Beyond ISO 27034 - Intel's Product Security Maturity Model .
Beyond ISO 27034- Intel's Product SecurityMaturity Model (PSMM)Harold ToomeySr. Product Security Architect & PSIRT ManagerIntel Corp.2 October 2015@NTXISSA #NTXISSACSC3
AgendaApplication / Product / Software Security The What The How The When Agile SDL(Security Dev. Lifecycle) ISO 27034SDLCNTX ISSA Cyber Security Conference – October 2-3, 2015PSMMOrg structure20 ParametersMetricsMS Office@NTXISSA #NTXISSACSC32
The WhatNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC33
ISO 27034 .ISO 27001/2: IT SecurityISO 27034: Application Security Part 1: Overview & concepts (Nov. 2011)Part 2: Organization normative framework (Aug. 2015)Part 3: Application security management processPart 4: Application security validationPart 5: Protocols and application security controls datastructurePart 6: Security guidance for specific applicationsIndicates what needs to be doneProcess focusedNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC34
Agile cklogPSISprintsEvolving ArchitectureSprint 1 NTX ISSA Cyber Security Conference – October 2-3, 2015Sprint nAttack TXISSA #NTXISSACSC35
Agile SDLCPlan ofIntentProgramBacklogTeamBacklogInvestment Themes,Epics (Viability,Feasibility, umDevelopment& TestSprintReview &RetrospectiveRelease toCustomer1-4 WeeksDevelop on a Cadence, Release on DemandPlan-Of-Intent Release Planning Sprint PlanningCheckpointCheckpointCheckpointSprint / ReleaseReadiness CheckpointNTX ISSA Cyber Security Conference – October 2-3, 2015Release LaunchCheckpointPost ReleaseSustainment@NTXISSA #NTXISSACSC36
The WhenNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC37
Agile SDL ActivitiesPlan of Intent: Security activity mapping Answer 7 key security questions Initial privacy review initiatedRelease Planning: Security plan creation Threat modeling Security architecture review Open source & 3rd party COTS whitelist Initial privacy review completedSprint Planning: Security plan execution Iterative threat model updates All security activities mapped in backlog Security backlog prioritization Static, dynamic & fuzzing activities Security Definition of Done (DoD) Black Duck Protex, license complianceDevelopment & Test: Security plan executed Security backlog verified Static, dynamic & fuzzing executedSprint Review & Retrospective: Iterative security plan completed Security defects at “zero” Security exceptions tracked Open source & 3rd party COTS approved PSI security metrics achieved Security tools (tunes & optimized)Release Launch Checkpoint: Security plan archived Security activities completed & reported on Security Definition of Done (DoD) achieved Threat model fully implemented All security exceptions documented Open source & 3rd party COTS exceptions Final privacy review & sign-offPost Release Sustainment: PSIRT program Security metricsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC38
Agile SDL ngBuildStaticAnalysisWebVuln.FuzzingSecure CodingCode ReviewSprintnNTX ISSA Cyber Security Conference – October 2-3, 2015SprintCheckpoint@NTXISSA #NTXISSACSC39
Product Security esSDLPSIRTPolicyProcessTrainingReporting &Tracking ToolsTechnical1. Security Requirements Plan [Waterfall] /Definition of Done (DoD) [Agile]2. Architecture and Design Reviews3. Threat Modeling4. Security Testing5. Static Analysis6. Dynamic Analysis7. Fuzz Testing8. Vulnerability Scans / Penetration Testing9. Manual Code Reviews10. Secure Coding Standards11. Open Source / 3rd Party COTS Libraries12. PrivacyNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC310
Problem Statement Problem: We have an SDL. How well arethe product teams following it?NTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC311
Maturity ModelsCommon SDL Maturity Models BSIMM: Build Security In Maturity Model – Cigital SAMM: Software Assurance Maturity Model –OWASP DFS: Design For Security – IntelNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC312
The HowNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC313
SolutionThe Intel Security Product Security MaturityModel (PSMM) Measures how well the operational and technicalaspects of product security are being done Provides a simple, yet powerful, model which hasbeen adopted and used company-wide Don’t worry about perfect data, you have to startsomewhereNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC314
PSMM Constraints1. No budget for cool applications Use COTS tools2. No budget for additional auditors Peer review3. Be simple Automated, not weighted, minimal training4. Low overhead Not a big burden on engineering teams5. Produce insightful metricsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC315
Rollout Feedback1. Provide a detailed Word doc fully listingrequirements for each parameter level Include both Process and Quality of Execution2.3.4.5.Provide simple drop-down lists in XLSAllow and adjust for 0 – Not Appli a leMap PSMM to other maturity modelsAllow for phased roll-out, reporting atdifferent org. levelsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC316
