WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificationScheme

•

0 likes•370 views

The document discusses the Russian IT Security Certification Scheme and steps toward secure software development. It provides an overview of the certification process and participants. It notes that mandatory requirements have been based on Common Criteria since 1999. Current status shows most certified products are antiviruses and IPS/IDS, with both Russian and non-Russian developers. Steps taken include approving protection profiles and developing a secure development standard. The presentation concludes that efficiency in vulnerability detection will increase and Russian developers will pay more for certification.

Secure software development in
the Russian IT Security
Certification Scheme
Alexander Barabanov, Alexey Markov, Valentin Tsirlov

Agenda
2
 Brief overview
 Current status of the Russian IT Security
Certification Scheme
 Steps Toward Common Criteria Approach
and Secure Software Development
 Final Remarks

Brief overview:
Historical Perspective
3
1995
Establishment of
Russian IT Security
Certification Scheme
1997
Mandatory
requirements for
firewall and access
control systems
1999 2003
Guidance based
on CC v.2.1
Mandatory
requirements for
IPS/IDS
(based on CC)
Mandatory
requirements for
antiviruses
(based on CC)
Mandatory
requirements for
source code
analysis
2012 2013 2014
Mandatory
requirements for
trusted boot loader
(based on CC)
Mandatory
requirements for
removable storage
protection tools
(based on CC)

Brief overview:
who takes part in the certification process?
4

Brief overview: typical timeline
5
Obtaining FSTEC ID
Normally 1 month
Evaluation provided by Laboratory
3-4 months
Certification by Certification Body
1 month and more
Obtaining a certificate
from FSTEC of Russia
Normally 1 month

Brief overview:
Accredited Evaluation Laboratories
6

Brief overview:
Accredited Certification Bodies
7

Brief overview:
Classical Major Approaches to Evaluation
8
Evaluation of the security functionality
• Black box testing to ensure that TOE works as it should
Evaluation for the absence of non-declared
functions
• Testing of source code for the absence of software
vulnerabilities

Current status of the Russian Scheme:
Products Evaluations
9

Current status of the Russian Scheme:
Certified Products by Types
10
2011-2014
Evaluation
Timeline

Current status of the Russian Scheme:
Russian vs. Non-Russian Developers
11

Current status of the Russian Scheme:
Non-Russian Developers (2)
12
2011-2014 Evaluation
Timeline

Current status of the Russian Scheme:
Russian Developers
13
2011-2014 Evaluation
Timeline

Steps Toward Common Criteria Approach:
Step #1 (1)
14

Steps Toward Common Criteria Approach:
Step #1 (2)
15

Steps Toward Common Criteria Approach:
Step #1 (3)
16
2004-2014 Evaluation
Timeline

Steps Toward Common Criteria Approach:
Step #2 (1)
17

Steps Toward Common Criteria Approach:
Step #2 (2)
18

Steps Toward Common Criteria Approach:
Step #2 (3)
19
FSTEC of Russia Approved Protection Profiles
• PP for IPS/IDS
• PP for Antiviruses
• PP for Trusted Boot Loaders
• PP for Removable Storage Protection
Protection Profiles in Development
• PP for Firewalls
• PP for Operating System
• PP for DBMS

Steps Toward Common Criteria Approach:
Step #2 (4)
20
http://fstec.ru

Certifications against new FSTEC of Russia
requirements: projects summary
21
Summary:
 TOE Types: IDS/IPS,
Antivirus, Trusted boot
loader
 Vendors: HP, McAfee,
ESET, Trend Micro,
PineApp, Kaspersky
Lab, Cisco, Echelon,
Altx-Soft, Secure
Code
 Number of active
labs: 4
Number of certifications

Certifications against new FSTEC of Russia
requirements: Russian vs. non-Russian TOE
22

Steps Toward Secure Software Development
23
 information security threats
modeling
 source code static/dynamic
analysis
 source code review
 penetration testing
 ...
Russian standard
«Information protection. Secure Software
Development. General requirements» (draft)
Proposed Secure Software
Development Controls:

Final Remarks
24
1. First certifications according to the new requirements
were provided for non-Russian products.
2. More and more leading non-Russian developers provide
the Russian Evaluations Laboratories with access to their
source code, and this tendency shall be observed in the
future.
3. Efficiency in detection of vulnerabilities in software
submitted for certification will advance.
4. Russian developers will pay more for certification.
5. The number of actively working Evaluations Laboratories
will degrade.

