A Scalable Secure Development Program

Rajiv Sharma, CSSLP, Sr. Principal Program Manager, Oracle Global Product Security

Front Range OWASP Conference, March 22nd, 2012

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.


Page 2

Agenda

• Importance of Software Security

• What is Software Security Assurance?

• Oracle Software Security Assurance

• Cultivating Security Community in Development


Page 4

IT Security Challenges…

• Complex regulatory and privacy frameworks

• Continued requirement to demonstrate compliance

• Difficulty of managing risks in a global, ever-changing business environment

• Increasingly complex security requirements for networked applications and systems

• Need for maintaining “security in depth”

• Potential risks associated with insider threats

It’s not just about malicious hackers!

Page 5

Multi-Dimensional Aspects Of Security

Page 6

Security In Depth Considerations

• How degraded is your overall security posture when individual security mechanisms fail, are compromised or circumvented?

• How degraded is your overall security posture when system environment and use cases change?

Page 7

Security In Depth Considerations
How effective are your security controls?

• Have you been able to set proper security controls on each layer of your IT infrastructure to ensure a security in depth posture?

• How many of these IT security controls are software-enforced? Have they been turned ON?

• Will these security features function as you expect?

• Is your software free of security defects?

Page 8

Why Do Organizations Get Hacked?
OWASP Top 10 - 2010

• A1 – Injection

• A2 – Cross Site Scripting (XSS)

• A3 – Broken Authentication and Session Management

• A4 – Insecure Direct Object References

• A5 – Cross Site Request Forgery (CSRF)

• A6 – Security Misconfiguration

• A7 – Insecure Cryptographic Storage

• A8 – Failure to Restrict URL Access

• A9 – Insufficient Transport Layer Protection

• A10 – Unvalidated Redirects and Forwards

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Page 9

Why Do Organizations Get Hacked?
Keeping up with security patches is good security practice

• Would you knowingly run on a vulnerable system for an extended period of time?

– The publication of security fixes by vendors often results in making potentially malicious hackers aware of the flaw:

• Reverse-engineering of the fixes for the purpose of developing malware or exploits

• Inclusion of the exploit in hacking toolsets (e.g., Metasploit)

– Apply security patches in a timely fashion

– Keeping up with newer releases is also good security practice!

• Newer releases may include additional fixes, which cannot always be backported to previous releases

• And of course… Follow your vendor’s deployment recommendations


Page 11

Software Security Assurance
Definition

The process of ensuring that software is designed to operate at a level of security that is consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability, or misuse of the data and resources that it uses, controls, and protects.

http://en.wikipedia.org/wiki/Software_Security_Assurance

Page 12

Importance of Software Security Assurance

Customers must be assured that:

1. The software they purchase from their vendors is designed and developed securely, e.g.:

• Does the software do what it is designed to do and nothing more?

• How resilient to threats is the software?

2. The vendors have effective procedures to deal with security vulnerabilities and provide ongoing security assurance in their products.

Page 13

What Is Software Security Assurance?
Implications for software

1. Software must have been designed securely

– Security must be “built in, not bolted on”

– Software must provide adequate security controls (e.g. reflecting the data it will store, the threat environment in which it will operate, etc.)

2. Software must have been securely developed

– Secure design and coding principles must have been followed

– Software must have been developed in a secure environment under a securely designed development process

3. Software must provide a reasonably secure posture by default

– Hardening instructions must be documented and available

Page 14

What Is Software Security Assurance?
Implications for software vendor/developer

• Security must be embedded in the organization’s DNA

• Organization must recognize that there is no “magic bullet” but that security is an ongoing commitment


Page 16

Oracle Software Security Assurance
Definition

Oracle Software Security Assurance (OSSA) encompasses all the constantly-evolving processes, procedures, and technologies implemented by Oracle to ensure that Oracle’s products are meeting our customers’ security requirements, while providing for the most cost-effective ownership experience.

Page 17

Oracle Software Security Assurance
Highlights

• Maintaining the security posture of ALL Oracle customers is one of the greatest priorities of Oracle

• Applies to ALL Oracle software products, including software components of hardware products (e.g. firmware), throughout their lifecycle, and constantly evolving to adapt to new technologies, threats, and product use cases

Page 18

Oracle Software Security Assurance

• Major programs include:

– Secure Development Standards

– Secure Configuration Initiative

– Internal and external security assessments (i.e. external security validations under FIPS and Common Criteria)

– Critical Patch Update & Security Alert

– Etc.

• Oracle security programs affect the entire product lifecycle

Page 19

The Race is On!
Security throughout the product lifecycle

• Security must be “built in, not bolted on”

• Ongoing assurance doesn’t stop when a product is released

– Security requirements change when the product is no longer used in the way it was designed for

– Need to address new attacks and exploit methods

– Need to effectively deal with vulnerabilities that made their way into released code

– Etc.

Page 20

Security Throughout The Product Lifecycle
Examples of Oracle Software Security Assurance requirements

Product Definition

• Security requirements to be documented in product definition, specifications, and design phases

• Mandatory use of previously vetted security code for complex security functions (crypto, authentication, etc.)

Product Development

• Ongoing reviews to validate compliance with: Secure Development Standards, previously documented security specifications, etc.

• Extensive use of automated vulnerability discovery tools as part of the development lifecycle and extensive use of penetration testing

• Mandatory use of security checklists

Ongoing Assurance

• Disclosure of vulnerability when a fix is available on all supported release and platform combinations

• Equality of all customers

• Vulnerabilities fixed in severity order

Page 21

Secure Development Standards

• Codified security standards are at the core of Oracle Software Security Assurance

• Coding guidelines

– Secure coding principles

– Examples of what not to do

– Requirements to use previously vetted security code for complex security functions (crypto, authentication, etc.)

