Software Security My Other Marathon Harold Toomey Past
- Slides: 32
Software Security – My Other Marathon Harold Toomey Past President, ISSA North Texas, 2013 Principal Product Security Architect & PSIRT Manager Intel Security April 24, 2015 @NTXISSA
Introduction • Responsibilities • • • PSIRT Manager Manage a team of 50+ Sr. Security Architects (PSCs) Manage the SDL, policies and PSG program Training program Metrics • Experience • • 4 Years: 2 Years: 11 Years: 10 Years: Eng. Software Security IT Operational Security Product Management Software Development (C++) • ISSA North Texas Chapter, Past President • CISSP, CISA, CISM, CRISC, CGEIT, ITIL, … • CVSS Special Interest Group (SIG) NTX ISSA Cyber Security Conference – April 24 -25, 2015 Harold Toomey Principal Product Security Architect @NTXISSA 2
Agenda • Plot #1: Developing Secure Software • Plot #2: Running a 100 Mile Ultra Marathon Which is easier? vs. NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 3
Scenario #1 – Secure Software • 110+ Enterprise and consumer security products • 4, 000+ software engineers • 200 M+ customers • Someone reports a vulnerability • Now what? • How did this happen? NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 4
Scenario #2 – 100 M Ultra Run • You gained 50 pounds over the past 10 years • You hear running gets you healthy again • You sign up for a 100 mile ultra marathon • Are you crazy? (yes, of course) • How long will it take for you to pull this off? NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 5
#1 The Development Team • • Executive Support Software Engineering Teams Product Security Group / PSIRT Product Security Champions (PSCs) Tier III Technical Support Knowledgebase Team Extended Team • IT, PR, Legal, Training NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 6
#2 Your Running Crew • • Supportive spouse Trainer Running buddies Your dog (Roxy) Facebook running friends Marathon Maniacs Race volunteers Pacers NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 7
#1 PSIRT Process • • Contact engineering network (PSCs) Verify the vulnerability Score the vulnerability’s severity (CVSS) Communicate fix schedule to the discoverer Develop and publish the patch Publish Security Bulletin Next week: “lather, rinse, repeat” NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 8
#2 Ultra Training • • Start running Sign up for weekend races (milestones) Set goals Read about it Friend like minded runners Learn by experience (pain) Build up to it NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 9
#2 Possible Training Goals • Year 1 • Run a 5 K to see how out of shape you are • Run a half marathon after 6 months • Run a full marathon after 1 year • Year 2 • Run a half marathon or farther every weekend • Year 3 • Run an ultra every month, with 2 x 100 M by end of year • Try Sprint and Olympic Ironman Triathlons • Year 4 • Run a 100 miler every month (Jun – Feb) NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 10
#1 Named Vulnerabilities Date Description 8 Apr 2014 2 Jun 2014 24 Sep 2014 14 Oct 2014 27 Jan 2015 4 Mar 2015 19 Mar 2015 Summer 2015 Heartbleed II Shellshock/BASH POODLE 3 SSLv 3 CVEs GHOST FREAK 14 Open. SSL CVEs Open. SSL Security Audit # Vuln. Products 19 22 23 28 15 28 3 22 SB 10071 SB 10075 SB 10085 SB 10090 SB 10091 SB 10100 SB 10108 SB 10110 TBD SB “Open. SSL: The gift that keeps on giving. ” NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 11
#2 Popular/Local Races • • • Boston Marathon (20 Apr 2015) Badwater 135 (28 -30 July 2015) Big Cedar 100 M (30 -31 Oct 2015) Brazos Bend 100 M (11 -12 Dec 2015) Rocky Raccoon 100 M (1 -2 Feb 2016) NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 12
#1 Doing the Basics 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Minimum SDL activities Compile with security flags set Remove banned C/C++ functions Fix high severity vulnerabilities Complete Static/Dynamic Analysis/Fuzzing Manual code reviews Validate inputs Build in privacy/protect PII Remove debugging code Scan for viruses/malware Don’t implement backdoors NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 13
#2 Doing the Basics • You can’t outrun a bad diet • 15% Exercise • 85% Diet • • • Sleep Regular run schedule Buy good equipment Positive attitude (“Never give up”), but Never run on an injury NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 14
#1 Proactive Measures – Waterfall 0 1 2 3 4 5 Concept Planning Design & Development Readiness Release & Launch Support & Sustain Security Assessment Architecture Ship Post-Release, Legacy, & M&A S 0 S 1 S 4 S 5 • SDL Design & Development S 2 S 3 • Product security team is looped in early (Product Security Group & Product Security Champions) • S 1 Security Plan • S 2 Security Plan • S 3 Security Plan • S 4 Security Plan • SDL policy assessment & scoping • Security test case execution • Final security review • Product security team hosts a discovery meeting • Threat modeling / architecture security analysis • Security test plan composition • Static analysis • Vulnerability scan • Threat model updating • Dynamic analysis • Penetration test • Product security team creates an SDL project plan (states what further work will be done) • Privacy information gathering and analysis • Fuzz testing • Open source licensing review • Product team initiates a Privacy Impact Assessment (PIA) • Design security analysis & review • Secure coding • Privacy implementation assessment • Manual code review • Privacy validation and remediation NTX ISSA Cyber Security Conference – April 24 -25, 2015 • Final privacy review • External vulnerability disclosure response (PSIRT) • Reviews by 3 rd party service contractors • Post-release certifications • Internal review for new product combinations or cloud deployment • Security architectural reviews & tool-based assessments of legacy and M&A products @NTXISSA 15
