Build It Right; Build It Secure

Tom Neff

USAF

Software Engineer & Process Improvement Specialist

CERT Conference ‘99

The Perfect Solution...

...How Secure Is It?...

...Absolutely Impenetrable!!!...

...The Problem...

We need to communicate with the world to do our jobs.

...The Solution...

…The BIGGER Problem...

...The REAL Solution.

Let’s Cover...

• A quick review of a typical product development lifecycle

• Where are folks CURRENTLY implementing security procedures?

• Where SHOULD you implement security?

• What can you do to decrease your cost for IT security?

• How can you make your IT security program more effective?

Typical Product Development

• Explore a concept

• Determine what the requirements are

• Turn the requirements into a valid design

• Convert the design into a viable product

• Put the product to daily use

• Perform maintenance as needed

Where does security get implemented?

• Concept Exploration?

• Requirements?

• Design?

• Development?

• Operations?

• Maintenance?

Maintenance

Where currently MOST security is executed.

• Closing the door after the cows left.

• Many COTS products

• Cost 100x

Operations (1/2)

Where currently most security problems are identified.

Found by...

• trial and error

• intrusion

• corrupt data

• problems

Operations (2/2)

Where currently most security problems are identified.

• Attacks occur here

• Problems trigger search for resolution

• Some attempt to be proactive

• Help from CERT/CC

• Cost 90x

Development

A good start

• Product inspections: invite security folks

• Consider Ada; advantages…

• Cost 50x

Design

A better start

• Design security INTO the product

• Have security folks assist with design

• Keep it flexible

• Cost 10x

Requirements

An even BETTER start

• Include security features in the requirements

• Defer any feature that may cause security problems

• Cost 2x

Concept Exploration

Best Place to Start Looking at Security!!!

• Think security from the very beginning

• Involve security in the whole process

• Cheapest cost to implement security: 1x

*PC Computing’s Helpful Hints

Operations: Hack your own site

• Use a port scanner to see what doors are open

• Download Rhino9’s Ogre 0.9b at www.hackers.com/files/portscanners/ogre.zip

*PC Computing magazine Sep 99 issue.

*PC Computing’s Helpful Hints

Development: Encrypt everything that leaves your control.

• If using Windows, will need 3rd party product.

• PC Computing recommends Network Associates’ McAfee PGP Personal Privacy 6.5.1. Others include WinMagic’s SecureDoc and RSA Data Security’s SecurPC.

Courtesy PC Computing magazine Sep 99 issue. (www.pccomputing.com)

*PC Computing’s Helpful Hints

Design: “You need to get up to speed on... security issues now.”

• Useful sites:

– www.microsoft.com/security

– www.ntbugtraq.com

– www.ntsecurity.net

– www.cert.org

– www.hackers.com

– www.icsa.net

+Software Development’s Helpful Hints

Requirements: Be aware of all vulnerabilities of your hardware, software, and comm.

Useful tools:

• www.smartcardforum.org

• E-commerce: www.visualcommerce.com

• Linux: www.unify.com

• Mobile code: www.security7.com

• Dynamic passwords: www.cryptocard.com

• Black box: www.bardon.com

• Net scanner: www.iss.net

• SW Dongle: www.softlocx.com

+Software Development Magazine, Aug 99 issue

Tom Neff’s Helpful Hints

Concept Exploration: Attend CERT Conf ‘00

• www.omaha.com/cert

• www.omaha.org/spin

[email protected]

• www.sdmagazine.com

• www.pccomputing.com/getnow

Tom Neff’s Helpful Hints

Process is EVERYTHING!

• Climb the process improvement ladder

• Form a CERT & Red Team

• Register with CERT/CC

• Info Cons

• Remember superchicken

Tom Neff’s Helpful Hints

You can’t control what you can’t control

• Outsourcing is a double-edged sword

– Gives you flexibility and possible savings

– Gives others intimate access to your system

(Gartner Group: Y2K)

[email protected]

Final thoughts:

• READ (you can get a free subscription to almost any magazine).

• Use the web

• Think like a hacker, act like a CEO