six steps for securing offshore development


Upload: gmaran23

Post on 06-Jul-2015


Page 1: Six steps for securing offshore development

6 Steps for Securing Offshore Development

Agile Outsourcing Conference 2014 @ Delft, Netherlands

Page 2

Who's presenting?

Marudhamaran Gunasekaran

• Security Expert @ Prowareness, Bangalore

• Information Security

• Secure Programming Practices

• Compliance (ISO 27001)

• EC-Council Certified Security Analyst (Ethical Hacker), Professional Scrum Master

• Open source enthusiast - writes a lot of code, hacks applications

• OWASP Zed Attack Proxy contributor

Page 3

Security?

Security: Feeling vs. Reality

Wisdom: No panacea / silver bullet solution

Trade offs: Ignorance is no excuse

Page 4

Security – Lion and Rabbit Analogy

Page 5

Security – Rabbit's good trade off

Page 6

Security – Rabbit's good trade off – make family

Page 7

Security – Bad trade off: RIP rabbit

Page 8

Threat / Risk

Threat = Potential violation of security

Risk = Perceived threat × value of asset × loss incurred

Page 9

Security

Set of activities undertaken to protect systems from known/unknown threats and attacks

State of being protected from known/unknown threats and attacks

Page 10

Perfect Security?

[Dilbert strip] http://infosanity.files.wordpress.com/2010/06/dilbert-securitycia.gif

Page 11

Security Triangle

Page 12

6 risk categories - Outline

Loss of Control

• Unlimited access

• Physical security & data loss

Network complexity

• Exposing intranet to internet

• Intrusions

Policies and Procedures

• Incomplete security policies

• Procedures & no audits

Page 13

6 risk categories - Outline

Intellectual Property Issues

• Data breaches

• Breach of confidentiality

Software Quality

• Security bugs

• Legacy software

Insider Threats

• Malicious insiders

• Social engineering baits

Page 14

Loss of control

Unlimited privileges to access internal systems

• Apply the principle of least privilege to development teams offshore, and to everybody else as well

• Just-in-time, time-bound access to critical production/deployment systems, gated by a manual approval step [more workflow?]

Unrestricted data access

• Identify roles and define the access each role actually needs

• Implement access control lists for file systems, directory access protocols and other assets
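The two ideas on this slide, standing least-privilege roles plus just-in-time elevation that a second person has to approve and that expires on its own, fit in a few dozen lines. The block below is an added illustration written for this page; it is not code from the talk or from Prowareness. The role names, the permission strings, the two-hour cap and the self-approval rule are assumptions made for the example.

```python
# Added example (not from the talk or from Prowareness): least privilege by
# role, plus just-in-time, time-bound elevation that is inert until a second
# person approves it. Role names, permission strings and the 2-hour cap are
# assumptions made for the illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Standing permissions per role. Note that nobody holds a standing "prod:deploy".
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "offshore-dev": {"dev:read", "dev:write", "staging:read"},
    "release-manager": {"staging:read", "staging:write", "prod:read"},
    "auditor": {"dev:read", "staging:read", "prod:read"},
}

MAX_GRANT = timedelta(hours=2)  # hard cap on any JIT grant (assumed policy)


@dataclass
class JitGrant:
    subject: str
    permission: str
    expires_at: datetime
    approved_by: Optional[str] = None  # set by a human approver, never by code

    def active(self, now: datetime) -> bool:
        return self.approved_by is not None and now < self.expires_at


@dataclass
class AccessControl:
    roles: Dict[str, Set[str]] = field(default_factory=dict)  # subject -> roles
    grants: List[JitGrant] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def request_jit(self, subject: str, permission: str,
                    duration: timedelta, now: datetime) -> JitGrant:
        """Open a time-bound request; it grants nothing until approved."""
        grant = JitGrant(subject, permission, now + min(duration, MAX_GRANT))
        self.grants.append(grant)
        self.audit_log.append(f"{now.isoformat()} REQUEST {subject} {permission}")
        return grant

    def approve(self, grant: JitGrant, approver: str, now: datetime) -> None:
        """Manual approval step: a different person must sign off."""
        if approver == grant.subject:
            raise PermissionError("self-approval is not allowed")
        grant.approved_by = approver
        self.audit_log.append(
            f"{now.isoformat()} APPROVE {grant.subject} {grant.permission} by {approver}")

    def is_allowed(self, subject: str, permission: str, now: datetime) -> bool:
        # 1. standing permissions derived from the subject's roles
        for role in self.roles.get(subject, set()):
            if permission in ROLE_PERMISSIONS.get(role, set()):
                return True
        # 2. approved, unexpired JIT grants for exactly this permission
        for g in self.grants:
            if g.subject == subject and g.permission == permission and g.active(now):
                return True
        self.audit_log.append(f"{now.isoformat()} DENY {subject} {permission}")
        return False


def demo() -> dict:
    """Lifecycle of one production deployment requested by an offshore developer."""
    ac = AccessControl(roles={"alice": {"offshore-dev"}, "bob": {"release-manager"}})
    t0 = datetime(2014, 6, 1, 9, 0, tzinfo=timezone.utc)
    out = {"dev_write": ac.is_allowed("alice", "dev:write", t0),
           "prod_deploy_before": ac.is_allowed("alice", "prod:deploy", t0)}
    grant = ac.request_jit("alice", "prod:deploy", timedelta(hours=8), t0)
    out["capped_to_hours"] = (grant.expires_at - t0) / timedelta(hours=1)
    out["prod_deploy_unapproved"] = ac.is_allowed("alice", "prod:deploy", t0)
    try:
        ac.approve(grant, "alice", t0)
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    ac.approve(grant, "bob", t0)
    out["prod_deploy_approved"] = ac.is_allowed("alice", "prod:deploy", t0 + timedelta(minutes=30))
    out["prod_deploy_expired"] = ac.is_allowed("alice", "prod:deploy", t0 + timedelta(hours=3))
    out["audit_entries"] = len(ac.audit_log)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to take from `demo()` is that the developer's standing rights never change: production access exists only as a grant with an approver's name on it and an expiry, both of which end up in the audit log, which is what an auditor will ask for.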

Page 15

Loss of control

Physical security breaches

• Audit the offshore premises for poor security controls

• Access cards and preferably biometric access, regularly audited by IT

• Secure the trash: shredders to combat dumpster diving

Data loss

• Ensure data is backed up every night, to secure locations, and that restores are tested

• Apply snapshot technologies for virtual machine operating systems and network configuration

• RAID for availability (it protects against disk failure, not against deletion or a compromised host, so it is no substitute for backups) plus deduplicated backups

Page 16

Overreacting to Risk

I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible.

- Bruce Schneier

https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html

Page 17

Network complexity

Exposing intranet to the internet

• Implement a Virtual Private Network rather than exposing internal services directly

• Use current, state-of-the-art encryption and hashing for VPN passphrases and tunnels (no deprecated ciphers or hash functions)

• Plan and implement a DMZ (demilitarized zone) for offshore connections, so that an offshore VPN client lands in a segmented zone rather than on the flat intranet

• TLS everywhere, with certificate validation, to prevent MitM (Man in the Middle) attacks and sniffing

Page 18

Network complexity

Network intrusions

• Assume a breach; implement network controls for intrusion isolation and containment

• Strict intrusion prevention rules and firewall traffic monitoring [IDS/IPS]

• Implement strict password policies with good complexity and expiry [later guidance such as NIST SP 800-63B (2017) drops forced periodic expiry in favour of length, screening against breached-password lists and multi-factor authentication]

Page 19

Linked password attack and hashes
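The password bullet on the previous slide and the hash-attack slide above are two sides of one problem: when a table of unsalted, fast hashes leaks, one pass over a wordlist recovers every weak password at once, and users who share a password fall together. The block below is an added illustration for this page, not code from the talk; the "leaked" table, the wordlist and the iteration count are constructed for the example (the count is something to tune per deployment).

```python
# Added example (not from the talk): why a leaked table of unsalted, fast
# hashes falls in seconds, and what a per-user salt plus a slow KDF changes.
# The user table and wordlist are constructed; the iteration count is an
# assumption to be tuned so that one hash costs roughly 100 ms on real hardware.
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed "leak": unsalted SHA-1, the storage format behind many 2012-era breaches.
LEAKED_SHA1: Dict[str, str] = {
    "alice": hashlib.sha1(b"Password1").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"Password1").hexdigest(),  # same password as alice -> same hash
    "dave": hashlib.sha1(b"x7!qL#9vRz@2").hexdigest(),
}
WORDLIST: List[bytes] = [b"123456", b"password", b"Password1", b"letmein", b"qwerty"]


def crack_unsalted(table: Dict[str, str], wordlist: List[bytes]) -> Dict[str, bytes]:
    """Hash each candidate once, then look up every user: the cost is
    len(wordlist), not len(wordlist) * len(users), and users sharing a
    password are cracked together."""
    lookup = {hashlib.sha1(w).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


DEFAULT_ITERATIONS = 200_000  # assumed; tune per deployment


def store_password(password: bytes, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Per-user random salt + PBKDF2-HMAC-SHA256 with a work factor."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, password: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password,
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])  # constant-time compare


def crack_salted(records: Dict[str, dict], wordlist: List[bytes]) -> Dict[str, bytes]:
    """The same wordlist attack against salted records: every guess must be
    recomputed per user (the salts differ) and each guess costs `iterations`
    hash operations instead of one."""
    found = {}
    for user, rec in records.items():
        for w in wordlist:
            if verify_password(rec, w):
                found[user] = w
                break
    return found


def demo(iterations: int = 1_000) -> dict:
    cracked = crack_unsalted(LEAKED_SHA1, WORDLIST)
    salted = {u: store_password(p, iterations) for u, p in
              [("alice", b"Password1"), ("carol", b"Password1"), ("dave", b"x7!qL#9vRz@2")]}
    return {
        "unsalted_cracked": cracked,
        "same_hash_unsalted": LEAKED_SHA1["alice"] == LEAKED_SHA1["carol"],
        "same_hash_salted": salted["alice"]["hash"] == salted["carol"]["hash"],
        "salted_cracked": crack_salted(salted, WORDLIST),
        "verify_ok": verify_password(salted["alice"], b"Password1"),
        "verify_wrong": verify_password(salted["alice"], b"Password2"),
        "work_per_guess": iterations,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what `demo()` does not show: salting and a slow KDF do not rescue `Password1`. They make each guess cost `iterations` hashes and force the attacker to start over for every user, which is exactly why the password policy on the previous slide still matters.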

Page 20

Security policies and procedures

Incomplete security policies and no audits

• Review the security policies and have them audited; hire a consultant if required

• Outline and require custom security policies at offshore. Base them on ISO 27001, HIPAA, PCI DSS or other standards pertaining to the field of operation.

• In case of doubt, ask the offshoring partner for security recommendations

• Verify whether the offshoring partner has a dedicated team or a Center of Excellence for Information Security with certified professionals [CEH, OSCP, CISSP and similar certifications]

Page 21

Security policies and procedures

No malware protection

• Ensure a centrally managed (client-server) malware protection system is in place, with up-to-date signatures and rule sets

• Ensure Intrusion Prevention/Intrusion Detection Systems are updated with the latest rule sets

• Ensure the systems at offshore are updated regularly with security patches, for both applications and operating systems

Page 22

Intellectual property issues

Data breaches

• Identify the data that needs to be protected and assign ownership of (responsibility for) that data

• Ensure removable drives/media are disabled at offshore

• Filter/anonymize production data before transferring it to development teams offshore

• Sanitize/shred all media before disposal
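"Filter/anonymize production data" is easy to say and easy to get wrong: if the customer identifiers are replaced independently per table the offshore team's joins break, and if they are replaced by something reversible the data is not anonymized at all. The block below, an added illustration written for this page and not code from the talk or from Prowareness, uses a keyed HMAC so that the same identifier maps to the same token in every table while the key stays onshore, drops fields development does not need, and runs a last check for original values before the export leaves. The record layout, field rules and key are assumptions; the rows are constructed.

```python
# Added example (not from the talk or from Prowareness): pseudonymise a
# production export before it is handed to an offshore team. Record layout,
# field rules and the onshore-held key are assumptions; rows are constructed.
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed production rows (fictitious people and account numbers).
CUSTOMERS: List[dict] = [
    {"customer_id": 1001, "name": "Jan de Vries", "email": "jan.devries@example.nl",
     "phone": "+31 6 12345678", "iban": "NL91ABNA0417164300",
     "birth_date": "1979-03-14", "plan": "gold"},
    {"customer_id": 1002, "name": "Priya Raman", "email": "priya@example.com",
     "phone": "+91 98765 43210", "iban": "NL20INGB0001234567",
     "birth_date": "1988-11-02", "plan": "silver"},
]
ORDERS: List[dict] = [
    {"order_id": 1, "customer_id": 1001, "amount": 120.50},
    {"order_id": 2, "customer_id": 1002, "amount": 35.00},
    {"order_id": 3, "customer_id": 1001, "amount": 9.99},
]

# Assumed: generated onshore, used only by the export job, never shipped.
ONSHORE_KEY = b"example-onshore-key-do-not-ship"


def token(key: bytes, field: str, value) -> str:
    """Keyed, deterministic pseudonym: the same input always yields the same
    token (so joins keep working) but it cannot be reversed or re-identified
    without the key."""
    return hmac.new(key, f"{field}={value}".encode(), hashlib.sha256).hexdigest()[:16]


def pseudo_id(key: bytes, customer_id: int) -> int:
    return int(token(key, "customer_id", customer_id), 16) % 1_000_000_000


def anonymise_customer(key: bytes, row: dict) -> dict:
    return {
        "customer_id": pseudo_id(key, row["customer_id"]),
        "name": "Customer " + token(key, "name", row["name"])[:6],
        "email": token(key, "email", row["email"]) + "@example.invalid",
        # phone and iban are dropped: development has no need for them
        "birth_year": row["birth_date"][:4],  # generalised: year only
        "plan": row["plan"],                  # non-identifying business data kept
    }


def anonymise_order(key: bytes, row: dict) -> dict:
    return {"order_id": row["order_id"],
            "customer_id": pseudo_id(key, row["customer_id"]),  # same token as in customers
            "amount": row["amount"]}


def anonymise_export(key: bytes, customers: List[dict],
                     orders: List[dict]) -> Tuple[List[dict], List[dict]]:
    return ([anonymise_customer(key, c) for c in customers],
            [anonymise_order(key, o) for o in orders])


def leaked_values(anon_rows: List[dict], original_rows: List[dict],
                  fields=("name", "email", "phone", "iban", "birth_date")) -> List[str]:
    """Gate before transfer: any original identifier still present verbatim
    anywhere in the anonymised output is a leak."""
    blob = json.dumps(anon_rows)
    return [str(r[f]) for r in original_rows for f in fields if str(r[f]) in blob]


def referential_integrity(customers: List[dict], orders: List[dict]) -> bool:
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


if __name__ == "__main__":
    cust, ords = anonymise_export(ONSHORE_KEY, CUSTOMERS, ORDERS)
    print(json.dumps({"customers": cust, "orders": ords}, indent=2))
    print("leaks:", leaked_values(cust + ords, CUSTOMERS))
```

Two design choices worth copying: the token is keyed (a plain hash of an e-mail address can be brute-forced from a list of likely addresses), and the leak check runs against the whole serialised export, not field by field, so a value that survives in an unexpected column is still caught.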

Page 23

Intellectual property issues

Breach of trust and confidentiality

• Sign Non-Disclosure Agreements with the offshoring partner

• Define levels of access based on the confidentiality level of the data

• Ensure a clean desk policy

Page 24

Software Quality

Security bugs

• Train developers and QA engineers to write secure code

• Write guidelines for writing secure code

• Integrate security tools into development builds for early feedback
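The next slide's headline (97 percent of breaches still due to SQL injection) is about one bug, so here it is in its vulnerable and fixed form, together with the kind of small regression check the third bullet asks for: something a development build can run in seconds and fail on. This is an added illustration written for this page, not code from the talk or from Prowareness; the schema, rows and payloads are constructed for the example and the check uses an in-memory SQLite database so it runs offline.

```python
# Added example (not from the talk or from Prowareness): the classic injection
# bug, its parameterised fix, and a regression check small enough to run in
# every development build. Schema, rows and payloads are constructed.
import sqlite3
from typing import List, Tuple

# Constructed sample data; the "hashes" are placeholders, not real digests.
USERS = [
    ("alice", "$pbkdf2$...alice...", "admin"),
    ("bob", "$pbkdf2$...bob...", "developer"),
    ("carol", "$pbkdf2$...carol...", "developer"),
]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """String concatenation: the attacker's input becomes part of the SQL grammar."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterised query: the input is bound as data and cannot alter the statement."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


# Two payloads an attacker would try: one to bypass the filter, one to exfiltrate.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT password_hash, role FROM users --"


def security_regression_check() -> dict:
    """Build-time check: the fixed lookup must treat both payloads as literal
    usernames (zero rows), while the vulnerable one shows why that matters."""
    conn = setup_db()
    results = {}
    for name, payload in (("tautology", TAUTOLOGY), ("union", UNION_DUMP)):
        results[name] = {
            "vulnerable_rows": len(find_user_vulnerable(conn, payload)),
            "fixed_rows": len(find_user_fixed(conn, payload)),
        }
    results["passed"] = all(r["fixed_rows"] == 0 for r in results.values())
    return results


if __name__ == "__main__":
    conn = setup_db()
    print("honest lookup:", find_user_fixed(conn, "alice"))
    print("union payload, vulnerable:", find_user_vulnerable(conn, UNION_DUMP))
    print(security_regression_check())
```

Wire `security_regression_check()` into the same test job that runs the unit tests, or hand the running application to a scanner such as OWASP ZAP; either way the feedback arrives while the developer still remembers the line they wrote.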

Page 25

Security bugs

http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/

Page 26

Security bugs

Page 27

Software Quality

Legacy Software

• Rewrite/migrate/refresh the technology

• Keep your systems up to date with patches

Page 28

Sony PSN hack

Page 29

Insider threats

Malicious Insiders

• Conduct rigorous background checks on offshore employees

• Trust employees only with enough access to perform the tasks they are supposed to do

• Strict, transparent monitoring of new employees' activities, and limited access during the probation period [blacklisting later in case of an incident]

Page 30

Insider threats

Social Engineering Baits

• Educate employees on information security policies and security risks

• Provide email access without requiring VPNs

• Educate employees on configuring personal wifi networks securely

• Educate employees on social engineering aided attacks like email phishing, phone phishing (vishing), baiting, tailgating, clickjacking and similar attacks

• Converse with employees offshore to gauge and improve security awareness

Page 31

1000% secure?

Evolution of technology

=

Evolution of threats

=

Risks increase

How good are we at mitigating the risks?

Is it worth the trade off?

Page 32

Prowareness Security Labs

{find}

• Penetration testing of applications and networks

{fix}

• Security consulting

{comply}

• Secure development practices

{prevent}

• Security training and development

Page 33

Thanks!

Presentation brochures are close by!