Harold Toomey, Principal Product Security Architect; McAfee, Part of Intel Security
My Other Marathon
When it comes to enterprise IT applications, what happens before you purchase the software can significantly impact your business even after it is installed with the best security controls. Learn what software developers should be doing to ensure their code is free from vulnerabilities before you ever put their products into an operational environment. People, processes, and technology needed to run a successful software security program and incident response team (PSIRT) will be covered. The tasks required to do this have been adapted to both waterfall and agile development methodologies. Each task will be compared to my recent journey of running my first 100 mile ultra-marathon. I will answer the question: “Which is less painful, developing secure software or running a 100 mile race?”
Doug Landoll, CEO, Lantego
Why Lead with Risk?
There are many approaches to establishing, maintaining and improving information security programs: technology-centric, policy-driven, framework-based, audit-driven, compliance-driven, or risk-based. Mr. Landoll will discuss each of these approaches and give concrete examples of why the only effective approach is to lead with risk. The presentation will also give pointers on conducting an effective security risk assessment and establishing a risk management process. Many of these approaches are based on Mr. Landoll's book, The Security Risk Assessment Handbook (2011).
Info Sec Opportunity – Embracing Big Data with People, Process, & Technology
Participants will gain increased awareness of how to begin and/or expand channels for utilizing Big Data to enhance their respective programs via People, Process & Technology.
John Whited, Principal Engineer, Raytheon
Software Assurance
Software Assurance (SwA) is also known by many other names -- application security, software security, secure application development, and others. The numbers vary from study to study, but a vast majority of cyber-attacks at least involve an element of attack on one or more software applications. Fundamentally, SwA provides a level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner. SwA is a development lifecycle endeavor requiring the participation of many disciplines. This presentation will explore some of the best practices in secure software development across its lifecycle.
Steven Hatfield, Vulnerability Management Senior Advisor, Dell
Social Engineering 101 or the Art of How You Got Owned by That Stranger
Steven will cover the basics of Social Engineering and the different attack vectors that have worked, with real-world examples from friends currently conducting such tests; he will also provide sources for gathering more information on the topic and present ways to prevent such attacks in the future.
Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon
Advanced Persistent Threat Life Cycle Management
This presentation will cover the full Advanced Persistent Threat (APT) Life Cycle and Management of the resulting intrusions. It will cover both what the APTs are doing as attackers and what we as defenders should be doing for both the APT Mission Flows and the Computer Network Defense (CND) Mission Flows.
Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon
Kid Proofing the Internet of Things
This presentation is intended to address the unique challenges parents face in securing their home networks both against their kids and in order to protect their kids from the evils of the Internet. It is particularly focused on the problems the Internet of Things brings to us as parents.
Jon Murphy, National Practice Lead, AOS
Top 10 Trends for 2015 in Information Tech Risk Management
ITRM is more than merely security hardware and apps under the control of an overworked network admin. It is strategic and tactical process, technology, and people in various roles and at various levels working collaboratively to protect vital organizational assets such as data, information, the ability to deliver on time, and reputation. Organizations need continuous, current, Actionable Insight(SM) about the probable sources of high-impact risks and threats. Then and only then are they adequately prepared to make the smartest investments in continuing education, process improvement, and procedures for the proper use of the right technology for their situation. This multimedia, interactive presentation will cover the current top trends for 2015 in ITRM and that Actionable Insight(SM): what your organization can and should do about likely and impactful IT risks and vulnerabilities.
Using a Network Model to Address SANS Critical Controls 10 and 11 (Skybox Security)
Skybox Security joins SANS to discuss using a network model to gain insight into your attack surface and to address SANS Critical Controls 10 and 11.
Jake Williams - Navigating the FDA Recommendations on Medical Device Security (centralohioissa)
In January, the FDA issued draft recommendations for medical device security after the sale. Among other things, the recommendations tell manufacturers how to evaluate security risks, how to build a coordinated vulnerability disclosure program, and how to intake vulnerability reports from researchers. While the security of medical devices is especially important given the potential consequences, we can learn from the FDA recommendations regardless of our industry. Any recommendations adopted by the FDA for medical devices are likely to be implemented across other verticals for their IoT devices as well. Whether you manufacture, purchase, integrate, implement, or generally try to run away from IoT devices, there's plenty to take away from this session while learning about the future of IoT device security.
Journey to the Cloud: Securing Your AWS Applications - April 2015 (Alert Logic)
James Brown, Director of Cloud Computing & Security Architecture, Alert Logic, covers:
• The shared security model: which security controls you are responsible for (protecting your content, applications, systems and networks) versus what AWS provides.
• Overview of the OWASP Top 10 most critical web application security risks (such as SQL injection)
• Best practices for how to protect your environment from the latest threats
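SQL injection is the one OWASP Top 10 risk the agenda above names. The following is an added illustration, not material from the webinar or from Alert Logic: it places a login query built by string formatting next to the same query with bound parameters, and runs both against a constructed in-memory SQLite table (the user names, passwords and the `' OR '1'='1' --` payload are all made up for the demo).

```python
"""Added example: SQL injection (OWASP Top 10 "Injection") shown as a
vulnerable query next to its parameterized fix. Uses an in-memory SQLite
database with constructed sample data; not code from the webinar."""
import sqlite3

# Constructed sample data (not from the page).
USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the statement by string formatting: attacker-controlled input
    becomes part of the SQL text, so a quote character rewrites the query."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the driver passes the values
    separately from the statement, so they can never alter its structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Classic tautology payload (constructed); the trailing "--" comments out
# the password check in the vulnerable version.
INJECTION = "' OR '1'='1' --"


def demo() -> dict:
    """Run both login functions with valid and injected credentials."""
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "s3cret-alice"),
        "valid_safe": login_parameterized(conn, "alice", "s3cret-alice"),
        "injected_vuln": login_vulnerable(conn, INJECTION, "anything"),
        "injected_safe": login_parameterized(conn, INJECTION, "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

With the payload, the formatted statement becomes `... WHERE username = '' OR '1'='1' --' AND password = 'anything'`, which returns every user; the parameterized version treats the payload as an ordinary (non-matching) user name and returns nothing.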
Robert Hurlbut - Threat Modeling for Secure Software Design (centralohioissa)
Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regard to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or have tried threat modeling before but haven't quite figured out how to connect the threat models to real-world software development and its priorities. In this session, you will learn practical strategies for using threat modeling in secure software design and how to apply risk management in dealing with the threats.
Top 5 Cloud Security Predictions for 2016 (Alert Logic)
Join Alert Logic Chief Strategy Officer and Co-Founder Misha Govshteyn as he presents his predictions for the state of cloud security in 2016, including:
-The rise of cloud adoption and how businesses will approach the cloud
-What the threat landscape for cloud environments will look like
-How data and analytics will evolve to meet cloud adoption
...and more.
You’ll get a clear view of what expert security researchers are expecting in the coming year for organizations like yours who are leveraging the power of cloud infrastructure.
See the accompanying webinar here: https://www.alertlogic.com/resources/webinars/top-5-cloud-security-predictions-for-2016/
Layered Security / Defense in Depth
One area that I have found that even seasoned security professionals have a problem with articulating is layered security (defense in depth). Most are familiar with their area of expertise (servers, networks, pen testing, etc.), but have never viewed security as a heterogeneous process. In my presentation I use a layered diagram to highlight what controls are in what layers, what controls interact across layers, and what a complete layered security model would look like vs. what a more typical company security model does look like.
Nathan Shepard
CISSP, CISM, CRISC, CISA
33 Years in IT.
21 Years in Information Security.
Information Security consulting at the corporate governance level.
Information Security management for outsourced InfoSec delivery.
Wireless Infusion Pumps: Securing Hospitals' Most Ubiquitous Medical Device (Priyanka Aash)
Imagine being dependent on a wireless infusion pump to receive the correct dosage of life-supporting medication. Now imagine the implications, were that pump to be maliciously hacked. In this session learn more about how to successfully secure these medical devices, based on work being conducted at the National Cybersecurity Center of Excellence (NCCoE) with premier health care organizations.
(Source: RSA USA 2016-San Francisco)
Introducing the Vulnerability Management Maturity Model - VM3
The information security landscape has evolved significantly during the last 5 years with the emergence and wider use of new technologies such as Cloud, BYOD, Mobile and the Internet of Things. Alongside this landscape, corporate organizations' key defense leaders (CIOs, CSOs and CISOs) have evolved in their information security defense strategies, as well as in how they think about and approach information security. This different and evolved landscape, combined with defense leaders' new mindset, has influenced key information security processes and, in particular, has resulted in a greater understanding of the process of Vulnerability Management.
This session presents a Vulnerability Management Maturity Model, referred to as VM3, which identifies six different levels of vulnerability management maturity within which different organizations operate. Detailed findings and lessons learned from a recent study on vulnerability management maturity are shared.
The session covers the six high-level activities, as well as the surrounding business environment, which characterize an organization's execution of the vulnerability management process. Key challenges present within each of the six high-level activities of vulnerability management, as well as challenges imposed by the organization's surrounding business environment, are identified and described. Attendees will learn how these key challenges impede one's ability to achieve higher levels of maturity, as well as strategies for overcoming them. Attendees will also learn how they may help their organization evolve to higher levels of vulnerability management maturity, with the goal of achieving lower levels of information security risk.
Gordon MacKay, CISSP, Software/Systems Guru with a dash of security hacking, serves as CTO for Digital Defense, Inc. He applies mathematical modeling and engineering principles in investigating solutions to many of the challenges within the information security space. His solution to matching network discovered hosts within independent vulnerability assessments across time resulted in achieving patent-pending status for the company’s scanning technology.
He has presented at many conferences including ISC2 Security Summit, Cyber Texas, BSides Detroit, BSides San Antonio, BSides Austin, BSides DFW, RSA and more, and has been featured by top media outlets such as Fox News, CIO Review, Softpedia and others.
He holds a Bachelor's in Computer Engineering from McGill University and is a Distinguished Ponemon Institute Fellow.
HIPAA 101: Compliance Threat Landscape & Best Practices (Hostway|HOSTING)
The healthcare IT landscape is changing daily, and trying to keep up with requirements like HIPAA and HITECH can leave you and your clients extremely vulnerable. Register today to hear more about the current HIPAA threat landscape and learn best practices for protection.
Experts from Hostway and Alert Logic will keep you up-to-date on the latest trends in healthcare IT.
You'll learn about the following:
- The current state of the healthcare IT industry and the role of HIPAA
- Threats associated with the healthcare landscape
- How a security breach can impact your organization
- Security best practices for HIPAA compliant cloud hosting and more!
Jack Nichelson - Information Security Metrics - Practical Security Metrics (centralohioissa)
So exactly how do you integrate information security metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of its security program.
The Art of Evading Anti-Virus
There are estimates that security analysts, including penetration testers, are approximately 5 years behind malicious actors. Anti-virus by itself isn't enough to stop a malicious individual from gaining access to your servers or computers anymore; in fact, many attackers have devised ways to evade it. We as security professionals should understand how these individuals are doing this, and what tools are available for us to replicate these attacks. Tools such as the Veil framework (veil-framework) assist us with this. This talk will go over this tool and how malicious individuals evade anti-virus with ease.
Quentin Rhoads-Herrera is a security analyst for State Farm. In this position he is responsible for risk analysis and application security assessments. He is accountable for ensuring risks are identified and properly mitigated throughout the organization.
He previously served as the Information Security Director for Clearview Energy and Solarview. In this position he oversaw all information security activities. These included development of company-wide cyber security standards, development of layered defense approaches and the hardening and defense of all company systems.
Mr. Rhoads-Herrera has worked in the Information Security space for a total of seven years serving in roles ranging from Security Consultant to Information Security Director.
Social Engineering 101 or The Art of How You Got Owned by That Random Stranger (Steven Hatfield)
My presentation that was given at North Texas ISSA Second Annual Cyber Security Conference on 4/25/2015. This presentation covers the basics of Social Engineering and provides a good base of knowledge for anyone looking to understand more about this skill, along with where to learn more.
How Can I Find My Security Blind Spots - Ulf Mattsson - Aug 2016 (Ulf Mattsson)
Security Blind Spots
We need to automatically detect and report on security blind spots, including Sensitive Data that was not found in our initial Discovery and failures of deployed security control systems. Without formal and automated processes to detect and alert to new data discovery findings and critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data. This can also impact our real compliance posture.
In this presentation I talked about
Secure Software Development Life Cycle
Design Issues.
Threat Modeling.
Static Code Analysis.
Pentesting.
Resources.
CISSP Preview - For the Next Generation of Security Leaders (NUS-ISS)
Presented by Mr Hoo Chuan-Wei, Technical Advisor-APAC, (ISC)2, at the CISSP Preview Session, which was jointly organised with (ISC)2 Singapore Chapter on 27 Jun 2017.
AI on Spark for Malware Analysis and Anomalous Threat Detection (Databricks)
At Avast, we believe everyone has the right to be safe. We are dedicated to creating a world that provides safety and privacy for all, no matter where you are, who you are, or how you connect. With over 1.5 billion attacks stopped and 30 million new executable files monthly, big data pipelines are crucial for the security of our customers. At Avast we are leveraging Apache Spark machine learning libraries and TensorFlowOnSpark for a variety of tasks ranging from marketing and advertisement, through network security, to malware detection. This talk will cover our main cybersecurity use cases of Spark. After describing our cluster environment we will first demonstrate anomaly detection on time series of threats. With thousands of types of attacks and malware, AI helps human analysts select and focus on the most urgent or dire threats. We will walk through our setup, from distributed training of deep neural networks with TensorFlow to deploying and monitoring a streaming anomaly detection application with the trained model. Next we will show how we use Spark for analysis and clustering of malicious files and for large-scale experimentation to automatically process and handle changes in malware. In the end, we will give a comparison to other tools we used for solving those problems.
AppSec Awareness: A Blueprint for Security Culture Change (Priyanka Aash)
How does an individual change the application security culture of an organization? By deploying an application security awareness program with engaging content, humor and recognition. See the blueprint for how you can build an application security awareness program based on real life experience. Change the security DNA of everyone in your organization.
(Source: RSA USA 2016-San Francisco)
NTXISSACSC2 - Software Security - My Other Marathon by Harold Toomey
1. @NTXISSA
Software Security – My Other Marathon
Harold Toomey
Past President, ISSA North Texas, 2013
Principal Product Security Architect & PSIRT Manager
Intel Security
April 24, 2015
2. Introduction
• Responsibilities
  • PSIRT Manager
  • Manage a team of 50+ Sr. Security Architects (PSCs)
  • Manage the SDL, policies and PSG program
  • Training program
  • Metrics
• Experience
  • 4 Years: Eng. Software Security
  • 2 Years: IT Operational Security
  • 11 Years: Product Management
  • 10 Years: Software Development (C++)
• ISSA North Texas Chapter, Past President
• CISSP, CISA, CISM, CRISC, CGEIT, ITIL, …
• CVSS Special Interest Group (SIG)
NTX ISSA Cyber Security Conference – April 24-25, 2015 2
Harold Toomey, Principal Product Security Architect
3. Agenda
• Plot #1: Developing Secure Software
• Plot #2: Running a 100 Mile Ultra Marathon
Which is easier?
4. Scenario #1 – Secure Software
• 110+ Enterprise and consumer security products
• 4,000+ software engineers
• 200M+ customers
• Someone reports a vulnerability
• Now what?
• How did this happen?
5. Scenario #2 – 100M Ultra Run
• You gained 50 pounds over the past 10 years
• You hear running gets you healthy again
• You sign up for a 100 mile ultra marathon
• Are you crazy? (yes, of course)
• How long will it take for you to pull this off?
6. #1 The Development Team
• Executive Support
• Software Engineering Teams
• Product Security Group / PSIRT
• Product Security Champions (PSCs)
• Tier III Technical Support
• Knowledgebase Team
• Extended Team
  • IT, PR, Legal, Training
7. #2 Your Running Crew
• Supportive spouse
• Trainer
• Running buddies
• Your dog (Roxy)
• Facebook running friends
• Marathon Maniacs
• Race volunteers
• Pacers
8. #1 PSIRT Process
• Contact engineering network (PSCs)
• Verify the vulnerability
• Score the vulnerability’s severity (CVSS)
• Communicate fix schedule to the discoverer
• Develop and publish the patch
• Publish Security Bulletin
• Next week: “lather, rinse, repeat”
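The scoring step is the one that drives the fix schedule that follows it. As an added example (not from the talk and not Intel Security's PSIRT tooling), the block below implements the CVSS v2 base-score formula in C with the metric weights and the one-decimal rounding rule from the v2 specification; the severity bands are NVD's v2 bands (Low below 4.0, Medium below 7.0, High from 7.0 up). The vector strings in main() are constructed samples, not scores copied from any of the bulletins listed on the later slides.

```c
#include <stdio.h>
#include <string.h>

/* CVSS v2 base-metric weights from the v2 specification.
 * Each helper returns -1.0 for a value letter that the metric does not define. */
static double w_access_vector(char v)     { return v == 'L' ? 0.395 : v == 'A' ? 0.646 : v == 'N' ? 1.0   : -1.0; }
static double w_access_complexity(char v) { return v == 'H' ? 0.35  : v == 'M' ? 0.61  : v == 'L' ? 0.71  : -1.0; }
static double w_authentication(char v)    { return v == 'M' ? 0.45  : v == 'S' ? 0.56  : v == 'N' ? 0.704 : -1.0; }
static double w_impact(char v)            { return v == 'N' ? 0.0   : v == 'P' ? 0.275 : v == 'C' ? 0.660 : -1.0; }

/* Round half up to one decimal, as the v2 spec requires, without libm. */
static double round1(double x) { return (double)(long)(x * 10.0 + 0.5) / 10.0; }

/* Compute the v2 base score for a vector such as "AV:N/AC:L/Au:N/C:C/I:C/A:C".
 * Returns -1.0 if the vector is malformed or any of the six metrics is missing,
 * so a typo in a bulletin draft cannot silently produce a (lower) score. */
double cvss2_base_score(const char *vector) {
    double av = -1, ac = -1, au = -1, conf = -1, integ = -1, avail = -1;
    char buf[64];
    int n = snprintf(buf, sizeof buf, "%s", vector);   /* bounded copy; strtok writes into it */
    if (n < 0 || (size_t)n >= sizeof buf) return -1.0;

    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (colon == NULL || strlen(colon) != 2) return -1.0;   /* expect exactly ":X" */
        char val = colon[1];
        *colon = '\0';
        if      (strcmp(tok, "AV") == 0) av    = w_access_vector(val);
        else if (strcmp(tok, "AC") == 0) ac    = w_access_complexity(val);
        else if (strcmp(tok, "Au") == 0) au    = w_authentication(val);
        else if (strcmp(tok, "C")  == 0) conf  = w_impact(val);
        else if (strcmp(tok, "I")  == 0) integ = w_impact(val);
        else if (strcmp(tok, "A")  == 0) avail = w_impact(val);
        else return -1.0;                                        /* unknown metric name */
    }
    if (av < 0 || ac < 0 || au < 0 || conf < 0 || integ < 0 || avail < 0) return -1.0;

    double impact         = 10.41 * (1.0 - (1.0 - conf) * (1.0 - integ) * (1.0 - avail));
    double exploitability = 20.0 * av * ac * au;
    double f_impact       = (impact == 0.0) ? 0.0 : 1.176;
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact);
}

/* NVD's v2 severity bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0. */
const char *cvss2_severity(double score) {
    if (score < 0.0) return "invalid";
    if (score < 4.0) return "Low";
    if (score < 7.0) return "Medium";
    return "High";
}

int main(void) {
    /* Constructed sample vectors, not scores copied from any particular bulletin. */
    const char *samples[] = {
        "AV:N/AC:L/Au:N/C:C/I:C/A:C",   /* remote, unauthenticated, full compromise */
        "AV:N/AC:L/Au:N/C:P/I:N/A:N",   /* remote, unauthenticated, partial information leak */
        "AV:L/AC:H/Au:S/C:P/I:P/A:N",   /* local, hard to exploit, needs an account */
        "AV:N/AC:L",                    /* incomplete vector: rejected */
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        double s = cvss2_base_score(samples[k]);
        printf("%-28s base %.1f (%s)\n", samples[k], s, cvss2_severity(s));
    }
    return 0;
}
```

Refusing an incomplete or malformed vector with -1.0, rather than scoring whatever did parse, is deliberate: a missing metric should block the bulletin draft, not quietly lower the score that the fix schedule is based on.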
9. #2 Ultra Training
• Start running
• Sign up for weekend races (milestones)
• Set goals
• Read about it
• Friend like-minded runners
• Learn by experience (pain)
• Build up to it
10. #2 Possible Training Goals
• Year 1
  • Run a 5K to see how out of shape you are
  • Run a half marathon after 6 months
  • Run a full marathon after 1 year
• Year 2
  • Run a half marathon or farther every weekend
• Year 3
  • Run an ultra every month, with 2x 100M by end of year
  • Try Sprint and Olympic Ironman Triathlons
• Year 4
  • Run a 100 miler every month (Jun – Feb)
11. #1 Named Vulnerabilities
Date | Description | # Vuln. Products | SB
8 Apr 2014 | Heartbleed | 19 | SB10071
2 Jun 2014 | Heartbleed II | 22 | SB10075
24 Sep 2014 | Shellshock/BASH | 23 | SB10085
14 Oct 2014 | POODLE | 28 | SB10090
14 Oct 2014 | 3 SSLv3 CVEs | 15 | SB10091
27 Jan 2015 | GHOST | 28 | SB10100
4 Mar 2015 | FREAK | 3 | SB10108
19 Mar 2015 | 14 OpenSSL CVEs | 22 | SB10110
Summer 2015 | OpenSSL Security Audit | TBD | TBD
“OpenSSL: The gift that keeps on giving.”
12. #2 Popular/Local Races
• Boston Marathon (20 Apr 2015)
• Badwater 135 (28-30 July 2015)
• Big Cedar 100M (30-31 Oct 2015)
• Brazos Bend 100M (11-12 Dec 2015)
• Rocky Raccoon 100M (1-2 Feb 2016)
13. #1 Doing the Basics
1. Minimum SDL activities
2. Compile with security flags set
3. Remove banned C/C++ functions
4. Fix high severity vulnerabilities
5. Complete Static/Dynamic Analysis/Fuzzing
6. Manual code reviews
7. Validate inputs
8. Build in privacy/protect PII
9. Remove debugging code
10. Scan for viruses/malware
11. Don’t implement backdoors
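Items 2, 3 and 7 on this list are the ones that show up directly in source. The block below is an added example, not code from the talk or from any Intel Security product, showing what replacing banned C functions and validating inputs looks like in practice: a bounded copy in place of strcpy, a fully checked strtol in place of atoi, and snprintf with a fixed format string in place of sprintf. The result codes, the identifier allow-list and the port range are constructed for the example. Item 2 lives at the compiler: with GCC or Clang, flags such as -fstack-protector-strong, -D_FORTIFY_SOURCE=2 (which needs optimization enabled), -Wformat -Wformat-security and -Wl,-z,relro,-z,now turn several of these bug classes into build warnings or runtime aborts.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes shared by the checks below (constructed for this example). */
enum { INPUT_OK = 0, INPUT_EMPTY = -1, INPUT_TOO_LONG = -2, INPUT_BAD_CHAR = -3, INPUT_BAD_RANGE = -4 };

/* Length of s, but never scanning more than max bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Stands in for the banned strcpy(dst, src): the copy happens only if the whole
 * string plus its terminator fits; otherwise dst becomes "" and the caller is
 * told. Unlike strncpy, the result is always NUL-terminated and never silently
 * truncated. */
int copy_bounded(char *dst, size_t dstlen, const char *src) {
    if (dstlen == 0) return INPUT_TOO_LONG;
    size_t n = bounded_len(src, dstlen);
    if (n == dstlen) { dst[0] = '\0'; return INPUT_TOO_LONG; }   /* no NUL within dstlen */
    memcpy(dst, src, n + 1);                                      /* n + 1 <= dstlen, includes the NUL */
    return INPUT_OK;
}

/* Validate an identifier (a user name, a host label) against an allow-list of
 * 1..maxlen characters from [A-Za-z0-9_-]. Stating what is acceptable is more
 * robust than trying to enumerate every dangerous character. */
int validate_identifier(const char *s, size_t maxlen) {
    size_t n = bounded_len(s, maxlen + 1);
    if (n == 0) return INPUT_EMPTY;
    if (n > maxlen) return INPUT_TOO_LONG;
    for (size_t k = 0; k < n; k++) {
        unsigned char ch = (unsigned char)s[k];
        if (!isalnum(ch) && ch != '_' && ch != '-') return INPUT_BAD_CHAR;
    }
    return INPUT_OK;
}

/* Stands in for atoi(s): strtol with every error path checked, then a range
 * check. atoi returns 0 for garbage and has undefined behaviour on overflow. */
int parse_port(const char *s, int *port) {
    if (!isdigit((unsigned char)s[0])) return INPUT_BAD_CHAR;    /* rejects "", " 80", "+80", "-1" */
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return INPUT_BAD_CHAR;   /* overflow or trailing junk */
    if (v < 1 || v > 65535) return INPUT_BAD_RANGE;
    *port = (int)v;
    return INPUT_OK;
}

/* Stands in for sprintf(out, "Hello, %s", user) and the worse sprintf(out, user):
 * fixed format string, bounded buffer, and the truncation check that snprintf
 * leaves to the caller. */
int format_greeting(char *out, size_t outlen, const char *user) {
    int n = snprintf(out, outlen, "Hello, %s", user);
    if (n < 0 || (size_t)n >= outlen) return INPUT_TOO_LONG;
    return INPUT_OK;
}

int main(void) {
    char name[16], line[32];
    int port = 0;
    /* Constructed inputs: one well-formed, the rest of the kind a fuzzer (or an attacker) sends. */
    printf("copy       : %d \"%s\"\n", copy_bounded(name, sizeof name, "alice"), name);
    printf("copy       : %d (overlong)\n", copy_bounded(name, sizeof name, "a-name-that-does-not-fit"));
    printf("identifier : %d\n", validate_identifier("bob;rm -rf /", 16));
    printf("port       : %d (%d)\n", parse_port("443", &port), port);
    printf("port       : %d (out of range)\n", parse_port("70000", &port));
    printf("greeting   : %d \"%s\"\n", format_greeting(line, sizeof line, "alice"), line);
    return 0;
}
```

Every function returns a code the caller must act on; the "before" versions (strcpy, atoi, sprintf) have no way to report that the input did not fit, which is exactly why they are on banned lists.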
14. #2 Doing the Basics
• You can’t outrun a bad diet
  • 15% Exercise
  • 85% Diet
• Sleep
• Regular run schedule
• Buy good equipment
• Positive attitude (“Never give up”), but
• Never run on an injury
15. #1 Proactive Measures – Waterfall
• SDL
SDL phases (top row of the chart): Security Assessment | Architecture | Design & Development | Ship | Post-Release, Legacy, & M&A
Lifecycle stages (bottom row of the chart): 0 Concept | 1 Planning | 2 Design & Development | 3 Readiness | 4 Release & Launch | 5 Support & Sustain
S0 – Concept
• Product security team is looped in early (Product Security Group & Product Security Champions)
• Product security team hosts a discovery meeting
• Product security team creates an SDL project plan (states what further work will be done)
• Product team initiates a Privacy Impact Assessment (PIA)
S1 – Planning
• S1 Security Plan
• SDL policy assessment & scoping
• Threat modeling / architecture security analysis
• Privacy information gathering and analysis
S2 – Design & Development
• S2 Security Plan
• Security test plan composition
• Static analysis
• Threat model updating
• Design security analysis & review
• Secure coding
• Privacy implementation assessment
S3 – Readiness
• S3 Security Plan
• Security test case execution
• Static analysis
• Dynamic analysis
• Fuzz testing
• Manual code review
• Privacy validation and remediation
S4 – Release & Launch
• S4 Security Plan
• Final security review
• Vulnerability scan
• Penetration test
• Open source licensing review
• Final privacy review
S5 – Support & Sustain
• External vulnerability disclosure response (PSIRT)
• Reviews by 3rd party service contractors
• Post-release certifications
• Internal review for new product combinations or cloud deployment
• Security architectural reviews & tool-based assessments of legacy and M&A products
28. Finishing the Hawk Hundred
13 Sep 2014
Finish Time: 31:38
29. Finishing the Brazos Bend 100
13 Dec 2014
Finish Time: 28:22
30. Conclusion
• Plot #1: Developing Secure Software
• Plot #2: Running a 100 Mile Ultra Marathon
Which is easier?
31. Q&A
Harold Toomey
Principal Product Security Architect
Product Security Group
Intel Security
Harold_Toomey@IntelSecurity.com
(801) 830-9987
32. The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you
Editor's Notes
Good morning.
My name is Harold Toomey.
I work for Intel Security.
I attended the first Cyber Security Conference last year and wanted to contribute more this year, so here I am.
I have worked for McAfee/Intel Security for the past 9 years.
Before that I worked for Symantec for 8 years.
For the past 4 years I have worked in software security.
I manage our PSIRT team as well as other SDL programs.
“Product Security is like running a marathon. It’s not a sprint. Prepare for the long haul.”
Redshirts
“Well gentlemen, you’re all going to die.”
Product Security Champions (PSCs)
Qualification:
A minimum of 3-5 years software development experience (architects preferred)
A passion for or background in software security
Approved by the BU General Manager & BU PSC Lead
Dedicate 10% - 20% of their time doing product security tasks
Time to be trained in software security, tools, plans, and processes
Must not only know how to develop (build) software, but also know how to deconstruct it (take it apart) while “thinking like a hacker”
Responsibilities:
Enforce the SDL: Assist the PSG in assuring the security tenets of confidentiality, integrity, availability, and privacy are adhered to
Reviews: Assist the PSG’s software security architects in conducting architecture security analysis, reviews, and threat modeling
Escalations: Assist with Security Bulletins and patches for externally disclosed vulnerabilities (PSIRT)
Tools Expert: e.g. static and dynamic analysis (which includes fuzzing) within each product development team and/or business unit (BU)
Collocated: Be the eyes, ears, and advocate of the PSG within each product development team / BU
Attend Meetings: Participate in weekly Admin / Technical meetings as a team
OpenSSL
Facts
April 8, 2014 – The Heartbleed OpenSSL vulnerability was announced.
This vulnerability went undetected for several years.
OpenSSL is widely used in the public.
We have seen it used in ¼ of our products.
In 2012 & 2013, we only saw one (1) OpenSSL vulnerability per year.
Then, in April 2014 we saw our first cutely named vulnerability - “Heartbleed”.
Every quarter since then we have seen a new named OpenSSL vulnerability.
We call OpenSSL “The gift that keeps on giving.”
We expect to see more OpenSSL vulnerabilities.
Cryptography Services, a part of the Linux Foundation's Core Infrastructure Initiative (CII), has begun an extensive audit of OpenSSL security.
Preliminary results of the audit could be out by the beginning of the summer, Cryptography Services said.
http://gcn.com/blogs/cybereye/2015/03/openssl-audit.aspx
Linux/UNIX
The crisis created by the Heartbleed bug fed into our concern about open source software overall.
I am sure you have all heard of other named vulnerabilities, such as Shellshock and GHOST.
Both have a CVSS score of 10.0.
Both primarily impact Linux and UNIX systems.
Shellshock affected only the Linux and Unix operating systems.
This vulnerability allows malicious code execution within the Bash shell.
GHOST was caused by a Linux glibc library vulnerability.
It allows attackers to remotely take complete control of the target system without having any prior knowledge of system credentials.
Static Analysis:
A method of examining software at compile time, reporting potential defects
Dynamic Analysis:
A method of examining software at runtime, by executing the code over multiple test cases
Fuzz Testing:
Providing unexpected, invalid, or random data to an application with the intention of triggering a bug
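Fuzz testing and the OpenSSL Heartbleed bug discussed in these notes meet in a very small piece of code: a length field that a parser trusts. The block below is an added example, not code from the talk or from OpenSSL, using a constructed record layout loosely modelled on the TLS heartbeat message. It holds the unchecked parser, the checked one, and a deterministic fuzz harness that feeds random records to each and counts accepted records whose declared length runs past the buffer. The harness checks that invariant instead of copying, so a finding is a count that can be replayed from its seed rather than a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record layout for this example, loosely modelled on the TLS
 * heartbeat message at the centre of Heartbleed:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define REC_HEADER  3
#define REC_PADDING 16

typedef int (*parser_fn)(const uint8_t *buf, size_t len, size_t *payload_len);

/* Parser that trusts the declared length (the Heartbleed bug class): a caller
 * that then copies payload_len bytes reads past the end of buf. */
int parse_record_unchecked(const uint8_t *buf, size_t len, size_t *payload_len) {
    if (len < REC_HEADER) return 0;
    *payload_len = ((size_t)buf[1] << 8) | buf[2];
    return 1;
}

/* Same parser with the check that was missing: the declared payload plus
 * header and padding must fit inside the bytes actually received. */
int parse_record_checked(const uint8_t *buf, size_t len, size_t *payload_len) {
    if (len < REC_HEADER + REC_PADDING) return 0;
    size_t declared = ((size_t)buf[1] << 8) | buf[2];
    if (declared > len - REC_HEADER - REC_PADDING) return 0;   /* subtraction cannot underflow after the check above */
    *payload_len = declared;
    return 1;
}

/* xorshift32: a deterministic generator, so a failing input can be replayed from its seed (seed must be non-zero). */
static uint32_t next_rand(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Feed `iterations` random records to `parse` and count the accepted ones that
 * would let a caller copy past the end of the buffer. A correct parser never
 * trips this invariant, so a non-zero count is a reproducible finding. */
unsigned fuzz_parser(parser_fn parse, unsigned iterations, uint32_t seed) {
    uint8_t buf[256];
    unsigned violations = 0;
    for (unsigned it = 0; it < iterations; it++) {
        size_t len = (size_t)(next_rand(&seed) % sizeof buf) + 1;      /* 1..256 bytes received */
        for (size_t k = 0; k < len; k++) buf[k] = (uint8_t)next_rand(&seed);
        /* Half the time, bias the declared length toward small values so that
         * well-formed records occur and the checked parser's accept path is exercised too. */
        if ((next_rand(&seed) & 1u) && len >= REC_HEADER) {
            buf[1] = 0;
            buf[2] = (uint8_t)(next_rand(&seed) % 64);
        }
        size_t payload_len = 0;
        if (parse(buf, len, &payload_len) && REC_HEADER + payload_len + REC_PADDING > len) violations++;
    }
    return violations;
}

int main(void) {
    printf("unchecked parser: %u violations in 10000 records\n", fuzz_parser(parse_record_unchecked, 10000, 2015u));
    printf("checked parser  : %u violations in 10000 records\n", fuzz_parser(parse_record_checked, 10000, 2015u));
    return 0;
}
```

Two things carry over to real fuzzing: the harness asserts a property of the output (accepted implies in bounds) rather than waiting for a crash, and the input stream is seeded so that a failing case is a number to hand to the developer, not a lucky run.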
1. Heartbleed Post-Mortem
Listing All Products in Advisories
Post-Mortem = Retrospective
Problem
Policy states only publish a security bulletin if there is a patch or workaround (something actionable).
Customers demand to know immediately if their products are vulnerable or not to highly publicized named vulnerabilities.
Facts
April 8, 2014 – The Heartbleed OpenSSL vulnerability was announced.
This vulnerability went undetected for several years.
OpenSSL is widely used in the public.
We have seen it used in ¼ of our products.
Lessons Learned
Created a shared technologies security bulletin template
Updated PSIRT Procedures with the “Crisis Scenario”
For publicly known high-severity vulnerabilities affecting multiple products
Consolidated Security Bulletin listing all enterprise products into buckets
“Being Investigated” bucket only used if vulnerability is readily identified by customers
Shared technology inventory needed
What you can tell customers
Policy on communicating products known “Not Vulnerable”
“Not Patched Yet” exception
SNS Expectations – Early Notification
8. Measuring How Well Teams Do Product Security
The Intel Security Product Security Maturity Model (PSMM)
Problem
We have an SDL. It is well defined for both waterfall and agile. How well are the product teams following it?
Facts
This metric indicates how well the BUs are implementing the product security program.
Lessons Learned
We designed our own MM to match our SDL
Engineers asked for a spreadsheet with drop-downs so they can easily rate their product teams
Automation
Peer review
PSMM Parameters
Our simple maturity model categorizes 22 parameters into two categories: Operational for the program and Technical for the engineers.
Operational (13): Program; Process; Resources; Training; Security Reviews; Tools; PSIRT; SDL; Policy; Privacy; Certification; M&A; Extended Team
Technical (9): Threat Modeling / Architecture Reviews; Static Analysis; Dynamic Analysis (Web Apps); Fuzz Testing; Vulnerability Scans / Penetration Testing; Manual Code Reviews; Secure Coding Standards; Open Source / 3rd Party Libraries; Tracking Tools
100-Mile American Record Smashed
On October 4, 2013 Jon Olsen ran 11:59:28 to break a 24-year-old record.
May vary by individual.
I feel an Ultra is easier since, unlike software security, it has an end … until you sign up for another ultra.