Not logged in | Login

My Security Planet » Justice League » November 2011

Feeds

13615 items (0 unread) in 75 feeds

WebSecurity

Security

SEO

SEO

Tools

Tools

Opensourcetesting.org News

Justice League

Third-Party Software, Vendor Control, and the BSIMM Community

Posted: November 30th, 2011, 3:36pm CST by gem

Tags: BSIMM [edit]
Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon. The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes. Firms participating in the BSIMM include:
- Adobe
- Aon
- Bank of America
- Capital One
- The Depository Trust &
  Clearing Corporation (DTCC)
- EMC
- Fannie Mae
- Fidelity
- Google
- Intel
- Intuit
- Mashery
- McKesson
- Microsoft
- Nokia
- QUALCOMM
- Sallie Mae
- SAP
- Scripps Networks Interactive
- Sony Ericsson
- Standard Life
- SWIFT
- Symantec
- Telecom Italia
- Thomson Reuters
- Visa
- VMware
- Wells Fargo
- Zynga
The BSIMM project describes and measures the work of 786 SSG members, who together with a satellite of 1750 people, have direct impact on the work of 185,316 developers. (Download a copy today and get your firm involved in the BSIMM Project.)

The BSIMM is mostly about SSDL activities and governance. However, third-party software plays a major role in all of the BSIMM firms and is an important risk factor that must be managed. In addition to talks from member firms, the BSIMM Community Conference also featured a workshop on third-party software and security.

Sammy, Brian, and I wrote up the results in an informIT article that was posted today.

The interesting aspect of our workshop was that it was made up approximately of 50% software vendors and 50% financial services firms. This made for a very interesting conversation around vendor control.
Open Source and Software Maturity Models

Posted: November 15th, 2011, 6:45pm CST by jOHN

Tags: Admin [edit]
I’m at the BSIMM3 Conference, in an open source breakout session. The context: you’re an organization with a reasonable application security program. The question, “How to apply that same process maturity to open source where no ‘throat to choke’ exists?” Your organization and its software-providing vendors may not be perfect but at least you can choke someone if vulnerability exists. If you believe in the value of SSF activities for built and purchased software, you understand that assurance activities (source code review or penetration testing) may apply to open source, but applying others (such as training, or SDL gating/exceptions, and so forth) might be as impossible shooting ghosts. So, we have a control problem:

We can’t tackle the “process improvement” problem with our open source provides like we can with those who build our software in-house, or those vendors from whom we acquire code.

Understanding, based on this, we lack as many ‘knobs and dials’ for improving the cleanliness of the pipes through which open source software flows… we may have a flow rate problem as well. Though I lack hard evidence, I’d bet this represents a proverbial iceberg’s tip:

An organization may deploy as much or more open source code as their own in-house developed code.

It’s interesting to think about the money organizations spend to secure the code they build vs. the amount of open source they consume in this light… (participants indicated they didn’t track this spend separate from their development efforts).

Harumph. Our breakout group generated great ideas worth sharing. First, we unearthed a lot of things attending organizations already do. Next, we brainstormed valuable next steps. Here’s categories of activities we came up with:
- Inventory & Inventory Control
- Vulnerability Identification (Assessment)
- Vulnerability Management
- Ownership of Open Source
- Policy (use)
- Policy (Contribution)
What did each entail?

Inventory & Inventory Control
- Identification – All Participating organizations had a manual discovery process for open source usage. Many wanted better automated schemes, despite some existing tool usage.
- Identification of masked open source – Many participating organizations realize that not only do they adopt open source software directly but that the 3rd party code (and open source) they absorb also contain open source software. Discovering this ‘masked open source’ software represents as big a problem as identifying the open source software used directly.
- Centralized open source distribution – Some organizations allow development & deployment of open source software from the web directly whereas others only allow access to and use of open source from a centrally managed repository. Centralizing deployment usage may provide only improved integrity, or may be used to implement an ‘approved package list’.
Vulnerability Identification (Assessment)
- Using assessment tools – About three-quarters of workshop respondents used the same tools they use to assess their application security posture on their open source assets. This, to me, seems worth its own blog entry. I had to wonder aloud, “as organizations move from detective assessment schemes (SCR, PT) to so-called preventative (threat modeling, architecture analysis, misuse/abuse cases) how do they consider open source?” I’m finding that organizations blazing trails into security architecture work commonly omit discussion of their open source frameworks.
Ownership
- Maintain a white list of open source – Seemingly related to the “centralized distribution” item (but surprisingly uncorrelated in our survey), this meant that someone, from security, owned assessing the risk and proffering a “thumbs-up” or “thumbs-down” that can inhibit white list membership.
- Revisit white list – Organizations expressed that they found value in pruning the approved list of open source software based on non-use, newly identified risk, and similar factors. About one-quarter of our group engaged in this activity.
- Ownership of identified risk – Some participants avidly encouraged use of open source within their applications. In these organizations, when a developer chooses to include open source (as opposed to writing a widget themselves), they own any newly identified risk when in that open source. This reminded me eerily of Wall St. traders. Equity investment creates risk. Margin calls create leveraged risk. In this metaphor, choosing to adopt open source seems like a margin call. It’s very possible that a developer can absorb more risk into the organization than they themselves could effectively own up to in black-swan scenarios. It’s unclear how to measure this exposure when adopting open source.
- Collaboration – Certainly an organization-specific and an unsolved problem, participants indicated there may be a “third stakeholder” in the process of identifying and managing open source vulnerability. Two examples given were 1) clearing houses from which organizations purchase open source software and 2) support organizations (a la RedHat).
Vulnerability Management
- Root Cause Analysis – When a vulnerability is found (regardless of means or source: internal/external), organizations sometimes can point to a person or group who understands the vulnerable component (notable exceptions exist for purchased software or that software maintained by a development team that’s vanished). In open source, the organization must expend resources in order to “get smart” on vulnerability’s root cause and make trade-offs about mitigation strategies and their impacts. This represents extra cost on which I’d enjoy having greater visibility.
- Vulnerability Impact Analysis – Almost every participant had some regime by which they discovered (through assessment, feeds, or other means) new vulnerabilities within their adopted open source code base. Everybody possessed some ability to figure out which lines-of-business or development teams might be affected by newly discovered vulnerabilities.
- Patch Management – Only about one half of participants had, in their minds, a good strategy–having assessed the impacted teams–for distributing a patch that remediated open source vulnerability in an organization-wide manner. More strategically, several schemes seemed available to organizations beyond the straightforward “penetrate-and-patch” loop here. Alternatives included:
  2. Wrapping open source
  3. Hardening open source (and centrally distributing)
  4. Sandboxing/compartmentalizing open source
Policy (Use)
- Security Policy/Standards – About half participants had some kind of security policy or standards addressing how to securely use open source software within the organization.
- Training – About one quarter of participants trained their developers to use some portion of their open source securely. Interestingly enough, the one quarter of our respondents that trained developers did not line up well with the one half that had security standards. Wild.
Policy (Contribution)
- Legal permission to contribute to open source – Some organizations see open source contribution as a key activity. Others did but have suffered clamp-down from their legal departments because legal fears liability. Others never liked the idea.
- Community Notification on Vulnerability – When an organization contributes to open source and later finds (or is notified of) vulnerability in its contributions, it may need a way to notify the broader community. Organizations also complained about very high latency in the community notifying them of vulnerability in their code. This proved a surprising problem in our brainstorming session. Why? Contributors complained that this was because, often, their contributions were either 1) forked or 2) baked into other products that masked use of the contributions. In either case, it wasn’t evident to those disclosing the vulnerability that the (contributing) organization was responsibly for vulnerable code.
I will absolutely not let it go without saying that though this entry contains many of my own thoughts it heavily relies on the work of many in our breakout session, well-lead by HP’s Brian Chess. Thanks all for a great discussion.
-jOHN
Training by the Numbers

