The Need for Open Software Security Standards in a Mobile and Cloudy World

Upload: denim-group

Post on 21-Jan-2015

DESCRIPTION

The security landscape is changing and the security industry must adapt to stay relevant. The economic and scale benefits of the cloud are causing organizations to move sensitive business processes and data outside of the safety of the corporate environment. New business models and other opportunities to create value through innovation are moving sensitive data and code onto untrusted mobile devices. Organizations are going to adopt these new cloud and mobile technologies and information security practitioners will be forced to evolve current models for risk management and mitigation. This presentation discusses the need for open software security standards to support this evolution. Being required to trust cloud service providers leads to a need for increased visibility into the software security practices of those providers. In addition, reliance on these providers’ software as well as the requirement to place software in untrusted environments such as mobile devices creates a demand for better standards for evaluating the security state of complicated systems. Many previous efforts have been focused on proprietary models that failed to provide sufficient insight or on models that lacked a level of technical rigor required to provide assurance. The solutions to these issues are open standards that are based on the real risks organizations encounter when adopting cloud and mobile technologies and the presentation outlines potential paths forward that can provide risk managers with the assurances they need while also freeing up businesses to intelligently consume emerging technologies.

TRANSCRIPT

Page 1: The Need For Open Software Security Standards In A Mobile And Cloudy World

© Copyright 2011 Denim Group - All Rights Reserved

The Need for Open Source Security Standards in a Mobile and Cloudy World

Dan Cornell

CTO, Denim Group

@danielcornell

Page 2

Bio: Dan Cornell

• Founder and CTO, Denim Group

• Software developer by background (Java, .NET)

• OWASP

– San Antonio Chapter Leader

– Open Review Project Leader

– Chair of the Global Membership Committee

• Speaking

– RSA, SOURCE Boston

– OWASP AppSec, Portugal Summit, AppSecEU Dublin

– ROOTS in Norway

Page 3

Denim Group Background

• Secure software services and products company

– Builds secure software

– Helps organizations assess and mitigate risk of in-house developed and third party software

– Provides classroom training and e-Learning so clients can build software securely

• Software-centric view of application security

– Application security experts are practicing developers

– Development pedigree translates to rapport with development managers

– Business impact: shorter time-to-fix application vulnerabilities

• Culture of application security innovation and contribution

– Develops open source tools to help clients mature their software security programs

• Remediation Resource Center, ThreadFix, Sprajax

– OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI

– World class alliance partners accelerate innovation to solve client problems

Page 4

The World Is Mobile and Cloudy

• And Will Be Getting More So

• Deal With It

Page 5

What Are Executives Actually Scared Of?

• Fuel Price Changes

• Physical Security

• Global economy

• Cross-Site Scripting(?)

• Security needs to be aware of this when they weigh in

Page 6

Mobile: Risk and Value

• Mobile applications can create tremendous value for organizations

– New classes of applications utilizing mobile capabilities: GPS, camera, etc

– Innovating applications for employees and customers

• Mobile devices and mobile applications can create tremendous risks

– Sensitive data inevitably stored on the device (email, contacts)

– Connect to a lot of untrusted networks (carrier, WiFi)

• Most developers are not trained to develop secure applications

– Fact of life, but slowly getting better

• Most developers are new to creating mobile applications

– Different platforms have different security characteristics and capabilities

Page 7

Generic Mobile Application Threat Model

Page 8

What Mobile Users Are You Concerned About?

• Mobile Application Users

– Enterprise Users: Employees, Partners

– Customer Users: Paid Application Users, Convenience Users

Page 9

Cloud

• Cost Savings

• Ease of Deployment

• Flexibility

• Security?

Page 10

This is (was) Your Threat Model

Page 11

This is Your Threat Model on “Cloud”

Page 12

Security Team’s First Concern…

• Stay in the Conversation

• Identify these initiatives

• Make sure you get to participate

• This means you have to add value

Page 13

Innovation Pressure Leads to Rogue Mobile Efforts

• "We're thinking about doing some mobile applications"

• "Actually your iPhone app went live 6 months ago and your Android app went live last week…"

• Initiatives being driven from “Office of the CTO”, R&D, and Marketing

Page 14

Cost and Ease of Use Pressures Lead to Rogue Cloud Deployments

• "What do you mean the CEO's IT trouble tickets are handled by a SaaS provider?"

