Building Trustworthy Systems With Cisco Secure Development .

Building Trustworthy Systems withCisco Secure Development LifecycleJanuary 2016

Foundation of TrustProcessTechnologyPolicySecure ProcessTrustworthy Systems TechnologySecure StandardsLifecycle/Security BaselineCommon Modules and HardwareInformation Assurance (IA)PerformGAPAnalysisRegister andValidateUpdate ThirdRequirementsand ResiliencyParty SoftwareDetectSecurityDefectsVisibility and ControlISO 27034Identify andAddressSecurityPrevent ThreatsSecurityAttacksSecure CommunicationsFIPS/USGv6Platform IntegrityTCGCSDLPreventionDetectionRecovery

Cisco Secure Development LifecyclePerformGAPAnalysisRegister andUpdate ThirdParty SoftwareValidateRequirementsand cksIdentify andAddressSecurityThreatsEnsures consistent productsecurity through proventechniques and technologies,reducing the number and severityof vulnerabilities in softwareConforms with the guidelinesof ISO 27034

Product Security Baseline (PSB)Gap AnalysisPSB ArchitectureAdministrative Access SecurityLogging and AuditingApplication SecurityOperational ProcessAuthentication and AuthorizationBoot and System IntegrityPrivacy and Data SecuritySession ManagementCryptographic SupportThreat Surface ReductionDevelopment ProcessTraffic and Protocol ProtectionHosted Services HardeningVulnerability ManagementWeb Security

Third Party SoftwareFundamentalsMinimize exposure by Perform gap analysis Establish maintenance plan Verify no backdoors Address all known vulnerabilities before FCSManages third party security alerts Register components with in a centralized database Contract support for critical security fixesPlanned response to security issues Follow established maintenance plan

Secure DesignThreat ModelingFocus on how a feature can be attacked andhow best to mitigate the attack

Secure Coding Boot Time Integritywith Run Time Defenses ASLR X-Space OSC “Safe” libraries Input validation Best Practices Guidelines for each OS Signed Images

Static Analysis Security Checkers find key vulnerability types Buffer overflow Tainted input Integer overflow Maximizes efficacy and reduce false positives

Vulnerability TestingCheck Protocol RobustnessDuplicate Hacker AttacksCSDL Security TestingNetwork Device TestingCodenomiconProtocol RobustnessTest Suites for 50 Protocols, including:DNS, H.323, IKEv2,IPv4, IPv6, HTTP, SIP,SNMP, SSH, TLS andmany moreOpen Source“Hacker” Tools20 Open Sourcesecurity tools,including: Amap, Curl,Dsniff, Hydra, Naptha,Nessus, Nikto, Nmap,Xprobe and many moreApplication TestingIBM Rational AppScanFamily of applicationattack and test tools,including: risk analysis,security standardcompliance testing,vulnerability scan andmany more

ISO 27034 & CSDLISO 27034 ISO 27034 is the standard for “Information Technology – SecurityTechniques – Application Security” Addresses Security Lifecycle for development and deployment Aligns with existing international, national, and industry standards Section 1 is adopted, sections 2-6 (implementation details) still indraftCSDL conforms with the guidelines of ISO 27034 Following CSDL is part of Cisco’s ISO compliance In 2013, Cisco used ISO/IEC 27034-1, as a baseline to evaluateCSDL. “All current mandatory application security related policies, standards, andprocedures along with their supporting people, processes, and tools meet orexceed the guidance in ISO/IEC 27034-1 as published in 2011.”With Cisco’s CSDL processes, policies and technologies applied throughout the design and development phases,customers have a strong secured focused foundations on which to build their secured infrastructures.10

Security is Everyone’s JobAccelerating to A Security Aware CultureEstablished ngLearning11

Cisco Security and Trust Spectrum“Cradle to Grave”CloudEnterprise SecurityPrivacy and Data ProtectionSecurity and Trust Built InDesignEngineeringManufacturingDelivery /DeploymentOngoingOperation

Thank you.

ISO 27034 is the standard for “Information Technology –Security Techniques –Application Security” Addresses Security Lifecycle for development and deployment Aligns with existing international, national, and industry standards Section 1 is adopted, sections 2-6 (implementation details) still in draft CSDL conforms with the guidelines of ISO 27034 Following CSDL is .