Presentation on theme: "A Scalable Secure Development Program"— Presentation transcript:
1 A Scalable Secure Development Program Rajiv Sharma, CSSLPSr. Principal Program Manager, Oracle Global Product SecurityFront Range OWASP Conference, March 22nd, 2012
2 Agenda Importance of Software Security What is Software Security Assurance?Oracle Software Security AssuranceCultivating Security Community in Development
3 Importance of Software Security What is Software Security Assurance?Oracle Software Security AssuranceCultivating Security Community in Development
4 IT Security Challenges… It’s not just about malicious hackers!Complex regulatory and privacy frameworksContinued requirement to demonstrate complianceDifficulty of managing risks in global ever- changing business environmentIncreasingly complex security requirements for networked applications and systemsNeed for maintaining “security in depth”Potential risks associated with insider threatsIt’s not just about hackers. Security has multiple dimensions. Security is not an end by itself, but a means for an organization to achieve its business objectives, comply with regulatory requirements and internal policies, etc.
5 Multi-Dimensional Aspects Of Security Multi-Dimensional Aspects Of SecurityToday’s threatsIP theft and economic espionageFinancial fraud and organized crimeSophisticated hackersOpportunistic insidersWhat’s at stakeIntellectual propertyCustomer, employee, citizen, corporate dataFinancial lossReputational lossFines & penaltiesOther challengesInternal and external auditsSupply chain securityChanging regulatory landscapeData and systems consolidationChanging environments (mobile devices, cloud, etc.)Approach to security needs to be ‘holistic’:- need to align people, policies, and processes- need to work across the technical infrastructure- need to understand and properly address all threats- etc.
6 Security In Depth Considerations How degraded is your overall security posture when individual security mechanisms fail, are compromised or circumvented?How degraded is your overall security posture when system environment and use cases change?APT is concept “du jour”. Beyond APT, it comes down to ensuring security in depth. Key to successfully fending off persistent attacker is to make sure that you have layered approach to security, and that all layers provide incremental/complementary controls. In chess, all pieces have a role to play for the protection of the king.
7 Security In Depth Considerations How effective are your security controls?Have you been able to set proper security controls on each layer of your IT infrastructure to ensure a security in depth posture?How many of these IT security controls are software- enforced? Have they been turned ON?Will these security features function as you expect?Is your software free of security defects?Top questions to ask yourself? Do you truly know the answer to all these questions?
8 Why Do Organizations Get Hacked? OWASP TopA1 – InjectionA2 – Cross Site Scripting (XSS)A3 – Broken Authentication and Session ManagementA4 – Insecure Direct Object ReferencesA5 – Cross Site Request Forgery (CSRF)A6 – Security MisconfigurationA7 – Insecure Cryptographic StorageA8 – Failure to Restrict URL AccessA9 – Insufficient Transport Layer ProtectionA10 – Unvalidated Redirects and ForwardsOWASP top 10 is a valuable list of the top 10 problems affecting web applications. This affects your homegrown web applications, as well as the COTS you have purchased and exposed on the Internet.
9 Why Do Organizations Get Hacked? Keeping up with security patches is good security practiceWould you knowingly run on a vulnerable system for an extended period of time?The publication of security fixes by vendors often result in making potentially malicious hackers aware of the flaw:Reverse-engineering of the fixes for the purpose of developing malware or exploitsInclusion of the exploit in hacking toolsets (e.g., Metasploit)Apply security patches in a timely fashionKeeping up with newer releases is also good security practice!Newer releases may include additional fixes, which cannot always be backported to previous releasesAnd of course… Follow your vendor’s deployment recommendations
10 Importance of Software Security What is Software Security Assurance? Oracle Software Security AssuranceCultivating Security Community in DevelopmentThe security practices of your suppliers play a key role in maintaining your security in depth posture. What is Software Security Assurance?
11 Software Security Assurance DefinitionThe process of ensuring that software is designed to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses, controls, and protects.Definition.
12 Importance of Software Security Assurance Customers must be assured that:The software they purchase from their vendors is designed and developed securely, e.g.:Does the software do what it is designed to do and nothing more?How resilient to threats is software?The vendors have effective procedures to deal with security vulnerabilities and provide ongoing security assurance in their products.Note that it’s not just about making sure that the software is reasonably secure at the time of the purchase/deployment, but also that the vendor can be trusted to do the right thing throughout the life of the software and keep up with security. Have you ever considered that your ability to upgrade is an important part of the equation (as more recently released software is generally more secure)?
