joe.jarzembek.dhs swa overview 7dec06 · us department of homeland security december 7, 2006 ......
TRANSCRIPT
Software Assurance:Software Assurance:A Strategic Initiative of the U.S.A Strategic Initiative of the U.S.Department of Homeland SecurityDepartment of Homeland Securityto Promote Integrity, Security, andto Promote Integrity, Security, andReliability in SoftwareReliability in Software
Joe Jarzombek, PMPDirector for Software Assurance
National Cyber Security DivisionUS Department of Homeland Security
December 7, 2006
Considerations in Advancing theNational Strategy to Secure Cyberspace
2
What if…Government, in collaboration with industry / academia, raised expectationsfor product assurance with requisite levels of integrity and security:♣ Helped advance more comprehensive software assurance diagnostic capabilities to mitigate
risks stemming from exploitable vulnerabilities;♣ Promoted use of methodologies and tools that enabled security to be part of normal business.
Acquisition managers & users factored risks posed by the supply chain aspart of the trade-space in risk mitigation efforts:♣ Information on suppliers’ process capabilities (business practices) would be used to
determine security risks posed by the suppliers’ products and services to the acquisitionproject and to the operations enabled by the software.
♣ Information about evaluated products would be available, along with responsive provisions fordiscovering exploitable vulnerabilities, and products would be securely configured in use.
Suppliers delivered quality products with requisite integrity and madeassurance claims about the IT/software safety, security and dependability:♣ Relevant standards would be used from which to base business practices & make claims;♣ Qualified tools used in software lifecycle enabled developers/testers to mitigate security risks;♣ Standards and qualified tools would be used to certify software by independent third parties;♣ IT/software workforce had requisite knowledge/skills for developing secure, quality products;♣ Sales increased in the public and private sectors that demanded high assurance products.
4
Cyberspace & physical space are increasinglyintertwined and software controlled/enabled
Chemical Industry♣ 66,000 chemical plants
Banking and Finance♣ 26,600 FDIC institutions
Agriculture and Food♣ 1.9M farms♣ 87,000 food processing plants
Water♣ 1,800 federal reservoirs♣ 1,600 treatment plants
Public Health♣ 5,800 registered hospitals
Postal and Shipping♣ 137M delivery sites
Transportation♣ 120,000 miles of railroad♣ 590,000 highway bridges♣ 2M miles of pipeline♣ 300 ports
Telecomm♣ 2B miles of cable
Energy♣ 2,800 power plants♣ 300K production sites
Key Assets♣ 104 nuclear power plants♣ 80K dams♣ 5,800 historic buildings♣ 3,000 government facilities♣ commercial facilities / 460 skyscrapers
An Asymmetric Target-rich Environmenta well-crafted cyber attack could be just as disastrous as a physical one,because it could happen at any time and could come from anywhere.
5
Cyberspace & physical space are increasinglyintertwined and software controlled/enabled
Energy
Banking and Finance
Agriculture and Food
Water Public Health
Chemical Industry
Telecommunications Key Assets
Transportation Postal and Shipping
FarmsFood Processing Plants
ReservoirsTreatmentPlants
Hospitals
Chemical Plants
CableFiber
Power PlantsProduction Sites
Railroad TracksHighway BridgesPipelinesPorts
DeliverySites
Nuclear Power PlantsGovernment facilitiesDamsFDIC institutions
Control Systems• SCADA• PCS• DCS
Software• Financial System• Human Resources
Services• Managed Security• Information Services
Internet• Domain Name System• Web Hosting
Hardware• Database Servers• Networking Equipment
Critical Infrastructure / Key Resources
Sectors
Physical Assets
Cyber Assets
Cyber Infrastructure
Physical Infrastructure
Need for secure software applications
“In an era riddled with asymmetric cyber attacks, claims aboutsystem reliability, integrity and safety must also includeprovisions for built-in security of the enabling software.”
6
Cyber-related Disruptions and the Economy¬ Network disruptions lead to loss of:
• Money and Time• Products and Sensitive information• Reputation• Life (through cascading effects on critical
systems and infrastructure)
Meta-trends:• Worms & viruses increasingly sophisticated• More variants of older, successful worms• New vulnerabilities have black market value;
increasing “zero-day” exploits
Love Bug:$15B in damages;
3.9M systemsinfected
2000
Code Red:$1.2B in
damages;$740M for
recovery efforts2001
Slammer:$1B in damages
2002
Blaster:$50B in damages
2003
My Doom:$38B in damages
2004
Business Losses and Damages
Zotob:Damages TBD
2005
Over $40 million in spyware damages – attacks now are"designed to silently steal data for profit or advantage without leavingbehind the system damage that would be noticeable to the user.“(Congressional Testimony, HE &Commerce Telecomm/Internet Subcommittee, Sep 12, 2006)
• $67.2 Billion a year is lost tocyber crime in the USA (FBI 2005)
• $50-200M in averageshareholder losses (CRS 2006)
• 80% of hack attacks emanatefrom outside of user enterprise(2005 US-CERT-CSO E-crime Survey)
• 9 out of 10 businesses affectedby cyber crime last year (FBI 2005)
8
DHS and the National Cyber Security Division
AssistantSecretary for
Policy
NationalCapitalRegionDirector
AssistantSecretary forGrants and
Training
FireAdministration
ChiefMedicalOfficer
Assistant Secretaryfor Cyber Security &Telecommunications
AssistantSecretary forInfrastructure
Protection
UnderSecretary for
Science &Technology
UnderSecretary forPreparedness
UnderSecretary forManagement
SecretaryDept of Homeland
Security
NationalCommunications
System
National CyberSecurityDivision
14
DHS National Cyber Security Division (NCSD)provides the framework for addressing cybersecurity and software assurance challenges
US-CERT
LawEnforcementand Intelligence
Outreach andAwareness
StrategicInitiatives
Key StakeholderGroups
Com
munication
Collaboration
Aw
areness
NCSD
Cross-Sector:Public and
Private
Cross-Agency:Federal, State
And Local
Cross-National:American public,
international
Key Functions of the DHSCybersecurity Partnership Program
15
CommunicationsMessagingOutreach to StakeholdersCyber Security AwarenessPartnerships
DHS National Cyber Security Division (NCSD)
Situational AwarenessAnalytical CellProductionFederal Coordination
CIP Cyber SecurityControl Systems SecurityExercise Planning & CoordinationR&D CoordinationTraining & EducationStandards & Best PracticesSoftware Assurance
Intel RequirementsLE CoordinationNCRCG
