Your SlideShare is downloading. ×
  • Like
[EMC] Source Code Protection
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

[EMC] Source Code Protection

  • 163 views
Published

 

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
163
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
6
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. 1  Source Code Protection:Evaluating Source Code SecurityStephanie Woiciechowski, GSECPrincipal Software EngineerProduct Security OfficeEMC Corporation
  • 2. 2  Goals•  Understand application ofbasic security concepts•  Collaborative security•  Iterative securityimprovements aroundsource codeIf  you  have  built  castles  in  the  air,  your  work  need  not  be  lost;  that  is  where  they  should  be.  Now  put  the  founda;ons  under  them.        -­‐-­‐  Thoreau  
  • 3. 3  Why should we care?Threats to source code
  • 4. 4  Source Code Threats“Consider that no organization isimpenetrable. Assume thatyour organization mightalready be compromised andgo from there.”Security for Business Innovation Council(2011)Security  takes  a  new  role  in  working  with  source  code.  
  • 5. 5  Claims  by  Anonymous  about  Symantec  -­‐-­‐Symantec  •  Theft of product-relatedintellectual property to underminethe security of our customers.•  Or to seek competitive advantage•  Exposure of vulnerabilities•  Exposure of trade/governmentsecretsSource Code ThreatsSecurity  takes  a  new  role  in  working  with  source  code.  AMSC  Taking  Sinovel  Infringement  Suit  to  China’s  Supreme  Court      -­‐-­‐  Bloomberg  Ex-­‐NASA  contractor  arrested  on  plane  to  China  -­‐-­‐Associated  Press  
  • 6. 6  Claims  by  Anonymous  about  Symantec  -­‐-­‐Symantec  •  Theft of product-relatedintellectual property to underminethe security of our customers.•  Or to seek competitive advantage•  Exposure of vulnerabilities•  Exposure of trade/governmentsecretsSource Code ThreatsSecurity  takes  a  new  role  in  working  with  source  code.  AMSC  Taking  Sinovel  Infringement  Suit  to  China’s  Supreme  Court      -­‐-­‐  Bloomberg  Ex-­‐NASA  contractor  arrested  on  plane  to  China  -­‐-­‐Associated  Press  
  • 7. 7  Source Code Threats•  Insertion of malicious code intoproducts during developmentcycle that can undermine productintegrity and operations incustomer environments.Security  takes  a  new  role  in  working  with  source  code.  phpMyAdmin
  • 8. 8  What can we do?Define objective
  • 9. 9  What can we do?•  Prerequisites & Assumptions•  IT is doing their part for corporatesecurity•  Security is not #1 for SCM, Build,Release, QE, and Dev•  Security goals often support SCMgoals of traceability,reproducibility, and auditability•  Approach: Collaboration•  Define security criteria•  Understand current environment•  Review tools in use against criteria•  Include input from SCM and securityexperts•  Manage change•  Provide recommendations forpreferred solutions•  Provide a framework to assessimplementations & evaluate newsolutionsImprove  security  in  the  source  code  environment  to  defend  against  threats.  
  • 10. 10  •  Policy: What needs to be done toprotect source code.•  Strong passwords to access sourcecode•  Transactions will be logged andprotected•  Standards: How to implement policy.•  Source code systems are integratedwith organization’s identitymanagement system and use networkpassword.•  Transactions are logged to syslog andexported every 20 minutes to a logaggregation system.•  Achievable &Maintainable:Consistent approach toimplementation•  Measureable:Evaluation if a control isin place and how it isfunctioning•  Threat model: How might yourenvironment be attacked?•  Business case•  What could happen if yoursource code is modified?•  What could happen if yoursource code is stolen?•  How would you recover and atwhat cost?•  Actionable intelligenceEstablish Goals & Team•  Initial Goals: Call toaction•  Who should be involved?•  Policies & Standards•  Procedures &AssessmentsRISK  REDUCTION  Task  Force  IT  Security  Source  Code  Admin  Legal  Development  RISK  REDUCTION  
  • 11. 11  •  Threat model: How might yourenvironment be attacked?•  Business case•  What could happen if yoursource code is modified?•  What could happen if yoursource code is stolen?•  How would you recover and atwhat cost?•  Actionable intelligenceEstablish Goals & Team•  Initial Goals: Call toactionRISK  REDUCTION  
  • 12. 12  Establish Goals & Team•  Initial Goals: Call toaction•  Who should be involved?Task  Force  IT  Security  Source  Code  Admin  Legal  Development  
  • 13. 13  •  Policy: What needs to be done toprotect source code.•  Strong passwords to access sourcecode•  Transactions will be logged andprotected•  Standards: How to implement policy.•  Source code systems are integratedwith organization’s identitymanagement system and use networkpassword.•  Transactions are logged to syslog andexported every 20 minutes to a logaggregation system.Establish Goals & Team•  Initial Goals: Call toaction•  Who should be involved?•  Policies & Standards
  • 14. 14  •  Achievable &Maintainable:Consistent approach toimplementation•  Measureable:Evaluation if a control isin place and how it isfunctioningEstablish Goals & Team•  Initial Goals: Call toaction•  Who should be involved?•  Policies & Standards•  Procedures &AssessmentsRISK  REDUCTION  
