SlideShare ist ein Scribd-Unternehmen logo

Enumerating software security design flaws throughout the ssdlc cosac - 2016 - final

Als PPTX, PDF herunterladen
John M. Willis
John M. Willis

A tool and methodology to enumerate security functional requirements arising in the solution space is described. A proof of concept tool for use by security architects and security engineers is described. The tool facilitates use of community-developed security requirements packages, security functional requirements, threat model taxonomy including mitigations. A risk-based decision making process is facilitated. Tool outputs used for change checklist, new test requirements, system security plan, risk decision documentation, deferred controls, and inherited controls.

Software
1 von 63
Enumerating software security design flaws throughout the SSDLC John M. Willis Turnaround Security, Inc. October 5, 2016 23rd International Computer Security Symposium and 8th SABSA World Congress Killashee House Naas, Ireland © 2016 Turnaround Security, Inc., All Rights Reserved
Speaker Background • Security architect/engineer with a history of electronics engineering, programming, and configuration management. • First computer was a wire-wrap Z80 board programmed in assembly. • Nowadays, seeks to build security in by coming up with new and different ways of doing things. • Long list of security certifications including: • Stanford University, Advanced Computer Security Professional • Certified Secure Software Lifecycle Professional (CSSLP) • CISSP-ISSAP (Information Systems Security Architecture Professional) 2
Acknowledgments • Mike Willis has helped by creating the prototype Ruby application code for the Qt-based GUI that uses neo4j-core to interface to the Neo4j database • An un-named esteemed Informatics professor who highly recommended we use Neo4j 3
Theory By employing the methodology/tool described here, we should: • Be able to establish order where there is currently chaos regarding the identification and satisfaction of security requirements • Not only in the solution space—but throughout the Secure Software Development Life Cycle (SSDLC) as well. 4
This is a Work In Progress • Will provide background information • Reason for creating – lack of security engineering formal discipline • Initial Proof of Concept, Prototype • Specify requirements for an application security requirements modeling tool • Mock-ups for screens • Progress to-date on screens • Progress on graph database backend • Path forward to include community developed requirements and threat libraries • Low level technical security requirements/controls—not at code level (almost, though) 5
This Tool Will Go from This … • Add web user TLS connection during the architecture and design process OR • Add web user TLS connection to mitigated Man-in-the-Middle (MITM) threat modeling finding 6
To This … Summary of Requirements for TLS Connection - Key distribution - Behavior when security attributes expire - Secure back-end connections - Define & maintain roles - Confidentiality, integrity & availability - Associate users with roles - Replay protection - Provide reliable time stamps - Error recovery - Scope session security attributes - Authentication failure behavior - Limit concurrent sessions - Permitted pre-authentication actions - Inactivity lock/unlock behavior - Prevent & detect authentication forgery - Inactivity session termination - Prevent & detect use of copied authentication data - Segmentation of different types of communication (e.g., user vs. admin) - Different privileges of local vs. remote users - Specify which endpoints initiate connection - Limit authentication feedback - Deny session based on attributes - Control who can change security attributes - Force re-authentication when needed - Key destruction 7
What Makes it Different &Who Would Use It • This tool would facilitate capture of detailed architecture and design requirements during the solution phase of a project, and enable testing and documentation of those requirements • Facilitate enumeration of requirements using a user configurable library of hierarchical security requirements packages, and standardized Threat Model taxonomy with mitigating controls. • The requirements library and taxonomy could be community developed • Initially, security architects / engineers and consultants would use the tool • Ultimately, it should be simple enough for developers to use 8
Brief History of Security Engineering • Once upon a time there was a lot of interest in Security Engineering as a scientific discipline even in the commercial sector • Then, COTS products began to evolve and they filled a gap—whether completely or not • Build vs. Buy cost trade-off considerations • Business pushed back and dropped support for applying full Security Engineering (except perhaps with Defense security) • As a result, at least in non-research circles, we do the best we can with the COTS products we are given – leaving gaps that may or may not be addressed • Security Engineering as a formal discipline does not exist 9
Requirements & Security • Operating Environment / Concept of Operations • Business Requirements • Security Functional Requirements • (Security) Non-Functional Requirements • Drivers: • Users • Law/Regulations • Organizational Policy • Risk Assessments are performed inconsistently, at varying levels of depth – or not at all • Not everyone includes misuse and abuse cases 10
Solution Space Security Engineering Challenges • Code has vulnerabilities originating from various sources • About 1/3rd of all Common Weaknesses and Enumerations (CWEs) fall into the category of Design Errors – This is significant • Nonfunctional security requirements often do not get translated into real/documented technical security design features, or controls • Security design features have their own dependencies • Threat Modeling approaches are often subjective and may or may not uncover the above • Relevant technical security controls often do not get considered in Unit, Integration or QA test cases 11
Common Criteria Security Functional Requirements • Common Criteria is an international framework for certifying that products are secure within a specific environmental context • This talk has nothing to do with certifying products • It has a detailed list of 134 Security Functional Requirements • These requirements have dependencies on each other • We are repurposing these requirements as a starting point for a standardized security requirements library 12
Uncommon Body of Knowledge – Modeling Research • We have had code generation from CASE tool models for decades, yet today only 4% of code is automatically generated using these tools • UMLsec has been around for at least 10 years, but requires significant effort to utilize properly (XML with security expressed in equation form), and coverage is limited • A significant body of research exists for reusing the Common Criteria Security Functional Requirements (CC SFRs) • There has been work to integrate the CC SFRs and UMLsec • Security patterns and pattern languages exist at various levels of abstraction for architecture as well as for design. Use is limited to very large organizations • There is a distinct lack of integration & automation between modeling tools & techniques used at various stages of the development lifecycle 13
Modeling Capabilities vs. OWASP Top 10 Source: Why Model Driven Security will not secure your Web Application Hochreiner, et al. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, volume: 5, number: 3, pp. 44-62 14
Current State of Insecurity Engineering • There is no commonly accepted complete standard security engineering maturity model (merge SSE-CMM, now ISO/IEC 21827:2008, & BSIMM). Then there’s NIST SP 800-160 (Draft) • Misuse/abuse cases not always specified, not complete in coverage • Security pattern modeling is still early-stage and there are few, if any, open source UML repositories (do you know of any?) • Security engineering modeling needs to flow from architecture & design pattern models in order to achieve significant adoption • There is little SDLC end-to-end modeling integration even for systems engineering tools… everything is market-driven… • Different tools/methods exist in various stages of maturity • A number of tools/methods are inexact, incomplete, and must be applied in a subjective manner to be effective (e.g., Threat Modeling) • Threat Modeling is a Best Practice that is not widely implemented 15