DHS Cyber Security Partner ProgramOffice of DirectorStrategic PlanningPolicyInternationalManagement (Budget, HR)COOPPCII
Acting DirectorJerry Dixon
Acting Deputy DirectorCheri McGuire
US-CERT/OperationsMike Witt
LE/IntelligencePatrick Morrissey
Outreach/AwarenessLiesyl Franz
Strategic InitiativesJeff Wright
Software Assurance is a NCSD Strategic Initiative
18
Software and IT vulnerabilities jeopardize infrastructure operations, businessoperations & services, intellectual property, and consumer trustAdversaries have capabilities to subvert the IT/software supply chain:θ Software & IT lifecycle processes offer opportunities to insert malicious code and to poorly
design and build software which enables future exploitationθ Government and businesses rely on COTS products and commercial developers using foreign
and non-vetted domestic suppliers to meet majority of IT requirementsθ Off-shoring magnifies risks and creates new threats to security, business property and processes,
and individuals’ privacy – requires domestic strategies to mitigate those risks
Growing concern about inadequacies of suppliers’ capabilities to build/deliversecure IT/software – too few practitioners with requisite knowledge and skillsθ Current education & training provides too few practitioners with requisite competencies in secure
software engineering – enrollment down in critical IT and software-related degree programsθ Competition in higher-end skills is increasing – implications for individuals, companies, & countriesθ Concern about suppliers and practitioners not exercising “minimum level of responsible practice”
National-level focus needed to stay competitive in a global IT environment:θ Computing education & training needs to evolve with changing nature of IT/software businessθ Educational policy and investment needed to foster innovation and increase IT-related
enrollmentsθ Improvements needed in the state-of-the-practice and state-of-the-art for IT & software
capabilities
Processes and technologies are required to build trust into IT and software
Needs in IT/Software Assurance
Strengthen operational resiliency
IMPACT ON THE BUSINESSof software flaws, vulnerabilities & malicious code
2
2
1111
36
37
38
46
4649
56
59
61
0 10 20 30 40 50 60 70
Other
DK unsure
No negative experiences
Hindered complianceLimited benefits to internal clients
Adverse impact to external customers
Didn't implement desired features or functions
Reduced end-user Productivity
Unanticipated patch mgt costsDelayed Projects
Reduced end-user productivity
Increased IT costs
Redeploy staff to deal with problems
Percent
Survey conducted September 12-24, 2006
Respondents: 84 CIO Executive Councilmembers & deputy members
MOST IMPORTANT ATTRIBUTES
0
11
27
32
55
70
95
0 20 40 60 80 100
Other
Rich Feature Set
Convenience & Ease of Use
Software conforms to Requirements
& Industry Standards
Ease of Integration & Configuration
Software free from security
vulnerabilities and malicious code
Reliabile software that functions as
promised
Percent
PITAC* Findings Relative to Needs for SecureSoftware Engineering & Software Assurance
Commercial software engineering today lacks thescientific underpinnings and rigorous controls needed toproduce high-quality, secure products at acceptable cost.
Commonly used software engineering practices permitdangerous errors, such as improper handling of bufferoverflows, which enable hundreds of attack programs tocompromise millions of computers every year.
In the future, the Nation may face even more challengingproblems as adversaries – both foreign and domestic –become increasingly sophisticated in their ability to insertmalicious code into critical software.
Recommendations for increasing investment incyber security provided to NITRD InteragencyWorking Group for Cyber Security & InformationAssurance R&D
* President’s Information Technology Advisory Committee (PITAC) Report to the President,“Cyber Security: A Crisis of Prioritization,” February 2005 identified top 10 areas in need ofincreased support, including: ‘secure software engineering and software assurance’ and‘metrics, benchmarks, and best practices’ [Note: PITAC is now a part of PCAST]
33
Why Software Assurance is Critical
Software is the core constituent of modern products andservices – it enables functionality and business operations
Dramatic increase in mission risk due to increasing:♣ Software dependence and system interdependence (weakest link syndrome)♣ Software Size & Complexity (obscures intent and precludes exhaustive test)♣ Outsourcing and use of un-vetted software supply chain (COTS & custom)♣ Attack sophistication (easing exploitation)♣ Reuse (unintended consequences increasing number of vulnerable targets)♣ Number of vulnerabilities & incidents with threats targeting software♣ Risk of Asymmetric Attack and Threats
Increasing awareness and concern
Software and the processes for acquiring and developing softwarerepresent a material weakness
36
Defects
IntentionalVulnerabilities
UnintentionalVulnerabilities
Note: Chart is not to scale – notional representation -- for discussions
Software Assurance Addresses Exploitable Software:Outcomes of non-secure practices and/or m aliciousintent
EXPLOITABLE SOFTWARE
Exploitation potential of vulnerability is independent of “intent”
*Intentional vulnerabilities: spyware & malicious logic deliberately imbedded (might not be considered defects)
“Software Assurance” (from http://en.wikipedia.org/wiki/Software_Assurance)
Software Assurance (SwA) is: “the level of confidence that software is free fromvulnerabilities, either intentionally designed into the software or accidentallyinserted at anytime during its lifecycle, and that the software functions in theintended manner”
— Source: Committee on National Security Systems (CNSS) Instruction No. 4009, “National InformationAssurance Glossary”, Revised 2006 — http://www.cnss.gov/instructions.html
Alternate definitions:
[1] Software Assurance (SwA) addresses:♣ Trustworthiness - No exploitable vulnerabilities exist, either maliciously or unintentionally inserted;♣ Predictable Execution - Justifiable confidence that software, when executed, functions as intended;♣ Conformance - Planned and systematic set of multi-disciplinary activities that ensure software processes and
products conform to requirements, standards/ procedures. - Source: Department of Homeland Security “Build Security In” web portal – https://buildsecurityin.us-cert.gov/portal
[2] Software Assurance (SwA) relates to "the level of confidence that software functions as intended and is free ofvulnerabilities, either intentionally or unintentionally designed or inserted as part of the software."
