Unrestricted within the BSIMM Community – no further distribution © Siemens Healthcare Diagnostics Inc. 2015 All rights reserved. Securing Our Customers' Trust.

Page 1

Software Security, Healthcare and the BSIMM
BSIMM Europe, 2015-05-14
Jim Jacobson

Page 2

Siemens Healthcare Diagnostics, Product Security & Privacy Office

Who is Siemens Healthcare Diagnostics (DX)?

Page 3

The Big Picture at Siemens

Siemens divisions: Wind Power and Renewables, Power and Gas, Power Generation Services, Energy Management, Building Technologies, Mobility, Digital Factory, Process Industries and Drives, Corporate Technology, Healthcare

BSIMM practice: Strategy and Metrics

Page 4

The Big Picture at Siemens: Software Security Initiative at Siemens – PSS

PSS = Product & Solution Security (Siemens) = Software Security (BSIMM)

GUIDANCE
GOVERNANCE: HEALTHCARE, Global Procedure - Healthcare -

BSIMM practices: Strategy and Metrics, Standards and Requirements

Page 5

Organization

CEO
Chief PSS Officer
BU PSS Officers++
Project++
Product Security Champion++
Product Security Lead++
Oversight++: Process Review++, Technical Review++
Extended Security Team: PSS Experts++
Expert Program Manager: PSS Experts++
Government & Business Opportunities: Strategic Initiative Manager
Data Protection Advisor
Business Unit Software Security Group (x4): Translation, Execution & Support
DX Software Security Group: Strategy, Governance & Solutions
BU Product Security Office / Siemens Healthcare DX Product Security & Privacy Office
Satellite

BSIMM practices: Strategy and Metrics, Compliance and Policy, Security Features and Design, Architectural Analysis, Penetration Testing

Page 6

PSS Drivers in Siemens Healthcare

Standards: Industry, Siemens
Regulation: Patient Safety, Privacy
Customers: Government, Commercial
Competition

BSIMM practices: Strategy and Metrics, Compliance and Policy

Page 7

PSS Drivers: FDA

Regulation: Patient Safety, Privacy
Pre-Market Approval
Quality System Audits
Field Actions

BSIMM practice: Compliance and Policy

Page 8

The Quality System Drives Compliance (Not the Other Way Around)

Product Development: Product Development Process, Secure Software Development, Integrated Security Testing, OEMs and Suppliers
Product Health: Incident Handling, Vulnerability Monitoring, Patch Management, Risk Management
Training and Expertise
Global Procedure GP-099
Evolving Security Landscape: FDA & Other Regulation, Industry Standards, Siemens PSS Guide, Customer Requirements, Competitive Benchmarking

BSIMM practices: Strategy and Metrics, Compliance and Policy

Page 9

Key Components of the Global Procedure GP-099

Threat & Risk Analysis
Vulnerability Monitoring
Incident & Vuln. Handling
Project Templates
Overall Security Plan
Secure Supplier Plan
Commercialization Checklist
Customer Security Documents
IH-VH Task Force Registration
SVM Registration
Patch Management Plan
Incident Quality Goals
Incident Quality Report
Master Requirements List
Expertise: Training Requirements, Expert Requirements

BSIMM practices: Strategy and Metrics, Compliance and Policy, Standards and Requirements, Architectural Analysis, Security Testing, Penetration Testing, Configuration & Vulnerability Mgmt.

Page 10

Project Activities Defined by the Global Procedure

Phases: Planning, Feasibility, Implementation, Verification, Controlled Release, Commercialization

Activities: PSS classification, threat & risk analysis, information access control, documentation restrictions, usability, static code analysis, coding standards, code reviews, design reviews, vulnerability scanning, fuzz testing, pen testing, patch management

BSIMM practices: Strategy and Metrics, Attack Models, Standards and Requirements, Architectural Analysis, Code Review, Penetration Testing, Security Testing

Page 11

What About Compliance?