Contact Information
25
 Alexander Barabanov, Ph.D., CISSP, CSSLP
NPO Echelon
ab@cnpo.ru
 Alexey Markov, Dr.Sc., CISSP, Member of IEEE
NPO Echelon
am@cnpo.ru
 Valentin Tsirlov, Ph.D., CISSP, CISM
NPO Echelon
z@cnpo.ru

What's hot

Blackhat Europe 2009 - Detecting Certified Pre Owned Software

Tyler Shields

Introduction to Memory Analysis

Emil Tan

Software security testing

nehabsairam

Legal and practical concerns with open source software

Rogue Wave Software

[Warsaw 26.06.2018] SDL Threat Modeling principles

OWASP

Sumeet Mandloi: Robust Security Testing Framework

Anna Royzman

Havex Deep Dive (English)

Digital Bond

Scanning web vulnerabilities

Mohit Dholakiya

Vulnerability

Mohit Dholakiya

IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach

IRJET Journal

This presentation showcased live during the DNIF Konnect meetup on 5th September 2019. We have our guest presenter: Mr. Mikhail Moskvin - Cyber Security Expert from Kaspersky, walk us through some key points related to benefits and practical applications of threat intelligence. Some key points discussed during the meetup: - Introduction to threat intelligence. - Strategies to implement threat intelligence with SIEM. - Practical use cases on using KASPERSKY Threat Intelligence Portal with DNIF. - How SOC teams can leverage threat intelligence aand validation. Watch the full presentation here: https://youtu.be/C89lTX13Vcw?t=1284

Threat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATION

DNIF

Windows Live Forensics 101

Arpan Raval

Flight East 2018 Presentation–Black Duck at Docusign

Synopsys Software Integrity Group

Myths and Misperceptions of Open Source Security

Black Duck by Synopsys

PCI and Vulnerability Assessments - What’s Missing

Black Duck by Synopsys

Flight East 2018 Presentation–Continuous Integration––An Overview

Synopsys Software Integrity Group

CNIT 128 6. Analyzing Android Applications (Part 2 of 3)

Sam Bowne

Windows 10 IoT was released as a platform for IoT. Windows 10 IoT Core, which is the lightest among Windows 10 IoT, is usable without charge, and can be run on single board computers like Raspberry Pi. So far, Linux-based platforms were considered as the platform for IoT devices, but now there is another option. We conducted research on security system of Windows 10 IoT Core to judge whether it could be used safely. We investigated the security design, the security functions, and default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed risks of intrusion and malware infection. As a result of the investigation, like the newest Windows, we found that DEP, ASLR and CFG are also effective as countermeasures for being attacked vulnerabilities that affect the main memory. These countermeasures are not omitted from Windows 10 IoT Core. On the other hand, we also found some designs and default settings of services and components are insecure. For example, Windows update is disabled, Windows Firewall is disabled by default settings, Web interface is served on HTTP, and its authentication is basic authentication. Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create any user account and intrude using the web interface or SSH. Therefore, this problem might be abused by worm malware. Lastly, we will introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, enabling web interface on HTTPS, etc.

Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...

CODE BLUE

Tematem mojej prezentacji będzie omówienie wybranych zagrożeń bezpieczeństwa, które są wykrywane i obsługwane przez analityków SOC. Zwrócę uwagę na incydenty bezpieczeństwa, które powinny być przedmiotem monitorowania w każdym SOC oraz wskażę przykłady implementacji mechanizmów detekcji wybranych zagrożeń. W drugiej części prezentacji opowiem o stowarzyszeniu (ISC)2 Poland Chapter, a dokładniej czym się zajmujemy i jak można do nas dołączyć. http://isc2chapter-poland.com/

[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst

PROIDEA

This webinar by Viktoriia Taraniuk (QA Manager, Consultant, GlobalLogic) was delivered at Embedded Community Webinar #2 on July 29, 2020. Webinar agenda: - What is the difference between the built-in system and what are its features. - How to keep the focus on key priorities and not go beyond resources. - The main resource stealers. - How to consider the main risks. More details and presentation: https://www.globallogic.com/ua/about/events/embedded-community-webinar-2/

Fast embedded system verification

GlobalLogic Ukraine

What's hot (20)

Blackhat Europe 2009 - Detecting Certified Pre Owned Software

Introduction to Memory Analysis

Software security testing

Legal and practical concerns with open source software

[Warsaw 26.06.2018] SDL Threat Modeling principles

Sumeet Mandloi: Robust Security Testing Framework

Havex Deep Dive (English)

Scanning web vulnerabilities

Vulnerability

IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach

Threat Intelligence and Cyber Security Challenges | KASPERSKY & DNIF INTEGRATION

Windows Live Forensics 101

Flight East 2018 Presentation–Black Duck at Docusign

Myths and Misperceptions of Open Source Security

PCI and Vulnerability Assessments - What’s Missing

Flight East 2018 Presentation–Continuous Integration––An Overview

CNIT 128 6. Analyzing Android Applications (Part 2 of 3)

Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...