PSMM Data Collection Levels PSMM Data Levels1.2.3.4.5.6.7.8.Entire Corp.All Corp. BUsSingle Corp. BUAll Product Groups in a singleCorp. BUSingle Product GroupSingle Product LineAgile Team (optional)Individual (training only) Data can be collected at anylevel; the lower the better Data should be refreshed every 6 monthsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC317
Organizational StructureEVP & GM3. Single Corp. BUProduct Quality GroupProduct SecurityGroupPrinciple ProductSecurity Architect Sr. DirectorSr. Product SecurityArchitectEngineering Product Development GroupEngineering Group #2Engineering Group #2PSC LeadProduct #2 PSCProduct PSEVPSr. ArchitectSVP Engineering Engineering Group #nVP Engineering Engineering Group #nArchitect Product #m PSCSr. EngineerProduct PSEQA EngineerPSC LeadNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC318
Roles & ResponsibilitiesRoleResponsibilitiesSr. Director Product SecurityOwns all product security within BUProduct Security Architect (PSA)Mentor PSCs for threat modeling, securityarchitecture reviews, security reviews,tools, PSIRT, trainingPSC Product Group LeadOver all Product Group PSCs andproducts w/out PSCsProduct Security Champion (PSC)Collocated security engineer / architectPOC for a productSoftware / Security Architect(See PSC)Product Security Evangelist (PSE)Collocated security QA POC for a productTS Subject Matter Expert (SME)Tech Support champion for a productPrivacy Champion(See PSC)NTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC319
Objectively Measuring PSMM LevelsHow do we keep it honest? (Validation) Individual PSCs score their own products If they do not know the answers then they should engage their productteams to get accurate answers PSCs from one product group are assigned to review metricsfrom their peers in a different product group PSC Leads score their product group from their perspective PSC Leads review the scores of other product group leads toidentify and correct gross inaccuracies The Product Security and Privacy Governance Team performsrolling audits to ensure compliance, accuracy, and consistencyNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC320
PSMM cesSDLPSIRTPolicyProcessTrainingReporting &Tracking ToolsTechnical1. Security Requirements Plan [Waterfall] /Definition of Done (DoD) [Agile]2. Architecture and Design Reviews3. Threat Modeling4. Security Testing5. Static Analysis6. Dynamic Analysis7. Fuzz Testing8. Vulnerability Scans / Penetration Testing9. Manual Code Reviews10. Secure Coding Standards11. Open Source / 3rd Party COTS Libraries12. PrivacyNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC321
TechnicalIntel PSMM Level 4: Acceptable.1. Security Requirements Plan/DoD: Product teams conduct and report on required securitytasks as defined in their security plan for their project milestones2. Architecture and Design Reviews: Frequent architecture reviews are conducted3. Threat Modeling: Trained security architects oversee frequent reviews accounting for allknown attack vectors4. Security Testing: Security testing performed completely several times5. Static Analysis: Majority of products analyzed frequently, defect rate decreasing6. Dynamic Analysis: Applicable products analyzed frequently, high and medium severityissues fixed. Defect rate near zero (0) in finished product.7. Fuzz Testing : Scans run frequently, high and medium severity issues fixed, new customscripts created8. Penetration Testing: Resident pen testing expert available, defects in Bugzilla9. Manual Code Reviews: Conducted on all potentially risky code using a shared tool10. Secure Coding Standards: Following adopted standards11. Open Source/3rd Party COTS Libraries: Fully maintaining all documented 3rd partylibraries and versions shipped across all supported releases12. Privacy: Privacy is integrated with product securityNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC322
Detailed Word Doc5.4 Security TestingThis parameter measures how well software security requirements are being performed andverified by both engineering and QA.Level 1 None No security plan. No security plan testing or validation performed.Level 2 Initial Security plan created. Security plan testing and validation performed occasionally.Level 3 Basic Security plan testing and validation performed completely at least once before release Functional Testing (what you know) performed to verify intended behaviorLevel 4 Acceptable Security plan testing and validation performed completely several times beforerelease Negative Space Testing (what hackers know) performed to identify non-intendedbehaviorLevel 5 Mature Security plan testing and validation performed continuously and completely bothbefore and after releaseProcess vs. Quality ofExecution Compliant vs. SecureNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC323
The SpreadsheetNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC324
XLS Drop Down ListsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC325
Simple Scoring1-NoneConsideredMin. Score Max. ScoreIn Acceptable809970-895-Mature10010090-100PSMM Level Simple addition to compute scores Non-weighted Operational, Technical, and Combined scoresNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC326
XLS Product ScorecardNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC327