Architect / Design / Solution Space Activities • Design of security functionality and features to implement non- functional security requirements • A Security Architect &/or Engineer should be on board to allocate & develop technical security controls for all requirements • Control requirements should accompany security architecture and design patterns • Technical security requirements that are addressed need to be captured for testing and documentation purposes • Need a formal discipline for the security engineer to follow • Security engineering methods, which must be well defined, need to be applied consistently and completely – there needs to be a formal discipline 16
Unit, Integration & QA Testing of Security Testing should have the following inputs for test planning and test case design: • Requirements • Need to be complete—including requirements enumerated during the architecture and design phase • We cannot rely on the Requirements document to provide everything we need • Security Architecture & Design Patterns • Threat Model • Security Assessment These should always be included, so we do not have gaps 17
How to Establish Order from Chaos • Identify key factors • Identify those which are highly variable • Characterize (describe) these highly variable key factors as well as contributing variables • Control the factors that affect variability 18
Variables to Capture, Characterize & Control • Identify what information assets you are trying to protect • Technical security controls flowing from Requirements • Allocation of design to technical security controls, including nonfunctional security requirements (solution space) • Design phase Threat Modeling and resulting mitigations (lead to new technical security controls) (solution space) • Mitigations from Security/Risk Assessments (from various SSDLC phases) 19
Variables to Capture, Characterize & Control (cont’d) • Security requirements dependencies • Risk-Benefit Analysis of each security requirement • Which technical security controls should be implemented? • Which technical security controls are being, or should be, tested? Doing so will facilitate determining which technical security controls are missing from our design in a reproducible manner 20
Reusing Common Criteria (CC) Security Functional Requirements (SFRs) • There is an established body of literature pertaining to the reuse of Common Criteria Security Functional Requirements. This is a good starting point • Dependencies exist between different SFRs, so this helps us expand what we think our controls are into something more comprehensive • But where do we start? • Dan Wu doctoral thesis SFR Reusable Packages. Security Functional Requirements Analysis for Developing Secure Software, Doctoral Thesis, Dan Wu, May 2007 • Security Tactics and Goals. Preschern, C. 2012. Catalog of Security Tactics linked to Common Criteria Requirements. 21
TLS Use Case • From this point forward, we will provide examples of security functional requirements relating to implementation of Transport Layer Security (TLS) 22
SFR Reusable Packages – Security Requirements Packages 23
Security Requirements Packages (cont’d) 24 Source: Wu, D. (2007). Security Functional Requirements Analysis for Developing Secure Software (Doctoral dissertation) SFR Packages for Integrity
Security Tactics & Goals – Authenticate Users 25
Security Tactics & Goals – Confidentiality 26 Source: Preschern, C. 2012. Catalog of Security Tactics linked to Common Criteria Requirements.
Security Tactics & Goals – Integrity 27
CC SFR Dependency Tables (example) 28 Source: Common Criteria for Information Technology Security Evaluation (CC v3.1), Revision 2, Part 2: Security functional components.
STRIDE Based Threat Modeling 29Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014
Spoof Client Threat Tree (Partial) 30 Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014 (B-1)
Codifying Standard Threat Model (Example) Spoof.Client Spoof.Client.AuthenticationUI Spoof.Client.AuthenticationUI.LocalLogin Spoof.Client.AuthenticationUI.PrivilegedAccess Spoof.Client.AuthenticationUI.RemoteSpoof Spoof.Client.BackupAuthentication Spoof.Client.BackupAuthentication.ChainedAuthentication Spoof.Client.BackupAuthentication.InformationDisclosure Spoof.Client.BackupAuthentication.KnowledgeBasedAuthentication Spoof.Client.InsufficientAuthentication Spoof.Client.InsufficientAuthentication.DowngradeAuthentication 31 Spoof.Client.InsufficientAuthentication.NullCreds Spoof.Client.InsufficientAuthentication.PredicatbleCreds Spoof.Client.NoAuthentication Spoof.Client.ObtainCredentials Spoof.Client.ObtainCredentials.ChangeManagement Spoof.Client.ObtainCredentials.FederationIssues Spoof.Client.ObtainCredentials.Storage Spoof.Client.ObtainCredentials.Storage.at3rdParty Spoof.Client.ObtainCredentials.Storage.atClient Spoof.Client.ObtainCredentials.Storage.atKDC Spoof.Client.ObtainCredentials.Storage.atServer Spoof.Client.ObtainCredentials.Transit Spoof.Client.OtherAuthenticationAttack Derived from Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014
Standardizing Threat Mitigations (Example) 32Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014 (B-1)
Standardized Tool-Based Threat Modeling • Context needed in certain cases (External Entity, Process, Data Flow, Data Store, Security Requirements Package selection & options) • Tool should know what type of connection it is based on context (e.g., TLS for a web app) • Define a standardized taxonomy (e.g., using Threat Trees), codify them, along with mitigations based on context • Define your model – start somewhere and build from there • Always ensure all attacks are accounted for when you are performing your threat modeling 33
Proof of Concept • Very rough shell script version • Threat Modeling – concern about a web application user login and man-in-the-middle attack -- recommended mitigation of SSL (TLS) • Does not include navigation via Threat Tree to select mitigation • User authentication, confidentiality of password and integrity of data are the applicable Goals/Tactics (Security Requirements Packages) • For illustrative purposes, we’re not going to show the Requirements document as a source of input 34
Proof of Concept – Threat Modeling Input Enter Project Name: POC Enter Location Reference: userLogon1 Select Location Type [1]: 1 - External Entity 2 - Process 3 - Data Flow 4 - Data Store 1 Security Requirements Packages to Apply 1 - Authenticate Users: Robust authentication mechanism 2 - Authenticate Users: Protected authentication session 3 - Authenticate Users: Protected authentication session: Session Termination 4 - Authenticate Users: Protected authentication session: Limit Access 5 - Maintain Data Confidentiality: Protected confidentiality of transmitted data 6 - Maintain Integrity: Protected integrity of externally transmitted data Enter list of goals (numbers separated by space): 1 2 3 4 5 6 Generating list of requirements... 35
Requirements Output Result is 26 unique Common Criteria Security Functional Requirement statements, e.g.: • FCS_CKM.2: The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [assignment: cryptographic key distribution method] that meets the following: [assignment: list of standards]. • FCS_CKM.4: The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards]. • TSF = TOE (Target of Evaluation) Security Functions 36
All TLS SFRs Primary SFRs Secondary SFRs Tertiary SFRs FCS_CKM.2 FCS_CKM.4 FDP_ITT.1 FDP_UCT.1 FDP_UIT.1 FDP_UIT.2 FDP_UIT.3 FIA_AFL.1 FIA_UAU.1 FIA_UID.1 FIA_UAU.3 FIA_UAU.4 FIA_UAU.6 FIA_UAU.7 FIA_UAU.1 FIA_UID.1 FMT_SAE.1 FMT_SMR.1, FPT_STM.1 FIA_UID.1 FPT_ITC.1 FTA_LSA.1 FTA_MCS.1 FIA_UID.1 FTA_MCS.2 FIA_UID.1 FTA_SSL.1 FIA_UAU.1 FTA_SSL.3 FTA_TSE.1 FTP_ITC.1 FTP_TRP.1 37