[CONFidence 2016] Jacek Grymuza - From a life of SOC Analyst

Fast embedded system verification

Similar to WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificationScheme

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf

nattamailru

Дмитро Терещенко, "How to secure your application with Secure SDLC"

Sigma Software

Standards for safety and security in avionics

Alessandro Bruni

Echelon_Sibcon-2016

Alexander Barabanov

How PCI And PA DSS will change enterprise applications

Ben Rothke

Information Assurance, A DISA CCRI Conceptual Framework

James W. De Rienzo

Cybersecurity Frameworks for DMZCON23 230905.pdf

Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

Our audits are designed to help you determine your SAP landscape's actual risk exposure and pinpoint areas that are open to potential attacks. They include everything from your infrastructure and SAP system parameters to individual component configurations and authorizations. Also if your company's migration to SAP HANA or S/4HANA is right around the corner. An audit offers an ideal solution for safeguarding your systems and taking all the necessary security measures before you start your transition. Our approach is based on SAP's security guidelines, the recommendations of the German Federal Office for Information Security (BSI), and the information security standard DIN ISO 27001. Topics of focus: • Challenges, tools and proven methods • Advantages of a root cause analysis and of the resulting risks for your company • Quick check vs. audit vs. penetrationtest • Our project approach at a glance • Recommendations for the follow-up of an Audit ----------------------------------------------------------------------------------------- Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de

SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...

akquinet enterprise solutions GmbH

First SCADA LAB International Workshop

ScadaLab Project

Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx

MardhaniAR

As the movement of applications from bare metal to the cloud continues, considerations around analytics and tracing are becoming more prevalent for security, monitoring, and accounting. As an open source project under the Linux Foundation, the IO Visor Project is working with the kernel community on extending BPF (eBPF) and is being used by many companies for security, tracing, and analytics. This talk will describe how an OpenStack micro-segmentation framework using eBPF can be utilized for analytics and tracing to secure application workloads. Use cases around application security, intrusion detection using service insertion, identity will be described. While networking is one piece of the solution, sandboxing applications to avoid attacks is also important. We will also touch upon how eBPF technology and a unified policy framework can secure application workloads in areas beyond networking.

In-kernel Analytics and Tracing with eBPF for OpenStack Clouds

PLUMgrid

Transforming your Security Products at the Endpoint

Ivanti

Csslp Launch Presentation

gueste35899

Many European and international standardization bodies and industrial organizations do provide more or less detailed specification catalogues addressing IoT product security requirements, test cases and evaluation methods. In this contribution, a dedicated set of relevant standards, guides and recommendations which recently have been recognized by the European Union Agency for Cybersecurity (ENISA) will be introduced. Special attention is given to their contribution for the security evaluation process and the product quality itself, including the level of details regarding their suitability for test definition and execution.

Towards a certification scheme for IoT security evaluation

Axel Rennoch

The paper proposes a method based on different security-related factors to dynamically calculate the validity period of digital certificates. Currently validity periods are most often defined statically without scientific justification. This approach is not sufficient to objectively consider the actual need for security. Therefore the approach proposed in this paper considers relevant security criteria in order to calculate a meaningful validity period for digital certificates. This kind of security assessment can be executed periodically in order to dynamically respond to changing conditions. Especially in the context of complex systems and infrastructures that have an increased need for security, privacy and availability this issue is highly relevant.

Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...

ijcisjournal

CVSS

Christian Heinrich

2.Public Vulnerability Databases

phanleson

Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...

Amine Barrak

NIST Framework for Information System

newbie2019

Similar to WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificationScheme (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

X41-TUF-Audit-2022-Final-Report-PUBLIC.pdf

Дмитро Терещенко, "How to secure your application with Secure SDLC"

Standards for safety and security in avionics

Echelon_Sibcon-2016

How PCI And PA DSS will change enterprise applications

Information Assurance, A DISA CCRI Conceptual Framework

Cybersecurity Frameworks for DMZCON23 230905.pdf

SAP Security & Compliance Audits. Find your vulnerabilities before you get hu...

First SCADA LAB International Workshop

Introduction to the Microsoft Security Development Lifecycle (SDL).ppsx

In-kernel Analytics and Tracing with eBPF for OpenStack Clouds

Transforming your Security Products at the Endpoint

Csslp Launch Presentation

Towards a certification scheme for IoT security evaluation

Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...

