© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Application Security – a standards approach
Dr Meng-Chow Kang, CISSP
Director and CISO, APCJ, Cisco Systems
November 9, 2011
Agenda
• ISO/IEC 27034 – yet another standard?
• ISO/IEC 27034 approach to application security
• (ISC)2 CSSLP
Acknowledgements
• (ISC)2 – International Information Systems Security Certification Consortium
• Mr Luc Poulin, Editor for ISO/IEC 27034 and President of Cogentas, Canada
ISO/IEC JTC 1/SC 27 Organization
ISO/IEC JTC 1/SC 27 Security Techniques
Secretariat: Krystyna Passia
Chair: Walter Fumy; Vice Chair: Marijke de Soete
• WG 1 Security Management (Convener: Ted Humphreys; Vice Convener: Dale Johnstone)
• WG 2 Cryptography and Security Mechanisms (Convener: Takeshi Chikazawa)
• WG 3 Security Assurance (Convener: Miguel Bañón)
• WG 4 Security Controls and Services (Convener: Meng-Chow Kang)
• WG 5 Identity Management and Privacy Technology (Convener: Kai Rannenberg)
WG 4 Roadmap Framework
• Unknown or emerging information security issues: prepare to respond; continuous monitoring; eliminate or reduce risks and impacts
• Known information security issues: risk manage; prevent occurrence; reduce impact of occurrence
• Information security breaches and compromises: investigate to establish facts about breaches; identify who did it and what went wrong
WG 4 Projects & Study Periods
• Unknown or emerging information security issues: ICT Readiness for Business Continuity (27031); Cybersecurity (27032); Information security incident management (27035); Selection, Deployment, and Operation of IDS (27039); ICT Disaster Recovery Services (24762)
• Known information security issues: Network Security (27033 Parts 1 to 6); Application Security (27034 Parts 1 to 6); Security Info-Objects for Access Control (TR 15816); Information Security for Supplier Relationships (27036); Digital Redaction (27038); Storage Security (27040); TTP Services Security (TR 14516; 15945); Time Stamping Services (TR 29149)
• Information security breaches and compromises: Identification, collection and/or acquisition, and preservation of digital evidence (27037)
Increasing complexity and sophistication of attacks
• Web 2.0 & social networking
• Social engineering
• Vulnerability exploitations
• Mobility
• Beyond Windows
• Escalating concerns over data losses
“Just landed in Baghdad”, Rep. Peter Hoekstra (R-Mich) tweets: the secret delegation led by House Minority Leader John A. Boehner is not so secret…
Needs for Application Security
• A critical element of “baked-in” security
• Insecure development practices result in:
  - Vulnerabilities created in software
  - Brittleness of overall application and systems
  - Exponential cost of detection, repair, and patching
  - Questionable trust; customers’ confidence; more regulations
• Relative cost of fixing defects in production is 30 to 100 times more expensive
Industry Responses
• Addressing secure software needs:
  - IEEE: CSDA and CSDP (software development)
  - SANS: GSSP-C, GSSP-J (language-specific secure coding)
  - ISSECO (International Secure Software Engineering Council): CSSE, an entry-level education program with a certificate of completion given by the International Software Quality Institute (iSQI)
  - DHS: Software Assurance Initiative (awareness program/forum)
  - Vendor-specific (e.g., Cisco, Microsoft), based on internal lifecycle processes, technology-specific and industry best practices
Issues Related to Application Security
• Lack of a global vision
• Security depends on environment
• Lack of standardized reference model
• Personalized methods, tools, and solutions
And we still don’t know if we can trust an application that is secure enough for our needs.
Differing Needs
Application security means different things to different groups: managers; project & operation teams; users; auditors.
Application Security (ISO/IEC 27034)
• Multi-part security standard focusing on the needs for application security from an enterprise perspective, covering all relevant aspects of the application life-cycle
• Part 1 – Overview and Concepts
• Part 2 – Organization Normative Framework
• Part 3 – Application Security Management Process
• Part 4 – Application Security Validation
• Part 5 – Protocols and Application Security Controls Data Structure
• Part 6 – Security Guidance for Specific Applications
Conclusion: ISO/IEC 27034 Benefits
• ISO/IEC 27034 helps to attach many standards, methodologies and practices to the implementation of Application Security.
Sources of controls for Application Security (provide controls for the ASCs):
• ISO/IEC 15408 Evaluation Criteria for IT Security
• ISO/IEC 21827 Capability Maturity Model (SSE-CMM)
• ISO/IEC 27002 Code of practice for information security controls
• ISO/IEC 29193 Secure system engineering principles and techniques
• ITIL (Information Technology Infrastructure Library)
• CobiT (Control Objectives for Information and related Technology)
• OWASP Top Ten
• OWASP Testing Guide
• PCI-DSS (control objectives for credit card electronic transactions)
• S3M (Modèle d’évaluation de la capacité de la maintenance du logiciel)
• BSIMM2 (Building Security In Maturity Model)
• Canadian Privacy Law; Quebec Province Privacy Law
• < … > all other documents with which an organization wants to demonstrate conformance
Principles and other elements coming from standards and best practices (help to implement / enforce):
• ISO/IEC 27001 ISMS Requirements
• ISO/IEC 27005 Information security risk management
• ISO/IEC 15026 System and Software Assurance
• ISO/IEC 15443 A framework for IT security assurance
• IEEE 1028 Generic process for formal reviews
Existing processes in application life cycles (ISO/IEC 27034 provides processes and ASCs to integrate in them):
• ISO/IEC 12207 Software Life Cycle Processes
• ISO/IEC 15288 System Life Cycle Processes
• Agile development methodologies: Scrum, TDD, Crystal, Agile UP, DSDM, DDD, Kanban, etc.
• Traditional development methodologies: RUP, Open UP, Waterfall, etc.
• Organization’s specific development methodology
• < … > all other processes in which you want to integrate ASCs
Organizational security risk analysis methods and tools (help to identify applications to be secured):
• Mehari (Méthode harmonisée d’analyse de risques)
• EBIOS (Expression des besoins et identification des objectifs de sécurité)
• Octave (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• NIST 800-30 Risk Management Guide
• < … > all other security risk analysis methods
• < … > all other information classification methods
Security Model proposed by ISO/IEC 27034
Application Security Key Principles
• Security is a requirement
• Application security is context-dependent
• Appropriate investment for application security
• Application security must be demonstrated
Figure elements: Critical Information at the centre, surrounded by Security Management (Governance); Verification and Control (Conformity); Applications, Information System (Development and Evolution); Technology (Acquisition, Maintenance, and Contingency).
Security Model proposed by ISO/IEC 27034
Contexts that have an influence on Security
Figure elements: Organisation; Business needs; Business processes; Application; Business Context; Legal Context; Technological Context; Level of trust; People, Process, Technology, Information; Critical Hardware, Systems, Software and Data.
Security Model proposed by ISO/IEC 27034
Definitions
• Application security: provides elements to securely define, design, develop, implement, manage, and securely dispose of an application and its information.
• Application: IT solution, including application software, designed to help users perform particular tasks or handle particular types of IT problems, that helps an organization to automate a business process or function.
Security Model proposed by ISO/IEC 27034
Definitions
• Target environment: the technological, business and legal context in which the application will be used.
• Level of trust (LoT):
  - Targeted LoT: label of a set of ASCs deemed necessary by the application owner for bringing the risk of a specific application down to an acceptable level.
  - Actual LoT: result of a verification process that confirms, by providing evidence, that all ASCs required by the application’s targeted LoT were correctly implemented, correctly verified and produced the expected result.
Security Model proposed by ISO/IEC 27034
Definitions
• Secure application: application for which the Actual Level of Trust is equal to the Targeted Level of Trust, as defined by the organization using the application.
Within this concept, a secure application must comply with these criteria:
  - properly covers security needs from the management, IT, development and audit points of view;
  - according to the level of trust desired;
  - taking into account the type of information and the target environment;
  - and can be proven by supporting evidence to have reached and maintained the target level of trust.
Security Model proposed by ISO/IEC 27034
Application Security Control (ASC)
An ASC, positioned in the Application Security Life Cycle Reference Model, is made of:
• Application Target Level of Trust (why)
• Security Requirements (why): application specifications, compliance to regulations, standards and best practices, etc.
• Security Activity (what, how, where, who, when, how much)
• Verification Measurement (what, how, where, who, when, how much)
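As an added example (not from the presentation or from the standard's text), a small Python model of the definitions above: a targeted LoT labels the set of ASCs the owner deems necessary, each ASC carries its requirement, activity and verification measurement, and the actual LoT is what verification evidence can confirm, so an application counts as secure only when the two are equal. The ASC identifiers, levels and evidence records are constructed for illustration.

```python
"""Toy model of the targeted vs. actual Level of Trust from ISO/IEC 27034.
Added example, not from the presentation or the standard's text; every
ASC identifier, level and evidence record below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ASC:
    """Application Security Control: why it exists, what to do, how to verify."""
    asc_id: str
    requirement: str                      # the "why": spec, regulation, best practice
    activity: str                         # security activity: what/how/who/when
    measurement: Callable[[dict], bool]   # verification measurement over evidence
    level_of_trust: int                   # library level the ASC belongs to (0..10)


# Constructed organisation ASC library (in the standard it lives in the ONF).
LIBRARY: List[ASC] = [
    ASC("ASC-TLS", "Protect payment data in transit (PCI-DSS context)",
        "Accept client connections over TLS only",
        lambda ev: ev.get("plaintext_listeners", 1) == 0, 3),
    ASC("ASC-LOG", "Keep a tamper-evident audit trail (Secure Log)",
        "Write append-only, integrity-protected security logs",
        lambda ev: ev.get("log_integrity_check") == "pass", 3),
    ASC("ASC-PENTEST", "Independent verification before release",
        "Penetration test by a team outside the project",
        lambda ev: ev.get("open_high_findings", 1) == 0, 5),
]


def targeted_asc_set(library: List[ASC], targeted_lot: int) -> List[ASC]:
    """Targeted LoT labels the set of ASCs the owner deems necessary:
    here, every library ASC at or below the targeted level."""
    return [a for a in library if a.level_of_trust <= targeted_lot]


def actual_level_of_trust(library: List[ASC], targeted_lot: int,
                          evidence: Dict[str, dict]) -> Tuple[int, List[str]]:
    """ASMP step 5: an ASC counts only if evidence for it exists (verified) and
    its measurement passes (expected result). The actual LoT is the highest
    level up to the target whose ASCs all pass (a level with no ASCs of its
    own passes vacuously). The ids of failing required ASCs are returned too."""
    def verified_ok(asc: ASC) -> bool:
        return asc.asc_id in evidence and asc.measurement(evidence[asc.asc_id])

    failed = [a.asc_id for a in targeted_asc_set(library, targeted_lot)
              if not verified_ok(a)]
    actual = 0
    for level in range(1, targeted_lot + 1):
        if not all(verified_ok(a) for a in library if a.level_of_trust == level):
            break
        actual = level
    return actual, failed


def is_secure_application(library: List[ASC], targeted_lot: int,
                          evidence: Dict[str, dict]) -> bool:
    """Secure application (27034 definition): actual LoT equals targeted LoT."""
    actual, _ = actual_level_of_trust(library, targeted_lot, evidence)
    return actual == targeted_lot


# Constructed evidence from two verification runs of an online payment app.
EVIDENCE_RUN_1 = {
    "ASC-TLS": {"plaintext_listeners": 0},
    "ASC-LOG": {"log_integrity_check": "pass"},
    "ASC-PENTEST": {"open_high_findings": 2},   # verified, but not the expected result
}
EVIDENCE_RUN_2 = {**EVIDENCE_RUN_1, "ASC-PENTEST": {"open_high_findings": 0}}
```

Missing evidence for a required ASC is treated the same as a failed measurement: the control was not verified, so the targeted level is not reached.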
Security Model proposed by ISO/IEC 27034
The ASCs Library
Figure: the Organisation ASC Library, with approved ASCs arranged by the application levels of trust used by the organisation (0 to 10) and by source of specifications and constraints:
• Application specifications: Online payment; Secure Log
• Business context: PCI-DSS; Aeronautics
• Regulatory context: Privacy Laws
• Technological context: Wireless; SSL Connection
Security Model proposed by ISO/IEC 27034
Application Security Life Cycle Reference Model
Actors: Role 1, Role 2, Role 3, Role 4, … Role n
Stages: provisioning stages (Preparation, Realization, Transition) and operation stages (Utilization and maintenance, Archival, Destruction)
Layers:
• Application management: Application provisioning management; Application operation management
• Application provisioning and operation: Preparation; Realization (Outsourcing, Development, Acquisition); Transition; Utilization; Archival; Destruction
• Infrastructure management: Application provisioning infrastructure management; Application operation infrastructure management; Disposal
• Application audit: Application provisioning audit; Application operation audit
Security Model proposed by ISO/IEC 27034
The ONF (Organization Normative Framework)
Components, approved by the Organisation’s ONF Committee:
• Business context
• Regulatory context
• Technological context
• Application specifications repository
• Roles, responsibilities and qualifications repository
• ASC Library
• Application Life Cycle Processes
• Application Life Cycles
• Application Life Cycle Security Reference Model
• ONF Management Processes
• Processes Related to Application Security
• ONF Conformance Processes
Security Model proposed by ISO/IEC 27034
The ASMP (Application Security Management Process)
The Organization Normative Framework, through the ONF Management Process (one of the Organization Management Processes), provides the components and processes related to Application Security used by the ASMP; the ASMP gives feedback to the ONF Management Process.
1. Identifying the application requirements and environment: identifies application contexts and specifications, used for step 2.
2. Assessing the application security risks: determines the application targeted level of trust, used for step 3.
3. Creating and maintaining the Application Normative Framework: provides the Application Normative Framework, used for step 4.
4. Realising and operating the application: provides application project artefacts and ANF (implemented required ASCs), used for step 5.
5. Verifying the security of the application: provides the application actual level of trust and mandates security adjustments, used for step 4.
Implementing security
• Success of a software assurance program within an organization is directly proportional to the support of executive management.
• Security has to be ensured throughout the entire lifecycle.
• All stakeholders in the software development process must be aware of common security tenets and threats.
• Building secure software is a result of all the stakeholders having the appropriate levels of participation, and a security mindset in the design, development, and deployment of the software.
• Stakeholders must be educated and certified in how to build security within every phase of the lifecycle.
“All of the policy and process control security measures are totally futile without the first line of defense – people.”
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
The (ISC)²® Approach – The CSSLP
• Certified Secure Software Lifecycle Professional (CSSLP)
• Base credential (no other certification is required as a prerequisite)
• Professional certification program
• Takes a holistic approach to security in the software lifecycle
• Tests candidates’ knowledge, skills and abilities to significantly mitigate the security concerns
As of November 2009, 900 CSSLPs in 42 countries worldwide
Purpose
• Addresses building security throughout the entire software lifecycle: from concept and planning through operations and maintenance, to the ultimate disposal.
• Provides a credential that speaks to the individual’s ability to contribute to the delivery of secure software through the use of standards and best practices.
• The target professionals for this certification include all stakeholders involved in the Software Lifecycle.
Software Lifecycle Stakeholder Chart
Software Lifecycle Stakeholders: Top Management; IT Manager; Business Unit Heads; Developers/Coders; Client Side PM; Industry Group; Delivery Heads; Business Analysts; Quality Assurance Managers; Architects; Project Managers/Team Leads; Application Owners; Security Specialists; Auditors.
CSSLP Industry Supporters
• Microsoft • Cisco • Xerox • SAFECode • Symantec • BASDA • SANS • DSCI (NASSCOM) • SRA International • ISSA
“As the global dependence on information and communications technology has grown, users have become increasingly concerned over the security of software, especially those in the government, critical infrastructure and enterprise sectors. By offering software professionals a means to increase and validate their knowledge of best practices in securing applications throughout the development lifecycle, (ISC)²’s CSSLP is helping the industry take an important step forward in addressing the ‘people’ part of the solution.”
Paul Kurtz, executive director, SAFECode
Certified Secure Software Lifecycle Professional (CSSLP) Domains
(ISC)²® CSSLP CBK (Common Body of Knowledge) Domains:
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal
(ISC)²® Software Community Whitepapers
• Check out the series of whitepapers created that discuss:
  - The need for secure software
  - What to consider when building secure software
  - How to design, develop and deploy secure software
  - Best practices for ensuring security throughout the process
  - Exploiting insecure code and, in turn, using that to write code that is not exploitable
https://www.isc2.org/csslp-whitepaper
Final Remarks
• Changing Risks: New Technology; New Attacks
• Changing Practices: Evolving Security Approach; Responsible Behaviors; Standards Guiding Desired Change
Thank You
http://mengchow.wordpress.com/
@mengchow