Summary of Requirements for TLS Connection - Key distribution - Behavior when security attributes expire - Secure back-end connections - Define & maintain roles - Confidentiality, integrity & availability - Associate users with roles - Replay protection - Provide reliable time stamps - Error recovery - Scope session security attributes - Authentication failure behavior - Limit concurrent sessions - Permitted pre-authentication actions - Inactivity lock/unlock behavior - Prevent & detect authentication forgery - Inactivity session termination - Prevent & detect use of copied authentication data - Segmentation of different types of communication (e.g., user vs. admin) - Different privileges of local vs. remote users - Specify which endpoints initiate connection - Limit authentication feedback - Deny session based on attributes - Control who can change security attributes - Force re-authentication when needed - Key destruction 38
What We Demonstrated • For a given component type (reusable security function), you can specify applicable groupings of security requirements (SRPs) • Each SRP can be configured as a set of detailed requirements • They can include dependent requirements • We can associate Threat Modeling mitigations to standardized requirements packages—and their dependencies • We can expand the list of requirements for later use 39
Requirements for a Complete Tool The high-level re-entrant workflow concept to be used throughout the Secure Software Development Lifecycle (SSDLC) includes: • Build the security model – • Direct input of instance of security component • Select component by way of threat model taxonomy • Expand the requirements utilizing a configurable library of Security Requirements Packages, plus their dependencies • Design status check-off of items already addressed, or inherited • Enter level of effort and risk scoring data and provide a Risk-Benefit Analysis ranking 40
Requirements for a Complete Tool (cont’d) • Risk decision step to fix or accept risk, documenting any risk acceptance justification • Document any items deferred • Generate list of security requirements changes to be addressed, and update design status as fixed • Output list of all security requirements implemented, or being implemented, for documentation and testing purposes • Output list of implemented, inherited, and deferred security controls in desired format (ISO or NIST) 41
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Select Application Type Desktop Mobile Server Web Application Name Demo
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls New ComponentUser Server Component Type User Server TLS Many more to follow… Input Mode Threat Model Direct 42 Component Name userLogon1
Location External Entity Process Data Flow Data Store Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls New ComponentUser Server Component Name userLogon1 Spoof Client Obtain credentials Authentication UI No authentication Other authentication attack Insufficient authentication Backup authentication Obtain Credentials Transit Change management Federation issues Storage Mitigation SSL IPsec TLS Other Input Mode Threat Model Direct 43
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 44 Security Functional Requirements Component Type: TLS Used by: userLogon1 userLogon2 The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1]
44 Neo4j Graph Database
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Already Implemented The TSF shall prevent reuse of authentication data related to [assignment: identified authentication mechanism(s)]. [FIA_UAU.4] The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required]. [FIA_UAU.6] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] Y Y
Create Model Builder Expand Requirements Design Status Risk-Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Fix Decision The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Fix Decision The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 Defer The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes Defer Until Release 2.3
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Accept The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 Defer The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 No The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes Enter Justification Not critical. Can re-initiate session
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Affected Component(s) The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] accessControl.java The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] ldap.java
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 TBD: Outputs requirements that are implemented, or are being implemented, as well as those that have been deferred
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 TBD: List all requirements – • previously implemented (for regression testing purposes) • those that are being newly implemented (new test cases needed)
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 NIST The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] SC-8, SC-8(1) The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] SC-8, SC-8(1)
Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Library Maintenance Select Library Component Type Security Requirements Packages Security Functional Requirements Threat Tree Threat Mitigations Select Action Import Export Edit
What Makes This Approach Unique • Assists in enumerating requirements by applying standardized Security Requirements Packages, then expanding the requirements based on well-defined dependencies • Includes chosen or default mitigations from a standardized Threat Model taxonomy & generates more detailed security requirements and controls • Enables Risk-Benefit Analysis of each security requirement/control • Facilitates generating documentation needed for testing and compliance purposes 57
Benefits of Such a Methodology/Tool • Enable characterizing security variables so that they may be controlled, which is the key to establishing order from chaos • Provide a way of enumerating design flaws, errors and omissions— which may account for 1/3rd of vulnerabilities (CWEs) • Enable enumeration of security functionality • Identified in the solution space • Not detailed in the original Requirements Document 58
Benefits of Such a Methodology/Tool (cont’d) • Facilitate decision-making using Risk-Benefit Analysis of each technical security control, generating acceptance of risk documentation and record of deferred items • Enable us to generate details needed to implement enumerated requirements—for design and coding changes, plus unit, integration, and QA testing • Provide details for system security plans in ISO and NIST formats • Integrate with systems engineering modeling tools via SysML 59
Theory – Did we come close to proving? • Enable establishing order where there is currently chaos regarding the identification and satisfaction of security requirements during software development? • Is this approach part of what is needed to establish security engineering as a formal discipline? • Does it solve a real problem? Which one? 60
Future of this Tool • Basic functionality in prototype • Support for requirement decision-making dialogues, context inputs • Enable tailoring and completion of requirements language • Provide support for configurable standardized Threat library & associated mitigations • Make freely available as an online service • Open up Security Requirements Packages and Threat Library for community development • Three phases of development: • Standalone/online (open source/funding/partners ?) • Shared / Systems Roll-up / Performance Testing / Enterprise version • SysML-capable / Integration with other tools 61
Wrap-Up • Does this make sense? • Is it useful? • Who would use it? • Who would buy it? • Who would invest in it? • If open sourced, would anybody really work on it? • Should support for architecture and design patterns be included? • If so, when? Scope? For requirements only? • Questions & Discussion? 62
Contact Info John M. Willis Turnaround Security, Inc. 554 N Frederick Ave #244 Gaithersburg MD 20877 USA (240) 720-7678 John.M.Willis@TurnaroundSecurity.com LinkedIn.com/in/johnmwillis 63

