The Need For Open Software Security Standards In A Mobile And Cloudy World

The security landscape is changing and the security industry must adapt to stay relevant. The economic and scale benefits of the cloud are causing organizations to move sensitive business processes and data outside of the safety of the corporate environment. New business models and other opportunities to create value through innovation are moving sensitive data and code onto untrusted mobile devices. Organizations are going to adopt these new cloud and mobile technologies and information security practitioners will be forced to evolve current models for risk management and mitigation. This presentation discusses the need for open software security standards to support this evolution. Being required to trust cloud service providers leads to a need for increased visibility into the software security practices of those providers. In addition, reliance on these providers’ software as well as the requirement to place software in untrusted environments such as mobile devices creates a demand for better standards for evaluating the security state of complicated systems. Many previous efforts have been focused on proprietary models that failed to provide sufficient insight or on models that lacked a level of technical rigor required to provide assurance. The solutions to these issues are open standards that are based on the real risks organizations encounter when adopting cloud and mobile technologies and the presentation outlines potential paths forward that can provide risk managers with the assurances they need while also freeing up businesses to intelligently consume emerging technologies.

  1. The Need for Open Source Security Standards in a Mobile and Cloudy World
     Dan Cornell, CTO, Denim Group, @danielcornell
     © Copyright 2011 Denim Group - All Rights Reserved
  2. Bio: Dan Cornell
     • Founder and CTO, Denim Group
     • Software developer by background (Java, .NET)
     • OWASP
       – San Antonio Chapter Leader
       – Open Review Project Leader
       – Chair of the Global Membership Committee
     • Speaking
       – RSA, SOURCE Boston
       – OWASP AppSec, Portugal Summit, AppSecEU Dublin
       – ROOTS in Norway
  3. Denim Group Background
     • Secure software services and products company
       – Builds secure software
       – Helps organizations assess and mitigate risk of in-house developed and third party software
       – Provides classroom training and e-Learning so clients can build software securely
     • Software-centric view of application security
       – Application security experts are practicing developers
       – Development pedigree translates to rapport with development managers
       – Business impact: shorter time-to-fix for application vulnerabilities
     • Culture of application security innovation and contribution
       – Develops open source tools to help clients mature their software security programs: Remediation Resource Center, ThreadFix, Sprajax
       – OWASP national leaders and regular speakers at RSA, SANS, OWASP, ISSA, CSI
       – World class alliance partners accelerate innovation to solve client problems
  4. The World Is Mobile and Cloudy
     • And will be getting more so
     • Deal with it
  5. What Are Executives Actually Scared Of?
     • Fuel price changes
     • Physical security
     • Global economy
     • Cross-Site Scripting (?)
     • Security needs to be aware of this when they weigh in
  6. Mobile: Risk and Value
     • Mobile applications can create tremendous value for organizations
       – New classes of applications utilizing mobile capabilities: GPS, camera, etc.
       – Innovative applications for employees and customers
     • Mobile devices and mobile applications can create tremendous risks
       – Sensitive data inevitably stored on the device (email, contacts)
       – Connect to a lot of untrusted networks (carrier, WiFi)
     • Most developers are not trained to develop secure applications
       – Fact of life, but slowly getting better
     • Most developers are new to creating mobile applications
       – Different platforms have different security characteristics and capabilities
  7. Generic Mobile Application Threat Model (diagram)
  8. What Mobile Users Are You Concerned About?
     • Mobile Application Users
       – Enterprise Users: Employees, Partners
       – Customer Users: Paid Application Users, Convenience Users
  9. Cloud
     • Cost savings
     • Ease of deployment
     • Flexibility
     • Security?
  10. This Is (Was) Your Threat Model (diagram)
  11. This Is Your Threat Model on "Cloud" (diagram)
  12. Security Team's First Concern…
     • Stay in the conversation
     • Identify these initiatives
     • Make sure you get to participate
     • This means you have to add value
  13. Innovation Pressure Leads to Rogue Mobile Efforts
     • "We're thinking about doing some mobile applications"
     • "Actually your iPhone app went live 6 months ago and your Android app went live last week…"
     • Initiatives being driven from "Office of the CTO", R&D, and Marketing
  14. Cost and Ease of Use Pressures Lead to Rogue Cloud Deployments
     • "What do you mean the CEO's IT trouble tickets are handled by a SaaS provider?"