13 What Is Software Security Assurance? Implications for softwareSoftware must have been designed securelySecurity must be “built in, not bolted on”Software must provide adequate security controls (e.g. reflecting the data it will store, the threat environment in which it will operate, etc.)Software must have been securely developedSecure design and coding principles must have been followedSoftware must have been developed in a secure environment under a securely designed development processSoftware must provide reasonably secure posture by defaultHardening instructions must be documented and available
14 What Is Software Security Assurance? Implications for software vendor/developerSecurity must be embedded in the organization’s DNAOrganization must recognize that there is no “magic bullet” but that security is an ongoing commitmentVendors need to look at security not as a one time “to do” item, but as an important element of the organizational culture. It is not a one time item. It is a race. An ongoing commitment that should generally follow the same constantly improving principles as other engineering concepts.
15 Importance of Software Security What is Software Security Assurance? Oracle Software Security AssuranceCultivating Security Community in DevelopmentThe security practices of your suppliers play a key role in maintaining your security in depth posture. What is Software Security Assurance?
16 Oracle Software Security Assurance DefinitionOracle Software Security Assurance (OSSA) encompasses all the constantly-evolving processes, procedures, and technologies implemented by Oracle to ensure that Oracle’s products are meeting our customers’ security requirements, while providing for the most cost-effective ownership experience.
17 Oracle Software Security Assurance HighlightsMaintaining the security posture of ALL Oracle customers is one of the greatest priorities of OracleApplies to ALL Oracle software products, including software components of hardware products (e.g. firmware), throughout their lifecycle, and constantly evolving to adapt to new technologies, threats, and product use cases
18 Oracle Software Security Assurance Major programs include:Secure Development StandardsSecure Configuration InitiativeInternal and external security assessments (i.e. external security validations under FIPS and Common Criteria)Critical Patch Update & Security AlertEtc.Oracle security programs affect the entire product lifecycle
19 The Race is On! Security throughout the product lifecycle Security must be “built in, not bolted on”Ongoing assurance doesn’t stop when a product is releasedSecurity requirements change when the product is no longer used in the way it was designed forNeed to address new attacks and exploit methodsNeed to effectively deal with vulnerabilities that made their way into released codeEtc.
20 Security Throughout The Product Lifecycle ExamplesProduct DefinitionProduct DevelopmentOngoing AssuranceExamples of Oracle Software Security Assurance requirementsSecurity requirements to be documented in product definition, specifications, and design phasesMandatory use of previously vetted security code for complex security functions (crypto, authentication, etc.)Ongoing reviews to validate compliance with: Secure Development Standards, previously documented security specifications, etc.Extensive use of automated vulnerability discovery tools as part of the development lifecycle and extensive use of penetration testingMandatory use of security checklistsDisclosure of vulnerability when a fix is available on all supported release and platform combinationsEquality of all customersVulnerability fixed in severity order
21 Secure Development Standards Codified security standards are at the core of Oracle Software Security AssuranceCoding guidelinesSecure coding principlesExamples of what not to doRequirements to use previously vetted security code for complex security functions (crypto, authentication, etc.)Minimum secure design requirements (e.g., weak/old crypt algorithms are banned)Etc.Mandatory training
22 Product DefinitionSecurity requirements are expressed as early as design and engineering specifications phasesSecurity requirements include:Requirements born from Secure Coding StandardsProduct-specific requirements (such as those resulting from new security features)Established security criteria must be satisfied and reviewed at each step of the development and release process
23 Product Development Ongoing reviews to validate compliance with: Secure Coding StandardsPreviously documented security specificationsAdditional design reviews for securityExtensive use of scanning and testing tools to provide ongoing feedback to development team in regards to quality of produced codeProactive security testingDestructive security testing
24 Ongoing AssuranceSecurity testing take place throughout useful life of the productPre-release security scanning and testing:Automated and ad hoc tests throughout development phaseCompliance with security release checklist is mandatory before releasePost-release security activities:Targeted security review to assess resistance to new and emerging threats, or validate absence of vulnerabilitiesSubmission of security flaws by customers and security researchersEthical hacking (internal security assessment)Updated secure configuration best practices are available onlineIndependent Security EvaluationsCommon Criteria (ISO-15408) , FIPS 140-2
25 Oracle Vulnerability Remediation Practices IntroductionWhile our #1 priority is the prevention of security vulnerabilities in released code, Oracle has very mature security vulnerability remediation practicesSecurity patching is a “necessary evil” and most public evidence of ongoing assurance effort:Need to address vulnerabilities uncovered during ongoing assurance effortNeed to address vulnerabilities resulting from new attack methods or use case scenario by our customersNeed to address vulnerabilities reported by external security researchersCritical Patch Update program is designed to maintain the security posture of Oracle customers at lowest possible cost for them
26 Importance of Software Security What is Software Security Assurance? Oracle Software Security AssuranceCultivating Security Community in DevelopmentThe security practices of your suppliers play a key role in maintaining your security in depth posture. What is Software Security Assurance?