Empfohlen

Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4
MLG College of Learning, Inc
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working Architect
Eoin Woods
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer Risks
Kevo Meehan
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC Phases
Ishrath Sultana
 
3 secure design principles
3 secure design principles3 secure design principles
3 secure design principles
drewz lin
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011
dma1965
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
Tjylen Veselyj
 

Empfohlen

Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4Information Assurance And Security - Chapter 2 - Lesson 4
Information Assurance And Security - Chapter 2 - Lesson 4
MLG College of Learning, Inc
 
Secure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working ArchitectSecure by Design - Security Design Principles for the Working Architect
Secure by Design - Security Design Principles for the Working Architect
Eoin Woods
 
Reduce Third Party Developer Risks
Reduce Third Party Developer RisksReduce Third Party Developer Risks
Reduce Third Party Developer Risks
Kevo Meehan
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC Phases
Ishrath Sultana
 
3 secure design principles
3 secure design principles3 secure design principles
3 secure design principles
drewz lin
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011AMI Security 101 - Smart Grid Security East 2011
AMI Security 101 - Smart Grid Security East 2011
dma1965
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
Tjylen Veselyj
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3
MLG College of Learning, Inc
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
MLG College of Learning, Inc
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
Priyanka Aash
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
GoQA
 
Security Design Concepts
Security Design ConceptsSecurity Design Concepts
Security Design Concepts
Mohammed Fazuluddin
 
Soc
SocSoc
Soc
Mukesh Chaudhari
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
MLG College of Learning, Inc
 
Cyber security applied to embedded systems
Cyber security applied to embedded systemsCyber security applied to embedded systems
Cyber security applied to embedded systems
Tonex
 
Multi project security exception reports - Oracle Primavera P6 Collaborate 14
Multi project security exception reports - Oracle Primavera P6 Collaborate 14Multi project security exception reports - Oracle Primavera P6 Collaborate 14
Multi project security exception reports - Oracle Primavera P6 Collaborate 14
p6academy
 
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Tonex
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
MLG College of Learning, Inc
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
Eelco Visser
 
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
imec
 
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORKSECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK
Ramez Al-Fayez
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216
William Linder
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
Marco Morana
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
AHM Pervej Kabir
 
Security life cycle
Security life cycleSecurity life cycle
Security life cycle
Juan Perez
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
DrBasemMohamedElomda
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara
 

Weitere ähnliche Inhalte

Was ist angesagt?

Cyber security applied to embedded systems
Cyber security applied to embedded systemsCyber security applied to embedded systems
Cyber security applied to embedded systems
Tonex
 
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Tonex
 
Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216
William Linder
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
Marco Morana
 
Security life cycle
Security life cycleSecurity life cycle
Security life cycle
Juan Perez
 

Was ist angesagt? (20)

Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
 
Security Design Concepts
Security Design ConceptsSecurity Design Concepts
Security Design Concepts
 
Soc
SocSoc
Soc
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
 
Cyber security applied to embedded systems
Cyber security applied to embedded systemsCyber security applied to embedded systems
Cyber security applied to embedded systems
 
Multi project security exception reports - Oracle Primavera P6 Collaborate 14
Multi project security exception reports - Oracle Primavera P6 Collaborate 14Multi project security exception reports - Oracle Primavera P6 Collaborate 14
Multi project security exception reports - Oracle Primavera P6 Collaborate 14
 
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
Cybersecurity Applied to Embedded Systems, Fundamentals of Embedded Systems a...
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1TUD CS4105 | 2015 | Lecture 1
TUD CS4105 | 2015 | Lecture 1
 
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
Wouter Joosen, iMinds Security Department, iMinds The Conference 2013
 
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORKSECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
 
Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216Linder,William H IT Auditor 0216
Linder,William H IT Auditor 0216
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Software security engineering
Software security engineeringSoftware security engineering
Software security engineering
 
Security life cycle
Security life cycleSecurity life cycle
Security life cycle
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 

Ähnlich wie Enumerating software security design flaws throughout the ssdlc cosac - 2016 - final

Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
DrBasemMohamedElomda
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
PECB
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
Cu Nguyen
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 

Ähnlich wie Enumerating software security design flaws throughout the ssdlc cosac - 2016 - final (20)

Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
 
Agile security
Agile securityAgile security
Agile security
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product Development
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Unit5
Unit5Unit5
Unit5
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Lecture 10.pptx
Lecture 10.pptxLecture 10.pptx
Lecture 10.pptx
 
7.2-0-D8-October2021 (Software Development Security).pptx
7.2-0-D8-October2021 (Software Development Security).pptx7.2-0-D8-October2021 (Software Development Security).pptx
7.2-0-D8-October2021 (Software Development Security).pptx
 
Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An Introduction
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 

Kürzlich hochgeladen

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
MyIntelliSource, Inc.
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
anilsa9823
 

Kürzlich hochgeladen (20)

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 

Enumerating software security design flaws throughout the ssdlc cosac - 2016 - final

