next generation strategies for software security in ... ottawa 2014...next generation strategies for...
TRANSCRIPT
Next Generation Strategies for Software
Security in Critical Systems & Securing the
Supply Chain
BSides
Daniel Thanos ([email protected]) Director Advanced Cybersecurity & Strategic Programs
September, 2014
A Confession My presentation title is a sales job!
Most of the strategies out there are not next generation
they are more like going back to the future but being more
practical and incremental in your execution
There really isn’t “critical systems” anymore as everything
is becoming critical as they are built from the same
components and are becoming exponentially connected
Why Software and Supply Chain Security?
No I didn’t want to boil the ocean!
They have become intertwined and are inseparable
All modern software (and firmware/hardware)
development (open source and commercial) is based
on global and complex supply chains
The world is becoming software defined therefore so
are all supply chains!
Some Ground Truth Technology innovation and business disruption is good and needs to be better embraced and leveraged in security strategy or security will simply not be built-in and we will have to secure the impossible after the fact
Security through prohibition is no longer a tenable strategy for most businesses/organizations that want to remain competitive on multiple fronts
The world of discrete hardware devices and networks which sit behind well defined security perimeters is being displaced by massively complex systems based on mobility, software defined systems, web APIs, virtualization, clouds, and an exponential rise of IoT devices that increasingly have no physical or cyber boundaries.
Nextgen security models will increasingly need to be distributed, cloud-based, make use of more intelligent monitoring and analytics but fundamentally rely on a much stronger basis in software and supply chain security
The Problem: Poor Technology Evolution and its Path to Security
Design and standards specification phase:
Security? Everything is trusted and too “advanced” to hack or hand waving design addresses this.
Product development and deployment phase:
Security? Yes there are “issues” but solutions exist, just plug in your magic security box or give your holy water blessing.
Secure this phase:
Security!!? Please secure this new paradigm changing technology with no budget and/or disruptions to schedule or operations.
Security needs to be here Security typically found here
Innovators ENG/DEV/OPS
Professional Paranoid Hypochondriacs
(Security Team)
Innovation & disruption are a strength when security is on the correct side of it
Software and Supply Chain Insecurity:
Root Cause of Most Breaches Many of the large scale data breaches that have occurred
last year and this year have software and supply chain
security issues at their core
Many simple attacks directly leverage vulnerabilities in
software (e.g. many classes of web attacks based on SQL
Injection, XSS, etc. )
Most complex attacks/APTs involve multistage
penetrations that exploit software vulnerabilities (e.g.
known or unknown 0days) in combination with social
engineering
Exploiting the supply chain through leveraging trusted
access and weaknesses in vendor products and services
that support targeted organizations is evolving into a potent
weapon for advanced adversaries (e.g. use of HVAC system
access in the Target data breaches)
State of Software Security Relatively mature when it comes to established practices and toolsets for
various types of software development- e.g. (web, enterprise, embedded, etc.)
Practices are not consistently applied across many products and the supply
chains that support them
Many systems and critical infrastructure industries (e.g. SCADA/ICS,
Energy, Healthcare, Embedded/IoT, etc.) lag in best practices for many reasons
Recent key trends: Heartbleed bug (large scale and eye opening for the industry), many back doors being discovered in products, especially poor
security being exposed in many critical systems and embedded devices
The homogenization/commoditization of the supply chain (e.g. convergence
towards generic platform OSs like Linux and Windows will continue) which increasingly relies on more common code bases with systems/networks having
heavy reliance on both commercial and open source products
All of the above trends are driving increased risks across many industries-
particularly critical ones: Energy, Manufacturing, Telecom, Financial Services, Healthcare, etc.
In many cases very simple (and often known) vulnerabilities are being
exploited by system attackers- making some minor and incremental
improvements here can provide substantial dividends in terms of preventing many system penetrations, both simple and advanced.
Increasing Cross-
Industry Risk
Increasing Vulnerabilities
and Exploitation
Inconsistent Application of
Mature Practices
Homogenization &
Commoditization
Lagging Critical Systems
There is a gap between
established security practices and
applying them and it can’t be
addressed through technical
strategies or simple education
campaigns alone, it requires a
market driven solution
State of Supply Chain Security The issue is well understood in high security organizations in
the government and private sector
Comprehensive programs exist particularly in the defense
sectors but they are cost prohibitive for general commercial industry
High assurance certifications (e.g. Common Criteria, FIPS, etc.)
are common and well understood particularly in government
environments but they can’t scale to general commercial systems
Even high security environments face considerable budget
challenges and need to leverage COTS, this further necessitates a
middle ground alternative to high assurance certifications
In general commercial industry is early in the process of
understanding and establishing comprehensive supply chain security
programs particularly for software products. For organizations that
are starting programs it is largely driven by dealing with higher
security government entities for the first time
Trustworthy model for supply chain and software security: In between the spectrum of no security to high assurance there is room for a middle
ground that can be equally effective and scalable across the market . In
reality when based on continuous verification it can better than HA certs alone
High Assurance
Certification
Trustworthy
No Security
Area of
greatest
promise
and
value
Why Trustworthy Systems?