– Minimum secure design requirements (e.g., weak/old crypto algorithms are banned)

– Etc.

• Mandatory training

Page 22

Product Definition

• Security requirements are expressed as early as design and engineering specifications phases

• Security requirements include:

– Requirements born from Secure Coding Standards

– Product-specific requirements (such as those resulting from new security features)

• Established security criteria must be satisfied and reviewed at each step of the development and release process

Page 23

Product Development

• Ongoing reviews to validate compliance with:

– Secure Coding Standards

– Previously documented security specifications

• Additional design reviews for security

• Extensive use of scanning and testing tools to provide ongoing feedback to the development team regarding the quality of produced code

– Proactive security testing

– Destructive security testing

Page 24

Ongoing Assurance

• Security testing takes place throughout the useful life of the product

– Pre-release security scanning and testing:

• Automated and ad hoc tests throughout the development phase

• Compliance with the security release checklist is mandatory before release

– Post-release security activities:

• Targeted security reviews to assess resistance to new and emerging threats, or validate absence of vulnerabilities

• Submission of security flaws by customers and security researchers

– Ethical hacking (internal security assessment)

• Updated secure configuration best practices are available online

• Independent Security Evaluations

– Common Criteria (ISO-15408), FIPS 140-2

Page 25

Oracle Vulnerability Remediation Practices
Introduction

• While our #1 priority is the prevention of security vulnerabilities in released code, Oracle has very mature security vulnerability remediation practices

– Security patching is a “necessary evil” and the most public evidence of the ongoing assurance effort:

• Need to address vulnerabilities uncovered during the ongoing assurance effort

• Need to address vulnerabilities resulting from new attack methods or use-case scenarios by our customers

• Need to address vulnerabilities reported by external security researchers

– The Critical Patch Update program is designed to maintain the security posture of Oracle customers at the lowest possible cost for them


Page 27

Cultivating Security Community in Development

• Security is a strategic requirement defined by the Global Product Security organization

– Braintrust for security topics and expertise

– Definition and enforcement of Secure Coding Standards

– Security review in support of M&A activities

– Development and maintenance of core security modules

– Lead ongoing assurance activities

– Definition and delivery of security training programs (including remedial effort when required)

– Report into the Chief Security Officer

• Security at Oracle follows a mostly decentralized model to reflect the differences in products and the development groups that produce them

Page 28

Security Assurance Within the Corporate Structure

• CEO – Larry Ellison

• Chief Corporate Architect

• Global Product Security – CSO

• Global Information Security – VP Information Security

• Global Physical Security – Sr. Director Physical Security

• Corporate Security Architecture – Security Architect

Page 29

Oracle’s SPOC Community

• Global Product Security leads the community and provides consistent baselines for security processes and procedures for all

• Security Points Of Contact (SPOCs) Community spread throughout all product development

– Provides for a flexible model consistent with a variety of development styles

– Fosters innovation and captures lessons learned from other groups to use

Page 30

Delegated Security Model

• Each product family has a senior level Security Lead

– Liaison to Global Product Security and their senior development management for all security matters

– Lead a virtual team of Security Points of Contact (SPOCs) that represent security assurance for each component of the product family

• SPOCs act as the tactical security resource for the product component

– In-depth knowledge of the component leads to building security in at the lowest level

– Receive focused training in software security assurance

– Key role throughout the product lifecycle: participate in design reviews, document reviews, code reviews, bug triage, patching, etc.

Page 31

SPOC Engagement in OSSA

Security Points of Contact (SPOC) Community

• Security Assurance Training

• Ethical Hacking

• Secure Coding Standards

• External Certifications

• Secure Configuration

• Security Tools Adoption

• Security Alerts

• Security Checklists

• Security Reviews

• Security Policies

• Core Security Modules

• Customer Feedback

The SPOC Community is central to all security assurance activities

Page 32

Security Points of Contact (SPOCs)

• Key role to achieve baking security in

• Flexible model, accommodates a variety of development styles

• Security experts within each product component team

– Professional security resource in each product development team

– In-depth knowledge of component(s) represented

– Receive focused training in security assurance

– Liaison between Security Lead and Global Product Security

– Participate in design reviews, document reviews, code reviews, bug triage

• Responsible for and report compliance status for each component in each major product release

– Automated Security Checklist System

– Security reviews with Security Lead and Global Product Security

Page 33

Responsibilities of the SPOC

• Apply licensed 3rd-party code security updates to component

• Read security alerts from partner vendors and act as necessary for the component

• Apply latest Critical Patch Updates and security fixes for underlying Oracle components

• Monitor hacker exploits and news

• Ensure component security bugs are included in the next Critical Patch Update

• Know the publicly known security bugs in old releases of the component and verify that all are fixed in the current release

• Communicate all security news to the development team

Page 34

The Ideal SPOC

• Avoids potential security vulnerabilities and associated costs for patching – for both Oracle and the customer

• Guards Oracle’s reputation and sales against security issues

• Ensures the government and regulatory requirements in the security area are satisfied

Page 35

Binding the Community Together

• SPOC identification “tag” in corporate directory

• Monthly SPOC newsletter

– More than SPOCs, widely read

• Annual SPOC Summits

– Internal and External Speakers

• Comprehensive, centralized Global Product Security wiki

– Key component is the Secure Coding Practices

• SPOC Web Conferences on specific topics

• Internal Oracle Social group for SPOCs

• OraTweet for security-related questions

Page 36

Community Membership is Growing

• Not just Development SPOCs….

• QA SPOCs

• Architects

• Security Features Developers

• Other Groups

– IT organizations

– Consultants

– SaaS Staff

Page 37

Q&A
