Application Security

Application Security – a standards approach应用安全：一个标准的方法 Dr Meng-Chow Kang, CISSP Director and CISO, APCJ, Cisco Systems November 9, 2011

Agenda ISO/IEC 27034 – yet another standard? ISO/IEC 27034 approach to application security (ISC)2 CSSLP

Acknowledgements 鸣谢 • ISC)2 – International Information Systems Security Certification Consortium 国际信息系统安全认证联盟 • Mr Luc Poulin, Editor for ISO/IEC 27034 and President of Cogentas, Canada；国际标准ISO/IEC 27034 编辑

ISO/IEC JTC 1/SC 27 Organization

WG 4 Roadmap Framework 路线图框架 Unknown or emerging information security issues 未知和新兴信息安全问题 Known information security issues 已知信息安全问题 Information security breaches and compromises 违反信息安全规律事件信息泄漏事件

WG 4 Projects & Study Periods Unknown or emerging information security issues Known information security issues Information security breaches and compromises

Increasing complexity and sophistication of attacks 网络攻击增强复杂性 • Web 2.0 & social networking • Social engineering • Vulnerability exploitations • Mobility • Beyond Windows • Escalating concerns over data losses “Just landed in Baghdad” - Rep. Peter Hoekstra,R-MichTweets Secret delegation led by House Minority Leader John A. Boehner is not so secret…

Needs for Application Security • A critical element of “baked-in” security • Insecure development practices result in • Vulnerabilities created in software • Brittleness (脆化) of overall application and systems • Exponential cost of detection, repair, and patching • Questionable trust; customers’ confidence; more regulations • Relative cost of fixing defects in production is 30 to 100 times more expensive

Industry Responses • Addressing secure software needs • IEEE:CSDA and CSDP (Software development) • SANS:GSSP-C, GSSP-J (Language specific/secure coding) • ISSECO: International Secure Software Engineering Council • CSSE (Entry level education program with certificate of completion given by International Software Quality Institute (iSQI) • DHS (国土安全部): Software Assurance Initiative (Awareness Program/Forum) • Vendor-Specific (e.g., Cisco, Microsoft) based on internal lifecycle processes/technology specific and industry best practices

IssuesRelatedto Application Security 安全依赖于应用的环境 And we still don’t know if we can trust an application that is secure enough for our needs 缺乏标准参考模式组织自创方法，工具，解决方案

Application security means different thing to different groups

Application Security (ISO/IEC 27034) • Multi-parts security standard focusing on needs for application security from enterprise perspective, covering all relevant aspects of application life-cycle • Part 1 – Overview and Concepts • Part 2 – Organization Normative Framework • Part 3 – Application Security Management Process • Part 4 – Application Security Validation • Part 5 – Protocols and Application Security Controls Data Structure • Part 6 – Security Guidance for Specific Applications

ConclusionISO/IEC 27034 Benefits • 27034 help to attach many standards, methodology and practices to implement Application Security

Security Model proposed by ISO/IEC 27034Application Security Key Principles • Security is a requirement • Application security is context-dependent • Appropriate investment for application security • Application security must be demonstrated Security Management (Governance) Information Security Information Security Technology (Acquisition, Maintenance, and Contingency) Applications, Information System(Development and Evolution) Critical Information Verification and Control (Conformity)

Legal Context Technological Context Business Context 1..* 1..* 1..* Organisation 1..* Information Business needs People 1..* Process Business processes Application Technology Systems *..* 1..* Hardware Level of trust Software Data • Security Model proposed by ISO/IEC 27034 Contexts that have an influence on Security Critical Critical Critical Critical

Security Model proposed by ISO/IEC 27034 Definitions • Application security • Provides elements to securely define, design, develop, implement, manage, and securely dispose an application and its information. • Application • IT solution, including application software, designed to help users perform particular tasks or handle particular types of IT problems that helps an organization to automate a business process or function.

Security Model proposed by ISO/IEC 27034 Definitions • Target environment目标环境 • is the technological, business and legal context in which the application will be used. • Level of trust (LoT) 可信度 • TargetedLoT: 可信度的目标label of a set of ASCs deemed necessary by the application owner for bringing the risk of a specific application down to an acceptable level. • ActualLoT: 实际可信度result of a verification process that confirms, by providing evidences, that all ASCs required by the application’s targeted LoT were correctly implemented, correctly verified and produced the expected result.

