AdaCore, profile picture
Uploaded byAdaCore
415 views

Secure software chapman

This document summarizes a presentation on secure software development given by Rod Chapman. It discusses how safety-critical systems have historically used formal methods like correctness-by-construction (CbyC) to build reliable systems. However, secure systems operate in a malicious environment and must assume arbitrary attacks. While CbyC offers confidence by verifying properties, it is not a silver bullet and still requires solid security engineering. There are also concerns that efforts focus too much on legacy code instead of prevention and that security requirements are an infinite set that cannot be fully enumerated. The future may involve combining formal verification of critical components with other techniques for less critical parts and architecting to isolate systems of differing security needs.

Embed presentation

Download to read offline
High Assurance Software Symposium Directions in Secure Software Development Rod Chapman
Contents • Some observations • Experiences with secure systems… • Trends and Concerns • A future?
Some observations • The safety-critical industry has been building remarkably reliable and high-quality systems for years… • Can we apply the same approach for secure systems? • At Altran Praxis, we first tested this hypothesis in 1999 with the MULTOS CA system. • It seems the answer is “Yes…but with a few key assumptions changed…”
Some observations • In the last ten years or so, we have seen a huge rise in interest in “security vulnerabilities” in • operating systems, • embedded systems, • SCADA systems etc. • What changed?
What changed? • In “Software Security: Building Security In…”, Gary McGraw cites three main areas of change…
What changed? • Connectivity • “Let’s network everything!”
What changed? • Extensibility • “Dynamically loadable everything!”
What changed? • Growth in complexity • More code implies more bugs
Safety and security… the difference? • Possibly the most notable difference is in the environment itself. • Safety-related systems – mostly operate in a benign environment that we can control to some extent. • Security-critical systems operate in a openly malicious environment where we might have no control over inputs, access, and so on • ..and…attackers are arbitrarily intelligent, well-funded and motivated. • “Programming Satan’s Computer” [Needham and Anderson]
Experiences with Security • In the worst-case, we must assume systems will be attacked in a way that we haven’t even thought of (let alone tested)… • Therefore any sole claim of “we’ve tested it lots”, or “we’ve tested it more…” offer limited confidence for security properties • So – why not use formal methods and sound static verification – i.e. Correctness-by-Construction? • Examples: MULTOS CA, Tokeneer, SPARKSkein, and other SPARK users.
Experiences with Security • At a technical level, strong static verification offers confidence in a number of basic areas: • Absence of “dumb bugs”… • Verification of specific program properties of interest. • But...no silver bullet. There is still a need for solid requirements engineering, security engineering, architecture and so on.
Trends and Concerns • Trend: massive resurgence in interest in static analysis in general. (How many companies selling “security vulnerability finder” tools???) • Good! Raises awareness and average maturity. • Concern: Almost all effort aimed at “low hanging fruit” of retrospective analysis of legacy code- bases. Gives the impression that this is the only thing you can do…
Trends and Concerns • Trend: lots of effort in “enumeration” of defects, vulnerabilities, etc. • Examples: SANS “Top 25” list, CVE, CWE, ISO OWGV effort etc. • Good! Provides a starting point.. • Concern: Encourages “box ticking” mentality. • Concern: Application-specific security requirements (i.e. the interesting stuff) is an infinite set. Trying to enumerate it is unlikely to terminate!
A Future? • We have shown that the CbyC/SPARK approach can yield strong results, particularly for the highest-grade secure systems. • But…many systems incorporate: • Legacy code, COTS, “SOUP”, many languages, developed by many teams… • The boundary between “safety” and “security” is becoming blurred – many systems exhibit “both”…
A Future? • Can we use architecture to isolate (sub-)systems of differing security requirements? • Can we combine verification evidence from multiple sources to gain confidence where it’s most needed? • Formal methods for the most critical components? • Test, isolate, and contain for the less critical? • What can we do to contractualize and enforce the boundary between such components?
Altran Praxis Limited 22 St. Lawrence Street, Southgate, Bath BA1 1AN United Kingdom Telephone +44 (0) 1225 466991 Facsimile +44 (0) 1225 469006 Website www.altran-praxis.com Email rod.chapman@altran-praxis.com

