Framework Solution for Life Cycle Security
Bar Biszick-Lockwood, CISA, CISSP, CSQA
IT Quality and Security Assurance
http://www.securityprocessprofessional.com
Agenda
IEEE P1074 Standard
Business justification for a different approach
ISO 15408 as guide
Life Cycle Security Process Framework model
Key additions to the Life Cycle
Q&A
© Copyright Bar Biszick-Lockwood/QualityIT Redmond, WA 2003 All Rights Reserved.
The Standard
IEEE P1074
Standard for Developing a Software Project Life Cycle Process
IEEE P1074
“Chinese menu”
Large traceability matrix of activities
Nearly closed system
Assumes no model, process or sequence
Encompasses the entire software life cycle from conception to retirement
Supports projects engaged in any part of a software life cycle process
Structure of the Standard
5 Activity Groups
Organization
Implementation Strategy
Evaluate the scope of the project
Choose a software development methodology model (e.g. waterfall, spiral, “V”, etc.)
Consult the standard and populate the Activities onto the chosen model
“V” model example (diagram: each development phase on the left is verified by the test phase opposite it)
Business Needs ↔ Acceptance Test
Define Requirements ↔ System Test
Design System ↔ Integration Test
Code System ↔ Unit Test
Originating Activity
Receiving Activity
Standards revision problem
Has the business and technology environment changed enough to warrant increased attention to security in a general engineering process standard?
IEEE Standards
Increase in security standards
Overall IEEE constituent activities
IEEE P1074 ISA Team Conclusion
Efforts that do not treat security as an integral part of systems engineering and architecture fail to provide security
It no longer makes any business sense to spend any money, apply any resources and proceed with any software development project unless corporate assets and private customer data will be sufficiently secure
Source: http://www.qualityit.net/Resources/WhitePapers/JustificationForElevatingTheVisibilityAndPriorityOfSecurityActivitiesInTheRevisedIEEEP1074Standard.pdf
Validating the benefit
Evidence warrants increasing the visibility and priority of security activities in the software life cycle process.
How much attention should it get?
What’s the practical value?
What is the benefit relative to other security improvement approaches?
Overview of Security Approaches, last 20 years
Firewalls, IDS: effectiveness decreasing, doesn’t address insider threat
Security Awareness: doesn’t stop dishonest/disgruntled employees
Detection and Response: viruses too fast to detect and contain
Secure coding education (current focus): deflects attention from the root cause of the problem
SANS Top Vulnerabilities Q1 2005
Microsoft Products
Windows License Logging Service Overflow (MS05-010)
Microsoft Server Message Block (SMB) Vulnerability (MS05-011)
Internet Explorer Vulnerabilities (MS05-014 and MS05-008)
Microsoft HTML Help ActiveX Control Vulnerability (MS05-001)
Microsoft DHTML Edit ActiveX Remote Code Execution (MS05-013)
Microsoft Cursor and Icon Handling Overflow (MS05-002)
Microsoft PNG File Processing Vulnerabilities (MS05-009)
Computer Associates License Manager Buffer Overflows
DNS Cache Poisoning Vulnerability
Multiple Antivirus Products Buffer Overflow Vulnerabilities
Oracle Critical Patch Update
Multiple Media Player Buffer Overflows (RealPlayer, Winamp and iTunes)
Secure Coding Practices
1. Enforce security policy consistently
2. Operate with least privilege
3. Manage sensitive data
4. Require strong passwords
5. Protect the kernel
6. Fail safely
7. Bound and mask input fields
8. Limit inputs to buffers
9. Apply rigorous error handling
10. Release threads
11. Clear temp data/objects
12. Remove unnecessary code
13. Log and audit appropriately
Microsoft’s Secure Development Life Cycle (SDL)
SDL Vendor Value
Shifting to Security Mindset
FUNCTIONALITY
Does what it’s supposed to do
Recovers successfully
Errors helpful in recovery
Applications get resources needed
Assures high availability
SECURITY
Does ONLY what it’s supposed to do
Fails securely
Errors don’t provide clues to technology
Applications never exceed range of resources needed
Makes sure anyone who doesn’t need to know doesn’t have the means, motive or opportunity to do so
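The two columns above as an added code example, not code from the presentation: one account-lookup handler written first with the functionality mindset and then with the security mindset, applying practices 2, 3, 6, 7, 8, 9 and 13 from the Secure Coding Practices slide. The handler, the account records and the access-control table are constructed for illustration.

```python
"""Added example: one account-lookup handler written twice, first with the
functionality mindset, then with the security mindset from the slide.
Accounts, ACL and principals are constructed sample data."""
import logging
import re
import uuid

log = logging.getLogger("account-lookup")

# Constructed backend: account id -> (owner, card number on file)
ACCOUNTS = {
    "A1001": ("alice", "4111111111111111"),
    "A1002": ("bob", "5500000000000004"),
}
# Constructed least-privilege table: principal -> accounts it may read
ACL = {"alice": {"A1001"}, "bob": {"A1002"}, "auditor": {"A1001", "A1002"}}

ACCOUNT_ID_RE = re.compile(r"[A-Z][0-9]{4}")  # 7. bound and mask the input field
MAX_INPUT_LEN = 16                            # 8. limit inputs to buffers


def lookup_functional(principal, account_id, backend=ACCOUNTS):
    """Functionality mindset: does what it is supposed to do and recovers
    with helpful errors. Any principal can read any account, and the error
    text reveals the exception type and backend (clues to technology)."""
    try:
        owner, card = backend[account_id]
        return {"ok": True, "owner": owner, "card": card}
    except Exception as exc:  # "helpful" recovery: echo the fault to the caller
        return {"ok": False,
                "error": f"{type(exc).__name__}: {exc} (backend={type(backend).__name__})"}


def lookup_secure(principal, account_id, backend=ACCOUNTS):
    """Security mindset: does ONLY what it is supposed to do, fails securely,
    and the caller learns nothing about why a request was refused."""
    if len(account_id) > MAX_INPUT_LEN:               # 8. limit inputs to buffers
        return _deny("oversized input (%d bytes)", len(account_id))
    if not ACCOUNT_ID_RE.fullmatch(account_id):       # 7. bound and mask input
        return _deny("malformed account id %r", account_id)
    if account_id not in ACL.get(principal, set()):   # 2. least privilege first
        return _deny("authz denied: %s -> %s", principal, account_id)
    try:
        owner, card = backend[account_id]
    except Exception:                                  # 6/9. fail safely: deny on any fault
        log.exception("backend fault while reading %s", account_id)
        return _deny("backend fault")
    # 3. manage sensitive data: the full card number never leaves the service
    return {"ok": True, "owner": owner, "card": "*" * 12 + card[-4:]}


def _deny(reason, *args):
    """13. log and audit the real reason server-side; the caller gets one
    generic message plus an opaque reference for support follow-up."""
    ref = uuid.uuid4().hex[:8]
    log.warning("[%s] " + reason, ref, *args)
    return {"ok": False, "error": "request could not be completed", "ref": ref}
```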
Root cause of failure
Time and money
(Requirements Prioritization)
which is a life cycle issue outside the hands of developers
Why is this so hard?
Developing secure software requires a fundamental shift in perspective, not just by developers, but by the entire organization.
What We Lack
“Wide angle view” of organizational risk and responsibility as it relates to technology security
IEEE P1074 Revision Revelations
Security is a cross-disciplinary organizational risk problem
We can use organizational risk methods to help prioritize security
We can use the project life cycle as the pivot point for effecting incremental organizational change
1074 Revision Recommendations
1. Determine Security Objectives during Envisioning (preferably before project approval for work)
2. Make PMs accountable for assuring the priority of security on the project
3. Execute mandatory Threat Modeling before finalizing design
4. Establish a final Accreditation gate
ISO 15408 “Common Criteria”
Common Criteria for Information Technology Security Evaluation
International standard used to rate the trustworthiness of products
Used by vendors to certify their products
Used by consumers to compare product security
Can be used to guide development of products to a known trust level
Common Criteria Validated Products
Citrix MetaFrame XP Presentation Server with Feature Release 3 – EAL2
Check Point VPN-1/FireWall-1 NG – EAL4
IBM WebSphere Application Server V5.0.2.8 – EAL2+
Oracle7 Release 7.2.2.4.13 – EAL4
Cisco IPSec Crypto System – EAL4
Red Hat Enterprise Linux AS, Version 3 Update 3 – EAL3+
Windows 2000 Professional, Server, and Advanced Server with SP3 and Q326886 – EAL4+
Protection Profiles (PP)
Controlled Access Protection Profile – EAL3
Firewall with strict requirements – EAL5+
Labeled Security Protection Profile – EAL3
Role-Based Access Control Protection Profile – EAL2+
Trusted Computing Platform Alliance Trusted Platform Module PP – EAL3+
Smartcard Integrated Circuit Protection Profile – EAL4+
ISO 15408 Common Criteria “glue” (diagram: three parallel tracks)
SECURITY track: Security Objectives, Compliance & Standards, Security Assessment, Documentation
SDLC track: Vision, Planning and controls, Requirements, Arch. / Design, Construction, Testing, Acceptance & Release, Prod (Pen Testing, Support), Revision
Common Criteria track: Protection Profiles / EAL Criteria, Security Target (initial), Security Profile, Accreditation (Sign Off)
CC Threat Roles (diagram: sources of threats)
Hackers (internal & external)
Administrators (executive & tactical)
Physical Environment
Application/System Developers
System Hardware & Software
Authorized User
ISO 15408 Common Criteria Threat Categories
Administrative error of commission
Administrative error of omission
Administrative hostile modification
Administrator privacy policy violation
Authorization abuse
Component failure
Data smuggling
Denial of receipt
Denial of send
Denial of service attack
Distributed system component failure
Eavesdropping
Encryption hacking
Error invoked breach of confidentiality
Error invoked data inaccessibility
Error related breach of data integrity
Error related breach of trusted security function
Faulty code
Hacker undetected access
Identity spoofing (masquerading)
Malicious code attacks
Man in the middle attacks (intercept and modification)
Misuse of available resources
Non-repudiation controls circumvention
Physical system attacks, profiling and transmission attacks
Power supply attacks
Social engineering
Unauthorized modification
User transmission abuses
Secure Life Cycle Framework (diagram)
Security Objectives → Security Target (initial)
Compare: Security Target (initial) against CC PP/EAL criteria or Acceptability Criteria
Security Project Controls
Application Architecture → Mandatory Threat Modeling → Security Target (final)
Compare: Security Target (final) against Security Profile
Security Accreditation → Acceptance and Release
Inputs to Security Objectives
Influence of Security Objectives
Inputs to Architecture Design
Influence of Architecture Design after Threat Modeling
Inputs to Accreditation Activity
Influence of Accreditation Activity
Current Security Standards
GAISP
ISO 17799
SSE-CMM
ISO 15408
NIST 800x
SANS GIAC
ITIL
CobiT
ISF
ISACA/ISSA collaboration
What is needed
An organizational framework for coordinating
software security efforts
across all disciplines
over the lifetime of the software
Framework Solution for Life Cycle Security (diagram)
Security Objectives → Security Target (initial)
Compare: Security Target (initial) against PP or EAL or Acceptability Criteria
Security Project Controls
Application Architecture → Threat Modeling → Security Target (final)
Compare: Security Target (final) against Security Protection Profile
Security Accreditation → Acceptance and Release
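The two “Compare” steps of the framework, worked as an added example that is not part of the presentation: the initial Security Target is checked against the acceptability criteria during envisioning, threat modeling adds threats before design is final, and the accreditation gate checks the final target against the Security Profile, including anything de-scoped along the way. The class names, countermeasure labels and project data are constructed; the threat names come from the CC threat category slide.

```python
"""Added example (not from the presentation): the two "Compare" steps of the
framework as a checkable accreditation gate. All project data is constructed;
threat names are taken from the CC threat category slide."""
from dataclasses import dataclass, field


@dataclass
class SecurityTarget:
    """Threat -> countermeasures the project commits to; an empty set means
    the threat is known but nothing counters it yet."""
    countermeasures: dict
    verified: set = field(default_factory=set)  # countermeasures that passed testing


@dataclass
class Criteria:
    """PP / EAL criteria, acceptability criteria or the final Security Profile:
    the threats that must be countered before sign-off."""
    required_threats: set


def compare_initial(target: SecurityTarget, criteria: Criteria) -> list:
    """Compare 1 (envisioning): Security Target (initial) against PP/EAL or
    acceptability criteria. Returns required threats with no countermeasure."""
    return sorted(t for t in criteria.required_threats
                  if not target.countermeasures.get(t))


def threat_model(initial: SecurityTarget, found: set) -> SecurityTarget:
    """Mandatory threat modeling before design is final: newly found threats
    enter the target with no countermeasure, so they cannot be silently lost."""
    cms = {t: set(v) for t, v in initial.countermeasures.items()}
    for t in found:
        cms.setdefault(t, set())
    return SecurityTarget(cms, set(initial.verified))


def compare_final(final: SecurityTarget, profile: Criteria,
                  initial: SecurityTarget) -> dict:
    """Compare 2 (accreditation): Security Target (final) against the Security
    Profile, plus a check that nothing planned in the initial target was
    de-scoped on the way (the 'time and money' root cause from the slides)."""
    uncovered = sorted(t for t in profile.required_threats
                       if not final.countermeasures.get(t))
    unverified = sorted({cm for cms in final.countermeasures.values()
                         for cm in cms if cm not in final.verified})
    descoped = sorted(t for t, cms in initial.countermeasures.items()
                      if cms and not final.countermeasures.get(t))
    return {"uncovered": uncovered, "unverified": unverified, "descoped": descoped}


def accreditation_gate(report: dict) -> bool:
    """Sign-off only when every list in the compare report is empty."""
    return not any(report.values())


def run_demo() -> tuple:
    """Walk one constructed project through both compares and the gate."""
    criteria = Criteria({"Eavesdropping", "Authorization abuse",
                         "Identity spoofing (masquerading)", "Faulty code"})
    initial = SecurityTarget({"Eavesdropping": {"TLS"},
                              "Authorization abuse": {"RBAC"},
                              "Identity spoofing (masquerading)": {"MFA"}})
    gap1 = compare_initial(initial, criteria)          # ['Faulty code']
    initial.countermeasures["Faulty code"] = {"static analysis"}   # gap closed
    final = threat_model(initial, {"Man in the middle attacks (intercept and modification)"})
    final.countermeasures["Identity spoofing (masquerading)"] = set()  # cut for schedule
    final.verified = {"TLS", "static analysis"}                        # RBAC never tested
    profile = Criteria(criteria.required_threats | set(final.countermeasures))
    report = compare_final(final, profile, initial)
    return gap1, report, accreditation_gate(report)
```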
Conclusions
Security is an old problem that has become a new priority
Guidance must address business prioritization problems
Injecting security guidance into general process standards will be far more effective than creating dedicated security life cycle guidance.
Unique Effort
A timely, aggressive response to a compelling business need, stressing a Defense in Depth approach
The first effort to formally adapt Common Criteria principles and assets for direct use in the development process
The first effort to comprehensively address Information Security Assurance in an IEEE process standard
The only IEEE standard suggesting overview guidance for security
What you can do to help
IEEE P1074 will ballot on June 6.
If you’re an IEEE Standards Society member, please register & vote
If you are not an IEEE member, express interest to IEEE in this revised standard.
http://standards.ieee.org/myballot
Framework For Software Life Cycle Security Workshop
Two-day workshop
7 hours instruction, 5 hours labs
For PMs, Tech Leads, Devs and Testers
Walks through the entire security life cycle framework using real-world examples
Covers Security Objectives identification, Threat Modeling, PM Responsibilities, Coding and Testing Approaches, Risk communication
Supports Sarbanes-Oxley etc.
Integrates ISO 17799 and ISO 15408 Common Criteria principles into the SDLC
Includes a metric tool
Contact Info
Bar Biszick, CISA, CISSP, CSQA
IT Quality and Security Assurance
[email protected]
http://www.securityprocessprofessional.com
PRESENTATION:http://www.qualityit.net/Resources/Presentations/FrameworkSolution.pdf
Note: Bar Biszick-Lockwood is not a representative of IEEE