ntxissacsc4 - how not to build a trojan horse
TRANSCRIPT
ISSA Cyber Security Conference 4 2016 Intel Public 1
How Not To Build A Trojan Horse
Harold Toomey, Intel
8 October 2016
Worst Case Scenario
Your job is to …
1. Protect the brand
2. Be your customer’s trusted security advisors
3. Build secure software
Table of Contents
• Worst case scenario
• Building secure software
1. Team
2. Agile Secure Development Lifecycle (SDL)
3. Product Security Maturity Model (PSMM)
4. Product Security Incident Response Team (PSIRT)
• Challenges
• Experience
Building Secure Software
Executive support
Engineering support
§ Development
§ IT
Product security program
Product Security Program
1. Team
2. Agile SDL – Proactive
3. PSMM
4. PSIRT – Reactive
1. Who? – Team
1.1 Product Security Architects (PSAs)
1.2 Product Security Champions (PSCs)
1.3 Others
1.1 Product Security Architects (PSAs)
Mentor
Technical activities
Operational activities
Mentor
Security training
Bi-weekly technical roundtables
Empower PSC leads
Technical
16 Technical SDL activities
Security architecture reviews
Threat modeling
Tools
1. Security Requirements Plan / DoD (Definition of Done)
2. Security Architecture Review
3. Security Design Review
4. Threat Modeling
5. Security Testing
6. Static Analysis
7. Dynamic Analysis (Web Apps)
8. Fuzz Testing
9. Vulnerability Scan
10. Penetration Testing
11. Manual Code Review
12. Secure Coding Standards
13. Open Source and 3rd Party Libraries
14. License and Vendor Management
15. Privacy
16. Operating Environment
Operational
9 Operational SDL Activities
Manage satellite team
1. Program
2. SDL
3. PSIRT
4. Tools and Services
5. Resources
6. Policy and Compliance
7. Process
8. Training
9. Metrics
1.2 Product Security Champions (PSCs)
1 per Product, Product Group, Solution, and GEO
Qualifications
Responsibilities
[Org chart: Solutions at the top, each Product Group below it with its Products; one PSC at every level]
PSC Qualifications
Enthusiastic
4+ Years experience
20% Time commitment
VP Engineering approval
PSC Responsibilities
Agile SDL activities
Incident response (PSIRT)
Attend meetings and training
Collocated in engineering teams
1.3 Other Team Contributors
Product Security Evangelists (PSEs)
Privacy
Extended team
§ Public Relations (PR)
§ Technical Support
§ IT Security
§ Learning
§ Legal
2. Agile SDL Activities (What?)
Mandatory
Conditional
Execution
[Agile release-train diagram: Investment Themes and Epics (Viability, Feasibility, Desirability) → Plan of Intent → Program Backlog → Release Planning → Team Backlog / Stories → Sprint Planning → Development & Test (Daily Scrum, sprints of 1-4 weeks) → Sprint Review & Retrospective → Release Quality Increment (PSI) → Finished Product → Release to Customer. Security checkpoints sit at Plan-of-Intent, Release Planning, Sprint Planning, Sprint / Release Readiness and Release Launch. "Develop on a Cadence, Release on Demand."]
2.1 Mandatory SDL Activities
1. Static Analysis
§ Dynamic Analysis TBD
2. Privacy Review
3. Security Definition of Done
§ Agile storyboard
4. 7 Key questions
2.2 Conditional SDL Activities
7 Key Questions
1. Release Scope – Major, Minor, Patch, Hotfix
2. Architecture – No change, Some change, Redesign, Greenfield
3. Using 3rd Party / Open Source Software
4. Hosting – By us, By partner (SaaS)
5. Privacy – Collecting customer data (PII)
6. Interfaces – Web, Web Services, Non-Web
7. Releasing with an Operating System
2.3 Execution
How?
§ Templates
– Tasks
– Tools
– Resident experts
– Resources
When?
Why?
When? Technical Activities by Code State (mostly manual or automatic?)
❶ Project Started – mostly human:
T01 Security Requirements Plan / DoD
T02 Security Architecture Review
T03 Security Design Review
T04 Threat Modeling
T12 Secure Coding Standards
T13 Open Source Licensing
T14 3rd Party Libraries (Blacklist)
T15 Privacy Review
❷ Have Code – machine: T06 Static Analysis; human: T11 Manual Code Review
❸ Have Executables – machine: T07 Dynamic Analysis (Web inputs), T08 Fuzz Testing (All inputs, anomaly-based), T09 Vulnerability Scan (Signature-based); human: T05 Security Testing, T10 Penetration Testing
Why? VM Flowchart
3. Product Security Maturity Model (PSMM)
None, Minimal, Good, Better, Best
§ Maturity levels
0. None
1. Basic
2. Initial
3. Acceptable
4. Mature
§ Math
Set team goal for each SDL activity
Measure 2x a year and report
(9 + 16) × 4 = 100: the 9 operational plus 16 technical SDL activities, each scored 0-4, give a maximum of 100 points at level 4 (Mature)
4. PSIRT – Product Security Incident Response Team (Reactive)
Verify vulnerabilities
Patch within CVSS SLA
Publish security bulletin
4.1 Verify Vulnerabilities
False alarms (apache/tomcat)
Real vulnerabilities
Cutely named vulnerabilities
§ Heartbleed (OpenSSL)
4.2 Patch Within CVSS SLA
Common Vulnerability Scoring System v3 (CVSS)
Service Level Agreement (SLA)
Low, Medium, High, Critical severity

