CSSLP Deconstructed - Strong Crypto

crookpatedspongy | Software & software development

2 Dec 2013 (3 years and 8 months ago)

99 views

The CSSLP Deconstructed
And other topics related to Software Security

Alexander J. Fry
Founder, Strong Crypto
www.strongcrypto.com

Who am I?

• Founder, Strong Crypto, a software security consultancy
• (ISC)2 SME question writer for the CSSLP examination
• Member, OWASP Global Industry Committee
• Co-author, The CSSLP Prep Guide


Introduction

• I’m a hands-on security professional. I perform code reviews and security testing, work with software developers, and train personnel.

• I’m here to share my perspectives on the CSSLP and other topics in software security.

• This is an informal presentation. Feel free to contribute to the discussion while it is underway. Just raise your hand and I’ll call on you when I get to a stopping point.

• All of the opinions expressed in this presentation are my own, but some of the CSSLP introductory material is from (ISC)2.


What is the CSSLP?

• Certified Secure Software Lifecycle Professional (CSSLP)
• It is a top-level (base) credential, just like the CISSP
• Professional certification program
• Takes a holistic approach to security in the software lifecycle
• Tests candidates’ competency (knowledge, skills, and abilities, or KSAs) to significantly mitigate security concerns in software

Source: (ISC)2 CSSLP Launch Presentation

Purpose

• The purpose of the Certification is to provide a credential that speaks to the individual’s understanding of and ability to deliver secure software through the use of best practices.

• The target professionals for this Certification would be anyone who is directly and in some cases indirectly involved in the Software Lifecycle.

Source: (ISC)2 CSSLP Launch Presentation

Software Lifecycle Stakeholder Chart

Source: (ISC)2 CSSLP Launch Presentation

[Chart: Software Lifecycle Stakeholders, grouped by (ISC)2 into Primary Target, Influencers, and Secondary Target. The grouping is not recoverable from the extracted text; the stakeholders shown are listed below.]

• Top Management
• Business Unit Heads
• IT Manager
• Security Specialists
• Application Owners
• Developers/Coders
• Project Managers/Team Leads
• Technical Architects
• Quality Assurance Managers
• Business Analysts
• Industry Group Delivery Heads
• Client Side PM
• Auditors

CSSLP CBK Domains

• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance, and Disposal

Secure Software Concepts


fundamental knowledge for understanding the
security implications of software development,
and the mechanisms to impose security
constraints on the behavior, use, and content of
a software system. This includes security
design and information assurance principles,
risk management, software architectures, legal
issues, standards, acquisition methods,
information security and software maturity
models.

Secure Software Requirements


the overall software specification should include
both functional and nonfunctional requirements.
The nonfunctional requirements of secure software
address issues such as how the software
application will: remain dependable under hostile
operating conditions; resist compromise by an
attacker through the exploitation of vulnerabilities
or insertion of malicious code; and be resilient
enough to recover quickly, containing damage to
itself, data, resources, and external components
on which it relies.

Secure Software Design


fundamental activities that approach the
definition of the software from a security
perspective in order to decrease the likelihood
that the design specification will contain flaws.
These activities include identifying and
minimizing the software's attack surface,
performing threat modeling, and following
security design principles.

Secure Software Implementation/Coding


software developers should follow secure
coding best practices and standards,
understand and avoid common vulnerabilities
and implement countermeasures, and use tools
and techniques such as static analysis and
code review to avoid introducing flaws that can
lead to security vulnerabilities.

Secure Software Testing

activities for evaluating a software application in a runtime environment that most closely resembles its production environment. Many testing activities require the application to be functionally complete and follow standards and methodologies such as ISO 9126, the SSE-CMM, and the Open Source Security Testing Methodology Manual (OSSTMM). Security testing should assess the security properties and behaviors of the software application as it interacts with external entities and as its own components interact with each other. An analysis of test results forms the basis for assessing risk and means of remediation.


Software Acceptance

is concerned with ensuring that the software is ready to be released. This involves pre-release or pre-deployment activities such as generating test data that shows that all prescribed tests have been executed and accepted; and post-release activities such as an independent review of the software conducted by a third-party or by an independent security team of the organization.

Software Deployment, Operations,
Maintenance, Disposal


is concerned with maintaining information
assurance during installation, deployment,
operation, maintenance, and disposal of secure
software systems.

Where is the CSSLP? First Attempt.

[Diagram; labels as extracted: Information Assurance, CISSP CBK, Software Assurance, CSSLP CBK, CISSP Application Development Security Domain]

Where is the CSSLP? Second Attempt.

[Diagram; labels as extracted: Information Assurance, CSSLP, CISSP, ISSEP]

CSSLP Certification Requirements

Roughly:

• Examination registration form
• Signed candidate agreement and adherence to the (ISC)2 Code of Ethics
• Proof of 4 years of FT experience in the Software Development Life Cycle (SDLC) process, or 3 years plus a 1 year waiver of experience for a degree in an IT related field
• $599
• Candidate will have to pass the official (ISC)2 CSSLP certification examination and complete the endorsement process
• An Associate of (ISC)2 Program will apply to those who have passed the exam but still need to acquire the necessary minimum experience requirements
• See http://www.isc2.org/csslp-certification.aspx for updated requirements


Key Players

While there is no indication that other organizations in this space are addressing the knowledge areas in the same manner as the CSSLP, the following are addressing software development and/or security in the software lifecycle:

• IEEE: CSDA and CSDP (Software Development)
• SANS: GSSP-C, GSSP-J (Language specific secure coding)
• ISSECO: CSSE (Entry level education program with certificate of completion)
• DHS: Software Assurance Initiative (Awareness Program/Forum)
• Vendor-Specific: Sun Microsystems SCJP, Microsoft MCSD, Symantec - based on internal lifecycle process or technology specific

Source: (ISC)2 CSSLP Launch Presentation

CSSLP CBK Overlap with other Certifications/Programs

Source: (ISC)2 CSSLP Launch Presentation

Credential                     Body      Type
CSSLP                          (ISC)²    Professional Certification Program
CSDA                           IEEE      Associate Level Status
CSDP                           IEEE      Professional Certification Program
GSSP-C                         SANS      Software Coder Certification Program
GSSP-J                         SANS      Software Coder Certification Program
Software Assurance Initiative  DHS       Awareness Effort
CSSE                           ISSECO    Entry-level Education Program, Certificate of Completion
Vendor-Specific Credentials    various   (not categorized in the chart)

State of the CSSLP

• International Marketing Efforts
• ANSI/ISO/IEC 17024 accreditation
• DoD 8570.1 directive
• CSSLP Education Seminars: (ISC)2 held one from January 11-15, 2010 in Ashburn, VA
• The first prep guide is for sale: The CSSLP Prep Guide.


Do you need the CSSLP?

• Certification vs. Legion Against Meaningless Certifications (LAMN)

“Anyone who believes that a credential automatically conveys some magical knowledge that you didn't have before is just as overly-simplistic as someone who disparages all credentials equally. It just isn't a black and white world.” - Paco Hope

“Because academia can't produce enough surgeons to satisfy all security demands (and indeed because entire armies of less specialized ‘healthcare professionals’ are necessary), the idea of a certification makes plenty of practical sense.” - Gary McGraw, in reference to the CISSP: http://www.darkreading.com/document.asp?doc_id=123606

• “A second term CISSP demonstrates more value than a first year CISSP”
• Are you a stakeholder in the SDLC?
• Is the CSSLP going to be part of your lifelong learning program?
• Is it important to your career to be recognized as a CSSLP?
• You are the CEO of YOU INC
• How should the CSSLP be pronounced? C.SLIP; C.S.S.L.P; CIS.LIP (sis-lip). Where is the (ISC)2 guidance?
• Why not the Certified Software (Security) Assurance Professional, C.SWAP? Building Security In is implied.

“Effective career management is going to be critical to your personal success and attainment of your individual career goals.” - Lee Kushner, http://www.owasp.org/images/a/af/The_Entrepreneurs_Guide_to_Career_Management-Lee_Kushner.pdf


The CSSLP Prep Guide

• The first and only (for a few more months) prep guide for the CSSLP
• Broad coverage of all seven domains of the CSSLP CBK
• A software security assurance text book disguised as a certification prep guide
• Uses the attacker’s perspective to teach some of the security concepts
• Almost 700 pages, lots of references to other tools and resources, end of chapter practice questions, testing engine on CD, comprehensive glossary

Additional Topics

• Software Security Risk
• Recent Threats
• 3rd Party Software
• Addressing Risk for 3rd Party Software


Software Security Risk

• Need to follow a risk-driven approach to improving the security of software.
• Applications come from: in-house, outsourced, commercial, open source or a combination, e.g., commercial but customized in-house, open source libraries in in-house applications
• For existing legacy applications, do you deploy real-time protections or take off-line and fix?
• Compliance should be leveraged to build/acquire more secure applications
• Use the attacker’s perspective to determine risk, e.g., threat modeling, understanding the deployment environment(s)
• Security problems will emerge! To keep up with emerging threats, you need to perform regular maintenance, periodically test, and continuously monitor applications.


Recent Threats

• “Symantec is grappling with a date-stamp problem that has seen all its security updates dated 2010 rejected by its own servers.” - http://news.zdnet.co.uk/security/

• “Adobe Zero-Day Attack Solution: Disable JavaScript”
  No patch available: Many corporate applications use JavaScript in PDFs for important functions like forms processing, and it’s used by Google Docs for printing support. http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20091214

• “NIST-certified USB Flash drives with hardware encryption cracked”
  FIPS 140-2 Level 2 validated drives using 256-bit AES. http://bit.ly/6X281y
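The USB drive story is the one worth unpacking for an SDLC audience, because the cryptography was not what failed. The finding reported at the time (SySS, January 2010) was that the vendors' host software checked the password itself and then sent the drive a fixed unlock sequence, so anyone who patched or replayed that host step unlocked the drive with no password, and the FIPS 140-2 validated AES module was never touched. The following is an added example, not code from these slides or from any vendor: a Python model of that flawed unlock path next to a design where the password actually derives the key. The class and function names, the constant token, the PBKDF2 parameters, the sample payload, and the SHA-256 counter-mode stream standing in for AES are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample payload; stands in for the files stored on the drive.
SECRET = b"Q4 forecast spreadsheet (constructed sample data)"


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream built from SHA-256. This stands in for the
    drive's AES-256, which the standard library does not provide; the point
    of the example is the unlock path, not the cipher. One call both
    encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


class FlawedDrive:
    """The design that failed: the drive holds a random key and releases the
    plaintext to anyone presenting a constant unlock token. The password is
    checked only by the host software. The token value is a hypothetical
    constant chosen for this example."""

    UNLOCK_TOKEN = b"\x00" * 16

    def __init__(self, password: bytes, plaintext: bytes) -> None:
        self._key = os.urandom(32)            # stored inside the drive
        self._nonce = os.urandom(16)
        self.ciphertext = _xor_stream(self._key, self._nonce, plaintext)
        # Verifier used by the host software; the drive never consults it.
        self.host_pw_hash = hashlib.sha256(password).digest()

    def unlock(self, token: bytes) -> Optional[bytes]:
        if hmac.compare_digest(token, self.UNLOCK_TOKEN):
            return _xor_stream(self._key, self._nonce, self.ciphertext)
        return None


def flawed_host_unlock(drive: FlawedDrive, password: bytes) -> Optional[bytes]:
    """What the host tool does: check the password locally, then send the
    same token the drive always accepts."""
    if hmac.compare_digest(hashlib.sha256(password).digest(), drive.host_pw_hash):
        return drive.unlock(FlawedDrive.UNLOCK_TOKEN)
    return None


def attack_flawed_drive(drive: FlawedDrive) -> Optional[bytes]:
    """A patched or replayed host: skip the password check and send the token
    anyway. No password is involved and the cipher is never attacked."""
    return drive.unlock(FlawedDrive.UNLOCK_TOKEN)


class CorrectedDrive:
    """Password-bound design: the drive derives an encryption key and a
    separate verifier key from the password with PBKDF2 (iteration count
    chosen for this example). There is no token that unlocks it without
    the password."""

    def __init__(self, password: bytes, plaintext: bytes) -> None:
        self._salt = os.urandom(16)
        self._nonce = os.urandom(16)
        enc_key, ver_key = self._derive(password)
        self._verifier = hmac.new(ver_key, b"unlock-check", hashlib.sha256).digest()
        self.ciphertext = _xor_stream(enc_key, self._nonce, plaintext)

    def _derive(self, password: bytes) -> tuple:
        material = hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000, dklen=64)
        return material[:32], material[32:]

    def unlock(self, password: bytes) -> Optional[bytes]:
        enc_key, ver_key = self._derive(password)
        expected = hmac.new(ver_key, b"unlock-check", hashlib.sha256).digest()
        if hmac.compare_digest(expected, self._verifier):
            return _xor_stream(enc_key, self._nonce, self.ciphertext)
        return None


if __name__ == "__main__":
    flawed = FlawedDrive(b"correct horse battery", SECRET)
    print("flawed, host tool, right password:", flawed_host_unlock(flawed, b"correct horse battery") == SECRET)
    print("flawed, host tool, wrong password:", flawed_host_unlock(flawed, b"wrong"))
    print("flawed, attacker, no password:    ", attack_flawed_drive(flawed) == SECRET)

    fixed = CorrectedDrive(b"correct horse battery", SECRET)
    print("corrected, right password:        ", fixed.unlock(b"correct horse battery") == SECRET)
    print("corrected, wrong password:        ", fixed.unlock(b"wrong"))
```

The lesson for acceptance testing and third-party evaluation is the one the slides keep returning to: a validated component (here, the AES module) says nothing about the system around it, and the attacker's perspective, tracing the unlock path end to end, is what exposes the gap.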



3rd Party Software

• Lack of visibility into the third party software development lifecycle.
• Unknown level of software assurance.
• Little or no access to source code.
• Limited internal resources to address this risk.
• Don’t want to introduce vulnerabilities into the organization.
• Want to be proactive instead of reactive.



Addressing Risk for 3rd Party Software

• “Contract language should specify that security assurance will be provided as a condition for accepting deliverable applications.” - Gartner
• DHS Build Security In Web Site: “Software Assurance (SwA) in Acquisition: Mitigating Risks to the Enterprise”
• OWASP Legal Project: Contract Annex
• For a commercial vendor that does not have the required assurance evidence, use an expert consultant or a Software as a Service (SaaS) solution that supports static and dynamic testing:
  • Fortify on Demand: any 3rd party development team can test and score the security of their application, review results, and then publish a report back to their customer.
  • Veracode: uses binary analysis (doesn’t require source code) to allow transparency into the security of COTS or outsourced applications.
• Open source software: Fortify Open Review Project identifies and reports bugs and security vulnerabilities in widely used open source software. Have the developers submit the software. https://opensource.fortify.com




Open Web Application Security Project

• Focused on improving the security of application software. Mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. All materials are available under a free and open software license.
• I’m a member of the Global Industry Committee at OWASP: http://www.owasp.org/index.php/Global_Industry_Committee
• Has monthly meetings like ISSA and hosts worldwide conferences like OWASP App Sec DC 2009; slides from the presentations are available at http://www.owasp.org

Communications

• Web Site: http://strongcrypto.com
• Twitter: http://twitter.com/alexanderjfry
• Facebook: http://facebook.com/alexander.j.fry
• LinkedIn: http://linkedin.com/in/alexanderfry