  • 1. Enumerating software security design flaws throughout the SSDLC John M. Willis Turnaround Security, Inc. October 5, 2016 23rd International Computer Security Symposium and 8th SABSA World Congress Killashee House Naas, Ireland © 2016 Turnaround Security, Inc., All Rights Reserved
  • 2. Speaker Background • Security architect/engineer with a history of electronics engineering, programming, and configuration management. • First computer was a wire-wrap Z80 board programmed in assembly. • Nowadays, seeks to build security in by coming up with new and different ways of doing things. • Long list of security certifications including: • Stanford University, Advanced Computer Security Professional • Certified Secure Software Lifecycle Professional (CSSLP) • CISSP-ISSAP (Information Systems Security Architecture Professional) 2
  • 3. Acknowledgments • Mike Willis has helped by creating the prototype Ruby application code for the Qt-based GUI that uses neo4j-core to interface to the Neo4j database • An un-named esteemed Informatics professor who highly recommended we use Neo4j 3
  • 4. Theory By employing the methodology/tool described here, we should: • Be able to establish order where there is currently chaos regarding the identification and satisfaction of security requirements • Not only in the solution space—but throughout the Secure Software Development Life Cycle (SSDLC) as well. 4
  • 5. This is a Work In Progress • Will provide background information • Reason for creating – lack of security engineering formal discipline • Initial Proof of Concept, Prototype • Specify requirements for an application security requirements modeling tool • Mock-ups for screens • Progress to-date on screens • Progress on graph database backend • Path forward to include community developed requirements and threat libraries • Low level technical security requirements/controls—not at code level (almost, though) 5
  • 6. This Tool Will Go from This … • Add web user TLS connection during the architecture and design process OR • Add web user TLS connection to mitigated Man-in-the-Middle (MITM) threat modeling finding 6
  • 7. To This … Summary of Requirements for TLS Connection - Key distribution - Behavior when security attributes expire - Secure back-end connections - Define & maintain roles - Confidentiality, integrity & availability - Associate users with roles - Replay protection - Provide reliable time stamps - Error recovery - Scope session security attributes - Authentication failure behavior - Limit concurrent sessions - Permitted pre-authentication actions - Inactivity lock/unlock behavior - Prevent & detect authentication forgery - Inactivity session termination - Prevent & detect use of copied authentication data - Segmentation of different types of communication (e.g., user vs. admin) - Different privileges of local vs. remote users - Specify which endpoints initiate connection - Limit authentication feedback - Deny session based on attributes - Control who can change security attributes - Force re-authentication when needed - Key destruction 7
  • 8. What Makes it Different &Who Would Use It • This tool would facilitate capture of detailed architecture and design requirements during the solution phase of a project, and enable testing and documentation of those requirements • Facilitate enumeration of requirements using a user configurable library of hierarchical security requirements packages, and standardized Threat Model taxonomy with mitigating controls. • The requirements library and taxonomy could be community developed • Initially, security architects / engineers and consultants would use the tool • Ultimately, it should be simple enough for developers to use 8
  • 9. Brief History of Security Engineering • Once upon a time there was a lot of interest in Security Engineering as a scientific discipline even in the commercial sector • Then, COTS products began to evolve and they filled a gap—whether completely or not • Build vs. Buy cost trade-off considerations • Business pushed back and dropped support for applying full Security Engineering (except perhaps with Defense security) • As a result, at least in non-research circles, we do the best we can with the COTS products we are given – leaving gaps that may or may not be addressed • Security Engineering as a formal discipline does not exist 9
  • 10. Requirements & Security • Operating Environment / Concept of Operations • Business Requirements • Security Functional Requirements • (Security) Non-Functional Requirements • Drivers: • Users • Law/Regulations • Organizational Policy • Risk Assessments are performed inconsistently, at varying levels of depth – or not at all • Not everyone includes misuse and abuse cases 10
  • 11. Solution Space Security Engineering Challenges • Code has vulnerabilities originating from various sources • About 1/3rd of all Common Weaknesses and Enumerations (CWEs) fall into the category of Design Errors – This is significant • Nonfunctional security requirements often do not get translated into real/documented technical security design features, or controls • Security design features have their own dependencies • Threat Modeling approaches are often subjective and may or may not uncover the above • Relevant technical security controls often do not get considered in Unit, Integration or QA test cases 11
  • 12. Common Criteria Security Functional Requirements • Common Criteria is an international framework for certifying that products are secure within a specific environmental context • This talk has nothing to do with certifying products • It has a detailed list of 134 Security Functional Requirements • These requirements have dependencies on each other • We are repurposing these requirements as a starting point for a standardized security requirements library 12
  • 13. Uncommon Body of Knowledge – Modeling Research • We have had code generation from CASE tool models for decades, yet today only 4% of code is automatically generated using these tools • UMLsec has been around for at least 10 years, but requires significant effort to utilize properly (XML with security expressed in equation form), and coverage is limited • A significant body of research exists for reusing the Common Criteria Security Functional Requirements (CC SFRs) • There has been work to integrate the CC SFRs and UMLsec • Security patterns and pattern languages exist at various levels of abstraction for architecture as well as for design. Use is limited to very large organizations • There is a distinct lack of integration & automation between modeling tools & techniques used at various stages of the development lifecycle 13
  • 14. Modeling Capabilities vs. OWASP Top 10 Source: Why Model Driven Security will not secure your Web Application Hochreiner, et al. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, volume: 5, number: 3, pp. 44-62 14
  • 15. Current State of Insecurity Engineering • There is no commonly accepted complete standard security engineering maturity model (merge SSE-CMM, now ISO/IEC 21827:2008, & BSIMM). Then there’s NIST SP 800-160 (Draft) • Misuse/abuse cases not always specified, not complete in coverage • Security pattern modeling is still early-stage and there are few, if any, open source UML repositories (do you know of any?) • Security engineering modeling needs to flow from architecture & design pattern models in order to achieve significant adoption • There is little SDLC end-to-end modeling integration even for systems engineering tools… everything is market-driven… • Different tools/methods exist in various stages of maturity • A number of tools/methods are inexact, incomplete, and must be applied in a subjective manner to be effective (e.g., Threat Modeling) • Threat Modeling is a Best Practice that is not widely implemented 15
  • 16. Architect / Design / Solution Space Activities • Design of security functionality and features to implement non- functional security requirements • A Security Architect &/or Engineer should be on board to allocate & develop technical security controls for all requirements • Control requirements should accompany security architecture and design patterns • Technical security requirements that are addressed need to be captured for testing and documentation purposes • Need a formal discipline for the security engineer to follow • Security engineering methods, which must be well defined, need to be applied consistently and completely – there needs to be a formal discipline 16