More Related Content

PPTX
2016 virus bulletin
byAdrian Sanabria
 
PPTX
The R.O.A.D to DevOps
bySeniorStoryteller
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
PDF
System Security Beyond the Libraries
byEoin Woods
 
PDF
Ensuring Security through Continuous Testing
byTechWell
 
PPTX
The road goes ever on and on by Ciaran Conliffe
byDevSecCon
 
PPTX
Perforce on Tour 2015 - How are You Protecting Your Source Code?
byPerforce
 
PDF
API Vulnerabilties and What to Do About Them
byEoin Woods
 
2016 virus bulletin
byAdrian Sanabria
 
The R.O.A.D to DevOps
bySeniorStoryteller
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
byAdrian Sanabria
 
System Security Beyond the Libraries
byEoin Woods
 
Ensuring Security through Continuous Testing
byTechWell
 
The road goes ever on and on by Ciaran Conliffe
byDevSecCon
 
Perforce on Tour 2015 - How are You Protecting Your Source Code?
byPerforce
 
API Vulnerabilties and What to Do About Them
byEoin Woods
 

What's hot

PDF
Why does security matter for devops by Caroline Wong
byDevSecCon
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PPTX
451 and Cylance - The Roadmap To Better Endpoint Security
byAdrian Sanabria
 
PDF
Core define and_win_cmd_line gr
byFrancisco Anastácio
 
PPTX
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
PDF
Common WebApp Vulnerabilities and What to Do About Them
byEoin Woods
 
PPTX
Turning security into code by Jeff Williams
byDevSecCon
 
PDF
The Intersection Between Open Source and Cybersecurity
byBlack Duck by Synopsys
 
PDF
Chaos engineering for cloud native security
byKennedy
 
PDF
Using security to drive chaos engineering
byDinis Cruz
 
PPTX
6 Most Common Threat Modeling Misconceptions
byCigital
 
PDF
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
PPTX
7 Steps to Build a SOC with Limited Resources
byLogRhythm
 
PDF
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
byDevSecCon
 
PPT
The Case for Continuous Open Source Management
byBlack Duck by Synopsys
 
PDF
Building Security Controls around Attack Models
bySeniorStoryteller
 
PPTX
The path of secure software by Katy Anton
byDevSecCon
 
PPT
Baselining Logs
byAnton Chuvakin
 
PPTX
NTXISSACSC2 - Software Assurance (SwA) by John Whited
byNorth Texas Chapter of the ISSA
 
PPTX
Information Security Life Cycle
byvulsec123
 
Why does security matter for devops by Caroline Wong
byDevSecCon
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
451 and Cylance - The Roadmap To Better Endpoint Security
byAdrian Sanabria
 
Core define and_win_cmd_line gr
byFrancisco Anastácio
 
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
byOutpost24
 
Common WebApp Vulnerabilities and What to Do About Them
byEoin Woods
 
Turning security into code by Jeff Williams
byDevSecCon
 
The Intersection Between Open Source and Cybersecurity
byBlack Duck by Synopsys
 
Chaos engineering for cloud native security
byKennedy
 
Using security to drive chaos engineering
byDinis Cruz
 
6 Most Common Threat Modeling Misconceptions
byCigital
 
DevSecOps in 2031: How robots and humans will secure apps together Log
byStefan Streichsbier
 
7 Steps to Build a SOC with Limited Resources
byLogRhythm
 
DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling
byDevSecCon
 
The Case for Continuous Open Source Management
byBlack Duck by Synopsys
 
Building Security Controls around Attack Models
bySeniorStoryteller
 
The path of secure software by Katy Anton
byDevSecCon
 
Baselining Logs
byAnton Chuvakin
 
NTXISSACSC2 - Software Assurance (SwA) by John Whited
byNorth Texas Chapter of the ISSA
 
Information Security Life Cycle
byvulsec123
 

Similar to Secure software chapman

PDF
AppSec in an Agile World
byDavid Lindner
 
PPT
Testingfor Sw Security
byankitmehta21
 
PPSX
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
byManoj Purandare ☁
 
PPTX
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
byManoj Purandare ☁
 
PPTX
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
byManoj Purandare ☁
 
PDF
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
PDF
Ibm עמרי וייסמן
bylihig
 