27 Cultivating Security Community in Development Security is a strategic requirement defined by the Global Product Security organizationBraintrust for security topics and expertiseDefinition and enforcement of Secure Coding StandardsSecurity review in support of M&A activitiesDevelopment and maintenance of core security modulesLead ongoing assurance activitiesDefinition and delivery of security training programs (including remedial effort when required)Report into the Chief Security OfficerSecurity at Oracle follows a mostly decentralized model to reflect the differences in products and the development groups that produce them
28 Security Assurance Within the Corporate Structure CEOLarry EllisonCEOLarry EllisonChief Corporate ArchitectGlobal Product SecurityCSOGlobal Information SecurityVP Information SecurityGlobal Physical SecuritySr. Director Physical SecurityCorporate Security ArchitectureSecurity Architect
29 Oracle’ s SPOC Community Global Product Security leads the community and provides consistent baselines for security processes and procedures for allSecurity Points Of Contact (SPOCs) Community spread throughout all product developmentProvides for flexible model consistent with a variety of development stylesFosters innovation and captures lessons learned from other groups to use
30 Delegated Security Model Each product family has a senior level Security LeadLiaison to Global Product Security and their senior development management for all security mattersLead a virtual team of Security Points of Contact (SPOCs) that represent security assurance for each component of the product familySPOCs act as the tactical security resource for the product componentIn-depth knowledge of component leads to building security in at the lowest levelReceive focused training in software security assuranceKey role throughout the product lifecycle: participate in design reviews, document reviews, code reviews, bug triage, patching, etc.
31 SPOC Engagement in OSSA Security Points of Contact (SPOC) CommunitySecurity Assurance TrainingEthical HackingSecure Coding StandardsExternal CertificationsSecure ConfigurationSecurity Tools AdoptionSecurity AlertsSecurity ChecklistsSecurity ReviewsSecurity PoliciesCore Security ModulesCustomer FeedbackThe SPOC Community is central to all security assurance activities
32 Security Points of Contact (SPOCs) Key role to achieve baking security inFlexible model, accommodates a variety of development stylesSecurity experts within each product component teamProfessional security resource in each product development teamIn-depth knowledge of component(s) representedReceive focused training in security assuranceLiaison between Security Lead and Global Product SecurityParticipate in design reviews, document reviews, code reviews, bug triageResponsible for and report compliance status for each component in each major product releaseAutomated Security Checklist SystemSecurity reviews with Security Lead and Global Product Security
33 Responsibilities of the SPOC Apply licensed 3rd-party code security updates to componentRead security alerts from partner vendors and act as necessary for the componentApply latest Critical Patch Updates and security fixes for underlying Oracle componentsMonitor hacker exploits and newsEnsure component security bugs are included in the next Critical Patch UpdateKnowledge of publicly known security bugs in old releases of the component and verify that all are fixed in the current releaseCommunicate all security news to the development team
34 The Ideal SPOCAvoids potential security vulnerabilities and associated costs for patching – for both Oracle and the customerGuards Oracle’s reputation and sales against security issuesEnsures the government and regulatory requirements in the security area are satisfied
35 Binding the Community Together SPOC identification “tag” in corporate directoryMonthly SPOC newsletterMore than SPOCs, widely readAnnual SPOC SummitsInternal and External SpeakersComprehensive, centralized Global Product Security wikiKey component is the Secure Coding PracticesSPOC Web Conferences on specific topicsInternal Oracle Social group for SPOCsOraTweet for security-related questions
36 Community Membership is Growing Not just Development SPOCs….QA SPOCsArchitectsSecurity Features DevelopersOther GroupsIT organizationsConsultantsSaaS Staff