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach.

ICT Supply Chain Risk Management

SAST, DAST and Vulnerability Assessments, = 4

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Information Technology Risk Management

Application Security in the Software Development Lifecycle

Cybersecurity Resources

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Recommended Practice Case Study: Cross-Site Scripting. February 2007

FFIEC Cybersecurity Assessment Tool

LOGIIC Remote Access. Final Public Report. June LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION

April 28, Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Mean Time to Fix (MTTF) IT Risk s Dirty Little Secret Joe Krull, CPP, CISSP, IAM, CISA, A.Inst.ISP, CRISC, CIPP

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Cyber Security Controls Assessment : A Critical Discipline of Systems Engineering

Management (CSM) Capability

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

How To Manage Risk On A Scada System

Reducing risks in the Software Acquisition Life Cycle

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Protecting Applications on Microsoft Azure against an Evolving Threat Landscape

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

IoT & SCADA Cyber Security Services

Cyber Security Risk Management: A New and Holistic Approach

Information Security Services

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Juniper Networks Secure

Supply Chain Attack Patterns: Framework and Catalog

Cybersecurity for the C-Level

Metasploit The Elixir of Network Security

Adobe Systems Incorporated

A Systems Engineering Approach to Developing Cyber Security Professionals

Oil and Gas Industry A Comprehensive Security Risk Management Approach.

Security Control Standard

Securing the Microsoft Cloud

Developing Secure Software in the Age of Advanced Persistent Threats

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Cyber Security Considerations in the Development of I&C Systems for Nuclear Power Plants

WEB 2.0 AND SECURITY

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

Transcription:

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes Joe Jarzombek, PMP, CSSLP Director for Software & Supply Chain Assurance Stakeholder Engagement & Cyber Infrastructure Resilience Cyber Security & Communications Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Homeland Security National Defense Commerce & Standards General Services Public-Private Collaboration Efforts for Security Automation, Software Assurance, and Supply Chain Risk Management Next SSCA WG 2-4June 2015 at MITRE in McLean, Virginia

Gaining confidence in ICT/software-based cyber technologies Dependencies on technology are greater then ever Possibility of disruption is greater than ever because hardware/ software / services vulnerable Loss of confidence alone can lead to stakeholder actions that disrupt critical business activities Railroad Tracks Highway Bridges Pipelines Ports Cable Fiber Services Managed Security Information Services Control Systems SCADA PCS DCS Agriculture and Food Energy Transportation Chemical Industry Postal and Shipping Hardware Database Servers Networking Equipment Software Financial Systems Internet Human Resources Domain Name System Web Hosting Cyber Infrastructure Water Public Health Telecommunications Banking and Finance Key Assets Critical Infrastructure / Key Resources Reservoirs Treatment plants Farms Food Processing Plants Hospitals Power Plants Production Sites Physical Infrastructure FDIC Institutions Chemical Plants Delivery Sites Nuclear power plants Government Facilities Dams

Interdependencies Between Physical & Cyber Capabilities Convergence of Safety, Security and Resilience Considerations In an era riddled with asymmetric cyber attacks, claims about system reliability and safety must include provisions for built-in security of the enabling software High Reliance on ICT/Software Built-in Security enables Resilience Critical security controls aligned with mission Automated continuous diagnostics and mitigation

Assurance relative to Trust Managing Effects of Unintentional Defects in Component or System Integrity Managing Consequences of Unintentional Defects Quality Safety TRUST Security Managing Consequences of Attempted/Intentional Actions Targeting Exploitable Constructs, Processes & Behaviors

Security Feature Cross-site Scripting (XSS) Attack (CAPEC-86) Improper Neutralization of Input During Web Page Generation (CWE-79) SQL Injection Attack (CAPEC-66) Improper Neutralization of Special Elements used in an SQL Command (CWE-89) Exploitable Software Weaknesses (CWEs) are exploit targets/vectors for future Zero-Day Attacks 2012 MITRE 7

Software Assurance Addresses Exploitable Software: Outcomes of non-secure practices and/or malicious intent Exploitation potential of vulnerability is independent of intent Defects EXPLOITABLE SOFTWARE Unintentional Vulnerabilities Malware Intentional Vulnerabilities High quality can reduce security flaws attributable to defects; yet traditional S/W quality assurance does not address intentional malicious behavior in software *Intentional vulnerabilities: spyware & malicious logic deliberately imbedded (might not be considered defects) Software Assurance (SwA) is the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the life cycle.* From CNSS Instruction 4009 National Information Assurance Glossary (26APR2010)

