The Need for Open Source Security Standards in a Mobile and Cloudy World

           Dan Cornell
           CTO, Denim Group
           @danielcornell




© Copyright 2011 Denim Group - All Rights Reserved
Bio: Dan Cornell
 • Founder and CTO, Denim Group
 • Software developer by background (Java, .NET)

 • OWASP
         – San Antonio Chapter Leader
         – Open Review Project Leader
         – Chair of the Global Membership Committee


 • Speaking
         – RSA, SOURCE Boston
         – OWASP AppSec, Portugal Summit, AppSecEU Dublin
         – ROOTS in Norway



Denim Group Background

  • Secure software services and products company
           – Builds secure software
           – Helps organizations assess and mitigate risk of in-house developed and third party
             software
           – Provides classroom training and e-Learning so clients can build software securely
  • Software-centric view of application security
           – Application security experts are practicing developers
           – Development pedigree translates to rapport with development managers
           – Business impact: shorter time-to-fix application vulnerabilities
  • Culture of application security innovation and contribution
           – Develops open source tools to help clients mature their software security programs
                   • Remediation Resource Center, ThreadFix, Sprajax
           – OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
           – World class alliance partners accelerate innovation to solve client problems


The World Is Mobile and Cloudy


 • And Will Be Getting More So



 • Deal With It




What Are Executives Actually Scared Of?
 • Fuel price changes
 • Physical security
 • Global economy
 • Cross-Site Scripting (?)

 • Security needs to be aware of this when it weighs in

Mobile: Risk and Value
 • Mobile applications can create tremendous value for organizations
         – New classes of applications utilizing mobile capabilities: GPS, camera, etc.
         – Innovating applications for employees and customers
 • Mobile devices and mobile applications can create tremendous risks
         – Sensitive data inevitably stored on the device (email, contacts)
         – Connect to a lot of untrusted networks (carrier, WiFi)


 • Most developers are not trained to develop secure applications
         – Fact of life, but slowly getting better
 • Most developers are new to creating mobile applications
         – Different platforms have different security characteristics and capabilities




Generic Mobile Application Threat Model




What Mobile Users Are You Concerned About?

 • Mobile Application Users
         – Enterprise Users
                 • Employees
                 • Partners
         – Customer Users
                 • Paid Application Users
                 • Convenience Users
Cloud
 • Cost Savings
 • Ease of Deployment
 • Flexibility
 • Security?


This is (was) Your Threat Model




This is Your Threat Model on “Cloud”




Security Team’s First Concern…
 • Stay in the conversation

 • Identify these initiatives
 • Make sure you get to participate

 • This means you have to add value



Innovation Pressure Leads to Rogue Mobile Efforts

 • “We’re thinking about doing some mobile applications”
 • “Actually your iPhone app went live 6 months ago and your Android app went live last week…”

 • Initiatives being driven from “Office of the CTO”, R&D, and Marketing




Cost and Ease of Use Pressures Lead to Rogue Cloud Deployments

 • “What do you mean the CEO’s IT trouble tickets are handled by a SaaS provider?”

 • “When did we start using BaseCamp and Google Docs to manage customer projects?”

 • Any employee with a $500/month corporate credit card can now be their own purchasing officer



Procurement Challenges
 • How do we better judge risk?

 • How can we make the decision process simpler?




What Are App Stores Promising Stakeholders?
 • What does Apple do?

 • What does Google do?

 • What does your enterprise do?


Challenges for Both Suppliers and Consumers
 • Did you want an automated scan or a full design assessment with manual source code review?
 • ’Cause that has an impact on scope and price…
 • Consumers of software and services must be able to articulate the level of security assurance they require
         – Otherwise it is a financial race to the bottom
         – RFPs: Garbage in, garbage out

Service Provider Dilemma
 • Certain customers want some sort of assurance, but are not necessarily sophisticated and do not know what to ask for
 • Other customers require deeper assurance
We Need a Better Way To Communicate


 • Processes



 • Results




What Have We Tried in the Past?

 • Common Criteria

 • PCI-DSS



Common Criteria








Payment Card Industry Data Security Standard (PCI-DSS)

 • Initially based on the OWASP Top 10

 • Now more open, but still based on vulnerability lists


Recent Developments
 • Process:
         – OpenSAMM
         – BSIMM
 • Results:
         – Penetration Testing Execution Standard (PTES)
         – OWASP Application Security Verification Standard (ASVS)
Geekonomics by David Rice
 • Great insight into economic and legal issues for software security and reliability

 • Calls for better software construction and testing standards

Comparing Software to Food
 • Jeff Williams and nutrition labels for software

 • John Dickson and restaurant cleanliness ratings



OpenSAMM and BSIMM
 • Externally look very similar
         – Both are three-level maturity models
         – Both have 12 different major areas of concern


 • Methodology is very different
         – BSIMM based on data from industry leaders
         – OpenSAMM based on general industry consensus




Penetration Testing Execution Standard
 • Emerging standard for penetration testers

 • Suitable for operational environments




Application Security Verification Standard
 • Defines multiple levels to correspond with the degree of inspection

 • Currently available for web applications, but other derivatives in the works

A Case Study
 • Service provider for the financial services industry

 • Hounded by small and large clients




A Case Study (continued)
 • Used a combination of OpenSAMM and OWASP ASVS
 • Extended to meet certain special requirements
 • Detailed report provided to client
 • Summary report provided to interested parties


So What Does This Get Us?
 • Application consumers can know what they are getting

 • Applications providers can clearly communicate the security state of
   their offerings




 • World peace?




And What Are We Still Lacking?
 • Is a “standard” being appropriately applied?

 • Is the evaluation being done at an appropriate technical granularity?

 • How do you report and communicate business risk?

 • How do you avoid a “checkbox” mentality?




What Can You Do To Be a Winner?
 • Involve yourself in these key conversations

 • Discuss your verification requirements

 • Secure your right to test

 • Reward the good and punish the bad
References
 • Geekonomics
         – http://www.geekonomicsbook.com/
 • Common Criteria
         – https://secure.wikimedia.org/wikipedia/en/wiki/Common_criteria
 • Building Security In Maturity Model (BSIMM)
         – http://bsimm.com/
 • Open Software Assurance Maturity Model (OpenSAMM)
         – http://www.opensamm.org/
 • Penetration Testing Execution Standard (PTES)
         – http://www.pentest-standard.org/
 • OWASP Application Security Verification Standard (ASVS)
         – https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project



Questions?
 Dan Cornell
 dan@denimgroup.com
 Twitter: @danielcornell

 www.denimgroup.com
 blog.denimgroup.com
 (210) 572-4400