BSIMM practices: Compliance and Policy, Standards and Requirements

Page 12

How We Work Together

Expert Program Manager: PSS Experts++
Government & Business Opportunities: Strategic Project Manager
Data Protection Advisor
CEO
Project++
Product Security Champion++
Product Security Lead++
Oversight++: Process Review++, Technical Review++
Extended Security Team: PSS Experts++
BU PSS Officers++
Chief PSS Officer

Page 13

Product Security & Privacy Office

How We Work Together

Common Solutions, Shared Expertise, One Quality System, Local Implementations

Joint Strategy:
Strategy: Quarterly Strategy Sessions
Maturity Assessment
Uncovering Unique Challenges
Establish & Maintain Roadmap
Resulting in Strategic Initiatives

Roles: Expert Program Manager, Government & Business Opportunities, Strategic Project Manager, Data Protection Advisor, BU PSS Officers++, Chief PSS Officer, PSS Experts++

Page 14

PSS Maturity From The Beginning

[Chart residue: y-axis from 0.00 to 1.00; data labels as extracted, in chart order: 3/3, 2+/3, 3/3, 2+/3, 2+/3, 0+/3, 1+/3, 0+/3, 0+/3, 3/3, 1/2, 0+/2]

Q3FY12: 07.7%
Q4FY12: 08.9%
Q1FY13: 10.0%
Q2FY13: 12.5%
Q3FY13: 17.2%
Q1FY14: 27.0%
Q2FY14: 45.6%
Q4FY14: 60.1%
Q2FY15: 72.6%

Page 15

Product Security Dashboard

BSIMM practice: Strategy and Metrics

Dashboard Redacted for Distribution

Page 16

Challenges and Initiatives

Challenge | Initiative
Insecure Legacy Products | ALPS: Assessment of Legacy Product Security
Selling to the US DoD | Managed DoD Program
Unpatchable Products | PoP: Patch our Products
Too Many Hardening Activities | SBI: Secure Baseline Image
PSS Expert Shortage in the BUs | PSS Expert Program

Page 17

Challenges and Initiatives


Page 18

PSS Expert Program

Resources: Guidance Documents, SharePoint Collab, Distribution Lists, Security Tooling
Education: PSS Foundational, Security Boot Camp, Secure Coding, Pen Testing Certification, HCISPP, CISSP, CISLP
Contribution: Hardening Measures, Vulnerability Scans, Pen and Fuzz Testing, Risk Assessments, Incident Handling, Patch Management
Events: Quarterly Round-Robin, Annual Black Hat F2F, DX Internal Bug Bounty

BSIMM practices: Strategy and Metrics, Training, Security Features and Design, Code Review, Security Testing, Penetration Testing

Page 19

PoP: Patch our Products

Tier | Customer Participates | Siemens Healthcare End-to-end
Gold | Self-Administered | Remote Update
Silver | Secure Download | Remote Session
Bronze | Send Media | Service Call

Process flow:
Monitoring: Knowledge DB, Vendor update; Scanning, filtering, analysis; Process, investigate, consolidate
Product Sustaining Engineer (also responsible for complete cycle)
Notification
Verification Engineer, Product Support Engineer
Patch Delivery Engineer
Report, Package

Page 20

SBI: Secure Baseline Image Program

Siemens Security Suite – built-in anti-malware, patch management and remote support
Security Checked – hardened, tested and maintained compliant with security standards

Image pipeline: blank hard drive -> hardening -> hardened -> testing -> hardened and tested -> product development

Old: for every security update, for every product
New: used in multiple products; built in by the supplier

BSIMM practice: Security Features and Design

Page 21

Security Tooling – Centrally Provided and/or Coordinated

Training & Licensing: Direct Training, Vendor Training, License Coordination, License Seeding
In the Product: Whitelisting, Traditional AV (Blacklisting), Patch Management, Remote Support, Remote Monitoring
Development: Code Analysis, Code Signing, Project Classification, Threat & Risk Analysis
Testing: Vulnerability Monitoring, Vulnerability Scanning, Hardening Standards, Fuzzing

BSIMM practices: Training, Attack Models, Architectural Analysis, Code Review, Security Testing, Software Environment

Page 22

Supply Chain Management

Suppliers:
Custom Software & OEM: Gold / Silver / Bronze
COTS & Other OTS: Qualified / Unqualified
Combined H/W & S/W: Strategic / Non-strategic
Cloud Computing

BSIMM practice: Compliance and Policy

Page 23

Training Required by Global Procedure

Training | Description
Product Security Awareness | Posters, flyers, in-person presentations; interactive self-guided version pending
Basic Security Concepts | 2-day classroom session through Learn@Siemens; web-based pending
Secure Coding Basics | Self-guided, web-based
General Secure Coding | 2-day classroom session / self-guided, web-based
Expert-level Security Training | Part of comprehensive Siemens program (external & internal)
Security Incident Coding | Self-guided through Learn@Siemens
Security Vulnerability Monitoring | Recorded webinar and online PSS Guide
Security Incident Handling | Self-guided document review and online PSS Guide
Secure Product Development | Self-guided presentation
PSS Officer | 4-day classroom session through PSS Initiative

BSIMM practices: Training, Attack Models, Code Review, Configuration & Vulnerability Mgmt.