• "When did we start using BaseCamp and Google Docs to manage customer projects?"

• Any employee with a $500/month corporate credit card can now be their own purchasing officer

Page 15

Procurement Challenges

• How do we better judge risk?

• How can we make the decision process simpler?

Page 16

What Are App Stores Promising Stakeholders?

• What does Apple do?

• What does Google do?

• What does your enterprise do?

Page 17

Challenges for Both Suppliers and Consumers

• Did you want an automated scan or a full design assessment with manual source code review?

• 'Cause that has an impact on scope and price…

• Consumers of software and services must be able to articulate the level of security assurance they require

– Otherwise it is a financial race to the bottom

– RFPs: Garbage in, garbage out

Page 18

Service Provider Dilemma

• Certain customers want some sort of assurance, but are not necessarily sophisticated and do not know what to ask for

• Other customers require deeper assurance

Page 19

We Need a Better Way To Communicate

• Processes

• Results

Page 20

What Have We Tried in the Past?

• Common Criteria

• PCI-DSS

Page 21

Common Criteria

20

or

Page 22

Payment Card Industry Data Security Standards

• Initially based on OWASP Top 10

• Now more open, but still based on vulnerability lists

Page 23

Recent Developments

• Process:

– OpenSAMM

– BSIMM

• Results:

– Penetration Testing Execution Standard (PTES)

– OWASP Application Security Verification Standard (ASVS)

Page 24

Geekonomics by David Rice

• Great insight into economic and legal issues for software security and reliability

• Calls for better software construction and testing standards

Page 25

Comparing Software to Food

• Jeff Williams and nutrition labels for software

• John Dickson and restaurant cleanliness ratings

Page 26

OpenSAMM and BSIMM

• Externally look very similar

– Both are three-level maturity models

– Both have 12 different major areas of concern

• Methodology is very different

– BSIMM based on data from industry leaders

– OpenSAMM based on general industry consensus

Page 27

Penetration Testing Execution Standard

• Emerging standard for penetration testers

• Suitable for operational environments

Page 28

Application Security Verification Standard

• Defines multiple levels to correspond with the degree of inspection

• Currently available for web applications, but other derivatives in the works

Page 29

A Case Study

• Service provider for financial services industry

• Hounded by small and large clients

Page 30

A Case Study (continued)

• Used a combination of OpenSAMM and OWASP ASVS

• Extended to meet certain special requirements

• Detailed report provided to client

• Summary report provided to interested parties

Page 31

So What Does This Get Us?

• Application consumers can know what they are getting

• Application providers can clearly communicate the security state of their offerings

• World peace?

Page 32

And What Are We Still Lacking?

• Is a “standard” being appropriately applied?

• Is the evaluation being done at an appropriate technical granularity?

• How do you report and communicate business risk?

• How do you avoid a “checkbox” mentality?

Page 33

What Can You Do To Be a Winner?

• Involve yourself in these key conversations

• Discuss your verification requirements

• Secure your right to test

• Reward the good and punish the bad

Page 34

References

• Geekonomics

– http://www.geekonomicsbook.com/

• Common Criteria

– https://secure.wikimedia.org/wikipedia/en/wiki/Common_criteria

• Building Security In Maturity Model (BSI-MM)

– http://bsimm.com/

• Open Software Assurance Maturity Model (OpenSAMM)

– http://www.opensamm.org/

• Penetration Test Execution Standard (PTES)

– http://www.pentest-standard.org/

• OWASP Application Security Verification Standard (ASVS)

– https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

Page 35

Questions?

Dan Cornell

[email protected]

Twitter: @danielcornell

www.denimgroup.com

blog.denimgroup.com

(210) 572-4400