Security Model proposed by ISO/IEC 27034 Definitions Secure application 安全的应用：实际可信度＝可信度目标 application for which the Actual Level of Trust is equal to the Targeted Level of Trust, as defined by the organization using the application. Within this concept, a secure application must comply with these criteria: • properly covers security needs from the management, IT, development and audit points of view; • according to the level of trust desired; • taking into account the type of information; • the target environment, and • that can be proven by supporting evidence to have reached and maintained the target level of trust.

Security Model proposed by ISO/IEC 27034 Application Security Control (ASC) 安全需求应用可信度的目标安全议案验证测量应用安全生命周期参考模型

Security Model proposed by ISO/IEC 27034 The ASCs Library 应用安全措施库 Source of specifications and constraints Specificationsand constraints Approved

Security Model proposed by ISO/IEC 27034 Application Security LC Reference Model

Security Model proposed by ISO/IEC 27034 The ONF 组织规范框架 Approved by the Organisation’s ONF Committee

Security Model proposed by ISO/IEC 27034 The ASMP Application Security Management Process Organization Management Processes

Implementing security实施安全 • Success of a software assurance program within an organization is directly proportional to the support of executive management. • Security has to be ensured throughout the entire lifecycle. • All stakeholders in the software development process must be aware of common security tenets and threats. • Building secure software is a result of all the stakeholders having the appropriate levels of participation, and a security mindset in the design, development, and deployment of the software. Stakeholders must be educated and certified in how to build security within every phase of the lifecycle. “All of the policy and process control security measures are totally futile without the first line of defense – people.”

The (ISC)²® Approach – The CSSLPCM As of November 2009, 900 CSSLPs in 42 countries Worldwide Certified Secure Software Lifecycle Professional (CSSLP) 安全软件生命周期专业认证 Base credential (no other certification is required as a prerequisite) 基本凭据 Professional certification program 专业认证项目 Takes a holistic approach to security in the software lifecycle 全面性的方法 Tests candidates knowledge, skills and abilities to significantly mitigate the security concerns测试考生的知识，技术以及解决安全问题的能力

Purpose • Addresses building security throughout the entire software lifecycle – from concept and planning through operations and maintenance, to the ultimate disposal. • Provides a credential that speaks to the individual’s ability to contribute to the delivery of secure software through the use of standards and best practices. • The target professionals for this certification includes all stakeholders involved in the Software Lifecycle.

Software Lifecycle Stakeholder (利益相关者) Chart Top Management Auditors Business Unit Heads Client Side PM IT Manager Industry Group Delivery Heads Security Specialists Software LifecycleStakeholders Business Analysts Application Owners Developers/ Coders Quality Assurance Managers Project Managers/ Team Leads Architects

CSSLPCM Industry Supporters • Microsoft • Cisco • Xerox • SAFECode • Symantec • BASDA • SANS • DSCI (NASSCOM) • SRA International • ISSA “As the global dependence on information and communications technology has grown, users have become increasingly concerned over the security of software, especially those in the government, critical infrastructure and enterprise sectors. By offering software professionals a means to increase and validate their knowledge of best practices in securing applications throughout the development lifecycle, (ISC)²’s CSSLP is helping the industry take an important step forward in addressing the ‘people’ part of the solution.” Paul Kurtz, executive director, SAFECode

Certified Secure Software Lifecycle Professional (CSSLPCM) Domains (ISC)²® CSSLP CBK Domains 共同知识体质知识域 • Secure Software Concepts概念 • Secure Software Requirements 需求 • Secure Software Design 设计 • Secure Software Implementation/Coding 实施／编码 • Secure Software Testing 测试 • Software Acceptance 验收 • Software Deployment, Operations, Maintenance, and Disposal部署，操作，维护和处置

Software Community (ISC)2® Whitepapers • Check out the series of Whitepapers created that discuss: • The need for secure software • What to consider when building secure software • How to design, develop and deploy secure software • Best practices for ensuring security throughout the process • Exploiting insecure code and, in turn, using that to write code that is not exploitable https://www.isc2.org/csslp-whitepaper

Final Remarks

Thank You 谢谢 http://mengchow.wordpress.com/ @mengchow

Application Security – a standards approach 应用安全：一个标准的方法