  • 17. Unit, Integration & QA Testing of Security Testing should have the following inputs for test planning and test case design: • Requirements • Need to be complete—including requirements enumerated during the architecture and design phase • We cannot rely on the Requirements document to provide everything we need • Security Architecture & Design Patterns • Threat Model • Security Assessment These should always be included, so we do not have gaps 17
  • 18. How to Establish Order from Chaos • Identify key factors • Identify those which are highly variable • Characterize (describe) these highly variable key factors as well as contributing variables • Control the factors that affect variability 18
  • 19. Variables to Capture, Characterize & Control • Identify what information assets you are trying to protect • Technical security controls flowing from Requirements • Allocation of design to technical security controls, including nonfunctional security requirements (solution space) • Design phase Threat Modeling and resulting mitigations (lead to new technical security controls) (solution space) • Mitigations from Security/Risk Assessments (from various SSDLC phases) 19
  • 20. Variables to Capture, Characterize & Control (cont’d) • Security requirements dependencies • Risk-Benefit Analysis of each security requirement • Which technical security controls should be implemented? • Which technical security controls are being, or should be, tested? Doing so will facilitate determining which technical security controls are missing from our design in a reproducible manner 20
  • 21. Reusing Common Criteria (CC) Security Functional Requirements (SFRs) • There is an established body of literature pertaining to the reuse of Common Criteria Security Functional Requirements. This is a good starting point • Dependencies exist between different SFRs, so this helps us expand what we think our controls are into something more comprehensive • But where do we start? • Dan Wu doctoral thesis SFR Reusable Packages. Security Functional Requirements Analysis for Developing Secure Software, Doctoral Thesis, Dan Wu, May 2007 • Security Tactics and Goals. Preschern, C. 2012. Catalog of Security Tactics linked to Common Criteria Requirements. 21
  • 22. TLS Use Case • From this point forward, we will provide examples of security functional requirements relating to implementation of Transport Layer Security (TLS) 22
  • 23. SFR Reusable Packages – Security Requirements Packages 23
  • 24. Security Requirements Packages (cont’d) 24 Source: Wu, D. (2007). Security Functional Requirements Analysis for Developing Secure Software (Doctoral dissertation) SFR Packages for Integrity
  • 25. Security Tactics & Goals – Authenticate Users 25
  • 26. Security Tactics & Goals – Confidentiality 26 Source: Preschern, C. 2012. Catalog of Security Tactics linked to Common Criteria Requirements.
  • 27. Security Tactics & Goals – Integrity 27
  • 28. CC SFR Dependency Tables (example) 28 Source: Common Criteria for Information Technology Security Evaluation (CC v3.1), Revision 2, Part 2: Security functional components.
  • 29. STRIDE Based Threat Modeling 29Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014
  • 30. Spoof Client Threat Tree (Partial) 30 Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014 (B-1)
  • 31. Codifying Standard Threat Model (Example) Spoof.Client Spoof.Client.AuthenticationUI Spoof.Client.AuthenticationUI.LocalLogin Spoof.Client.AuthenticationUI.PrivilegedAccess Spoof.Client.AuthenticationUI.RemoteSpoof Spoof.Client.BackupAuthentication Spoof.Client.BackupAuthentication.ChainedAuthentication Spoof.Client.BackupAuthentication.InformationDisclosure Spoof.Client.BackupAuthentication.KnowledgeBasedAuthentication Spoof.Client.InsufficientAuthentication Spoof.Client.InsufficientAuthentication.DowngradeAuthentication 31 Spoof.Client.InsufficientAuthentication.NullCreds Spoof.Client.InsufficientAuthentication.PredicatbleCreds Spoof.Client.NoAuthentication Spoof.Client.ObtainCredentials Spoof.Client.ObtainCredentials.ChangeManagement Spoof.Client.ObtainCredentials.FederationIssues Spoof.Client.ObtainCredentials.Storage Spoof.Client.ObtainCredentials.Storage.at3rdParty Spoof.Client.ObtainCredentials.Storage.atClient Spoof.Client.ObtainCredentials.Storage.atKDC Spoof.Client.ObtainCredentials.Storage.atServer Spoof.Client.ObtainCredentials.Transit Spoof.Client.OtherAuthenticationAttack Derived from Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014
  • 32. Standardizing Threat Mitigations (Example) 32Source: Adam Shostack. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., 2014 (B-1)
  • 33. Standardized Tool-Based Threat Modeling • Context needed in certain cases (External Entity, Process, Data Flow, Data Store, Security Requirements Package selection & options) • Tool should know what type of connection it is based on context (e.g., TLS for a web app) • Define a standardized taxonomy (e.g., using Threat Trees), codify them, along with mitigations based on context • Define your model – start somewhere and build from there • Always ensure all attacks are accounted for when you are performing your threat modeling 33
  • 34. Proof of Concept • Very rough shell script version • Threat Modeling – concern about a web application user login and man-in-the-middle attack -- recommended mitigation of SSL (TLS) • Does not include navigation via Threat Tree to select mitigation • User authentication, confidentiality of password and integrity of data are the applicable Goals/Tactics (Security Requirements Packages) • For illustrative purposes, we’re not going to show the Requirements document as a source of input 34
  • 35. Proof of Concept – Threat Modeling Input Enter Project Name: POC Enter Location Reference: userLogon1 Select Location Type [1]: 1 - External Entity 2 - Process 3 - Data Flow 4 - Data Store 1 Security Requirements Packages to Apply 1 - Authenticate Users: Robust authentication mechanism 2 - Authenticate Users: Protected authentication session 3 - Authenticate Users: Protected authentication session: Session Termination 4 - Authenticate Users: Protected authentication session: Limit Access 5 - Maintain Data Confidentiality: Protected confidentiality of transmitted data 6 - Maintain Integrity: Protected integrity of externally transmitted data Enter list of goals (numbers separated by space): 1 2 3 4 5 6 Generating list of requirements... 35
  • 36. Requirements Output Result is 26 unique Common Criteria Security Functional Requirement statements, e.g.: • FCS_CKM.2: The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [assignment: cryptographic key distribution method] that meets the following: [assignment: list of standards]. • FCS_CKM.4: The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [assignment: cryptographic key destruction method] that meets the following: [assignment: list of standards]. • TSF = TOE (Target of Evaluation) Security Functions 36
  • 37. All TLS SFRs Primary SFRs Secondary SFRs Tertiary SFRs FCS_CKM.2 FCS_CKM.4 FDP_ITT.1 FDP_UCT.1 FDP_UIT.1 FDP_UIT.2 FDP_UIT.3 FIA_AFL.1 FIA_UAU.1 FIA_UID.1 FIA_UAU.3 FIA_UAU.4 FIA_UAU.6 FIA_UAU.7 FIA_UAU.1 FIA_UID.1 FMT_SAE.1 FMT_SMR.1, FPT_STM.1 FIA_UID.1 FPT_ITC.1 FTA_LSA.1 FTA_MCS.1 FIA_UID.1 FTA_MCS.2 FIA_UID.1 FTA_SSL.1 FIA_UAU.1 FTA_SSL.3 FTA_TSE.1 FTP_ITC.1 FTP_TRP.1 37
  • 38. Summary of Requirements for TLS Connection - Key distribution - Behavior when security attributes expire - Secure back-end connections - Define & maintain roles - Confidentiality, integrity & availability - Associate users with roles - Replay protection - Provide reliable time stamps - Error recovery - Scope session security attributes - Authentication failure behavior - Limit concurrent sessions - Permitted pre-authentication actions - Inactivity lock/unlock behavior - Prevent & detect authentication forgery - Inactivity session termination - Prevent & detect use of copied authentication data - Segmentation of different types of communication (e.g., user vs. admin) - Different privileges of local vs. remote users - Specify which endpoints initiate connection - Limit authentication feedback - Deny session based on attributes - Control who can change security attributes - Force re-authentication when needed - Key destruction 38