- Source: DoD Software Assurance Initiative, 13 September 2005 - https://acc.dau.mil/CommunityBrowser.aspx?id=25749
[3] Software Assurance (SwA) – is “the planned and systematic set of activities that ensures that software processes andproducts conform to requirements, standards, and procedures to help achieve:♣ Trustworthiness - No exploitable vulnerabilities exist, either malicious or unintentionally origin, and♣ Predictable Execution - Justifiable confidence that software, when executed, functions as intended.- Source: National Institute for Standards and Technology (NIST) - http://samate.nist.gov
[4] Software Assurance - "Planned and systematic set of activities that ensures that software processes and productsconform to requirements, standards, and procedures. It includes the disciplines of Quality Assurance, QualityEngineering, Verification and Validation, Nonconformance Reporting and Corrective Action, Safety Assurance, andSecurity Assurance and their application during a software life cycle.“
- Source: NASA-STD-2201-93 "Software Assurance Standard", 10 November 1992 - http://satc.gsfc.nasa.gov/assure/astd.txt
[5] Software Assurance (SwA) is “justifiable trustworthiness in meeting established business and security objectives.”- Source: Object Management Group (OMG) – http://adm.org/SoftwareAssurance.pdf and http://swa.omg.org/docs/softwareassurance.v3.pdf
Suppliers must considerenabling technologies andlifecycle processes
Holistic approach must factorin all relevant technologies,protection initiatives andcontributing disciplines
Standards are required tobetter enable national andinternational commerce andto provide basis forcertification
Software Assurance contributes toTrustworthy Software Systems
Adopted from the TrustSoft Graduate School on Trustworthy SoftwareSystems, started April 2005; funded by the German ResearchFoundation (DFG). See German Oldenburg http://trustsoft.uni-oldenburg.de
44
DHS Software Assurance Program OverviewProgram based upon the National Strategy to SecureCyberspace - Action/Recommendation 2-14:
“DHS will facilitate a national public-private effort to promulgatebest practices and methodologies that promote integrity,security, and reliability in software code development, includingprocesses and procedures that diminish the possibilities oferroneous code, malicious code, or trap doors that could beintroduced during development.”
DHS Program goals promote the security of software across thedevelopment, acquisition and implementation life cycleSoftware Assurance (SwA) program is scoped to address:♣ Trustworthiness - No exploitable vulnerabilities exist, either maliciously or
unintentionally inserted♣ Predictable Execution - Justifiable confidence that software, when
executed, functions as intended♣ Conformance - Planned and systematic set of multi-disciplinary activities
that ensure software processes and products conform to requirements,standards/ procedures
CNSS Instruction No. 4009, "National Information Assurance Glossary," Revised 2006,defines Software Assurance as: "the level of confidence that software is free fromvulnerabilities, either intentionally designed into the software or accidentally inserted atanytime during its lifecycle, and that the software functions in the intended manner".
45
As part of the DHS risk mitigation effort, the SwA Program seeks toreduce software vulnerabilities, minimize exploitation, and addressways to improve the routine development of trustworthy softwareproducts and tools to analyze systems for hidden vulnerabilities.The SwA framework encourages the production, evaluation andacquisition of better quality and more secure software; leveragesresources to target the following four areas:
♣ People – education and training for developers and users
♣ Processes – sound practices, standards, and practicalguidelines for the development of secure software
♣ Technology – diagnostic tools, cyber security R&D andmeasurement
♣ Acquisition – due-diligence questionnaires, contract templatesand guidelines for acquisition management and outsourcing
DHS Software Assurance Program Structure *
* July 28, 2006 statement of George Foresman, DHS UnderSecretary for Preparedness, beforethe U.S. Senate Committee on Homeland Security and Governmental Affairs, Subcommittee onFederal Financial Management, Government Information, and International Security
46
Disciplines Contributing to Software Assurance *
In Education and Training, Software Assurance could be addressed as:• A “knowledge area” extension within each of the contributing disciplines;• A stand-alone CBK drawing upon contributing disciplines;• A set of functional roles, drawing upon a common body of knowledge; allowing morein-depth coverage dependent upon the specific roles.
Intent is to provide framework for curriculum development and evolution of contributing BOKs
Safety &Security
Project Mgt
SoftwareAcquisition
SoftwareEngineering
SoftwareAssurance
SystemsEngineering
InformationAssurance
* See ‘Notes Page’ view for contributing BOK URLs and relevant links
*Info SystemsSecurity Eng
*Test &Evaluation
The intent is not to create a new profession of Software Assurance; rather, to provide a common body of knowledge: (1)from which to provide input for developing curriculum in related fields of study and (2) for evolving the contributingdisciplines to better address the needs of software security, safety, dependability, reliability and integrity.
