Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. A Scalable Secure Development Program Rajiv Sharma, CSSLP Sr. Principal Program.

Similar presentations


Presentation on theme: "1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. A Scalable Secure Development Program Rajiv Sharma, CSSLP Sr. Principal Program."— Presentation transcript:

1 1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. A Scalable Secure Development Program Rajiv Sharma, CSSLP Sr. Principal Program Manager, Oracle Global Product Security Front Range OWASP Conference, March 22 nd, 2012

2 2 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Agenda Importance of Software Security What is Software Security Assurance? Oracle Software Security Assurance Cultivating Security Community in Development

3 3 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Importance of Software Security What is Software Security Assurance? Oracle Software Security Assurance Cultivating Security Community in Development

4 4 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. IT Security Challenges…  Complex regulatory and privacy frameworks  Continued requirement to demonstrate compliance  Difficulty of managing risks in global ever- changing business environment  Increasingly complex security requirements for networked applications and systems  Need for maintaining “security in depth”  Potential risks associated with insider threats It’s not just about malicious hackers!

5 5 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Multi-Dimensional Aspects Of Security IP theft and economic espionage Financial fraud and organized crime Sophisticated hackers Opportunistic insiders Today’s threats Intellectual property Customer, employee, citizen, corporate data Financial loss Reputational loss Fines & penalties What’s at stake Internal and external audits Supply chain security Changing regulatory landscape Data and systems consolidation Changing environments (mobile devices, cloud, etc.) Other challenges 

6 6 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Security In Depth Considerations How degraded is your overall security posture when individual security mechanisms fail, are compromised or circumvented? How degraded is your overall security posture when system environment and use cases change?

7 7 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Security In Depth Considerations How effective are your security controls? Have you been able to set proper security controls on each layer of your IT infrastructure to ensure a security in depth posture? How many of these IT security controls are software- enforced? Have they been turned ON? Will these security features function as you expect? Is your software free of security defects?

8 8 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Why Do Organizations Get Hacked? OWASP Top A1 – Injection A2 – Cross Site Scripting (XSS) A3 – Broken Authentication and Session Management A4 – Insecure Direct Object References A5 – Cross Site Request Forgery (CSRF) A6 – Security Misconfiguration A7 – Insecure Cryptographic Storage A8 – Failure to Restrict URL Access A9 – Insufficient Transport Layer Protection A10 – Unvalidated Redirects and Forwards https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

9 9 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Why Do Organizations Get Hacked? Keeping up with security patches is good security practice Would you knowingly run on a vulnerable system for an extended period of time? –The publication of security fixes by vendors often result in making potentially malicious hackers aware of the flaw: Reverse-engineering of the fixes for the purpose of developing malware or exploits Inclusion of the exploit in hacking toolsets (e.g., Metasploit) –Apply security patches in a timely fashion –Keeping up with newer releases is also good security practice! Newer releases may include additional fixes, which cannot always be backported to previous releases And of course… Follow your vendor’s deployment recommendations

10 10 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Importance of Software Security What is Software Security Assurance? Oracle Software Security Assurance Cultivating Security Community in Development

11 11 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Software Security Assurance The process of ensuring that software is designed to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses, controls, and protects. Definition

12 12 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Importance of Software Security Assurance Customers must be assured that: 1. The software they purchase from their vendors is designed and developed securely, e.g.: Does the software do what it is designed to do and nothing more? How resilient to threats is software? 2.The vendors have effective procedures to deal with security vulnerabilities and provide ongoing security assurance in their products.

