
Application Security – a standards approach

Page 1

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved.

Application Security – a standards approach
Dr Meng-Chow Kang, CISSP
Director and CISO, APCJ, Cisco Systems

November 9, 2011

Page 2

Agenda
• ISO/IEC 27034 approach to application security
• ISO/IEC 27034 – yet another standard?
• (ISC)2 CSSLP

Page 3

Acknowledgements
• (ISC)2 – International Information Systems Security Certification Consortium
• Mr Luc Poulin, Editor for ISO/IEC 27034 and President of Cogentas, Canada

Page 4

ISO/IEC JTC 1/SC 27 Organization

ISO/IEC JTC 1/SC 27 Security Techniques
Chair: Walter Fumy; Vice Chair: Marijke de Soete; Secretariat: Krystyna Passia
• WG 1 Security Management (Convener: Ted Humphreys; Vice Convener: Dale Johnstone)
• WG 2 Cryptography and Security Mechanisms (Convener: Takeshi Chikazawa)
• WG 3 Security Assurance (Convener: Miguel Bañón)
• WG 4 Security Controls and Services (Convener: Meng-Chow Kang)
• WG 5 Identity Management and Privacy Technology (Convener: Kai Rannenberg)

Page 5

WG 4 Roadmap Framework
• Known information security issues: risk manage; prevent occurrence; reduce impact of occurrence
• Unknown or emerging information security issues: prepare to respond; continuous monitoring; eliminate or reduce risks and impacts
• Information security breaches and compromises: investigate to establish facts about breaches; identify who did it and what went wrong

Page 6

WG 4 Projects & Study Periods (placed in the roadmap framework against known issues, unknown or emerging issues, and breaches and compromises)
• ICT Readiness for Business Continuity (27031)
• Cybersecurity (27032)
• Network Security (27033 Parts 1 to 6)
• Application Security (27034 Parts 1 to 6)
• Information security incident management (27035)
• Information Security for Supplier Relationships (27036)
• Identification, collection and/or acquisition, and preservation of digital evidence (27037)
• Digital Redaction (27038)
• Selection, Deployment, and Operation of IDS (27039)
• Storage Security (27040)
• ICT Disaster Recovery Services (24762)
• Security Info-Objects for Access Control (TR 15816)
• TTP Services Security (TR 14516; 15945)
• Time Stamping Services (TR 29149)

Page 7

Increasing complexity and sophistication of attacks
• Web 2.0 & social networking
• Social engineering
• Vulnerability exploitations
• Mobility
• Beyond Windows
• Escalating concerns over data losses

“Just landed in Baghdad”, Rep. Peter Hoekstra (R-Mich) tweets: the secret delegation led by House Minority Leader John A. Boehner is not so secret…

Page 8

Needs for Application Security
• A critical element of “baked-in” security
• Insecure development practices result in:
  vulnerabilities created in software;
  brittleness of the overall application and systems;
  exponential cost of detection, repair, and patching;
  questionable trust, loss of customers’ confidence, and more regulations
• The relative cost of fixing defects in production is 30 to 100 times higher

Page 9

Industry Responses
• Addressing secure software needs:
  IEEE: CSDA and CSDP (software development)
  SANS: GSSP-C, GSSP-J (language-specific secure coding)
  ISSECO (International Secure Software Engineering Council): CSSE, an entry-level education program with a certificate of completion given by the International Software Quality Institute (iSQI)
  DHS (Department of Homeland Security): Software Assurance Initiative (awareness program/forum)
  Vendor-specific (e.g., Cisco, Microsoft): based on internal lifecycle processes, technology-specific practices and industry best practices

Page 10

Issues Related to Application Security
• Lack of a global vision
• Security depends on the environment
• Lack of a standardized reference model
• Personalized methods, tools, and solutions

And we still don’t know whether we can trust an application to be secure enough for our needs.

Page 11

Differing Needs
Application security means different things to different groups: managers; project and operation teams; users; auditors.

Page 12

Application Security (ISO/IEC 27034)
• Multi-part security standard focusing on the needs for application security from an enterprise perspective, covering all relevant aspects of the application life cycle
• Part 1 – Overview and Concepts
• Part 2 – Organization Normative Framework
• Part 3 – Application Security Management Process
• Part 4 – Application Security Validation
• Part 5 – Protocols and Application Security Controls Data Structure
• Part 6 – Security Guidance for Specific Applications

Page 13

Conclusion: ISO/IEC 27034 Benefits
• ISO/IEC 27034 helps attach many standards, methodologies and practices to the implementation of application security.

ISO/IEC 27034 Application security in relation to other documents (figure):

Sources of controls for application security (they provide controls for the ASCs):
• ISO/IEC 15408 Evaluation Criteria for IT Security
• ISO/IEC 21827 Capability Maturity Model (SSE-CMM)
• ISO/IEC 27002 Code of practice for information security controls
• ISO/IEC 29193 Secure system engineering principles and techniques
• ITIL (Information Technology Infrastructure Library)
• CobiT (Control Objectives for Information and related Technology)
• OWASP Top Ten
• OWASP Testing Guide
• PCI-DSS (control objectives for credit card electronic transactions)
• S3M (Modèle d’évaluation de la capacité de la maintenance du logiciel: software maintenance capability evaluation model)
• BSIMM2 (Building Security In Maturity Model)
• Canadian Privacy Law, Quebec Province Privacy Law, < … >
• All other documents on which an organization wants to demonstrate conformance

Principles and other elements coming from standards and best practices (they help to implement and enforce):
• ISO/IEC 27001 ISMS Requirements
• ISO/IEC 27005 Information security risk management
• ISO/IEC 15026 System and Software Assurance
• ISO/IEC 15443 A framework for IT security assurance
• IEEE 1028 Generic process for formal reviews

Existing processes in application life cycles (ISO/IEC 27034 provides processes and ASCs to integrate into them):
• ISO/IEC 12207 Software Life Cycle Processes
• ISO/IEC 15288 System Life Cycle Processes
• Agile development methodologies: Scrum, TDD, Crystal, Agile UP, DSDM, DDD, Kanban, etc.
• Traditional development methodologies: RUP, Open UP, Waterfall, etc.
• Organization’s specific development methodology, < … >
• All other processes in which you want to integrate ASCs

Organizational security risk analysis methods and tools (they help to identify applications to be secured):
• Mehari (Méthode harmonisée d’analyse de risques: harmonised risk analysis method)
• EBIOS (Expression des besoins et identification des objectifs de sécurité: expression of needs and identification of security objectives)
• Octave (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• NIST 800-30 Risk Management Guide
• All other security risk analysis methods, < … >
• All other information classification methods, < … >

Page 14

Application Security Key Principles
• Security is a requirement
• Application security is context-dependent
• Appropriate investment for application security
• Application security must be demonstrated

Security Model proposed by ISO/IEC 27034 (figure): Critical Information; Security Management (Governance); Applications, Information System (Development and Evolution); Technology (Acquisition, Maintenance, and Contingency); Verification and Control (Conformity).

Page 15

Security Model proposed by ISO/IEC 27034: contexts that have an influence on security (figure)
An Organisation (1..*) has Business needs (1..*) met by Business processes (*..*) supported by Applications (1..*); the Business Context, Legal Context and Technological Context each influence the Level of trust. An Application involves People, Process, Technology and Information (Hardware, Systems, Software, Data), any of which may be Critical.

Page 16

Security Model proposed by ISO/IEC 27034: Definitions
• Application security: provides elements to securely define, design, develop, implement, manage, and securely dispose of an application and its information.
• Application: IT solution, including application software, designed to help users perform particular tasks or handle particular types of IT problems, that helps an organization to automate a business process or function.

Page 17

Security Model proposed by ISO/IEC 27034: Definitions
• Target environment: the technological, business and legal context in which the application will be used.
• Level of trust (LoT):
  Targeted LoT: label of a set of ASCs deemed necessary by the application owner for bringing the risk of a specific application down to an acceptable level.
  Actual LoT: result of a verification process that confirms, by providing evidence, that all ASCs required by the application’s targeted LoT were correctly implemented, correctly verified and produced the expected result.

Page 18

Security Model proposed by ISO/IEC 27034: Definitions
• Secure application (Actual LoT = Targeted LoT): an application for which the Actual Level of Trust is equal to the Targeted Level of Trust, as defined by the organization using the application.

Within this concept, a secure application must comply with these criteria: it properly covers security needs from the management, IT, development and audit points of view, according to the level of trust desired, taking into account the type of information and the target environment; and it can be proven by supporting evidence to have reached and maintained the target level of trust.

Page 19

Security Model proposed by ISO/IEC 27034: Application Security Control (ASC)

An ASC (figure) links:
• Application Target Level of Trust (why)
• Security Requirements (why): application specifications, compliance to regulations, standards and best practices, etc.
• Security Activity (what, how, where, who, when, how much)
• Verification Measurement (what, how, where, who, when, how much)
• Application Security Life Cycle Reference Model

Page 20

Security Model proposed by ISO/IEC 27034: The ASCs Library (figure)
The Organisation ASC Library is indexed by the application levels of trust used by the organisation (0 to 10) and by the source of specifications and constraints:
• Application specifications: Online payment, Secure Log
• Business context: PCI-DSS, Aeronautics
• Regulatory context: Privacy Laws
• Technological context: Wireless, SSL Connection
The library holds the approved ASCs for each specification or constraint at each level of trust.
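The targeted and actual Level of Trust definitions (Pages 17 and 18) and the ASC structure and library (Pages 19 and 20), modelled as an added worked example in Python; this is not code from the presentation or from ISO/IEC 27034, and the ASC ids, LoT labels, requirement texts and evidence values are assumptions made for the example.

```python
"""Worked model of the ISO/IEC 27034 targeted vs actual Level of Trust check.
Constructed example: ASC ids, LoT labels, requirement/activity/measurement text
and evidence values are illustrative assumptions, not taken from the standard."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ASC:
    """Application Security Control: why, what to do, and how to verify it."""
    asc_id: str
    requirement: str      # why: the security requirement the ASC answers
    activity: str         # what/how/where/who/when: the security activity
    expected_result: str  # verification measurement: what evidence must show

@dataclass(frozen=True)
class Evidence:           # outcome recorded when one ASC is verified
    asc_id: str
    implemented: bool
    verified: bool
    observed_result: str

# Constructed organisation ASC library, keyed by ASC id (assumed values).
ASC_LIBRARY = {
    "ASC-01": ASC("ASC-01", "PCI-DSS: protect stored cardholder data",
                  "encrypt the card-number column at rest",
                  "card numbers unreadable in database dump"),
    "ASC-02": ASC("ASC-02", "technological context: wireless access",
                  "terminate client connections with TLS only",
                  "plaintext listener disabled"),
    "ASC-03": ASC("ASC-03", "application specification: secure log",
                  "write audit events to an append-only log",
                  "log entries not alterable by the application account"),
}

# A targeted LoT is a label for the set of ASCs the application owner deems
# necessary; each higher label here is a superset of the one below (assumed).
LEVELS_OF_TRUST = {
    "LoT-1": frozenset({"ASC-03"}),
    "LoT-2": frozenset({"ASC-02", "ASC-03"}),
    "LoT-3": frozenset({"ASC-01", "ASC-02", "ASC-03"}),
}

def verify_application(targeted_lot, evidence):
    """Return (reached, failures). reached is True only when every ASC required
    by the targeted LoT has evidence that it was implemented, verified and
    produced the expected result; failures lists each shortfall found."""
    if targeted_lot not in LEVELS_OF_TRUST:
        raise ValueError(f"unknown level of trust: {targeted_lot}")
    by_id = {e.asc_id: e for e in evidence}
    failures = []
    for asc_id in sorted(LEVELS_OF_TRUST[targeted_lot]):
        ev = by_id.get(asc_id)
        if ev is None:
            failures.append(f"{asc_id}: no evidence")
        elif not ev.implemented:
            failures.append(f"{asc_id}: not implemented")
        elif not ev.verified:
            failures.append(f"{asc_id}: not verified")
        elif ev.observed_result != ASC_LIBRARY[asc_id].expected_result:
            failures.append(f"{asc_id}: result does not match measurement")
    return not failures, failures

def actual_level_of_trust(evidence):
    """Highest LoT label the evidence fully supports, or None if not even LoT-1."""
    reached = None
    for label in LEVELS_OF_TRUST:  # dict order is ascending, see above
        if verify_application(label, evidence)[0]:
            reached = label
    return reached

# Constructed evidence for one application: ASC-02 implemented but never verified.
SAMPLE_EVIDENCE = [
    Evidence("ASC-02", True, False, ""),
    Evidence("ASC-03", True, True, "log entries not alterable by the application account"),
]
```

With SAMPLE_EVIDENCE an owner who targeted LoT-2 gets an actual LoT of only LoT-1, and the failures list names the ASC whose verification is missing, which is the gap the Page 18 criteria require to be closed before the application can be called secure.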

Page 21

Security Model proposed by ISO/IEC 27034: Application Security Life Cycle Reference Model (figure)
Actors: Role 1, Role 2, Role 3, Role 4, … Role n
Provisioning stages: Preparation; Realization (Development, Acquisition, Outsourcing); Transition
Operation stages: Utilization and maintenance; Archival; Destruction
Layers:
• Application management: application provisioning management; application operation management
• Application provisioning and operation: Preparation; Development / Acquisition / Outsourcing; Transition; Utilization; Archival; Destruction
• Infrastructure management: application provisioning infrastructure management; application operation infrastructure management; Disposal
• Application audit: application provisioning audit; application operation audit

Page 22

Security Model proposed by ISO/IEC 27034: The ONF (figure)
Organization Normative Framework, approved by the organisation’s ONF Committee, containing:
• Business context
• Regulatory context
• Technological context
• Application specifications repository
• Roles, responsibilities and qualifications repository
• ASC Library (ASCs)
• Application Life Cycle Processes
• Application Life Cycles
• Application Life Cycle Security Reference Model
• Processes Related to Application Security
• ONF Management Processes
• ONF Conformance Processes

Page 23

Security Model proposed by ISO/IEC 27034: The ASMP (figure)
Application Security Management Process, in five steps:
1. Identifying the application requirements and environment: identifies the application contexts and specifications, used for step 2.
2. Assessing the application security risks: determines the application targeted level of trust, used for step 3.
3. Creating and maintaining the Application Normative Framework: provides the Application Normative Framework, used for step 4.
4. Realising and operating the application: provides the implemented required ASCs and the application project artefacts and ANP, used for step 5.
5. Verifying the security of the application: provides the application actual level of trust and mandates security adjustments.
The Organization Management Processes and the ONF Management Process provide the Organization Normative Framework and the components and processes related to application security, which the ASMP uses and feeds back to.

Page 24

Implementing security
• Success of a software assurance program within an organization is directly proportional to the support of executive management.
• Security has to be ensured throughout the entire lifecycle.
• All stakeholders in the software development process must be aware of common security tenets and threats.
• Building secure software is a result of all the stakeholders having the appropriate levels of participation, and a security mindset in the design, development, and deployment of the software.
• Stakeholders must be educated and certified in how to build security within every phase of the lifecycle.

“All of the policy and process control security measures are totally futile without the first line of defense – people.”

Page 25
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved

The (ISC)²® Approach – The CSSLP
• Certified Secure Software Lifecycle Professional (CSSLP)
• Base credential (no other certification is required as a prerequisite)
• Professional certification program
• Takes a holistic approach to security in the software lifecycle
• Tests candidates’ knowledge, skills and abilities to significantly mitigate the security concerns

As of November 2009, 900 CSSLPs in 42 countries worldwide

Page 26

Purpose
• Addresses building security throughout the entire software lifecycle – from concept and planning through operations and maintenance, to the ultimate disposal.
• Provides a credential that speaks to the individual’s ability to contribute to the delivery of secure software through the use of standards and best practices.
• The target professionals for this certification include all stakeholders involved in the software lifecycle.

Page 27

Software Lifecycle Stakeholder Chart
Software Lifecycle Stakeholders: Top Management; IT Manager; Business Unit Heads; Developers/Coders; Client Side PM; Industry Group; Delivery Heads; Business Analysts; Quality Assurance Managers; Architects; Project Managers/Team Leads; Application Owners; Security Specialists; Auditors

Page 28

CSSLP Industry Supporters
• Microsoft • Cisco • Xerox • SAFECode • Symantec • BASDA • SANS • DSCI (NASSCOM) • SRA International • ISSA

“As the global dependence on information and communications technology has grown, users have become increasingly concerned over the security of software, especially those in the government, critical infrastructure and enterprise sectors. By offering software professionals a means to increase and validate their knowledge of best practices in securing applications throughout the development lifecycle, (ISC)²’s CSSLP is helping the industry take an important step forward in addressing the ‘people’ part of the solution.”
Paul Kurtz, executive director, SAFECode

Page 29

(ISC)²® CSSLP CBK Domains
Certified Secure Software Lifecycle Professional (CSSLP) Domains:
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal

Page 30

(ISC)2® Software Community Whitepapers
• Check out the series of whitepapers created that discuss:
  The need for secure software
  What to consider when building secure software
  How to design, develop and deploy secure software
  Best practices for ensuring security throughout the process
  Exploiting insecure code and, in turn, using that to write code that is not exploitable
https://www.isc2.org/csslp-whitepaper

Page 31

Final Remarks
• Changing Risks
• Changing Practices
• Evolving Security Approach
• Responsible Behaviors
• Standards Guiding Desired Change
• New Technology
• New Attacks

Page 32

Thank You
http://mengchow.wordpress.com/
@mengchow