Page 24

Awareness, Outreach, Collaboration

https://moss-us.healthcare.siemens.com/content/20002385/

BSIMM practice: Standards and Requirements

Page 25

Thank You

Any questions?

Page 26

Filling Holes

Legend: Via Siemens Corporate | Just launched | In development

BSIMM activities: [CP3.2], [T2.6], [T3.1], [SR1.4], [SR3.2], [AA2.3], [CR2.5], [ST2.1], [AM1.4], [AM1.5], [AM3.1], [PT3.1], [SE1.2], [CP2.1], [SM3.2], [CP3.3], [T3.3], [SE2.2]

Page 27

Additional Material

Page 28

PaSS-Time Events

Hacking Web Applications for Fun and for Profit

Typical Findings in Enterprise Application Hacking Attacks

Privacy by Design

Security Vulnerability Monitoring

Public Key Infrastructure

Mobile Top 10 Security Risks

Security Incident Handling and Vulnerability Handling

PSS Project Classification

Security Certification & Accreditation in a Regulated Environment

Static Code Analysis Supports Secure Coding

Cleaning up the Past: Secure Handling of Credentials in Medical Devices

BSIMM practice: Training

Page 29

Functions Requiring Training per Global Procedure

Software Development

Service & Support

Project Team Members

Engineering Management

Program Management

Marketing

Product Management

Regulatory Affairs

Quality Management

Supply Chain Management

Procurement

PSS Officer

Legal

Corporate Communications

BSIMM practice: Training

Page 30

Awareness, Outreach, Collaboration

https://intranet.healthcare.siemens.com/cms/DX/en/Departments/PSPO/

Page 31

Reference

Page 32

Reference: SM

[SM1.1] Publish process (roles, responsibilities, plan), evolve as necessary.
[SM1.2] Create evangelism role and perform internal marketing.
[SM1.3] Educate executives.
[SM1.4] Identify gate locations, gather necessary artifacts.
[SM1.6] Require security sign-off.
[SM2.1] Publish data about software security internally.
[SM2.2] Enforce gates with measures and track exceptions.
[SM2.3] Create or grow social network/satellite system.
[SM2.5] Identify metrics and use them to drive budgets.
[SM3.1] Use internal tracking application with portfolio view.
[SM3.2] Run external marketing program.

GOVERNANCE: Strategy and Metrics

Page 33

Reference: CP

[CP1.1] Unify regulatory pressures.
[CP1.2] Identify PII obligations.
[CP1.3] Create policy.
[CP2.1] Identify PII data in systems (inventory).
[CP2.2] Require security sign-off for compliance-related risk.
[CP2.3] Implement and track controls for compliance.
[CP2.4] Paper all vendor contracts with SLAs compatible with policy.
[CP2.5] Promote executive awareness of compliance and privacy obligations.
[CP3.1] Create regulator eye-candy.
[CP3.2] Impose policy on vendors.
[CP3.3] Drive feedback from SSDL data back to policy (T: strategy/metrics).

GOVERNANCE: Compliance and Policy

Page 34

Reference: T

[T1.1] Provide awareness training.
[T1.5] Offer role-specific advanced curriculum (tools, technology stacks, bug parade).
[T1.6] Create and use material specific to company history.
[T1.7] Deliver on-demand individual training.
[T2.5] Enhance satellite through training and events.
[T2.6] Include security resources in onboarding.
[T2.7] Identify satellite during training.
[T3.1] Reward progression through curriculum (certification or HR).
[T3.2] Provide training for vendors or outsource workers.
[T3.3] Host external software security events.
[T3.4] Require annual refresher.
[T3.5] Establish SSG office hours.

GOVERNANCE: Training

Page 35

Reference: AM

[AM1.1] Build and maintain a top N possible attacks list.
[AM1.2] Create data classification scheme and inventory.
[AM1.3] Identify potential attackers.
[AM1.4] Collect and publish attack stories.
[AM1.5] Gather attack intelligence.
[AM1.6] Build internal forum to discuss attacks (T: standards/req).
[AM2.1] Build attack patterns and abuse cases tied to potential attackers.
[AM2.2] Create technology-specific attack patterns.
[AM3.1] Have a science team that develops new attack methods.
[AM3.2] Create and use automation to do what the attackers will do.

