Presentation transcript: "EOSC Generic Application Security Framework"
Slide 1: EOSC Generic Application Security Framework
Daniel Fischer, European Space Agency
Slide 2: Mission Operations Infrastructure Information Security Management System
- The Mission Operations Infrastructure (MOI) comprises the assets and services supporting the ESA multi-mission model in all phases: development, launch and operations.
- The Information Security Management System (ISMS) is the implementation of the security directives, resulting in requirements (SSRS) and procedures (SECOPS).
Slide 3: MOI ISMS Risk Assessment – Rationale for secure SW engineering
- The MOI ISMS risk assessment has identified software engineering and applications as a critical area that requires urgent improvement.
- The new MOI SSRS and SECOPS include requirements and procedures for secure software engineering.
- The SECOPS can be grouped at a high level into:
  - Service-oriented SECOPS
  - ISMS management-oriented SECOPS
  - Systems development-oriented SECOPS: … a procedure for defining security requirements for software developments and major maintenance activities, but … ESA engineering standards for software development do not address security!
Slide 4: Ensuring Secure Software Engineering
- HSO-G started the development of the GASF (Generic Application Security Framework).
- GASF main objectives:
  - Ensure compliance with ISMS secure software engineering requirements
  - Introduce a Secure Software Development Lifecycle (SSDLC) to make newly developed software more resilient
  - Limit the security-related overhead for technical officers and developers
- All software developments make use of ESA/ECSS software development standards with different grades of tailoring; it seemed natural to consider this asset as the baseline for developing the SSDLC.

Speaker notes: ESOC has started the development of the Generic Applications Security Framework (GASF) as an answer to the risk identified during the risk assessment exercise. The main objective is therefore to mitigate the ISMS risk related to software engineering and to enhance the overall security of the ground systems infrastructure.

The core of the GASF is the introduction of a Secure Software Development Lifecycle (SSDLC), which is based on the traditional development lifecycle and adds, where necessary, the additional steps required for producing secure software. These steps apply to technical officers and/or developers.

Extending the traditional software development steps in this way of course implies additional overhead in terms of effort and cost on the software development process. The intention of the GASF is to keep this overhead as small as possible by supporting the developers and technical officers with tools and by providing a high level of automation.

The activity will also help to amend the software engineering standards in use at ESA today, which currently do not address security. The GASF helps to prepare a standardisation activity in this respect.
Slide 5: GASF Secure Software Development Lifecycle
- Based on ECSS-E-ST-40C / Q-80C, amended with processes from well-known sources (e.g. ISO 27001, Common Criteria, NIST SP, ESA Security Directives)
- Requirements Engineering:
  - Specification of hierarchical security functional and assurance requirements
  - Assigning security requirements to target documentation (e.g. SRS)
- Design:
  - Use of security control design patterns
  - Detailed security design
- Implementation & Testing:
  - Security code review
  - Vulnerability scanning
  - Security testing
  - Use of off-the-shelf tools for the above
- Operations & Evolution:
  - Deploy security controls
- Security risk assessment at every step of the SSDLC
Slide 6: GASF Requirements Engineering: Requirements Database
- GASF provides a hierarchical security requirements database.
- Requirements are categorised by target document, e.g. SoW, contract, SRS, SUM, etc.
- Organised according to ISO and
- Uses well-known requirement sources, e.g. ISO 27001, NIST, CWE.
- For each low-level technical requirement, the recommended best practice for implementing it is referenced.
Slide 7: GASF Requirements Engineering: Specific SW Requirements Selection
- Not all software has the same security needs.
- GASF implements requirements tailoring using templates.
- Templates are filters that are applied to the requirements base:
  - The CIA template selects requirements according to the confidentiality, integrity and availability level identified by the risk assessment.
  - The Environment template identifies requirements applicable to well-identified target deployment environments, e.g. Operational LAN, Pre-Operational LANs, DMZ, etc.
  - The Project template identifies requirements applicable to a typology of projects, e.g. Earth Observation missions, provision of services to external users, etc.
- Templates are re-usable:
  - Only the first-of-a-kind system has to go through a detailed selection process.
  - Follow-up systems in the same environment can re-use the templates.
Slide 8: GASF Implementation: Security Best Practises
- The GASF requirement base links security best practices where possible.
- The best practices source is the Common Weakness Enumeration (CWE).
- CWE is built and maintained by MIT from multiple well-known sources, e.g. OWASP.
- Each CWE entry explains how to mitigate the weakness: concrete help for developers.
- Example: Buffer Overflow
  - Requirement: All buffer operations shall check input sizes
  - CWE-120: Buffer Copy without Checking Size of Input
- This helps developers implement security requirements quickly and in a standard way:
  - No need for a proprietary approach
  - Lends itself to later software verification
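The slide's buffer-overflow example as added illustrative C code (not from the presentation or the GASF tool): the CWE-120 pattern next to a copy routine that satisfies the requirement "all buffer operations shall check input sizes". Function and buffer names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* CWE-120 pattern: the destination size is never consulted, so any
 * source longer than the destination overwrites adjacent memory.
 * Kept only to show the weakness the requirement is meant to remove. */
void copy_unchecked(char *dest, const char *src)
{
    strcpy(dest, src);   /* no size check: overflows when src does not fit */
}

/* Requirement-conformant copy (hypothetical helper): the caller passes the
 * destination capacity, the input length is bounded before copying, and a
 * source that does not fit (including its terminating NUL) is rejected
 * instead of being truncated silently. Returns true on success. */
bool copy_checked(char *dest, size_t dest_cap, const char *src)
{
    size_t n = 0;

    if (dest == NULL || src == NULL || dest_cap == 0)
        return false;

    /* Bounded length scan: never read past dest_cap bytes of src. */
    while (n < dest_cap && src[n] != '\0')
        n++;

    if (n == dest_cap)      /* input fills or exceeds dest: no room for NUL */
        return false;

    memcpy(dest, src, n + 1);   /* n bytes plus the terminating NUL */
    return true;
}
```

A reviewer verifying the requirement looks for exactly this shape: every copy site receives a capacity, and the reject path is observable to the caller rather than hidden by truncation.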
Slide 9: GASF Testing & Validation: Assuring correct implementation
- GASF strongly supports security requirements validation and acceptance.
- Validation is specified in the assurance security requirements.
- GASF specifies validation procedures and guidelines:
  - Static source code analysis
  - Penetration tests
  - Vulnerability scanning
- GASF supports certification: using the assurance requirements, the software owner can use GASF to aid certification, e.g. NIST 140-2/3 or Common Criteria.
Slide 10: GASF Deliverables / Output
- Consolidated set of high-level security requirements
  - To be used by DSM / TO in preparation of SOW and STC
  - The process is assisted by an intuitive tool that automates the selection of applicable requirements based on templates
- GASF formal specification
  - Formal specification of all processes required for execution of an SSDLC based on the ECSS-E-ST-40C / Q-80C standards
  - For each process, identification of additional activities and mapping to the ECSS-E-ST-40C standard
  - Additional activities coming from well-identified sources, e.g. ISO 27001, Common Criteria, NIST SP, ESA Security Directives
- GASF governance
  - Maintenance and evolution of GASF documentation
  - Maintenance and periodic review of security requirements
Slide 11: GASF Project Status (June 2013)
- GASF High Level Requirements for SOW and STC – available
- Q4 2013:
  - GASF Tool SDD
  - GASF specification + DSM/TO procedures (1st issue)
  - Complete top-down set of security requirements (1st issue)
- Q1 2014:
  - GASF Tool + complete documentation set
  - GASF specification (final)
  - Final version of the complete set of security requirements
  - GASF Security Governance Strategy (DSM/TO and development team procedures for applying GASF)
  - Result of pilot project: software security analysis of an existing system based on code review and GASF tool recommendations
Slide 12: BSSC Secure SW Engineering WG: Involvement in GASF Reviews
- The main GASF review will take place later this year.
- Contribution and participation of WG members is highly welcome.
- Main review items:
  - GASF Requirements Database (structure & contents) – review starts 02/09
  - GASF Process Documentation (based on ECSS) – review starts 14/10
  - GASF Tool and tool documentation
Slide 13: References and Sources
- ISO Information security management systems — Requirements
- ISO Code of practice for Information security management
- ISO – Common Criteria for Information Technology Security Evaluation
- NIST Recommended Security Controls for Federal Information Systems and Organizations
- Common Weakness Enumeration (CWE)
- ESA Security Directives