CVSS

2.Public Vulnerability Databases

Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...

NIST Framework for Information System

WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificationScheme

1. Secure software development in the Russian IT Security Certification Scheme Alexander Barabanov, Alexey Markov, Valentin Tsirlov

2. Agenda 2  Brief overview  Current status of the Russian IT Security Certification Scheme  Steps Toward Common Criteria Approach and Secure Software Development  Final Remarks

3. Brief overview: Historical Perspective 3 1995 Establishment of Russian IT Security Certification Scheme 1997 Mandatory requirements for firewall and access control systems 1999 2003 Guidance based on CC v.2.1 Mandatory requirements for IPS/IDS (based on CC) Mandatory requirements for antiviruses (based on CC) Mandatory requirements for source code analysis 2012 2013 2014 Mandatory requirements for trusted boot loader (based on CC) Mandatory requirements for removable storage protection tools (based on CC)

4. Brief overview: who takes part in the certification process? 4

5. Brief overview: typical timeline 5 Obtaining FSTEC ID Normally 1 month Evaluation provided by Laboratory 3-4 months Certification by Certification Body 1 month and more Obtaining a certificate from FSTEC of Russia Normally 1 month

6. Brief overview: Accredited Evaluation Laboratories 6

7. Brief overview: Accredited Certification Bodies 7

8. Brief overview: Classical Major Approaches to Evaluation 8 Evaluation of the security functionality • Black box testing to ensure that TOE works as it should Evaluation for the absence of non-declared functions • Testing of source code for the absence of software vulnerabilities

9. Current status of the Russian Scheme: Products Evaluations 9

10. Current status of the Russian Scheme: Certified Products by Types 10 2011-2014 Evaluation Timeline

11. Current status of the Russian Scheme: Russian vs. Non-Russian Developers 11

12. Current status of the Russian Scheme: Non-Russian Developers (2) 12 2011-2014 Evaluation Timeline

13. Current status of the Russian Scheme: Russian Developers 13 2011-2014 Evaluation Timeline

14. Steps Toward Common Criteria Approach: Step #1 (1) 14

15. Steps Toward Common Criteria Approach: Step #1 (2) 15

16. Steps Toward Common Criteria Approach: Step #1 (3) 16 2004-2014 Evaluation Timeline

17. Steps Toward Common Criteria Approach: Step #2 (1) 17

18. Steps Toward Common Criteria Approach: Step #2 (2) 18

19. Steps Toward Common Criteria Approach: Step #2 (3) 19 FSTEC of Russia Approved Protection Profiles • PP for IPS/IDS • PP for Antiviruses • PP for Trusted Boot Loaders • PP for Removable Storage Protection Protection Profiles in Development • PP for Firewalls • PP for Operating System • PP for DBMS

20. Steps Toward Common Criteria Approach: Step #2 (4) 20 http://fstec.ru

21. Certifications against new FSTEC of Russia requirements: projects summary 21 Summary:  TOE Types: IDS/IPS, Antivirus, Trusted boot loader  Vendors: HP, McAfee, ESET, Trend Micro, PineApp, Kaspersky Lab, Cisco, Echelon, Altx-Soft, Secure Code  Number of active labs: 4 Number of certifications

22. Certifications against new FSTEC of Russia requirements: Russian vs. non-Russian TOE 22

23. Steps Toward Secure Software Development 23  information security threats modeling  source code static/dynamic analysis  source code review  penetration testing  ... Russian standard «Information protection. Secure Software Development. General requirements» (draft) Proposed Secure Software Development Controls:

24. Final Remarks 24 1. First certifications according to the new requirements were provided for non-Russian products. 2. More and more leading non-Russian developers provide the Russian Evaluations Laboratories with access to their source code, and this tendency shall be observed in the future. 3. Efficiency in detection of vulnerabilities in software submitted for certification will advance. 4. Russian developers will pay more for certification. 5. The number of actively working Evaluations Laboratories will degrade.

25. Contact Information 25  Alexander Barabanov, Ph.D., CISSP, CSSLP NPO Echelon ab@cnpo.ru  Alexey Markov, Dr.Sc., CISSP, Member of IEEE NPO Echelon am@cnpo.ru  Valentin Tsirlov, Ph.D., CISSP, CISM NPO Echelon z@cnpo.ru

26. 26 Thank you for your attention!

WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificationScheme

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificationScheme

Similar to WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificationScheme (20)

WednesdayBarabanovSecureSoftwareDevelopmentInTheRussianITSecurityCertificationScheme