  • 39. What We Demonstrated • For a given component type (reusable security function), you can specify applicable groupings of security requirements (SRPs) • Each SRP can be configured as a set of detailed requirements • They can include dependent requirements • We can associate Threat Modeling mitigations to standardized requirements packages—and their dependencies • We can expand the list of requirements for later use 39
  • 40. Requirements for a Complete Tool The high-level re-entrant workflow concept to be used throughout the Secure Software Development Lifecycle (SSDLC) includes: • Build the security model – • Direct input of instance of security component • Select component by way of threat model taxonomy • Expand the requirements utilizing a configurable library of Security Requirements Packages, plus their dependencies • Design status check-off of items already addressed, or inherited • Enter level of effort and risk scoring data and provide a Risk-Benefit Analysis ranking 40
  • 41. Requirements for a Complete Tool (cont’d) • Risk decision step to fix or accept risk, documenting any risk acceptance justification • Document any items deferred • Generate list of security requirements changes to be addressed, and update design status as fixed • Output list of all security requirements implemented, or being implemented, for documentation and testing purposes • Output list of implemented, inherited, and deferred security controls in desired format (ISO or NIST) 41
  • 44. Location External Entity Process Data Flow Data Store Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls New ComponentUser Server Component Name userLogon1 Spoof Client Obtain credentials Authentication UI No authentication Other authentication attack Insufficient authentication Backup authentication Obtain Credentials Transit Change management Federation issues Storage Mitigation SSL IPsec TLS Other Input Mode Threat Model Direct 43
  • 45. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 44 Security Functional Requirements Component Type: TLS Used by: userLogon1 userLogon2 The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1]
  • 47. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Already Implemented The TSF shall prevent reuse of authentication data related to [assignment: identified authentication mechanism(s)]. [FIA_UAU.4] The TSF shall re-authenticate the user under the conditions [assignment: list of conditions under which re-authentication is required]. [FIA_UAU.6] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] Y Y
  • 48. Create Model Builder Expand Requirements Design Status Risk-Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17
  • 49. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Fix Decision The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes
  • 50. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Fix Decision The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 Defer The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes Defer Until Release 2.3
  • 51. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Risk LOE Ranking Accept The TSF shall be able to deny session establishment based on [assignment: attributes]. [FTA_TSE.1] M $ 50,000 10 Defer The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] H $ 20,000 50 Yes The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to recover from [assignment: list of recoverable errors] with the help of the source trusted IT product. [FDP_UIT.2] L $ 30,000 3 No The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] M $ 30,000 17 Yes Enter Justification Not critical. Can re-initiate session
  • 52. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 Affected Component(s) The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] accessControl.java The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] ldap.java
  • 53. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 TBD: Outputs requirements that are implemented, or are being implemented, as well as those that have been deferred
  • 54. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 TBD: List all requirements – • previously implemented (for regression testing purposes) • those that are being newly implemented (new test cases needed)
  • 55. Create Model Builder Expand Requirements Design Status Risk- Benefit- Analysis Risk Decision Requirements Change Checklist Finalize Requirements Output Test Requirements Output Security Controls 42 Security Functional Requirement Component Type: TLS; Used by: userLogon1, userLogon2 NIST The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to be able to [selection: transmit, receive] user data in a manner protected from unauthorised disclosure. [FDP_UCT.1] SC-8, SC-8(1) The TSF shall enforce the [assignment: access control SFP(s) and/or information flow control SFP(s)] to prevent the [selection: disclosure, modification, loss of use] of user data when it is transmitted between physically-separated parts of the TOE. [FDP_ITT.1] SC-8, SC-8(1)
  • 57. What Makes This Approach Unique • Assists in enumerating requirements by applying standardized Security Requirements Packages, then expanding the requirements based on well-defined dependencies • Includes chosen or default mitigations from a standardized Threat Model taxonomy & generates more detailed security requirements and controls • Enables Risk-Benefit Analysis of each security requirement/control • Facilitates generating documentation needed for testing and compliance purposes 57
  • 58. Benefits of Such a Methodology/Tool • Enable characterizing security variables so that they may be controlled, which is the key to establishing order from chaos • Provide a way of enumerating design flaws, errors and omissions— which may account for 1/3rd of vulnerabilities (CWEs) • Enable enumeration of security functionality • Identified in the solution space • Not detailed in the original Requirements Document 58
  • 59. Benefits of Such a Methodology/Tool (cont’d) • Facilitate decision-making using Risk-Benefit Analysis of each technical security control, generating acceptance of risk documentation and record of deferred items • Enable us to generate details needed to implement enumerated requirements—for design and coding changes, plus unit, integration, and QA testing • Provide details for system security plans in ISO and NIST formats • Integrate with systems engineering modeling tools via SysML 59
  • 60. Theory – Did we come close to proving? • Enable establishing order where there is currently chaos regarding the identification and satisfaction of security requirements during software development? • Is this approach part of what is needed to establish security engineering as a formal discipline? • Does it solve a real problem? Which one? 60
  • 61. Future of this Tool • Basic functionality in prototype • Support for requirement decision-making dialogues, context inputs • Enable tailoring and completion of requirements language • Provide support for configurable standardized Threat library & associated mitigations • Make freely available as an online service • Open up Security Requirements Packages and Threat Library for community development • Three phases of development: • Standalone/online (open source/funding/partners ?) • Shared / Systems Roll-up / Performance Testing / Enterprise version • SysML-capable / Integration with other tools 61
  • 62. Wrap-Up • Does this make sense? • Is it useful? • Who would use it? • Who would buy it? • Who would invest in it? • If open sourced, would anybody really work on it? • Should support for architecture and design patterns be included? • If so, when? Scope? For requirements only? • Questions & Discussion? 62
  • 63. Contact Info John M. Willis Turnaround Security, Inc. 554 N Frederick Ave #244 Gaithersburg MD 20877 USA (240) 720-7678 John.M.Willis@TurnaroundSecurity.com LinkedIn.com/in/johnmwillis 63