     • "When did we start using BaseCamp and Google Docs to manage customer projects?"
     • Any employee with a $500/month corporate credit card can now be their own purchasing officer
  15. Procurement Challenges
     • How do we better judge risk?
     • How can we make the decision process simpler?
  16. What Are App Stores Promising Stakeholders?
     • What does Apple do?
     • What does Google do?
     • What does your enterprise do?
  17. Challenges for Both Suppliers and Consumers
     • Did you want an automated scan or a full design assessment with manual source code review?
     • 'Cause that has an impact on scope and price…
     • Consumers of software and services must be able to articulate the level of security assurance they require
       – Otherwise it is a financial race to the bottom
       – RFPs: garbage in, garbage out
  18. Service Provider Dilemma
     • Certain customers want some sort of assurance, but are not necessarily sophisticated and do not know what to ask for
     • Other customers require deeper assurance
  19. We Need a Better Way To Communicate
     • Processes
     • Results
  20. What Have We Tried in the Past?
     • Common Criteria
     • PCI-DSS
  21. Common Criteria (image)
  22. Payment Card Industry Data Security Standard
     • Initially based on the OWASP Top 10
     • Now more open, but still based on vulnerability lists
  23. Recent Developments
     • Process:
       – OpenSAMM
       – BSIMM
     • Results:
       – Penetration Testing Execution Standard (PTES)
       – OWASP Application Security Verification Standard (ASVS)
  24. Geekonomics by David Rice
     • Great insight into economic and legal issues for software security and reliability
     • Calls for better software construction and testing standards
  25. Comparing Software to Food
     • Jeff Williams and nutrition labels for software
     • John Dickson and restaurant cleanliness ratings
  26. OpenSAMM and BSIMM
     • Externally look very similar
       – Both are three-level maturity models
       – Both have 12 different major areas of concern
     • Methodology is very different
       – BSIMM based on data from industry leaders
       – OpenSAMM based on general industry consensus
  27. Penetration Testing Execution Standard
     • Emerging standard for penetration testers
     • Suitable for operational environments
  28. Application Security Verification Standard
     • Defines multiple levels to correspond with the degree of inspection
     • Currently available for web applications, but other derivatives in the works
  29. A Case Study
     • Service provider for the financial services industry
     • Hounded by small and large clients
  30. A Case Study (continued)
     • Used a combination of OpenSAMM and OWASP ASVS
     • Extended to meet certain special requirements
     • Detailed report provided to client
     • Summary report provided to interested parties
  31. So What Does This Get Us?
     • Application consumers can know what they are getting
     • Application providers can clearly communicate the security state of their offerings
     • World peace?
  32. And What Are We Still Lacking?
     • Is a "standard" being appropriately applied?
     • Is the evaluation being done at an appropriate technical granularity?
     • How do you report and communicate business risk?
     • How do you avoid a "checkbox" mentality?
  33. What Can You Do To Be a Winner?
     • Involve yourself in these key conversations
     • Discuss your verification requirements
     • Secure your right to test
     • Reward the good and punish the bad
  34. References
     • Geekonomics – http://www.geekonomicsbook.com/
     • Common Criteria – https://secure.wikimedia.org/wikipedia/en/wiki/Common_criteria
     • Building Security In Maturity Model (BSIMM) – http://bsimm.com/
     • Open Software Assurance Maturity Model (OpenSAMM) – http://www.opensamm.org/
     • Penetration Testing Execution Standard (PTES) – http://www.pentest-standard.org/
     • OWASP Application Security Verification Standard (ASVS) – https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  35. Questions?
     Dan Cornell
     dan@denimgroup.com
     Twitter: @danielcornell
     www.denimgroup.com
     blog.denimgroup.com
     (210) 572-4400
