8/7/2019 Build It Right Build It Secure - Cert Presentation (1999)
CERT Conference 99

The Perfect Solution...

...How Secure Is It?...

...Absolutely Impenetrable!!!...

...The Problem...
We need to communicate with the world to do our jobs.

...The Solution...

The BIGGER Problem...

...The REAL Solution.

Let's Cover...
A quick review of a typical product development lifecycle
Where are folks CURRENTLY implementing security procedures?
Where SHOULD you implement security?
What can you do to decrease your cost for IT security?
How can you make your IT security program more effective?

Typical Product Development
Explore a concept
Determine what the requirements are
Turn the requirements into a valid design
Convert the design into a viable product
Put the product to daily use
Perform maintenance as needed

Where does security get implemented?
Concept Exploration?
Requirements?
Design?
Development?
Operations?
Maintenance?

Maintenance
Where currently MOST security is executed.
Closing the door after the cows left.
Many COTS products
Cost 100x

Operations (1/2)
Where currently most security problems are identified.
Found by...
trial and error
intrusion
corrupt data problems

Operations (2/2)
Where currently most security problems are identified.
Attacks occur here
Problems trigger search for resolution
Some attempt to be proactive
Help from CERT/CC
Cost 90x

Development
A good start
Product inspections: invite security folks
Consider Ada; advantages
Cost 50x

Design
A better start
Design security INTO the product
Have security folks assist with design
Keep it flexible
Cost 10x

Requirements
An even BETTER start
Include security features in the requirements
Defer any feature that may cause security problems
Cost 2x

Concept Exploration
Best Place to Start Looking at Security!!!
Think security from the very beginning
Involve security in the whole process
Cheapest cost to implement security: 1x

*PC Computing's Helpful Hints
Operations: Hack your own site
Use a port scanner to see what doors are open
Download Rhino9's Ogre 0.9b at www.hackers.com/files/portscanners/ogre.zip
*PC Computing magazine Sep 99 issue.
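Added example (not from the slides, PC Computing, or the Ogre tool they cite): a minimal self-audit in Python that does what the "see what doors are open" hint describes. It runs a TCP connect check against your own host and compares the result with an allowlist of services you expect to be exposed, so a forgotten or unexpected listener stands out in the report. The host (loopback), the port range, the EXPECTED_SERVICES allowlist, and the stand-in "stray" listener are constructed assumptions for the demonstration.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Constructed sample allowlist (assumption): services this host is expected
# to expose. Any listener outside this set is a "door" to investigate.
EXPECTED_SERVICES: Dict[int, str] = {22: "ssh", 443: "https"}


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.3) -> List[int]:
    """Return the ports on host that accept a TCP connection (a connect check)."""
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising an exception
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def unexpected_listeners(open_ports: Iterable[int], expected: Dict[int, str]) -> List[int]:
    """Open ports not covered by the allowlist, sorted for stable reporting."""
    return sorted(set(open_ports) - set(expected))


def self_audit(host: str, ports: Iterable[int], expected: Dict[int, str]) -> dict:
    """Scan the given ports and split the result into expected and unexpected."""
    open_ports = scan_ports(host, ports)
    return {
        "open": open_ports,
        "unexpected": unexpected_listeners(open_ports, expected),
    }


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a forgotten service: listen on an ephemeral
    loopback port and return the socket plus the port number it got."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_loopback_port() -> int:
    """Pick a loopback port that nothing is listening on (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    srv, stray_port = start_local_listener()
    # Audit the well-known range plus the stray listener we just started.
    report = self_audit("127.0.0.1", list(range(1, 1025)) + [stray_port], EXPECTED_SERVICES)
    for port in report["open"]:
        label = EXPECTED_SERVICES.get(port, "UNEXPECTED - investigate")
        print(f"{port:5d}/tcp open  {label}")
    print("unexpected listeners:", report["unexpected"])
    srv.close()
```

Run it against the host you own and it reports every accepting port alongside its allowlist label; the point is the diff against what you expect, not the raw list. A connect check only sees what accepts a connection from where you run it, so run it from outside your firewall as well as on the host itself to see both views.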

*PC Computing's Helpful Hints
Development: Encrypt everything that leaves your control.
If using Windows, will need 3rd party product.
PC Computing recommends Network Associates' McAfee PGP Personal Privacy 6.5.1. Others include WinMagic's SecureDoc and RSA Data Security's SecurPC.

*PC Computing's Helpful Hints
Design: You need to get up to speed on... security issues now.
Useful sites:
www.microsoft.com/security
www.ntbugtraq.com
www.ntsecurity.net
www.cert.org
www.hackers.com
www.icsa.net

+Software Development's Helpful Hints
Requirements: Be aware of all vulnerabilities of your hardware, software, and comm.
Useful tools:
www.smartcardforum.org
E-commerce: www.visualcommerce.com
Linux: www.unify.com
Mobile code: www.security7.com
Dynamic passwords: www.cryptocard.com
Black box: www.bardon.com
Net scanner: www.iss.net
SW Dongle: www.softlocx.com
+Software Development Magazine, Aug 99 issue

Tom Neff's Helpful Hints
Concept Exploration: Attend CERT Conf 00
www.omaha.com/cert
www.omaha.org/spin
www.sdmagazine.com
www.pccomputing.com/getnow

Tom Neff's Helpful Hints
Process is EVERYTHING!
Climb the process improvement ladder
Form a CERT & Red Team
Register with CERT/CC
Info Cons
Remember superchicken

Tom Neff's Helpful Hints
You can't control what you can't control
Outsourcing is a double-edged sword
Gives you flexibility and possible savings
Gives others intimate access to your system
(Gartner Group: Y2K)

Final thoughts:
READ (you can get a free subscription to almost any magazine).
Use the web
Think like a hacker, act like a CEO