INTELLIGENCE: Attack Models

Page 36

Reference: SFD

[SFD1.1] Build and publish security features.
[SFD1.2] Engage SSG with architecture.
[SFD2.1] Build secure-by-design middleware frameworks/common libraries (T: code review).
[SFD2.2] Create SSG capability to solve difficult design problems.
[SFD3.1] Form review board or central committee to approve and maintain secure design patterns.
[SFD3.2] Require use of approved security features and frameworks (T: AA).
[SFD3.3] Find and publish mature design patterns from the organization.

INTELLIGENCE: Security Features and Design

Page 37

Reference: SR

[SR1.1] Create security standards (T: sec features/design).
[SR1.2] Create a security portal.
[SR1.3] Translate compliance constraints to requirements.
[SR1.4] Use secure coding standards.
[SR2.2] Create a standards review board.
[SR2.3] Create standards for technology stacks.
[SR2.4] Identify open source.
[SR2.5] Create SLA boilerplate.
[SR3.1] Control open source risk.
[SR3.2] Communicate standards to vendors.

INTELLIGENCE: Standards and Requirements

Page 38

Reference: AA

[AA1.1] Perform security feature review.
[AA1.2] Perform design review for high-risk applications.
[AA1.3] Have SSG lead review efforts.
[AA1.4] Use risk questionnaire to rank apps.
[AA2.1] Define and use AA process.
[AA2.2] Standardize architectural descriptions (include data flow).
[AA2.3] Make SSG available as AA resource/mentor.
[AA3.1] Have software architects lead design review efforts.
[AA3.2] Drive analysis results into standard architectural patterns (T: sec features/design).

SSDL TOUCHPOINTS: Architectural Analysis

Page 39

Reference: CR

[CR1.1] Create top N bugs list (real data preferred) (T: training).
[CR1.2] Have SSG perform ad hoc review.
[CR1.4] Use automated tools along with manual review.
[CR1.5] Make code review mandatory for all projects.
[CR1.6] Use centralized reporting to close the knowledge loop and drive training (T: strategy/metrics).
[CR2.2] Enforce coding standards.
[CR2.5] Assign tool mentors.
[CR2.6] Use automated tools with tailored rules.
[CR3.2] Build a factory.
[CR3.3] Build capability for eradicating specific bugs from entire codebase.
[CR3.4] Automate malicious code detection.

SSDL TOUCHPOINTS: Code Review

Page 40

Reference: ST

[ST1.1] Ensure QA supports edge/boundary value condition testing.
[ST1.3] Drive tests with security requirements and security features.
[ST2.1] Integrate black box security tools into the QA process (including protocol fuzzing).
[ST2.4] Share security test results with QA.
[ST3.1] Include security tests in QA automation.
[ST3.2] Perform fuzz testing customized to application APIs.
[ST3.3] Drive tests with risk analysis results.
[ST3.4] Leverage coverage analysis.
[ST3.5] Begin to build and apply adversarial security tests (abuse cases).

SSDL TOUCHPOINTS: Security Testing

Page 41

Reference: PT

[PT1.1] Use external pen testers to find problems.
[PT1.2] Feed results to defect management and mitigation system (T: config/vuln mgmt).
[PT1.3] Use pen testing tools internally.
[PT2.2] Provide pen testers with all available information (T: AA & code review).
[PT2.3] Periodic scheduled pen tests for application coverage.
[PT3.1] Use external pen testers to perform deep dive analysis (one-off bugs/fresh thinking).
[PT3.2] Have SSG customize penetration testing tools and scripts.

DEPLOYMENT: Penetration Testing

Page 42

Reference: SE

[SE1.1] Use application input monitoring.
[SE1.2] Ensure host/network security basics are in place.
[SE2.2] Publish installation guides created by SSDL.
[SE2.4] Use code signing.
[SE3.2] Use code protection.
[SE3.3] Use application behavior monitoring and diagnostics.

DEPLOYMENT: Software Environment

Page 43

Reference: CMVM

[CMVM1.1] Create/interface with incident response.
[CMVM1.2] Identify software defects found in operations monitoring and feed back to development.
[CMVM2.1] Have emergency codebase response.
[CMVM2.2] Track software bugs found during ops through the fix process.
[CMVM2.3] Develop an operations inventory of apps.
[CMVM3.1] Fix all occurrences of software bugs from ops in the codebase (T: code review).
[CMVM3.2] Enhance dev processes (SSDL) to prevent cause of software bugs found in ops.
[CMVM3.3] Simulate software crisis.
[CMVM3.4] Operate a bug bounty program.

DEPLOYMENT: Configuration Management and Vulnerability Management