XLS Product Spider DiagramNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC328
XLS Product Group ScorecardNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC329
XLS Product Group Spider DiagramsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC330
All BU Products ScorecardNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC331
XLS All Product GroupsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC332
The MetricsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC333
Most Accurate – From Product DataNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC334
Somewhat Accurate – From PSC LeadsNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC335
Least Accurate – From PSG EstimatesNTX ISSA Cyber Security Conference – October 2-3, 2015@NTXISSA #NTXISSACSC336
PSMM – OperationalLevel ofMaturity Awareness No budget No reviews Few tools No PSIRT Tribalknowledge EmailtrackingNone SVP commitment Tier-1 PSCs Mandatorytraining 3 toolsintegrated PgM milestones Plan created BU PSCs 1 tools PSIRT is CSIRT SDL adoptedInitial Continuedimprovement 2 PSAs Developer-centric Self-sustainingX PSIRT defined SDL used Extended team PSIRT XLS Tier-2 PSCs Extensive traininglibrary Tool experts Dedicated PSIRT Single crisis ISO 27034compliance Tracking DBw/dashboardBasicAcceptableNTX ISSA Cyber Security Conference – October 2-3, 2015 Scalable BU PSAs Tier-3 PSCs PSEs Corp. SME training Tools budget Proactive PSIRT Multiple crises Agile waterfall / HW SW SDL Tight corp. integration Policy executive support Metrics integrated into riskmgt. toolsPSMMPhaseMature@NTXISSA #NTXISSACSC337
PSMM – TechnicalLevel ofMaturity Security reviews Frequentattacks No reviews Noconstraints Major attackvectorsaddressed Freeware toolsused Standardawareness Privacy team Major releasesthreat modeled All primary toolsused BlackDuckX Standardsadopted Privacy security All releases threatmodeled Defect ratesdecreasing Fuzzing scriptswritten Accept risks of 3rdparty libs Tight privacypartnership Early reviews Preventive measuresmodeling Defect rates near 0 Best-in-class tools Continuous securitytesting All products pentested Open source SLAs Standards adapted toenvironment Tight bleNTX ISSA Cyber Security Conference – October 2-3, 2015Mature@NTXISSA #NTXISSACSC338
PSMM – % Overhead Cost
ISO 27034 . ISO 27001/2: IT Security ISO 27034: Application Security Part 1: Overview & concepts (Nov. 2011) Part 2: Organization normative framework (Aug. 2015) Part 3: Application security management process Part 4: Application security validation Part 5: Protocols and application security controls data structure Part 6: Security guidance for specific .
Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. 41 22 749 01 11 Fax 41 22 749 09 47 copyright@iso.org www.iso.org ISO/IEC 27034-2:2015(E) This is a preview of "ISO/IEC 27034-2 .
Intel C Compiler Intel Fortran Compiler Intel Distribution for Python* Intel Math Kernel Library Intel Integrated Performance Primitives Intel Threading Building Blocks Intel Data Analytics Acceleration Library Included in Composer Edition SCALE Intel MPI Library Intel Trace Analyze
& ISO/IEC 27034 (Guidelines for Logistics (IT Service Management) Resiliency Management Model (RMM) ISO/IEC 28000 (Supply ISO/IEC 27034 (Guidelines for Application Security) ISO/IEC TR 24772 (Programming Language Vulnerabilities) 9 Chain Resiliency) ISO Standards development process takes 2-5 years and requires consensus-building among national standards bodies Begins with an .
Document Number: 337029 -009 Intel RealSenseTM Product Family D400 Series Datasheet Intel RealSense Vision Processor D4, Intel RealSense Vision Processor D4 Board, Intel RealSense Vision Processor D4 Board V2, Intel RealSense Vision Processor D4 Board V3, Intel RealSense Depth Module D400, Intel RealSense Depth Module D410, Intel
Lenovo recommends Windows 8 Pro. SPECIFICATIONS PrOCESSOr OPErATING SySTEM I/O (INPUT/OUTPUT) POrTS Mini-Tower / Small Form Factor (SFF) Intel Core i7-4770S 65W Intel Core i7-4770 84W Intel Core i5-4430S 65W Intel Core i5-4430 84W Intel Core i5-4570S 65W Intel Core i5-4570 84W Intel Core i5-4670S 65W Intel Core i5-4670 84W Intel Core i3-4330 65W
ISO 10381-1:2002 da ISO 10381-2:2002 da ISO 10381-3:2001 da ISO 10381-4:2003 da ISO 10381-5:2001 da ISO 10381-6:1993 da ISO 10381-7:2005 ne ISO 10381-8:2006 ne ISO/DIS 18512:2006 ne ISO 5667-13 da ISO 5667-15 da Priprema uzoraka za laboratorijske analize u skladu s normama: HRN ISO 11464:2004 ne ISO 14507:2003 ne ISO/DIS 16720:2005 ne
ISO 10771-1 ISO 16860 ISO 16889 ISO 18413 ISO 23181 ISO 2941 ISO 2942 ISO 2943 ISO 3724 ISO 3968 ISO 4405 ISO 4406 ISO 4407 ISO 16232-7 DIN 51777 PASSION TO PERFORM PASSION TO PERFORM www.mp ltri.com HEADQUARTERS MP Filtri S.p.A. Via 1 Maggio, 3 20060 Pessano con Bornago (MI) Italy 39 02 957
Combined ASTM and ASME for 304L 2 Corrected Acerinox code for HRA Show difference between 523 and 543 Removed 509 3.1.1 Fixed tolerance specification ISO 9444-2 3.1.1.1 Changed lengths for 8-10mm and 10-16mm thickness and added a footnote 3.1.3.1 Removed 3CR12Ti, 3CR12LT and 304H Added 40975, 439 Combined ASTM and ASME for 304L Added gauges for 40920 Added footnote references for 4 and 5 3.1.3 .