Certifications + Compliance = Reduced Risk
Certifications + Compliance ≠ High Assurance Security
Trustworthy Systems ≈ Defensible Systems
Higher Assurance Security
Software Security Strategy Start with risk discovery in your engineering process and that of your supplying vendors and begin to identify and asses technical
and process risks. Share results with business and technology stakeholders and be transparent
Distribute questionnaires (that non-experts can understand) that ask about how security is being applied in the development process and how it is
supported once the product is in the field
Run or ask for the results of dynamic (e.g. fuzzing) or static (e.g. source/binary code scans) security analysis tests of code (preferably source) or use
tools that can do some analysis on binaries
Start with some simple vulnerability scanning, move to penetration testing, and evolve towards more advanced red teaming activity against systems to
adequately test the security of a system end-to-end from a true adversary.
Insert your Secure Development Lifecycle (SDL) of choice here __________ but apply incrementally and take a risk driven
approach and start parallel threads. Think like a lean startup- e.g. do the bare minimum in the beginning to get started and then
rapidly iterate and improve. Remember to empower your engineers and system developers along the way with design and coding practices they can understand,
Focus on a Trustworthy model which is based on practical and evidentiary measures of security in each step of the SDL (e.g.
number of open critical/high vulnerabilities in code, number and type of dynamic and static security tests passed, number and
quality of security requirements met, etc.)
SDL Points of Improvement:
• Greater emphasis on the correct use of static and dynamic security testing tools
• Making hardening secure configuration guides part of the process
• Better integrating penetration testing and red team based activities early (e.g. alternative analysis and verification of design and security testing of sourced components) in the process
Market Driven Strategy Software security is really a demand side economic problem, there is adequate supply of tools and expertise
but they need to be prioritized and applied
The procurement process applied against the supply chain by just a few large industry players in a considered
and practical way can seed the demand but applied in isolation by various organizations lacks the ability to scale
and sustain an industry change
A Trustworthy model of continual security verification is needed based on practical and evidentiary artifacts
and tests that are low cost and relatively automated and tied to key aspects of the SDL.
The verification should provide a certificate/attestation that allows for a clear competitive advantage by a
vendor that passes it as well it should be consistent so that it can universally be applied as a procurement
standard. This saves both the vendor and the acquiring organization a great deal of time and money and delivers
something that can truly scale in a large commercial market.
The recently announced Codenomicon CodeVerified program offers an interesting model to consider for
some aspects of this needed Trustworthy concept of verification in regards to fuzz testing and basic binary
analysis. It would be good to see other SDL tool vendors come to the plate with similar programs- e.g. verification
certificates for static code analysis, vulnerability scanning, basic security design, etc.
Longer Term R&D Strategy
Nextgen software security analysis
•Intelligent forms of binary static and dynamic analysis that apply machine learning methods to better identify innate vulnerabilities and malicious behavior in machine code.
•Intelligent forms of fuzzing that take into account program and data state in order to optimally search through the infinite state-space problem and get to vulnerable points in code more often and in a more timely fashion
•Deeper analysis into defining upper and lower bounds of fuzzing in order to have a quantitative model for understanding how much fuzzing is enough given some measure of complexity for a protocol, program, or data that it processes
•More security intelligent forms of static/dynamic analysis of source code looking for deeper vulnerability patterns and flawed security design/implementation
Tamper & exploit resistant software
•More research into secure compilers and runtimes for building tamper controls into the control/data flow of programs.
•Applying trusted platform hardware security elements to continuous runtime protections and verifications for detecting/preventing software vulnerability exploitation
•Continued research into using entropy and diversification in novel ways to further frustrate and degrade an attackers ability to execute mass exploitation
Applying adversarial methods
•Polymorphism and diversity in code as a mechanism for creating diversity and hence defeating trivial/mass exploitation
•Anti-reverse engineering/debugging methods that delay and frustrate attackers when trying to research and find vulnerabilities
•Introduction of obfuscation methods as well as techniques of evasion so that security monitoring processes cannot be trivially identified and disabled
Summary Embrace innovation and disruption
•Allow businesses to succeed and be competitive through enabling risk taking- e.g. don’t try to eliminate risk through prohibitions or over engineering security but intelligently manage risk through proportionate measures that incrementally/continually improve over time
•Anticipate new technology and trends and be on the forefront of developing new and innovative security models to enable them
•Understand how adversarial/malicious technology actually works and how threat actors use it while simultaneously using it for novel security technologies/defenses
Pick all the rotting and low hanging fruit first
•Start as simple and cheap as possible in your software and supply chain security programs, use a lean start up mentality- e.g. start with the minimum and rapidly iterate and improve.
•Focus on practical and incremental software and supply chain security programs- e.g. perfection is not the goal but being more aware and secure than yesterday is
• Inject security practices into the procurement process as product/service requirements, nothing motivates improved practices like knowing a cheque is attached to them.
•Educate, educate, educate. Make management and developers/engineers aware and get them trained in secure engineering/development practices.
•SDLs are not built overnight but you can’t wait to roll out the perfect one either, start by using the static and dynamic security analysis/testing tools to know your risks and start to build enforcement as processes and training get formalized.
Develop market and incentive driven security strategies
•Security professionals now more than ever need to understand market forces and use them to their advantage, so it is really important to understand the business that you and your supply chain is in and what competitive forces mold it. Get a mentor on the business side of your org to help you get that understanding and knowledge.
•The vendor needs to have security attestations to market that provides competitive differentiation but also doesn’t create too much barrier to entry as that will limit competitiveness, scale, and innovation
•The security community needs to develop and encourage more lower cost and agile “trustworthy” based verifications vs. just hard high assurance certifications