PDF
Omri
bylihig
 
PDF
Ibm עמרי וייסמן
bylihig
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PPTX
Improve Security through Continuous Testing
byTechWell
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PPTX
How to Get the Most Out of Security Tools
bySecurity Innovation
 
PDF
Threat modelling & apps testing
byAdrian Munteanu
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
Software Engineering and Information Security
byMassimo Felici
 
PPTX
Reduce Third Party Developer Risks
byKevo Meehan
 
PPTX
Security Architecture for Cyber Physical Systems
byAlan Tatourian
 
PPTX
Security engineering
byOWASP Indonesia Chapter
 
AppSec in an Agile World
byDavid Lindner
 
Testingfor Sw Security
byankitmehta21
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
byManoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
byManoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
byManoj Purandare ☁
 
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
Ibm עמרי וייסמן
bylihig
 
Omri
bylihig
 
Ibm עמרי וייסמן
bylihig
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
The Future of Software Security Assurance
byRafal Los
 
Improve Security through Continuous Testing
byTechWell
 
The Future of DevSecOps
byStefan Streichsbier
 
How to Get the Most Out of Security Tools
bySecurity Innovation
 
Threat modelling & apps testing
byAdrian Munteanu
 
Software Security in the Real World
byMark Curphey
 
Software Engineering and Information Security
byMassimo Felici
 
Reduce Third Party Developer Risks
byKevo Meehan
 
Security Architecture for Cyber Physical Systems
byAlan Tatourian
 
Security engineering
byOWASP Indonesia Chapter
 

More from AdaCore

PDF
RCA OCORA: Safe Computing Platform using open standards
byAdaCore
 
PDF
Have we a Human Ecosystem?
byAdaCore
 
PDF
Rust and the coming age of high integrity languages
byAdaCore
 
PDF
SPARKNaCl: A verified, fast cryptographic library
byAdaCore
 
PDF
Developing Future High Integrity Processing Solutions
byAdaCore
 
PDF
Taming event-driven software via formal verification
byAdaCore
 
PDF
Pushing the Boundary of Mostly Automatic Program Proof
byAdaCore
 
PDF
RCA OCORA: Safe Computing Platform using open standards
byAdaCore
 
PDF
Product Lines and Ecosystems: from customization to configuration
byAdaCore
 
PDF
Securing the Future of Safety and Security of Embedded Software
byAdaCore
 
PDF
Spark / Ada for Safe and Secure Firmware Development
byAdaCore
 
PDF
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
byAdaCore
 
PDF
The Future of Aerospace – More Software Please!
byAdaCore
 
PDF
Adaptive AUTOSAR - The New AUTOSAR Architecture
byAdaCore
 
PDF
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
byAdaCore
 
PDF
Software Engineering for Robotics - The RoboStar Technology
byAdaCore
 
PDF
MISRA C in an ISO 26262 context
byAdaCore
 
PPTX
Application of theorem proving for safety-critical vehicle software
byAdaCore
 
PDF
The Application of Formal Methods to Railway Signalling Software
byAdaCore
 
PDF
Bounded Model Checking for C Programs in an Enterprise Environment
byAdaCore
 
RCA OCORA: Safe Computing Platform using open standards
byAdaCore
 
Have we a Human Ecosystem?
byAdaCore
 
Rust and the coming age of high integrity languages
byAdaCore
 
SPARKNaCl: A verified, fast cryptographic library
byAdaCore
 
Developing Future High Integrity Processing Solutions
byAdaCore
 
Taming event-driven software via formal verification
byAdaCore
 
Pushing the Boundary of Mostly Automatic Program Proof
byAdaCore
 
RCA OCORA: Safe Computing Platform using open standards
byAdaCore
 
Product Lines and Ecosystems: from customization to configuration
byAdaCore
 
Securing the Future of Safety and Security of Embedded Software
byAdaCore
 
Spark / Ada for Safe and Secure Firmware Development
byAdaCore
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
byAdaCore
 
The Future of Aerospace – More Software Please!
byAdaCore
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
byAdaCore
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
byAdaCore
 