Hinweis der Redaktion

  1. Note that terminology may not be aligned with SABSA
  2. Make sure you have had your coffee, tea, or Guinness
  3. Tool will allow input during architecture and design process, or threat modeling process. For example, adding a TLS connection as the input will result in …
  4. … this more detailed list of requirements to consider… We will come back to this slide later…
  5. Let’s back up a little bit in time… Repeat last bullet – Security Engineering is NOT a formal discipline – yet.
  6. So, let’s jump right in. Software development starts with Requirements. We have to take into consideration…
  7. Now let’s focus on the solution space challenges.
  8. Level set
  9. What do we have to work with? What has been done in researching this?
  10. Aspect is concerned with cross-cutting issues. There has been some progress at integrating security concerns into low level UML models. KAOS modeling is generally used for requirements engineering at a high level for business requirements.
  11. So… what is our current state? Systems Security Engineering Capability Maturity Model / Build Security In Security Model Systems Security Engineering - An Integrated Approach to Building Trustworthy Resilient Systems
  12. What do we need in the architecting & design, or solution phase?
  13. How we should be testing security? We need the following inputs
  14. What are the relevant variables?
  15. What are the relevant variables?
  16. Different types of applications/domains have different statistical distributions of the SFRs. Note complete codes such as for Access control FDP_ACC.1.
  17. Who says the package is right? The security architect. Packages are standardized based on type of platform. During architecture and design phase certain requirements may be excluded based on specific requirements, deign and environment.
  18. Next three slides are just a subset of Preschern’s work. S=Strategy; G=Goal. Note S2, S3 & G10 Note decision diamond (2FA vs single factor). Has to be accommodated by tool. Not yet, though.
  19. Selection of the applicable goals is a function of what you are trying to do and the environment (i.e., use case). These are more broad and not as specific as Wu’s. Point is that there are rational ways to form SRPs. Only G10 (Confidentiality of Transmitted information) relates to TLS
  20. Later we will include G6 for our TLS connection
  21. An “O” in a cell means Optional, based on a decision using information A “-” means it is required indirectly. So far, we have not included optional or indirect requirements in the imported data
  22. Note use of STRIDE and DFD… We are going to focus on Spoofing Authentication from an External Entity (client). Note: B-#s refer to sections in Appendix B.
  23. Entire tree is one possible starting point for a complete taxonomy. Each of these boxes can be encoded, or codified …
  24. And here is Spoof Client. For each of these threats there are mitigations to consider. We are going to focus on Obtain Credentials in Transit
  25. Encryption & authentication needed. Mitigation options include SSL, IPsec & SSH. Because we are working with a web app SSL (TLS) applies. The tool mayneed to have some context awareness.
  26. The key point is to standardize your threat modeling taxonomy – start somewhere. Standardize your process to minimize subjectivity. Findings, impact, LOE are outputs of Threat Modeling. This tool would assist in managing threat information and matching it up with mitigations.
  27. Here we have two examples – creation and destruction of keys. Note the presence of the brackets. Your organization would tailor these in the requirements library based on your standards and preferred methods.
  28. For our purposes, we’ll refer to these as Primary, Secondary and Tertiary SFRs. The Primary SFRs are specified in the SRPs that were selected. 11 instances of dependent requirements. 5 unique secondary requirements, and 1 unique tertiary requirement.
  29. Would you think to address all of these? How about “Deny session based on attributes”? Did you check revocation status of the client certificate? Some of these may not apply to a TLS connection, per se, but you may still need to take them into consideration. For example, how to know what role the user has.
  30. What are the requirements for a complete tool?
  31. Create: Application Type: Web, Desktop, Server, Mobile
  32. Mock-up: Chose Direct Input Mode for architecture and design activities, or Threat Model for Threat Model data input. Here we choose Direct. This screen is a DFD view, with only instances of node types visible.
  33. Mock-up: Example Threat Tree navigation for Threat Model Input Mode. Need to add DFD borders? Repeat: Two different input modes: Direct for design, and Threat Model
  34. userLogon1 & userLogon2
  35. Ranking is basically a product of Risk x inverse of Cost to Fix The higher the Ranking the higher the priority to fix
  36. This screen should be sorted by ranking
  37. This screen should be sorted by ranking
  38. Let’s review
  39. Future tense