SwA & SCRM Imperative Increased risk from supply chain due to: Increasing dependence on commercial ICT for mission critical systems Increasing reliance on globally-sourced ICT hardware, software, and services Varying levels of development/outsourcing controls Lack of transparency in process chain of custody Varying levels of acquisition due-diligence Residual risk passed to end-user enterprise Defective and Counterfeit products Tainted products with malware, exploitable weaknesses and vulnerabilities Growing technological sophistication among our adversaries Internet enables adversaries to probe, penetrate, and attack us remotely Supply chain attacks can exploit products and processes throughout the lifecycle

Risk Management (Enterprise <=> Project): Shared Processes & Practices Different Focuses Enterprise-Level: Regulatory compliance Changing threat environment Business Case Program/Project-Level: Cost Schedule Performance Who makes risk decisions? Who determines fitness for use for technically acceptable criteria? Who owns residual risk from tainted/counterfeit products? * Tainted products are those that are corrupted with malware, or exploitable weaknesses & vulnerabilities that put users at risk

Software-related Expectations for 2015 Major breaches will be enabled by unpatched known vulnerabilities over 2 years old; Chained attacks and attacks via third-party websites will grow; Vulnerable web applications will remain easiest way to compromise companies; SQL Injection and XSS will constitute more frequent and dangerous vector of attacks; Third-party code and plug-ins will remain the Achilles heel of web applications; Server misconfigurations will continue to be a top source of vulnerability; Many vulnerabilities will be exploited in devices and systems that cannot be patched; Most software will be composed third party & open source (often unchecked) components; o o Primary causes of exploited vulnerabilities will be software defects, bugs, & logic flaws; Application logic errors will become more frequent and critical; Mobile apps will constitute a growing source of attack vectors, especially since many (in rush to release) won t be adequately tested for known vulnerabilities prior to use; Software testing and lifecycle support will gain importance, especially with experienced teams that apply test kits of multiple tools and methods no single automated security tool or method will be effective.

SSCA Focus on Tainted Components Mitigating risks attributable to exploitable non-conforming constructs in ICT Tainted products are those that are corrupted with malware, or exploitable weaknesses & vulnerabilities that put users at risk Enable scalable detection and reporting of tainted ICT components Leverage/mature related existing standardization efforts Provide Taxonomies, schema & structured representations with defined observables & indicators for conveying information: o Tainted constructs: Malicious logic/malware (MAEC), Exploitable Weaknesses (CWE); Vulnerabilities (CVE) o Attack Patterns (CAPEC) Catalogue Diagnostic Methods, Controls, Countermeasures, & Mitigation Practices Publicly reported weaknesses and vulnerabilities with patches accessible via National Vulnerability Database (NVD) sponsored by DHS & hosted by NIST Exploitable weakness TAINTED [exploitable weakness, vulnerability, or malicious construct] Unpatched Vulnerability COUNTERFEIT Malware Exploitable weakness Unpatched Vulnerability AUTHENTIC DEFECTIVE Components can become tainted intentionally or unintentionally throughout the supply chain, SDLC, and in Ops & sustainment *Text demonstrates examples of overlap

Supplier Supplier Supplier Supplier Organization System Integrator External Service Provider Supplier External Service Provider Supplier Supplier External Service Provider Supplier External Service Provider External Service Provider Supplier Reduced Visibility, Understanding and Control National Institute of Standards and Technology

SP 800-161, Supply Chain Risk Management for Federal Information Systems and Organizations Building on existing NIST Guidance Ability to Implement and Assess System Development Life Cycle Threat Scenarios & Framework ICT SCRM Plan Security Controls SP 800-53r4 SP 800-39 SP 800-161 Multitiered Organizational Risk Management SP 800-30 Risk Assessment National Institute of Standards and Technology

Software Assurance (SwA) Pocket Guide Series SwA in Acquisition & Outsourcing Software Assurance in Acquisition and Contract Language Software Supply Chain Risk Management and Due-Diligence SwA in Development * Risk-based Software Security Testing Requirements and Analysis for Secure Software Architecture and Design Considerations for Secure Software Secure Coding and Software Construction Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses * All include questions to ask developers SwA Life Cycle Support SwA in Education, Training and Certification SwA Pocket Guides and SwA-related documents are collaboratively developed with peer review; they are subject to update and are freely available for download via the DHS Software Assurance Community Resources and Information Clearinghouse at https://buildsecurityin.us-cert.gov/swa (see SwA Resources)

https://buildsecurityin.us-cert.gov/swa Provides resources for stakeholders with interests in Software Assurance, Supply Chain Risk Management, and Security Automation https://buildsecurityin.us-cert.gov Focuses on making security a normal part of software engineering

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Software Assurance and Supply Chain Risk Management Joe Jarzombek, PMP, CSSLP Director for Software & Supply Chain Assurance Stakeholder Engagement & Cyber Infrastructure Resilience Cyber Security & Communications joe.jarzombek@hq.dhs.gov Mitigating Cyber-Physical Risk Exposures Attributable to External Dependencies on ICT Supply Chain Components and Services

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information