Severity       CVSS Score   Max. Fix Time   Notification
P1 - Critical  8.5-10.0     1-2 Days        ALERT
P2 - High      7.0-8.4      1 Week          Notice
P3 - Medium    4.0-6.9      1 Month         Notice
P4 - Low       0.0-3.9      1-3 Quarters    Optional
P5 - Info      NA           NA              NA

Note that the P1/P2 cut-off at 8.5 is an internal SLA choice; the CVSS v3 qualitative rating scale itself puts Critical at 9.0-10.0 and High at 7.0-8.9, so a vulnerability rated High by NVD may still be a P1 under this table.
4.3 Publish Security Bulletin
SB – Security Bulletin
KB – KnowledgeBase article
SS – Sustaining Statement
NN – Not Needed or Release Notes

CVSS score              Default response   If lots of attention
CVSS = 0                NN                 NN
0 < CVSS < 4 (Low)      SS                 KB
4 ≤ CVSS < 7 (Medium)   KB                 SB + TXT Notice
7 ≤ CVSS ≤ 10 (High)    SB + TXT Alert     SB + TXT Alert
Challenges
Waterfall → Agile → Continuous
Tools
Skill levels
Legacy architectures
Technical debt
Getting to PSMM 4-Mature
PSIRT exponential growth
Experience - People
Identify the experts
– No one person can do it all
Trust the Product Security Champions (PSCs)
– They are smart and want to do what is right
– They balance security with their time, expertise, resources and schedule
Collaborate often
– Meet as PSCs weekly (business and technical)
– Use email PDLs
Don’t just train…mentor!
– Have an open door policy and help them to mature and grow
Experience - Process
Keep it flexible
– Don’t micro-manage
– Don’t default to “all activities are mandatory”
We don’t need to write a 200-page book on each SDL activity
– Instead point engineers to the best material & BKMs
Some requirements are simply mandatory
– Filing exceptions for incomplete SDL activities or shipping with high severity vulnerabilities
– Blacklist for 3rd party components
– Security and privacy governance (SDL-Gov) audits
The Agile SDL and PSMM go hand-in-hand
Experience - Technology
Purchase tools as one company
– Volume discounts, flexible license terms
Human vs. Machine
– Some activities require much more human interaction than others
– Where possible, automate: “Make the computer do the work”
– Automation is required for successful continuous delivery
Bring the tools to the engineers
– VersionOne / JIRA Software vs. SharePoint
– Provide customized templates and real-world examples
Good tools can minimize exceptions
– It is hard to do fuzz testing without an easy-to-use tool with good content
Questions?
Harold Toomey
Sr. Product Security Architect & PSIRT Manager
Product Security Group
Intel Security (McAfee)
[email protected]
O: (972) 963-7754
M: (801) 830-9987