47
DHS Software Assurance: PeopleProvide Guide to Software Assurance Common Body of Knowledge (CBK) as aframework to identify workforce needs for competencies and leverage standardsand “best practices” to guide curriculum development for Software Assuranceeducation and training**♣ Hosted Working Group sessions with participation from academia, industry &
Government (since April 2005 held WG sessions six times a year)♣ Addressing three domains: “acquisition & supply,” “development,”
and “post-release assurance” (sustainment)♣ Distributed CBK draft v1.1 on 25 Sep 2006♣ Updates aligned content with other works & clarified guiding principles♣ After Sep 2006 draft, integrating other contributing “ilities” beyond “security”
♣ Updating CBK awareness materials, including articles & FAQs
♣ Update CBK -- identifying prioritization of practices and knowledge areas indomains, contributing disciplines and curricula, and “use” aids
♣ Develop pilot training/education curriculum consistent with CBK inconjunction with early adopters for distribution by September 2007
48
Software Assurance:A Guide to the Common Body of Knowledge to Produce,Acquire and Sustain Secure Software, draft v1.1, Sep 2006
Further review and comments have beensolicited for feedback -- broaderstakeholder community being contactedTo provide comments, people havejoined the Software Workforce Educationand Training Working Group tocollaborate through the US CERT Portal(https://us-cert.esportals.net/) usingOrganization ID 223
Version 0.9 released in Jan 2006 viaFederal Register Notice, accessiblevia “buildsecurityin.us-cert.gov”draft v1.1 released Sep 2006Offered for informative use; it is notintended as a policy or a standard
Information forEducators & Trainers
(last draft released Sep 2006)
Initial focus on “Secure Software”
Shares a Common Glossary with other SwA Documents
49
Reaching Relevant StakeholdersLeverage Evolving Efforts in Universities, Standards Organizations & Industry
• Curriculum• Accreditation Criteria
• Continuing Education• Certification
• Standards of Practice• Training programs
Education ProfessionalDevelopment
Training andPractices
CNSS IA Courseware Eval
IEEE/ACM SW Eng 2004curriculum
AACSB & ABETAIS IS & MSIS curriculum
Certified SW DevelopmentProfessional (CSDP), IEEE
IEEE CSDP Prep Course
IEEE CS SWE Book Series
IEEE CS SW & SystemsEngineering Standards
Committee (S2ESC)ISO/IEC JTC1/SC7 & SC27
and other committees
Universityacceptance
Individualacceptance
Industryacceptance
Adopted from “Integrating Software Engineering Standards” by IEEE Computer SocietyLiaison to ISO/IEC JTC 1/SC 7, [email protected], 23 February 2005
63
DHS Software Assurance: Process
Provide practical guidance in software assurance practices andprocess improvement methodologies**♣ Launched a web-based repository “Build Security In” on US-CERT web site
“buildsecurityin.us-cert.gov on October 3, 2005 with subsequent updates
♣ Publishing developers’ guide “SECURING THE SOFTWARE LIFECYCLE”
♣ Developing business case analysis to support software security throughoutlifecycle practices
♣ Completed DHS/DoD co-sponsored review of the NIAP & use of theCommon Criteria
♣ Continuing to seek broader participation of relevant stakeholderorganizations and professional societies
♣ Participate in relevant standards bodies; identify software assurance gapsin applicable standards from ISO/IEC, IEEE, NIST, ANSI, OMG, CNSS,and Open Group and support effort through DHS-sponsored SwAProcesses and Practices Working group
64
DHS Software Assurance: Process (cont.)
Provide practical guidance in software assurance practices and processimprovement methodologies**
♣ Launched a web-based central repository “Build Security In” on US-CERTweb site https://buildsecurityin.us-cert.gov on October 3, 2005-- referenced in Congressional testimony July 28, 2006 *
♣ Updating site to include additional development guidance and add new focusfor acquisition and ops/sustainment
– Provides dissemination ofrecommended “sound” practicesand technologies for securesoftware development
– Continuing to sponsor workwith CMU Software EngineeringInstitute and industry to furtherdevelop practical guidance andupdate the web-based repository
* July 28, 2006 statement of George Foresman, DHS UnderSecretary for Preparedness, beforethe U.S. Senate Committee on Homeland Security and Governmental Affairs, Subcommittee onFederal Financial Management, Government Information, and International Security
65
Process Agnostic Lifecycle
Architecture & DesignArchitectural risk analysisThreat modelingPrinciplesGuidelinesHistorical risksModeling toolsResources
CodeCode analysisAssembly, integration& evolutionCoding practicesCoding rulesCode analysisResources
TestSecurity testingWhite box testingAttack patternsHistorical risksResources
SystemPenetration testingIncident managementDeployment & operationsBlack box testingResources
RequirementsRequirements engineeringAttack patternsResources
FundamentalsRisk managementProject managementTraining & awarenessMeasurementSDLC processBusiness relevanceResources
KeyBest (sound) practicesFoundational knowledgeToolsResources
https://buildsecurityin.us-cert.gov
Touch Points& Artifacts
Launched 3 Oct 2005
66
DHS Software Assurance: Process (cont.)
Provide practical guidance in software assurance practices and processimprovement methodologies** (cont.)
♣ Released draft developers’ guide “SECURING THE SOFTWARELIFECYCLE: Making Application Development Processes – and SoftwareProduced by Them – More Secure”
• Collect, develop, and publishpractical guidance and referencematerials for security through thesoftware development life cycle
• Provide an informative aid fordevelopers on software assuranceprocess improvement methodologies.
Information forDevelopers
(version 1.1 released July 2006)
Shares a Common Glossary withother SwA Documents
67
“Securing the Software Lifecycle:Making Application Development Processes – and theSoftware Produced by Them – More Secure”
Initial content from DoD-sponsoredApplication Security Developer Guides:♣ Securing the Software Development Lifecycle♣ Security Requirements Engineering
Methodology♣ Reference Set of Application Security
Requirements♣ Secure Design, Implementation, and
Deployment♣ Secure Assembly of Software Components♣ Secure Use of C and C++♣ Secure Use of Java-Based Technologies♣ Software Security Testing
Content updated, expanded, & revisedbased on documents and inputs fromother sources across SwA community
Information forDevelopers
(version 1.1 released July 2006)
70
DHS Software Assurance: Process (cont.)
Provide practical guidance in software assurance processimprovement methodologies** (cont.)
♣ Participate in relevant standards bodies;♣ identify software assurance gaps in applicable standards from:
– ISO/IEC,– IEEE,– NIST,– ANSI,– OMG,– CNSS, and– Open Group
Support effort through DHS-sponsored SwA Processes andPractices Working group♣ Since April 2005, WG sessions held six times per year♣ Meets in conjunction with semi-annual DHS-DoD Software Assurance Forum
**NCSD Objective/Action 1.4.2
Value of Standards
Jim Moore, 2004 -03 CSEE&T Panel 7
A standard is a A standard is a NameName for an for an otherwise fuzzy conceptotherwise fuzzy concept
In a complex, multidimensional trade space of solutions ...
… a standard gives a name to a bounded region.
It defines some characteristics that a buyer can count on.
• Software Assuranceneeds standards toassign names topractices orcollections ofpractices.
