cybersecurity overview - open source compliance seminar
TRANSCRIPT
Cyber Security Overview
Jeff Hildreth, Sr. Account Executive, Automotive & Aerospace/Defense
Agenda
• Why is this a reality in Automotive
• How to mitigate risk
• Augment existing processes to demonstrate security compliance
Cybersecurity. Why do I care?
Cyber Supply Chain Management and Transparency Act of 2014
[Figure: ISO 26262 safety lifecycle V-model. Phases shown: Item Definition, Hazard and Risk Analysis, System Safety Concept, Requirements Analysis, System Design, System and Component Design, Component Design, Component Implementation, Component Test, System Integration, System Test, Qualitative Safety Analyses, Quantitative System Analyses, Safety Case, Verification and Validation. Overlaid label: SECURITY?]
[Figure: Agile Development – Integrated Security. Labels shown: Accept, Sprint 1, Sprint 2, Sprint n, Release, Change / Adjust and Track, Feedback / Review, Next Iteration, No!, Yes!, Release to Market, and Integrate and Test repeated for each sprint.]
Characteristics
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet agile needs
Application code
3rd party components
Ensure the open source code provider has a strong security plan
APIs and Web Services
Prevent buffer overflows and ensure your code is safe before adding it to your code
Test your code
Look for flaws early
Make security a priority
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
Common attacks
Organizations have failed to prevent attacks
• Lack of time
• Lack of focus
• Lack of tools / proper tools
Survey: 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data
• SQL injection
• Unvalidated input
• Cross-site scripting
Most breaches result from input trust issues
Heartbleed: buffer overrun
BMW patch: HTTP vs. HTTPS
Security is hard but it’s important
Agile, continuous integration, continuous delivery
Understanding processes
Educating teams
Implementing tools
Enforcing compliance
Measuring success
Adopting new standards
Systems integrators vs. systems builders
Multiple development teams
Who owns security?
Security is everyone’s responsibility
Developers
• Focused on making code functional
• Meeting deadlines
• Developing code faster
• Security is an afterthought
IT
• Cleaning up the aftermath of breaches
• Preventing system hacks
• Creating a safe structure
• Security is a priority
Tools
• Automate detection of vulnerabilities
• Fit into existing processes
• Aggregate reports to see trends
Understanding vulnerabilities
Klocwork: On-the-fly scanning
OpenLogic: Secure open source
“On-the-fly” Analysis | Build Analysis / Test
Organizations need automation and scanning support
Open Source and CVE
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. CVE is used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's system as well as the US National Vulnerability Database.
• Audit your code
• Review CVE
• Monitor & Remediate
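The "audit, review CVE, monitor and remediate" loop above, as an added example that is not part of the seminar or of any Rogue Wave product: a component inventory is matched against CVE records by affected version range and the hits are ordered by severity so the critical issues are triaged first. The CVE ids, product names, versions and scores are constructed placeholders, not real advisories.

```python
"""Match an open-source component inventory against CVE records.
All CVE ids, products, versions and scores here are constructed
placeholders for illustration, not real advisories."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str       # placeholder id in CVE-YYYY-NNNN form
    product: str      # affected open-source product name
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" = no fix yet
    cvss: float       # severity score used for triage ordering


def parse_version(version: str) -> tuple:
    """Turn '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so that
    '1.0.1' < '1.0.1f' < '1.0.1g' < '1.0.2' compare as expected."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def is_affected(version: str, rec: CveRecord) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(rec.introduced):
        return False
    return not rec.fixed or v < parse_version(rec.fixed)


def match_inventory(inventory, feed):
    """Return (component, version, cve_id, cvss) hits, highest CVSS first,
    so the team can remediate the critical issues before the rest."""
    hits = [(name, ver, r.cve_id, r.cvss)
            for name, ver in inventory for r in feed
            if r.product == name and is_affected(ver, r)]
    return sorted(hits, key=lambda h: (-h[3], h[2]))


# Constructed sample feed and inventory (placeholder ids and versions).
SAMPLE_FEED = [
    CveRecord("CVE-0000-0001", "tlslib", "1.0.1", "1.0.1g", 7.5),
    CveRecord("CVE-0000-0002", "tlslib", "1.0.0", "1.0.1", 5.0),
    CveRecord("CVE-0000-0003", "xmlparse", "2.0", "", 9.8),
    CveRecord("CVE-0000-0004", "jsonlib", "3.1", "3.2", 4.3),
]
SAMPLE_INVENTORY = [("tlslib", "1.0.1f"), ("xmlparse", "2.4.1"), ("jsonlib", "3.2")]

if __name__ == "__main__":
    for name, ver, cve, score in match_inventory(SAMPLE_INVENTORY, SAMPLE_FEED):
        print(f"{name} {ver}: {cve} (CVSS {score})")
```

Re-running the match whenever the feed or the inventory changes is the "monitor" step; a component already at the fixed version (jsonlib 3.2 here) produces no hit.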
Defect reduction efforts
OWASP, MISRA, ISO 26262
See where and how the defects are being reduced
Chart defects and establish a baseline in order to focus on priorities
Compliance with standards
Continuous reporting & trending
Agile development team: baseline scanning, triage the critical issues first