
Beyond ISO 27034 - Intel's Product Security Maturity Model

Beyond ISO 27034 - Intel's Product Security Maturity Model (PSMM)
Harold Toomey, Sr. Product Security Architect & PSIRT Manager, Intel Corp.
2 October 2015
@NTXISSA #NTXISSACSC3

Agenda
- Application / Product / Software Security
- The What / The How / The When
- Agile SDL (Security Dev. Lifecycle)
- ISO 27034
- SDLC
- PSMM
- Org structure
- 20 Parameters
- Metrics
- MS Office
NTX ISSA Cyber Security Conference – October 2-3, 2015

The What

ISO 27034
- ISO 27001/2: IT Security
- ISO 27034: Application Security
  - Part 1: Overview & concepts (Nov. 2011)
  - Part 2: Organization normative framework (Aug. 2015)
  - Part 3: Application security management process
  - Part 4: Application security validation
  - Part 5: Protocols and application security controls data structure
  - Part 6: Security guidance for specific applications
- Indicates what needs to be done
- Process focused

Agile …
[Diagram; recovered labels: Backlog, PSI, Sprints, Evolving Architecture, Sprint 1 … Sprint n, Attack …]

Agile SDLC
[Diagram; recovered labels: Plan of Intent; Program Backlog; Team Backlog; Investment Themes, Epics (Viability, Feasibility, …); Development & Test; Sprint Review & Retrospective; Release to Customer; 1-4 Weeks; Develop on a Cadence, Release on Demand; Plan-Of-Intent Checkpoint; Release Planning Checkpoint; Sprint Planning Checkpoint; Sprint / Release Readiness Checkpoint; Release Launch Checkpoint; Post Release Sustainment]

The When

Agile SDL Activities
- Plan of Intent: Security activity mapping; Answer 7 key security questions; Initial privacy review initiated
- Release Planning: Security plan creation; Threat modeling; Security architecture review; Open source & 3rd party COTS whitelist; Initial privacy review completed
- Sprint Planning: Security plan execution; Iterative threat model updates; All security activities mapped in backlog; Security backlog prioritization; Static, dynamic & fuzzing activities; Security Definition of Done (DoD); Black Duck Protex, license compliance
- Development & Test: Security plan executed; Security backlog verified; Static, dynamic & fuzzing executed
- Sprint Review & Retrospective: Iterative security plan completed; Security defects at “zero”; Security exceptions tracked; Open source & 3rd party COTS approved; PSI security metrics achieved; Security tools (tuned & optimized)
- Release Launch Checkpoint: Security plan archived; Security activities completed & reported on; Security Definition of Done (DoD) achieved; Threat model fully implemented; All security exceptions documented; Open source & 3rd party COTS exceptions; Final privacy review & sign-off
- Post Release Sustainment: PSIRT program; Security metrics

Agile SDL …
[Diagram; recovered labels: …ng, Build, Static Analysis, Web Vuln., Fuzzing, Secure Coding, Code Review, Sprint n, Sprint Checkpoint]

Product Security …es
- SDL
- PSIRT
- Policy
- Process
- Training
- Reporting & Tracking Tools
Technical:
1. Security Requirements Plan [Waterfall] / Definition of Done (DoD) [Agile]
2. Architecture and Design Reviews
3. Threat Modeling
4. Security Testing
5. Static Analysis
6. Dynamic Analysis
7. Fuzz Testing
8. Vulnerability Scans / Penetration Testing
9. Manual Code Reviews
10. Secure Coding Standards
11. Open Source / 3rd Party COTS Libraries
12. Privacy

Problem Statement
Problem: We have an SDL. How well are the product teams following it?

Maturity Models
Common SDL Maturity Models:
- BSIMM: Build Security In Maturity Model – Cigital
- SAMM: Software Assurance Maturity Model – OWASP
- DFS: Design For Security – Intel

The How

Solution
The Intel Security Product Security Maturity Model (PSMM):
- Measures how well the operational and technical aspects of product security are being done
- Provides a simple, yet powerful, model which has been adopted and used company-wide
- Don’t worry about perfect data; you have to start somewhere

PSMM Constraints
1. No budget for cool applications: Use COTS tools
2. No budget for additional auditors: Peer review
3. Be simple: Automated, not weighted, minimal training
4. Low overhead: Not a big burden on engineering teams
5. Produce insightful metrics

Rollout Feedback
1. Provide a detailed Word doc fully listing requirements for each parameter level (include both Process and Quality of Execution)
2. Provide simple drop-down lists in XLS
3. Allow and adjust for 0 – Not Applicable
4. Map PSMM to other maturity models
5. Allow for phased roll-out, reporting at different org. levels

PSMM Data Collection Levels
PSMM Data Levels:
1. Entire Corp.
2. All Corp. BUs
3. Single Corp. BU
4. All Product Groups in a single Corp. BU
5. Single Product Group
6. Single Product Line
7. Agile Team (optional)
8. Individual (training only)
- Data can be collected at any level; the lower the better
- Data should be refreshed every 6 months

Organizational Structure
[Org chart for level 3, Single Corp. BU; recovered labels: EVP & GM; Product Quality Group; Product Security Group (Sr. Director, Principal Product Security Architect, Sr. Product Security Architect); Engineering Product Development Group (SVP Engineering, VP Engineering, Engineering Group #2 … Engineering Group #n, Sr. Architect, Architect, Sr. Engineer, QA Engineer); PSC Lead; Product #2 PSC … Product #m PSC; Product PSE]

Roles & Responsibilities
Role: Responsibilities
- Sr. Director Product Security: Owns all product security within BU
- Product Security Architect (PSA): Mentor PSCs for threat modeling, security architecture reviews, security reviews, tools, PSIRT, training
- PSC Product Group Lead: Over all Product Group PSCs and products w/out PSCs
- Product Security Champion (PSC): Collocated security engineer / architect POC for a product
- Software / Security Architect: (See PSC)
- Product Security Evangelist (PSE): Collocated security QA POC for a product
- TS Subject Matter Expert (SME): Tech Support champion for a product
- Privacy Champion: (See PSC)

Objectively Measuring PSMM Levels
How do we keep it honest? (Validation)
- Individual PSCs score their own products
- If they do not know the answers, then they should engage their product teams to get accurate answers
- PSCs from one product group are assigned to review metrics from their peers in a different product group
- PSC Leads score their product group from their perspective
- PSC Leads review the scores of other product group leads to identify and correct gross inaccuracies
- The Product Security and Privacy Governance Team performs rolling audits to ensure compliance, accuracy, and consistency

PSMM …ces
- SDL
- PSIRT
- Policy
- Process
- Training
- Reporting & Tracking Tools
Technical:
1. Security Requirements Plan [Waterfall] / Definition of Done (DoD) [Agile]
2. Architecture and Design Reviews
3. Threat Modeling
4. Security Testing
5. Static Analysis
6. Dynamic Analysis
7. Fuzz Testing
8. Vulnerability Scans / Penetration Testing
9. Manual Code Reviews
10. Secure Coding Standards
11. Open Source / 3rd Party COTS Libraries
12. Privacy

Technical: Intel PSMM Level 4: Acceptable
1. Security Requirements Plan/DoD: Product teams conduct and report on required security tasks as defined in their security plan for their project milestones
2. Architecture and Design Reviews: Frequent architecture reviews are conducted
3. Threat Modeling: Trained security architects oversee frequent reviews accounting for all known attack vectors
4. Security Testing: Security testing performed completely several times
5. Static Analysis: Majority of products analyzed frequently, defect rate decreasing
6. Dynamic Analysis: Applicable products analyzed frequently, high and medium severity issues fixed. Defect rate near zero (0) in finished product.
7. Fuzz Testing: Scans run frequently, high and medium severity issues fixed, new custom scripts created
8. Penetration Testing: Resident pen testing expert available, defects in Bugzilla
9. Manual Code Reviews: Conducted on all potentially risky code using a shared tool
10. Secure Coding Standards: Following adopted standards
11. Open Source/3rd Party COTS Libraries: Fully maintaining all documented 3rd party libraries and versions shipped across all supported releases
12. Privacy: Privacy is integrated with product security

Detailed Word Doc
5.4 Security Testing
This parameter measures how well software security requirements are being performed and verified by both engineering and QA.
- Level 1 None: No security plan. No security plan testing or validation performed.
- Level 2 Initial: Security plan created. Security plan testing and validation performed occasionally.
- Level 3 Basic: Security plan testing and validation performed completely at least once before release. Functional Testing (what you know) performed to verify intended behavior.
- Level 4 Acceptable: Security plan testing and validation performed completely several times before release. Negative Space Testing (what hackers know) performed to identify non-intended behavior.
- Level 5 Mature: Security plan testing and validation performed continuously and completely both before and after release.
Process vs. Quality of Execution; Compliant vs. Secure

The Spreadsheet

XLS Drop Down Lists

Simple Scoring
PSMM Level    Min. Score   Max. Score   Considered In
1-None        …            …            …
4-Acceptable  80           99           70-89
5-Mature      100          100          90-100
- Simple addition to compute scores
- Non-weighted
- Operational, Technical, and Combined scores
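The scoring rule above, worked through as an added example (this is not Intel's spreadsheet or any code from the deck). It assumes the 20 parameters split 8 operational + 12 technical, that a 0 (Not Applicable) parameter is dropped and the sum rescaled to the same 20..100 scale, that the three bands below 70 continue at 20-point steps, and that a Product Group score is the mean of its products' combined scores.

```python
# Added example of the deck's "simple scoring"; not Intel's spreadsheet.
from dataclasses import dataclass

# "Considered in" bands 70-89 (Acceptable) and 90-100 (Mature) are from the
# deck; the lower three are ASSUMED to continue the 20-point spacing.
BANDS = [(90, "5-Mature"), (70, "4-Acceptable"), (50, "3-Basic"),
         (30, "2-Initial"), (0, "1-None")]  # (lower bound, PSMM level)

def score(levels):
    """Unweighted PSMM score on the deck's 20..100 scale (20 params x 1..5).

    ASSUMPTION for 0 = Not Applicable: drop N/A entries and rescale, i.e.
    score = 20 * mean(applicable), so all-4 is 80 and all-5 is 100
    regardless of how many parameters are N/A."""
    if any(lv not in range(6) for lv in levels):
        raise ValueError("each level must be 0 (N/A) or 1..5")
    applicable = [lv for lv in levels if lv]
    if not applicable:
        raise ValueError("no applicable parameters to score")
    return round(20 * sum(applicable) / len(applicable), 1)

def psmm_level(value):
    """Map a score to the PSMM level it is 'considered in'."""
    return next(label for floor, label in BANDS if value >= floor)

@dataclass
class Scorecard:
    product: str
    operational: list  # 8 parameters (ASSUMED split: 20 = 8 + 12 technical)
    technical: list    # the 12 technical parameters listed in the deck

    def scores(self):
        # Operational, Technical and Combined scores, as on the product scorecard
        return {"operational": score(self.operational),
                "technical": score(self.technical),
                "combined": score(self.operational + self.technical)}

def group_scorecard(cards):
    """Product Group roll-up as the unweighted mean of combined scores
    (ASSUMPTION: the deck shows the group scorecard, not its formula)."""
    combined = [card.scores()["combined"] for card in cards]
    return round(sum(combined) / len(combined), 1)

# Constructed sample data, not real product scores.
PRODUCTS = [
    Scorecard("Product A", [4] * 8, [4] * 12),           # all Acceptable -> 80.0
    Scorecard("Product B", [5] * 8, [5] * 10 + [0, 0]),  # two N/A, still 100.0
    Scorecard("Product C", [3, 3, 4, 4, 2, 3, 3, 5],
              [4, 3, 3, 4, 4, 0, 4, 3, 4, 4, 3, 5]),     # mixed -> 71.6 combined
]
```

Product C lands in the Acceptable band (71.6) even though its operational sub-score (67.5) is only Basic, which is exactly the kind of gap the separate Operational and Technical scores are meant to expose.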

XLS Product Scorecard

XLS Product Spider Diagram

XLS Product Group Scorecard

XLS Product Group Spider Diagrams

All BU Products Scorecard

XLS All Product Groups

The Metrics

Most Accurate – From Product Data

Somewhat Accurate – From PSC Leads

Least Accurate – From PSG Estimates

PSMM – Operational
[Maturity matrix; axis "Level of Maturity" / "PSMM Phase": None, Initial, Basic, Acceptable, Mature. Cell text in extraction order: Awareness; No budget; No reviews; Few tools; No PSIRT; Tribal knowledge; Email tracking; SVP commitment; Tier-1 PSCs; Mandatory training; 3 tools integrated; PgM milestones; Plan created; BU PSCs; 1 tool; PSIRT is CSIRT; SDL adopted; Continued improvement; 2 PSAs; Developer-centric; Self-sustaining; PSIRT defined; SDL used; Extended team PSIRT; XLS; Tier-2 PSCs; Extensive training library; Tool experts; Dedicated PSIRT; Single crisis; ISO 27034 compliance; Tracking DB w/dashboard; Scalable; BU PSAs; Tier-3 PSCs; PSEs; Corp. SME training; Tools budget; Proactive PSIRT; Multiple crises; Agile waterfall / HW SW SDL; Tight corp. integration; Policy executive support; Metrics integrated into risk mgt. tools]

PSMM – Technical
[Maturity matrix; axis "Level of Maturity" up to Mature. Cell text in extraction order: Security reviews; Frequent attacks; No reviews; No constraints; Major attack vectors addressed; Freeware tools used; Standard awareness; Privacy team; Major releases threat modeled; All primary tools used; BlackDuck; Standards adopted; Privacy security; All releases threat modeled; Defect rates decreasing; Fuzzing scripts written; Accept risks of 3rd party libs; Tight privacy partnership; Early reviews; Preventive measures modeling; Defect rates near 0; Best-in-class tools; Continuous security testing; All products pentested; Open source SLAs; Standards adapted to environment; Tight …ble]

PSMM – % Overhead Cost