• This enablescommunicationbetween:
θ Buyer and seller
θ Government andindustry
θ Insurer andinsured
Standards represent the “minimum level of responsible practice”and “sound practices” that are consensus-based methods
72
Role of Standards for Software AssuranceStandards are needed to better enable exchange of information amongparticipants and enable interoperability between solutions (provided bymultiple vendors) needed to perform SwA activities.♣ Offer common ground for communication♣ Provide consensus-based, sound practices for contributing disciplines♣ Provide benchmarking criteria for gauging the achievement of objectives♣ Allow different participants to initiate collaboration and activities in area of SwA
through the common framework and achieve greater automation of SwA processesby enabling interoperability between different supporting tools
Standards relevant to Software Assurance would:♣ Increase interoperability among tools and manual processes by creating an open
framework.♣ Provide guidance and criteria for making claims about the integrity (safety, security,
& dependability) of products and systems.♣ Enable generation of new solutions to benefit all sectors (Government, Industry, etc)♣ Better ensure that all sectors are investing within a coordinated strategy.
Using Standards and Best Practices to Close gapsbetween state-of-the-practice and state-of-the-art *1, 2
Information Assurance, CyberSecurity and System Safetytypically treat the concerns ofthe most critical system assets.♣ They prescribe extra practices
(and possibly, extra effort) indeveloping, sustaining andoperating such systems.
However, some of the concernsof Software Assurance involvesimple things that any user ordeveloper should do.♣ They don’t increase lifecycle costs.♣ In many cases, they just specify
“stop making avoidable mistakes.”
Raisingthe
Ceiling
Raisingthe
Floor
Minimumlevel of
responsiblepractice
Bestavailablemethods
*[1] Adopted from Software Assurance briefing on “ISO Harmonization of Standardized Software and System LifeCycle Processes,” by Jim Moore, MITRE, June 2, 2005, *[2] US 2nd National Software Summit, April 29, 2005Report (see http://www.cnsoftware.org) identified major gaps in requirements for software tools and technologies toroutinely develop error-free software and the state-of-the-art and gaps in state-of-the-art and state-of-the-practice
Using Standards and Best Practices to Close gapsbetween state-of-the-practice and state-of-the-art *1, 2
Information Assurance, CyberSecurity and System Safetytypically treat the concerns ofthe most critical system assets.♣ They prescribe extra practices
(and possibly, extra effort) indeveloping, sustaining andoperating such systems.
However, some of the concernsof Software Assurance involvesimple things that any user ordeveloper should do.♣ They don’t increase lifecycle costs.♣ In many cases, they just specify
“stop making avoidable mistakes.”
Raisingthe
Ceiling
Raisingthe
Floor
Minimumlevel of
responsiblepractice
Bestavailablemethods
*[1] Adopted from Software Assurance briefing on “ISO Harmonization of Standardized Software and System LifeCycle Processes,” by Jim Moore, MITRE, June 2, 2005, *[2] US 2nd National Software Summit, April 29, 2005Report (see http://www.cnsoftware.org) identified major gaps in requirements for software tools and technologies toroutinely develop error-free software and the state-of-the-art and gaps in state-of-the-art and state-of-the-practice
75
Relating SW Assurance to Engineering Disciplines
System and SWEngineering and
Information SystemsSecurity Engineering
InformationAssurance
SystemSafety
PredictableExecution
For a safety/securityanalysis to be valid …
The execution of thesystem must bepredictable.
This requires …
– Correctimplementation ofrequirements,expectations andregulations.
– Exclusion ofunwanted functioneven in the face ofattemptedexploitation.
Traditionalconcern
Growingconcern
CyberSecurity
Predictable Execution = requisite enabling characteristic*Adopted from Jim Moore, IEEE CS S2ESC Liaison to ISO SC7
77
Security and Assurance Concerns in ISO
JTC 1InformationTechnology
TMBISO IEC
SC 7 SC 22
Advisory Group onSecurity
IT SecuritySoftware andSystems Engineering
SC 27
ProgrammingLanguages
IEEEComputer
Society
Liaison role between IEEE CS S2ESC and between ISO SCs
79
SwA Concerns of Standards Organizations
JTC1InformationTechnology
TC176 TC56 TC65
TMBISO IEC
SC7 SC27
Risk MgmtVocabulary
Quality Mgmt Dependability Safety
IT SecuritySW & SystemEngineering
SC22
ProgrammingLanguages
* DHS NCSD has membership on SC7, SC27 & IEEE S2ESCleveraging Liaisons in place or requested with other committees
AdvisoryGroup onSecurity
81
Leveraging US & International Efforts
IEEE CSSAB
IEEEComputer
Society
IEEEStandards
Assn
IASC S2ESC
Software andSystems
Engineering
InformationAssurance
ANSIAccreditation
Category ALiaison toSC7
Membershipin US TAG toSC7
NIST
OpenGroup
OMG
CNSS
IEEEReliability
Society
Committee on Nat’lSecurity Systems
ANSI
ISO/IEC
82
Some Current EffortsISO SC7♣ Incorporate “raise the floor” assurance practices into life cycle standards.♣ Incorporate “raise the ceiling” practices into separate standards strongly
related to the life cycle standards.♣ Use Safety & Security practices as a benchmark for measuring success.
ISO SC22♣ Develop coding guidelines for common programming languages.♣ WG established to identify secure constructs in languages
ISO SC27♣ Expand context to include assurance concerns.
IEEE S2ESC♣ Develop criteria for assurance case / argument♣ Use as an “integrator” of standards for packaging / transition to industry.