Software Engineering for Robotics - The RoboStar Technology
byAdaCore
 
MISRA C in an ISO 26262 context
byAdaCore
 
Application of theorem proving for safety-critical vehicle software
byAdaCore
 
The Application of Formal Methods to Railway Signalling Software
byAdaCore
 
Bounded Model Checking for C Programs in an Enterprise Environment
byAdaCore
 

Secure software chapman

  • 1.
    High Assurance SoftwareSymposium Directions in Secure Software Development Rod Chapman
  • 2.
    Contents • Some observations •Experiences with secure systems… • Trends and Concerns • A future?
  • 3.
    Some observations • Thesafety-critical industry has been building remarkably reliable and high-quality systems for years… • Can we apply the same approach for secure systems? • At Altran Praxis, we first tested this hypothesis in 1999 with the MULTOS CA system. • It seems the answer is “Yes…but with a few key assumptions changed…”
  • 4.
    Some observations • Inthe last ten years or so, we have seen a huge rise in interest in “security vulnerabilities” in • operating systems, • embedded systems, • SCADA systems etc. • What changed?
  • 5.
    What changed? • In“Software Security: Building Security In…”, Gary McGraw cites three main areas of change…
  • 6.
    What changed? • Connectivity • “Let’s network everything!”
  • 7.
    What changed? • Extensibility • “Dynamically loadable everything!”
  • 8.
    What changed? • Growthin complexity • More code implies more bugs
  • 9.
    Safety and security… the difference? • Possibly the most notable difference is in the environment itself. • Safety-related systems – mostly operate in a benign environment that we can control to some extent. • Security-critical systems operate in a openly malicious environment where we might have no control over inputs, access, and so on • ..and…attackers are arbitrarily intelligent, well-funded and motivated. • “Programming Satan’s Computer” [Needham and Anderson]
  • 10.
    Experiences with Security • In the worst-case, we must assume systems will be attacked in a way that we haven’t even thought of (let alone tested)… • Therefore any sole claim of “we’ve tested it lots”, or “we’ve tested it more…” offer limited confidence for security properties • So – why not use formal methods and sound static verification – i.e. Correctness-by-Construction? • Examples: MULTOS CA, Tokeneer, SPARKSkein, and other SPARK users.
  • 11.
    Experiences with Security • At a technical level, strong static verification offers confidence in a number of basic areas: • Absence of “dumb bugs”… • Verification of specific program properties of interest. • But...no silver bullet. There is still a need for solid requirements engineering, security engineering, architecture and so on.
  • 12.
    Trends and Concerns • Trend: massive resurgence in interest in static analysis in general. (How many companies selling “security vulnerability finder” tools???) • Good! Raises awareness and average maturity. • Concern: Almost all effort aimed at “low hanging fruit” of retrospective analysis of legacy code- bases. Gives the impression that this is the only thing you can do…
  • 13.
    Trends and Concerns • Trend: lots of effort in “enumeration” of defects, vulnerabilities, etc. • Examples: SANS “Top 25” list, CVE, CWE, ISO OWGV effort etc. • Good! Provides a starting point.. • Concern: Encourages “box ticking” mentality. • Concern: Application-specific security requirements (i.e. the interesting stuff) is an infinite set. Trying to enumerate it is unlikely to terminate!
  • 14.
    A Future? • We have shown that the CbyC/SPARK approach can yield strong results, particularly for the highest-grade secure systems. • But…many systems incorporate: • Legacy code, COTS, “SOUP”, many languages, developed by many teams… • The boundary between “safety” and “security” is becoming blurred – many systems exhibit “both”…
  • 15.
    A Future? • Can we use architecture to isolate (sub-)systems of differing security requirements? • Can we combine verification evidence from multiple sources to gain confidence where it’s most needed? • Formal methods for the most critical components? • Test, isolate, and contain for the less critical? • What can we do to contractualize and enforce the boundary between such components?
  • 16.
    Altran Praxis Limited 22 St. Lawrence Street, Southgate, Bath BA1 1AN United Kingdom Telephone +44 (0) 1225 466991 Facsimile +44 (0) 1225 469006 Website www.altran-praxis.com Email rod.chapman@altran-praxis.com