13 13 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. What Is Software Security Assurance? Implications for software 1.Software must have been designed securely –Security must be “built in, not bolted on” –Software must provide adequate security controls (e.g. reflecting the data it will store, the threat environment in which it will operate, etc.) 2.Software must have been securely developed –Secure design and coding principles must have been followed –Software must have been developed in a secure environment under a securely designed development process 3.Software must provide reasonably secure posture by default –Hardening instructions must be documented and available

14 14 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. What Is Software Security Assurance? Implications for software vendor/developer Security must be embedded in the organization’s DNA Organization must recognize that there is no “magic bullet” but that security is an ongoing commitment

15 15 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Importance of Software Security What is Software Security Assurance? Oracle Software Security Assurance Cultivating Security Community in Development

16 16 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Oracle Software Security Assurance Oracle Software Security Assurance (OSSA) encompasses all the constantly-evolving processes, procedures, and technologies implemented by Oracle to ensure that Oracle’s products are meeting our customers’ security requirements, while providing for the most cost-effective ownership experience. Definition

17 17 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Oracle Software Security Assurance Maintaining the security posture of ALL Oracle customers is one of the greatest priorities of Oracle Applies to ALL Oracle software products, including software components of hardware products (e.g. firmware), throughout their lifecycle, and constantly evolving to adapt to new technologies, threats, and product use cases Highlights

18 18 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Oracle Software Security Assurance Major programs include: –Secure Development Standards –Secure Configuration Initiative –Internal and external security assessments (i.e. external security validations under FIPS and Common Criteria) –Critical Patch Update & Security Alert –Etc. Oracle security programs affect the entire product lifecycle

19 19 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. The Race is On! Security must be “built in, not bolted on” Ongoing assurance doesn’t stop when a product is released –Security requirements change when the product is no longer used in the way it was designed for –Need to address new attacks and exploit methods –Need to effectively deal with vulnerabilities that made their way into released code –Etc. Security throughout the product lifecycle

20 20 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Security Throughout The Product Lifecycle Examples Examples of Oracle Software Security Assurance requirements Security requirements to be documented in product definition, specifications, and design phases Mandatory use of previously vetted security code for complex security functions (crypto, authentication, etc.) Ongoing reviews to validate compliance with: Secure Development Standards, previously documented security specifications, etc. Extensive use of automated vulnerability discovery tools as part of the development lifecycle and extensive use of penetration testing Mandatory use of security checklists Disclosure of vulnerability when a fix is available on all supported release and platform combinations Equality of all customers Vulnerability fixed in severity order Product Definition Product Development Ongoing Assurance

21 21 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Secure Development Standards Codified security standards are at the core of Oracle Software Security Assurance Coding guidelines –Secure coding principles –Examples of what not to do –Requirements to use previously vetted security code for complex security functions (crypto, authentication, etc.) –Minimum secure design requirements (e.g., weak/old crypt algorithms are banned) –Etc. Mandatory training

22 22 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Product Definition Security requirements are expressed as early as design and engineering specifications phases Security requirements include: –Requirements born from Secure Coding Standards –Product-specific requirements (such as those resulting from new security features) Established security criteria must be satisfied and reviewed at each step of the development and release process

23 23 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Product Development Ongoing reviews to validate compliance with: –Secure Coding Standards –Previously documented security specifications Additional design reviews for security Extensive use of scanning and testing tools to provide ongoing feedback to development team in regards to quality of produced code –Proactive security testing –Destructive security testing

24 24 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Ongoing Assurance Security testing take place throughout useful life of the product –Pre-release security scanning and testing: Automated and ad hoc tests throughout development phase Compliance with security release checklist is mandatory before release –Post-release security activities: Targeted security review to assess resistance to new and emerging threats, or validate absence of vulnerabilities Submission of security flaws by customers and security researchers –Ethical hacking (internal security assessment) Updated secure configuration best practices are available online Independent Security Evaluations –Common Criteria (ISO-15408), FIPS 140-2

25 25 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Oracle Vulnerability Remediation Practices Introduction While our #1 priority is the prevention of security vulnerabilities in released code, Oracle has very mature security vulnerability remediation practices –Security patching is a “necessary evil” and most public evidence of ongoing assurance effort: Need to address vulnerabilities uncovered during ongoing assurance effort Need to address vulnerabilities resulting from new attack methods or use case scenario by our customers Need to address vulnerabilities reported by external security researchers –Critical Patch Update program is designed to maintain the security posture of Oracle customers at lowest possible cost for them