“System and software assurance focuseson the management of risk and assuranceof safety, security, and dependabilitywithin the context of system andsoftware life cycles.”Terms of Reference changed: ISO/IEC JTC1/SC7 WG9, previously“System and Software Integrity”
Scope of ISO/IEC JTC1 SC7 “System and Software Assurance”
Adopted from Paul Croll’s SSTC May 2005 presentation, “Best Practices for Delivering Safe,Secure, and Dependable Mission Capabilities”
The Assurance Case/Argument – Requires Measurement
Set of structured assurance claims, supported by evidence and reasoning,that demonstrates how assurance needs have been satisfied.♣ Shows compliance with assurance objectives♣ Provides an argument for the safety and security of the product or service.♣ Built, collected, and maintained throughout the life cycle♣ Derived from multiple sources
Sub-parts♣ A high level summary♣ Justification that product or service is acceptably safe, secure, or dependable♣ Rationale for claiming a specified level of safety and security♣ Conformance with relevant standards and regulatory requirements♣ The configuration baseline♣ Identified hazards and threats and residual risk of each hazard and threat♣ Operational and support assumptions
*Adopted from Paul Croll, ISO SC7 WG9 Editor for Systems and Software Assurance
A coherent argument forthe safety and security ofthe product or service
A set of supportingevidence
……
Part 1
Part 2
Structure
SoftwareArtifact
AssuranceCases
Software Assurance Meta-model
Human -generated Machine -generated
Risks
AssuranceClaims
Consequences
The Assurance Case/ArgumentAttributes
θ Clearθ Consistentθ Completeθ Comprehensibleθ Defensibleθ Boundedθ Addresses all life cycle stages
*Adopted from ISO/IEC JTC1 SC7 and OMG SwA
Partition of Concerns in Software-Intensive Systems
Design
Data
Structure
Behavior
Implementation
Architecture
Domain model
Use Case Model
Architecture model
Threats
& HazardsAttackVectors
Failures
Considerations for Assurance Arguments:-- What can be understood and controlled (failures & attack surface/vectors)?
-- What must be articulated in terms of “assurance” claims and how might the bounds of such claims be described?
From facilitated discussions in SwA WG on Practices and Processes, Aug & Nov 2005
Safety: Sustaining predictable,dependable execution in the face ofunpredictable but unintentionalfaults (hazards)Security: Sustaining predictable,dependable execution in the face ofintentional attacks (threats)
Attack Surface
OMG Software Assurance Meta-model
Process of building trust … embodied in software asset evaluation
Claims about software systems…♣ Involve certain Target Requirement (intentions)
– Related to risks– How vendor-specified risk is mitigated– Security requirements– Process requirements (cleanroom, ISO, CMM, etc.; )– Architectural TR (especially when system of systems; integrations of 3rd
party components is involved)♣ Specify the degree to which the target requirement was addressed♣ Levels of certainty of the claim♣ What kind of proof exists to support the certain claim♣ What benchmarks were involved
Process of building/assembling software components
Trust is derived from claims♣ Levels of trust and how vendor-specified risks match buyer’s risks
Interoperability facilitates exchange
In order to facilitate exchange of claims about softwareindustry-wide, there should be (at least):♣ Agreement of common terminology, criteria for claims, properties, etc.♣ Structured way to exchange such claims (templates, XML schemas, etc.)♣ Agreed-upon ways to interpret such claims, properties, etc. (common
meaning, as opposed to simply common format).♣ Archives of such claims (libraries, repositories) that allow search,
comparison, etc. (which again needs shared taxonomy, etc.)♣ Automated methods (supported by tools)
Need for More Comprehensive Diagnostics101
102
Context for IT/Software Security
Implementation of an IA algorithm in a product
The product is the unit of purchaseand frequently has multiple uses
The system is an arrangement of products fulfilling a needConstrains the environment of each product
The environment consists of a changing set of conditions, Policies, and other factors often unknown at the time of implementation but realized during use or consumption
“environment”
“system”
“product”
“feature function”
Domain of Certification and Accreditation(all products, interfaces,configuration and otherIssues)
Domain of NIAP for IA and IAEnabled products
Domain of FIPS
Integrating Software Testing Standards
BSI maintains two well-respected standards for testing:♣ BS 7925-1, SW Testing: Part 1-Vocabulary♣ BS 7925-2, SW Testing: Part 2-SW Component Testing
IEEE maintains two well-respected standards for testing:♣ IEEE Std 829, Software Test Documentation♣ IEEE Std 1008, Software Unit Testing
ISO/IEC JTC 1/SC 7 maintains important contextual standards:♣ ISO/IEC 12207, Software Life Cycle Processes♣ ISO/IEC 15289, System and SW LC Process Information Products♣ ISO/IEC TR 19759, Guide to the Software Engineering Body of Knowledge
Proposed International Project:♣ BSI contributes their two standards and IEEE contributes their two standards.♣ SC 7, BSI, and IEEE-CS cooperate to develop standards for software testing that are
comprehensive and well integrated with the international standards collection.
These three groups of individually excellent standards are dis-integrated.
Adopted from Oct 2006 draft presentation “The Prospect for International Standards for Software Testing”by Jim Moore, IEEE CS Liaison to ISO/IEC JTC1 SC7
Purpose of Proposed Project
Cover the software testing process throughout the lifecycle of asoftware product or system.
Unify and integrate the relevant standards from three sources:BSI, IEEE, and ISO/IEC JTC 1/SC 7.
Develop a consistent, unified treatment adopted by all threeorganizations.
Provide backward compatibility or a migration path for current usersof the base documents.
Provide “connections” among other relevant test-related standards
Proposed Scope of SW Testing Standard
Title: Software Engineering—Software Testing
Scope: Produce a set of software testing standards applicable to alltypes of software products and systems. Four parts are planned:♣ Part 1: Testing concepts♣ Part 2: Testing process♣ Part 3: Test documentation♣ Part 4: Test case design
The standards will be consistent with the life cycle process and datastandards of ISO/IEC JTC1/SC7.
Current BSI and IEEE standards deal with unit or component testing.The new standard would deal with all forms of software testing,including:♣ integration testing♣ system testing♣ qualification testing♣ acceptance testing
How might OMG SwA standardscontribute to the integration of SWtesting standards?
The Way Forward --Integrating Software Testing Standards
BSI and IEEE Computer Society are socializing this proposalat interim meetings and by correspondence.
BSI and the UK National Body would prepare a New WorkItem proposal, circa January 2007, and submit it for letterballot.
A working group would be formed at the May 2007 plenary ofISO/IEC JTC1 SC7.
