The security landscape is changing and the security industry must adapt to stay relevant. The economic and scale benefits of the cloud are causing organizations to move sensitive business processes and data outside of the safety of the corporate environment. New business models and other opportunities to create value through innovation are moving sensitive data and code onto untrusted mobile devices. Organizations are going to adopt these new cloud and mobile technologies and information security practitioners will be forced to evolve current models for risk management and mitigation. This presentation discusses the need for open software security standards to support this evolution. Being required to trust cloud service providers leads to a need for increased visibility into the software security practices of those providers. In addition, reliance on these providers’ software as well as the requirement to place software in untrusted environments such as mobile devices creates a demand for better standards for evaluating the security state of complicated systems. Many previous efforts have been focused on proprietary models that failed to provide sufficient insight or on models that lacked a level of technical rigor required to provide assurance. The solutions to these issues are open standards that are based on the real risks organizations encounter when adopting cloud and mobile technologies and the presentation outlines potential paths forward that can provide risk managers with the assurances they need while also freeing up businesses to intelligently consume emerging technologies.
© Copyright 2011 Denim Group - All Rights Reserved
The Need for Open Source Security Standards in a Mobile and Cloudy World
Dan Cornell
CTO, Denim Group
@danielcornell
Bio: Dan Cornell
• Founder and CTO, Denim Group
• Software developer by background (Java, .NET)
• OWASP
– San Antonio Chapter Leader
– Open Review Project Leader
– Chair of the Global Membership Committee
• Speaking
– RSA, SOURCE Boston
– OWASP AppSec, Portugal Summit, AppSecEU Dublin
– ROOTS in Norway
Denim Group Background
• Secure software services and products company
– Builds secure software
– Helps organizations assess and mitigate risk of in-house developed and third party software
– Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
– Application security experts are practicing developers
– Development pedigree translates to rapport with development managers
– Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
– Develops open source tools to help clients mature their software security programs
• Remediation Resource Center, ThreadFix, Sprajax
– OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
– World class alliance partners accelerate innovation to solve client problems
The World Is Mobile and Cloudy
• And Will Be Getting More So
• Deal With It
What Are Executives Actually Scared Of?
• Fuel Price Changes
• Physical Security
• Global economy
• Cross-Site Scripting (?)
• Security needs to be aware of this when they weigh in
Mobile: Risk and Value
• Mobile applications can create tremendous value for organizations
– New classes of applications utilizing mobile capabilities: GPS, camera, etc.
– Innovating applications for employees and customers
• Mobile devices and mobile applications can create tremendous risks
– Sensitive data inevitably stored on the device (email, contacts)
– Connect to a lot of untrusted networks (carrier, WiFi)
• Most developers are not trained to develop secure applications
– Fact of life, but slowly getting better
• Most developers are new to creating mobile applications
– Different platforms have different security characteristics and capabilities
Generic Mobile Application Threat Model
What Mobile Users Are You Concerned About?
• Mobile Application Users
– Enterprise Users
• Employees
• Partners
– Customer Users
• Paid Application Users
• Convenience Users
Cloud
• Cost Savings
• Ease of Deployment
• Flexibility
• Security?
This is (was) Your Threat Model
This is Your Threat Model on “Cloud”
Security Team’s First Concern…
• Stay in the Conversation
• Identify these initiatives
• Make sure you get to participate
• This means you have to add value
Innovation Pressure Leads to Rogue Mobile Efforts
• “We’re thinking about doing some mobile applications”
• “Actually your iPhone app went live 6 months ago and your Android app went live last week…”
• Initiatives being driven from “Office of the CTO”, R&D, and Marketing
Cost and Ease of Use Pressures Lead to Rogue Cloud Deployments
• “What do you mean the CEO’s IT trouble tickets are handled by a SaaS provider?”
• “When did we start using BaseCamp and Google Docs to manage customer projects?”
• Any employee with a $500/month corporate credit card can now be their own purchasing officer
Procurement Challenges
• How do we better judge risk?
• How can we make the decision process simpler?
What Are App Stores Promising Stakeholders?
• What does Apple do?
• What does Google do?
• What does your enterprise do?
Challenges for Both Suppliers and Consumers
• Did you want an automated scan or a full design assessment with manual source code review?
• ’Cause that has an impact on scope and price…
• Consumers of software and services must be able to articulate the level of security assurance they require
– Otherwise it is a financial race to the bottom
– RFPs: Garbage in, garbage out
Service Provider Dilemma
• Certain customers want some sort of assurance, but are not necessarily sophisticated and do not know what to ask for
• Other customers require deeper assurance
We Need a Better Way To Communicate
• Processes
• Results
What Have We Tried in the Past?
• Common Criteria
• PCI-DSS
Common Criteria
Payment Card Industry Data Security Standards
• Initially based on OWASP Top 10
• Now more open, but still based on vulnerability lists
Recent Developments
• Process:
– OpenSAMM
– BSIMM
• Results:
– Penetration Testing Execution Standard (PTES)
– OWASP Application Security Verification Standard (ASVS)
Geekonomics by David Rice
• Great insight into economic and legal issues for software security and reliability
• Calls for better software construction and testing standards
Comparing Software to Food
• Jeff Williams and nutrition labels for software
• John Dickson and restaurant cleanliness ratings
OpenSAMM and BSIMM
• Externally look very similar
– Both are three-level maturity models
– Both have 12 different major areas of concern
• Methodology is very different
– BSIMM based on data from industry leaders
– OpenSAMM based on general industry consensus
Penetration Testing Execution Standard
• Emerging standard for penetration testers
• Suitable for operational environments
Application Security Verification Standard
• Defines multiple levels to correspond with the degree of inspection
• Currently available for web applications, but other derivatives in the works
A Case Study
• Service provider for financial services industry
• Hounded by small and large clients
A Case Study (continued)
• Used a combination of OpenSAMM and OWASP ASVS
• Extended to meet certain special requirements
• Detailed report provided to client
• Summary report provided to interested parties
So What Does This Get Us?
• Application consumers can know what they are getting
• Application providers can clearly communicate the security state of their offerings
• World peace?
And What Are We Still Lacking?
• Is a “standard” being appropriately applied?
• Is the evaluation being done at an appropriate technical granularity?
• How do you report and communicate business risk?
• How do you avoid a “checkbox” mentality?
What Can You Do To Be a Winner?
• Involve yourself in these key conversations
• Discuss your verification requirements
• Secure your right to test
• Reward the good and punish the bad
References
• Geekonomics
– http://www.geekonomicsbook.com/
• Common Criteria
– https://secure.wikimedia.org/wikipedia/en/wiki/Common_criteria
• Building Security In Maturity Model (BSI-MM)
– http://bsimm.com/
• Open Software Assurance Maturity Model (OpenSAMM)
– http://www.opensamm.org/
• Penetration Test Execution Standard (PTES)
– http://www.pentest-standard.org/
• OWASP Application Security Verification Standard (ASVS)
– https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Questions?
Dan Cornell
Twitter: @danielcornell
www.denimgroup.com
blog.denimgroup.com
(210) 572-4400