26 26 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Importance of Software Security What is Software Security Assurance? Oracle Software Security Assurance Cultivating Security Community in Development

27 27 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Cultivating Security Community in Development Security is a strategic requirement defined by the Global Product Security organization –Braintrust for security topics and expertise –Definition and enforcement of Secure Coding Standards –Security review in support of M&A activities –Development and maintenance of core security modules –Lead ongoing assurance activities –Definition and delivery of security training programs (including remedial effort when required) –Report into the Chief Security Officer Security at Oracle follows a mostly decentralized model to reflect the differences in products and the development groups that produce them

28 28 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Security Assurance Within the Corporate Structure Chief Corporate Architect Global Product Security CSO Global Information Security VP Information Security Global Physical Security Sr. Director Physical Security Corporate Security Architecture Security Architect CEO Larry Ellison CEO Larry Ellison

29 29 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Oracle’ s SPOC Community Global Product Security leads the community and provides consistent baselines for security processes and procedures for all Security Points Of Contact (SPOCs) Community spread throughout all product development –Provides for flexible model consistent with a variety of development styles –Fosters innovation and captures lessons learned from other groups to use

30 30 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Delegated Security Model Each product family has a senior level Security Lead –Liaison to Global Product Security and their senior development management for all security matters –Lead a virtual team of Security Points of Contact (SPOCs) that represent security assurance for each component of the product family SPOCs act as the tactical security resource for the product component –In-depth knowledge of component leads to building security in at the lowest level –Receive focused training in software security assurance –Key role throughout the product lifecycle: participate in design reviews, document reviews, code reviews, bug triage, patching, etc.

31 31 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. SPOC Engagement in OSSA Security Points of Contact (SPOC) Community Security Assurance Training Ethical Hacking Secure Coding Standards External Certifications Secure Configuration Security Tools Adoption Security Alerts Security Checklists Security ReviewsSecurity Policies Core Security Modules Customer Feedback The SPOC Community is central to all security assurance activities

32 32 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Security Points of Contact (SPOCs) Key role to achieve baking security in Flexible model, accommodates a variety of development styles Security experts within each product component team –Professional security resource in each product development team –In-depth knowledge of component(s) represented –Receive focused training in security assurance –Liaison between Security Lead and Global Product Security –Participate in design reviews, document reviews, code reviews, bug triage Responsible for and report compliance status for each component in each major product release –Automated Security Checklist System –Security reviews with Security Lead and Global Product Security

33 33 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Responsibilities of the SPOC Apply licensed 3rd-party code security updates to component Read security alerts from partner vendors and act as necessary for the component Apply latest Critical Patch Updates and security fixes for underlying Oracle components Monitor hacker exploits and news Ensure component security bugs are included in the next Critical Patch Update Knowledge of publicly known security bugs in old releases of the component and verify that all are fixed in the current release Communicate all security news to the development team

34 34 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. The Ideal SPOC Avoids potential security vulnerabilities and associated costs for patching – for both Oracle and the customer Guards Oracle’s reputation and sales against security issues Ensures the government and regulatory requirements in the security area are satisfied

35 35 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Binding the Community Together SPOC identification “tag” in corporate directory Monthly SPOC newsletter –More than SPOCs, widely read Annual SPOC Summits –Internal and External Speakers Comprehensive, centralized Global Product Security wiki –Key component is the Secure Coding Practices SPOC Web Conferences on specific topics Internal Oracle Social group for SPOCs OraTweet for security-related questions

36 36 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Community Membership is Growing Not just Development SPOCs…. QA SPOCs Architects Security Features Developers Other Groups –IT organizations –Consultants –SaaS Staff

37 37 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Q&A

38 38 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.


Download ppt "1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. A Scalable Secure Development Program Rajiv Sharma, CSSLP Sr. Principal Program."

Similar presentations


Ads by Google