Posted: November 7th, 2011, 2:18pm CST by sammy

Tags: Software Security [edit]
- 1992: Cigital (then Reliable Software Technologies) gets started and also delivers some training on software quality
- “a few hundred”: ILT days delivered from 1992 through 2006
- 5,000: ILT students trained from 1992 through 2006
- 575: ILT and tutorial days delivered from 2007 through today
- 9,000: ILT students trained from 2007 through today
- 100,000: current students with access to our eLearning
Here are those numbers again in the context of a few things we’ve learned:

Cigital has always included instructor-led training (ILT) as part of its knowledge transfer to clients. From our founding in 1992 through 2006, we trained an estimated 5000 students on various aspects of software quality and software security. This was done in only “a few hundred” sessions. In addition, from the launch of our formal training offerings in January 2007 through September 2011, we delivered approximately 525 ILT days to over 7700 students. Throw in “about 50” conference tutorial sessions and other non-client-specific training sessions (but not normal conference talks or similar things) and the student number grows to about 9000, for a total of about 14,000.

There has been some shift in demand over that time. For the first 10 years or so, everything was custom. We typically spent weeks and even months building training that was very specific to platforms, frameworks, coding standards, policies, and even specific problems-of-the-day. This training was usually for relatively small numbers of people all working on something very similar. For the firm, that becomes a very expensive proposition when you get to hundreds or even thousands of developers working in multiple technologies, stacks, languages, tools, and related items. There simply isn’t enough time or dollars to make custom training for everyone.

Starting in 2006, we saw a real market demand for more standardized software security training (as differentiated from the plethora of network security, tool-specific, and generic “security” training in the marketplace, or the deep-dive, single-topic courses for things like reversing malware or DLL hooking). This demand was and continues to be much more centered on foundational training for all SDLC stakeholders (business analysts, architects, developers, quality testers, pen testers, audit, risk/compliance, and so on) and advanced training for small groups (e.g., lead architects and developers).

From early 2007 through October 2011, Cigital also deployed eLearning to firms that represent over 100,000 students who are developers, architects, testers, managers, business analysts, security operations folks, and others. The majority of clients are using our eLearning in their internal learning management systems for access by employees as well as contractors integrated into the client’s ecosystem. For external contractors without access to internal client systems, clients are using our training portal.

There has been shift in the eLearning landscape as well.
- We see almost all large firms having their own learning management system and wanting to take our material in-house. Meanwhile, smaller firms are looking to out-source everything and simply purchase access to our LMS for a given number of seats.
- There is a growing demand for tightly-focused topical modules that can be consumed in an hour or less.
- There was an initial demand for custom eLearning and then off-the-shelf became all the rage as the economy changed.
- There’s a trend to moving training closer to the activity. For example, inserting some defensive programming training directly into the developer’s IDE. We’ve actually developed plug-in technology for this one.
- As everyone sees the possibilities represented by more advanced instructional design, there is an increasing demand for what can only be described as virtual reality and flying monkeys with every image and word indexed and a holographic interface that instantly takes the student to the exact second in the module that answers with cut-and-paste content whatever question the student is pondering. Oh, and it needs to run on any device from laptops to smart phones to microwaves and in-dash satellite radios. Of course, we’re all over this, too.
As an off-shoot of our continuing BSIMM activities, Gary and I also recently wrote an article on software security training. Here are some additional thoughts.

← October 2011 (1 item) December 2011 (4 items) →