  • 15. 15  Source  Code  Backups  Hardware  Storage  EncrypMon  DLP  Network  IsolaMon  Physical  IsolaMon  Virtual  IsolaMon  Virtual  Containment  Preven;ve  Detec;ve  Correc;ve  •  Authentication is a way toprove your identity such that noone can later say it wasn’t youIdentity + Secret = Authentication•  Centralized authenticationmechanisms•  Why local accounts causeproblemsValue of and risk tothe data informsappropriate securitysolutionsDefining Security Criteria•  Defense-in-depth•  Data Classification•  Identity/Authentication•  Access Controls•  Isolation•  Data Protection•  Hardening•  Avoiding Malicious Code•  LoggingLayers of ProtectionServices  Ports  Security  Patches  ConfiguraMon  Code  Changes  •  Chain  of  Custody  •  Code  reviews  •  Reputable  sourcing  •  Integrity  checks  Environment  •  Servers  •  WorkstaMons  •  Malware  •  Rootkits  Principle of Least Privilege•  The Apache Way …Reduce vulnerable surfacearea of a servereGRC Compliance monitoringForensics  Log  protecMon  Regular  reviews  AcMve  monitoring  • Restricted  access  • Storage  monitors  • Log  aggregaMon  • One  of  the  most  common  ways  insiders  detect  breaches  
  • 16. 16  Define Security Criteria•  We have a team•  We have basic Defense-in-Depth securitysolutions•  Now … draft Source Code Security Policies andStandards to document expectations
  • 17. 17  What can we do?Understand the current environment
  • 18. 18  Establish a baselineWhere are we?•  Scope yourenvironment•  Environment diagrams
  • 19. 19  Establish a baselineWhere are we?•  Scope yourenvironment•  Environment diagrams•  Engineering practices
  • 20. 20  Establish a baselineWhere are we?•  Scope yourenvironment•  Environment diagrams•  Engineering practices•  Data classification:where is the important“stuff”?•  Threat Modeling
  • 21. 21  Establish a baselineWhere are we?•  Scope yourenvironment•  Environment diagrams•  Engineering practices•  Data classification:where is the important“stuff”?•  Threat Modeling•  Tools•  Are they working securely?•  Simple solutions?•  Turn on functionality•  Add-ons•  Cost/benefit•  Change tools•  Reinforce environmentDon’t throw the baby out with thebathwater!
  • 22. 22  Where are we?•  Scope your environment•  Environment diagrams•  Engineering practices•  Data classification: whereis the important “stuff”?•  Threat Modeling•  Tools•  Usability!!!
  • 23. 23  What did EMC find?
  • 24. 24  2011 EMC Summary of 5 Common BrandsAnalysis of product features, notexisting implementationsRepository 1 Repository 2 Repository 3 Repository 4 Repository 5OutofBoxAddOnOutofBoxAddOnOutofBoxAddOnOutofBoxAddOnOutofBoxAddOnCorporate  authenMcaMon   ü ü ü ü üLogs  of  transacMons  against  access  controls  can  be  exported  to  a  monitoring  tool.   ü PARTIAL ü PARTIAL ü ü PARTIAL üGranular  access  controls   PARTIAL x PARTIAL x PARTIAL ü x üSupport  for  code  review  workflow   PARTIAL ü x ü x ü ü x ü11 High level policy criteria and 31 controls (not weighted)
  • 25. 25  2011 EMC Summary of 5 Common Brands11 High level policy criteria and 31 controls (not weighted)0%  10%  20%  30%  40%  50%  60%  70%  80%  90%  100%  Overall  Risk  Assessment  Percentages  Add-­‐On  Out  of  Box    Repository  1   Repository  2   Repository  3   Repository  4   Repository  5  Out-­‐of-­‐Box   Add-­‐On    Out-­‐of-­‐Box   Add-­‐On    Out-­‐of-­‐Box   Add-­‐On    Out-­‐of-­‐Box   Add-­‐On    Out-­‐of-­‐Box   Add-­‐On    TOTAL200 210 160 210 160 210 220 220 170 220(out  of  220)Percentage 91% 95% 73% 95% 73% 95% 100% 100% 77% 100%Difference:   5%   23%   23%   0%   23%Analysis ofproductfeatures, notexistingimplementations
  • 26. 26  EMC’s Observations•  Most major Source Code Repository systems can be madeacceptable•  All existing solutions can be made better•  Newer SCMs have more security built–in or added as features•  Source code is highly visible to many people regardless ofwhether the SCM is distributed (like Git) or not•  A poorly configured underlying platform or poor practices canundermine strength of any application controls that may exist
  • 27. 27  Managing change …… to steady state
  • 28. 28  ActionLike most organizational projects …•  Team•  Policies & Standards•  Evaluate•  Plan•  Implement… except this must be a continuous process.
  • 29. 29  Continuous Monitoring and ImprovementObserve  &  Orient  •  Minimize new options•  Until you get a handle on yourenvironment•  Don’t chase a moving target•  Assessments•  Security awareness trainingneeds to emphasize securesource code
  • 30. 30  Continuous Monitoring and ImprovementObserve  &  Orient  Decide  •  Minimize new options•  Until you get a handle on yourenvironment•  Don’t chase a moving target•  Assessments•  Security awareness trainingneeds to emphasize securesource code•  How will you evaluate newsolutions?•  Expand scope: other build-related tools and infrastructure
  • 31. 31  Triage  eGRC  Threat  Model  Assessment  Continuous Monitoring and ImprovementObserve  &  Orient  Decide  
  • 32. 32  Continuous Monitoring and ImprovementObserve  &  Orient  Decide  AcMon  •  Test•  Deploy•  Implementation guidance
  • 33. 33  Summary
  • 34. 34  Summary•  Evolving threats change how we need to think about source code security•  Collaboration: Expanding security awareness involves more stakeholders•  Policies & Standards: define security goals based on common securitystrategies•  Measure: Baseline environment•  Implement & manage change•  Expand frameworksImprove  security  in  the  source  code  environment  to  defend  against  threats  
  • 35. 35  Thank youStephanie Woiciechowski, GSECEMC Product Security Officestephanie.woiciechowski@emc.com