#1 Proactive Measures – Agile User/abuser stories (chewable design bites) Sprint NTX ISSA Cyber Security Conference – April 24 -25, 2015 Potentially Shippable Increments (PSI) @NTXISSA 16
#2 Proactive Measures • • • Heart Rate Muscle Fatigue Pain Killers Breathing Timing NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 17
#1 Learn from Pain • Lessons Learned from Heartbleed • • New “Crisis Scenario” policy Updated security bulletin template Product buckets Customer communication policy Shared technology inventory Early notification expectations PSIRT process training NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 18
#2 Learn from Pain • Countermeasures • • Advil Bandages Body Glide Mustard • Weather • Sun screen • Mosquito repellant • Course Review NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 19
#1 Do it Better Level of Maturity • All releases threat modeled • Frequent attacks • No reviews • No constraints • Email tracking None • Major releases threat modeled • All primary tools • Defect rates used • Major attack decreasing vectors • Fuzzing scripts addressed written • Freeware tools • Accept risks of used open source • Standard • Tracking DB • Black. Duck awareness w/dashboard • Standards adopted • PSIRT XLS Initial Basic Acceptable NTX ISSA Cyber Security Conference – April 24 -25, 2015 • Preventive measures modeling • Defect rates near 0 • Best-in-class tools • All products pen tested • Open source SLAs • Standards adapted to environment • Metrics integrated into risk mgt. tools Mature PSMM Phase @NTXISSA 20
#1 PS Maturity Model Parameters Operational 1. Program 2. Process 3. Resources 4. Training 5. Security Reviews 6. Tools 7. PSIRT 8. SDL 9. Policy 10. Privacy 11. Certification 12. M&A 13. Extended Team Technical 14. Threat Modeling / Architecture Reviews 15. Static Analysis 16. Dynamic Analysis (Web Apps) 17. Fuzz Testing 18. Vulnerability Scans / Penetration Testing 19. Manual Code Reviews 20. Secure Coding Standards 21. Open Source / 3 rd Party Libraries 22. Tracking Tools NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 21
#2 Push Farther / Faster • Distance 1. 2. 3. 4. 5. 6. 7. 8. 9. 5 K (3. 1) 10 K (6. 2) ½ Marathon (13. 1) Marathon (26. 2) 50 K (31. 1) 50 M 100 K (62. 2) 100 M 72 Hour Endurance • Speed 6: 00 Marathon Limit (US) 5: 00 Marathon Limit (EU) 4: 00 Marathon (25%) 3: 30 Boston Qualifier 2: 00 Marathon Glass Ceiling (2: 03: 23) • 12: 00 100 M USA Record (11: 59: 28) • • • NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 22
#1 Metrics NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 23
#2 Measuring Progress NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 24
Continual Evolution • There is always a better way – find it NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 25
#1 The Reward • • Secure code = Less fire stomping (PSIRT) Customer satisfaction = Increased business Protects the brand Meets compliance requirements NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 26
#2 The Reward NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 27
Finishing the Hawk Hundred 13 Sep 2014 Finish Time: 31: 38 NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 28
Finishing the Brazos Bend 100 13 Dec 2014 Finish Time: 28: 22 NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 29
Conclusion • Plot #1: Developing Secure Software • Plot #2: Running a 100 Mile Ultra Marathon Which is easier? vs. NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 30
Q&A Harold Toomey Principle Product Security Architect Product Security Group Intel Security Harold_Toomey@Intel. Security. com (801) 830 -9987 NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 31
The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA (Information Systems Security Association) Thank you NTX ISSA Cyber Security Conference – April 24 -25, 2015 @NTXISSA 32
- Stella ting toomey
- Private securty
- Software security building security in
- Tumulus marathon
- Alma cummings dance marathon
- What happened at the battle of marathon
- Sun moon lake marathon
- Essprotokoll app
- Boston marathon
- Marathon family health team
- Kati mori
- Boston marathon
- Marathon objectives
- An overheated marathon runner accepts cups
- Karen samuel marathon
- Kati mori
- Hasselbalch equation
- Battle of marathon
- Rfid marathon tracking
- Boston marathon
- Collectd to hdfs
- Upower marathon 21 review
- Pragmatisk validitet
- Self-initiated other-repair
- Simple past and past progressive
- Past simple past continuous present perfect
- Exercise past simple past continuous and past perfect
- Past continuous past perfect
- Past simple past continuous past perfect таблица
- Narrative tenses past simple
- Czas past simple i past continuous
- Past continuous vs past perfect continuous