OMG Software Assurance (SwA)Special Interest Group (SIG)SwA SIG http://swa.omg.org:
works with Platform and Domain Task Forces and othersoftware industry entities and groups external to the OMG,
coordinates the establishment of a common framework foranalysis and exchange of information related to softwaretrustworthiness by facilitating the development of aspecification for a Software Assurance Framework that will:♣ Establish a common framework of software properties that can be used to
represent any/all classes of software so software suppliers and acquirers canrepresent their claims and arguments(respectively), along with the correspondingevidence, employing automated tools (to address scale)
♣ Verify that products have sufficiently satisfied these characteristics in advance ofproduct acquisition, so that system engineers/integrators can use these productsto build (compose) larger assured systems with them
♣ Enable industry to improve visibility into the current status of software assuranceduring development of its software
♣ Enable industry to develop automated tools that support the common framework.
112
DHS Software Assurance: TechnologyIdentify enabling capabilities; enhance software securitymeasurement, advocate SwA R&D, and assess SwAtesting and diagnostic tools♣ Collaborate with NIST to inventory SwA tools; measure effectiveness, identify
gaps and conflicts, and develop a plan to eliminate gaps and conflicts– NIST SAMATE workshops to assess, measure, and validate tool effectiveness– DHS NCSD sponsored work provides common taxonomy to compare capabilities– DHS NCSD task provides common attack pattern enumeration and classification
♣ Work with other agencies, allied organizations and standards organizations– Explore organizing mechanisms for SwA ecosystem infrastructure & federated labs– Enhance “software security measurement” to support SwA requirements and support
decision-making for measuring risk exposure
♣ Identify SwA R&D requirements for DHS S&T and multi-agency TSWG;coordinating requirements and priorities with other federal agencies– Advocate SwA R&D priorities through DHS S&T Directorate and multi-agency
Technical Support Working Group– Update R&D needs & priorities specific for SwA (list available)– Contribute to multi-agency Cyber Security and IA R&D provided to stakeholders.
119
http://cwe.mitre.org/
Standards, Tools and Labs
Realizing Software Assurance is about enabling industry andgovernment to leverage and connect existing standards, policies,practices, processes and tools, in an affordable and efficient manner.
The key enabler is the software assurance ecosystem infrastructure(or more commonly know as the tool plug-in board), which is a toolsand tooling standards integration and inter-operation environmentthat dramatically reduces the cost of software assurance activities.
Stakeholders within the OMG forum have collaborated anddeveloped the tooling standards.
Member companies within OMG have taken it to the next level byproposing a software assurance laboratory environment based onthose standards.
143
Software Assurance R&D
Identify SwA R&D; coordinating requirements and prioritieswith other federal agencies♣ Advocate funding of SwA R&D through the DHS S&T Directorate
– examine tools and techniques for analyzing software to detect securityvulnerabilities and techniques that require access to source code & binary-only techniques;
♣ Advocate SwA priorities through multi-agency Technical Support Working Group– Identify SwA R&D for combating terrorism (www.tswg.gov)– Support TSWG SwA R&D on secure software engineering
♣ Update R&D needs & priorities specific for SwA– list available via SwA Technology WG on https://us-cert.esportals.net/
♣ Contribute to multi-agency Cyber Security and IA R&D provided to stakeholders.
144
http://www.nitrd.gov
145
1. Functional Cyber Security2. Securing the Infrastructure3. Domain-Specific Security4. Cyber Security
Characterization andAssessment
5. Foundations for CyberSecurity
6. Enabling Technologies forCyber Security & IA
7. Advanced & Next GenerationSystems & Architecture forCyber Security
8. Social Dimensions of CyberSecurity
http://www.nitrd.gov/pubs/csia/FederalPlan_CSIA_RnD.pdf
146http://www.nitrd.gov/pubs/csia/FederalPlan_CSIA_RnD.pdf
1. Functional Cyber Security2. Securing the Infrastructure3. Domain-Specific Security4. Cyber Security
Characterization andAssessment
5. Foundations for CyberSecurity
6. Enabling Technologies forCyber Security & IA
7. Advanced & Next GenerationSystems & Architecture forCyber Security
8. Social Dimensions of CyberSecurity
Attack protection, prevention, &preemptionAutomated attack detection, warning &responseSecure process control systemsWireless securitySoftware quality assessment & faultcharacterizationSoftware testing & assessment toolsSecure software engineeringAnalytical techniques for security acrossthe IT systems engineering life cycleCyber Security & IA R&D testbedsTrusted computing base architecturesInherently secure, high-assurance, andprovably secure systems & architectures
Top PrioritiesTechnical / Funding
147
Software Assurance: AcquisitionCollaborate with stakeholders to enhance software supply chainmanagement through improved risk mitigation and contracting for securesoftware♣ Collaborate with NIST, ISO and IEEE Computer Society S2ESC WG to update
standards relevant to “Software Acquisition”♣ Collaborate with government and industry working groups to:
– Identify needs for reducing risks associated with software supply chain– Provide acquisition training and education; evolve applicable curriculum
♣ Collaborate with stakeholder organizations to support acquisition community todevelop and disseminate:– Acquisition Managers handbook on software assurance for
acquisition/procurement of software-intensive systems and services– Due-diligence questionnaire for RFI/RFP & source selection decision-making– Templates and sample statement of work / procurement language for
acquisition and evaluation based on successful models♣ Collaborate with agencies implementing changes responsive to changes in the
FAR that incorporated IT security provisions of FISMA when buying goods andservices
148
AcquisitionProgram
Supplier
“Supply chain introduces risks to American societythat relies on Federal Government for essentialinformation and services.”
30 Sep 2005 changes to Federal AcquisitionRegulation (FAR) focus on IT Security
Focuses on the role of contractors in security asFederal agencies outsource various IT functions.
“Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com SecureSoftware Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsisof May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks”
*
152
SwA Acquisition Management Guide,Version 0.7, Aug 28, 2006 ◊ Version 0.8, Dec 6, 2006
Initiation andPlanning
Contracting
Implementationand Acceptance
NeedInitial Software Risk AssessmentSolution Alternatives (incl contracting)SwA ResponsibilitiesInitial SwA RequirementsContract TypeAcquisition Strategy and/or Plan
Request for Proposal Work Statement Terms and Conditions Instructions to Suppliers CertificationsPreparation of Response—supplierSource SelectionContract Negotiation and Finalization
Project/Contract ManagementSwA PlanSoftware Risk ManagementAssurance Case ManagementSwA Acceptance Criteria
Risk-BasedSoftware Acquisition Process
COTSCustomSystems IntegrationServices & Outsourcing
COTSCustomSystems IntegrationServices & Outsourcing
COTSCustomSystems IntegrationServices & Outsourcing
Sustainment
COTSCustomSystems IntegrationServices & Outsourcing
Change ControlSwA Risk ManagementAssurance Case Management
BODY APPENDICES
A Sample Language
B Source Code Review
C Software Assurance Due Diligence Questionnaire (Generic)
D SwA Due Diligence Questionnaire (Specific)
E Bibliography
F Acronyms List
155
DHS Software Assurance Outreach ServicesCo-sponsor semi-annual Software Assurance Forumfor government, academia, and industry to facilitatethe ongoing collaboration -- next October 2006
Sponsor SwA issues of CROSSTALK (Oct 05 & Sep06), and provide SwA articles in other journals to“spread the word” to relevant stakeholders♣ March 2007 issue on “Software Security” – articles to be
submitted to CrossTalk by Oct 16, 2006 being reviewed
Provide free SwA resources via “BuildSecurityIn”portal to promote relevant methodologies
Provide DHS Speakers Bureau speakers
Support efforts of consortiums and professional societies in promoting SwA
158
Software Assurance ObservationsBusiness/operational needs are shifting to now include “resiliency”♣ Investments in process/product improvement and evaluation must include security♣ Incentives for trustworthy software need to be considered with other business
objectives -- measurement needed to better support IT security decision-making
Pivotal momentum gathering in recognition of (and commitment to)process improvement in acquisition, management and engineering♣ Security requirements need to be addressed along with other functions♣ Software assurance education and training is a key enabler
From a national/homeland security perspective, acquisition anddevelopment “best practices” must contribute to safety and security♣ More focus on “supply chain” management is needed to reduce risks
– National & international standards need to evolve to “raise the floor” in defining the “minimallevel of responsible practice” for software assurance
– Qualification of software products and suppliers’ capabilities are some of the important riskmitigation activities of acquiring and using organizations
♣ In collaboration with industry and academia, Federal agencies need to focus onsoftware assurance as a means of better enabling operational resiliency
159
DHS Software Assurance Program Program goals promote security for software throughout thelifecycle:♣Secure and reliable software supporting mission operational
resiliency *♣Better trained and educated software developers using
development processes and tools to produce secure software♣ Informed customers demanding secure software, with requisite
levels of integrity, through improved acquisition strategies. *
* Guiding principles in the National Strategy to Secure Cyberspace provide focuson “producing more resilient and reliable information infrastructure,” and includes“cyber security considerations in oversight activities.”
Program objectives are to:♣Shift security paradigm from Patch Management to SW Assurance.♣Encourage the software developers (public and private industry) to
raise the bar on software quality and security.♣Partner with the private sector, academia, and other government
agencies in order to improve software development and acquisitionprocesses.
♣Facilitate discussion, develop practical guidance, development oftools, and promote R&D investment.
Achieving Software Assurance – in the future
Consumers will have expectations for product assurance:♣ Information about evaluated products will be available along with
responsive provisions for discovering exploitable vulnerabilitiesthroughout the lifecycle, including risks from reuse of legacy software;
♣ Information on suppliers’ process capabilities (business practices) will beused to determine security risks posed by the suppliers’ products andservices to acquisition projects and to operations enabled by the software;
♣ Secure configurations of software will be more readily available for use.
Suppliers will be able to distinguish their companies bydelivering quality products with requisite integrity and be ableto make assurance claims about the IT/software safety,security and dependability:♣ Relevant standards will be used from which to base business practices
and to make assurance claims;♣ IT/software workforce will have requisite knowledge/skills for developing
secure, quality products, and♣ Qualified tools will be used in software lifecycle to enable developers and
testers to mitigate risks.
Joe Jarzombek, PMPDirector for Software AssuranceNational Cyber Security DivisionDepartment of Homeland [email protected](703) 235-5126
www.us-cert.gov
Semi-Annual Software Assurance Forum --Next in 8-9 Mar 2007 in northern Virginia
http://buildsecurityin.us-cert.gov
Questions?
- - - - - - - -
Back-up Slides
SwA Ecosystem InfrastructureConsiderations
CASLabs
Industry
DoDServicesand labs
DHS OtherGovt.
NSA
NIAP
FFRDCsUARCs
CAEIAEs,Other
Academia
Federation ofSoftware Assurance
Labs
Centerfor
AssuredSoftware
(CAS)
Notional Considerations
OtherGovt.DHS
Industry
DoDServicesand labs
NSA
NIAP
FFRDCsUARCs
CAEIAEs,Other
Academia
Federation ofSoftware Assurance
Labs
Centerfor
AssuredSoftware
(CAS)
Problem Space for Software AssuranceExample continued
Center for Assured Software (CAS)
Tools andtechniques
Software
Evaluations
New toolsand
Techniques
TrustworthyBase
Development
Resource Development
MaliciousCode and
OtherRepositories
DHS OtherGovt.
CommunityFacilitation
Standards
Policy
Support Initiatives
Educationand Training
Notional Considerations
OtherGovt.DHS
Industry
DoDServicesand labs
NSA
NIAP
FFRDCsUARCs
CAEIAEs,Other
Academia
Federation ofSoftware Assurance
Labs
Centerfor
AssuredSoftware
(CAS)
Center for Assured Software (CAS)
New toolsand
Techniques
TrustworthyBase
Development
Resource Development
MaliciousCode and
OtherRepositories
DHS OtherGovt.
CommunityFacilitation
Standards
Policy
Support Initiatives
Educationand Training
Tools andtechniques
Software
Evaluations
Problem Space for Software AssuranceExample continued
Notional Considerations
Standards based Evaluationsexample continued
Center for Assured Software (CAS)
Software tools for ecosystem infrastructure: - ecosystem infrastructure, evaluation, certification
Software products for evaluation:- infrastructure, evaluation, certification
Tools andtechniques
Software
EvaluationsStandards based SwA Ecosystem Infrastructure
SwA Evaluation LaboratorySwA Evaluation Organization
Ecosystem Infrastructure Organization
Source: NSA CAS – DoD SwA Tiger Team