Next Generation Strategies for Software

Security in Critical Systems & Securing the

Supply Chain

BSides

Daniel Thanos (daniel.thanos@telus.com) Director Advanced Cybersecurity & Strategic Programs

September, 2014

First a word from our sponsor….

A Confession My presentation title is a sales job!

Most of the strategies out there are not next generation

they are more like going back to the future but being more

practical and incremental in your execution

There really isn’t “critical systems” anymore as everything

is becoming critical as they are built from the same

components and are becoming exponentially connected

Why Software and Supply Chain Security?

No I didn’t want to boil the ocean!

They have become intertwined and are inseparable

All modern software (and firmware/hardware)

development (open source and commercial) is based

on global and complex supply chains

The world is becoming software defined therefore so

are all supply chains!

Some Ground Truth Technology innovation and business disruption is good and needs to be better embraced and leveraged in security strategy or security will simply not be built-in and we will have to secure the impossible after the fact

Security through prohibition is no longer a tenable strategy for most businesses/organizations that want to remain competitive on multiple fronts

The world of discrete hardware devices and networks which sit behind well defined security perimeters is being displaced by massively complex systems based on mobility, software defined systems, web APIs, virtualization, clouds, and an exponential rise of IoT devices that increasingly have no physical or cyber boundaries.

Nextgen security models will increasingly need to be distributed, cloud-based, make use of more intelligent monitoring and analytics but fundamentally rely on a much stronger basis in software and supply chain security

The Problem: Poor Technology Evolution and its Path to Security

Design and standards specification phase:

Security? Everything is trusted and too “advanced” to hack or hand waving design addresses this.

Product development and deployment phase:

Security? Yes there are “issues” but solutions exist, just plug in your magic security box or give your holy water blessing.

Secure this phase:

Security!!? Please secure this new paradigm changing technology with no budget and/or disruptions to schedule or operations.

Security needs to be here Security typically found here

Innovators ENG/DEV/OPS

Professional Paranoid Hypochondriacs

(Security Team)

Innovation & disruption are a strength when security is on the correct side of it

Software and Supply Chain Insecurity:

Root Cause of Most Breaches Many of the large scale data breaches that have occurred

last year and this year have software and supply chain

security issues at their core

Many simple attacks directly leverage vulnerabilities in

software (e.g. many classes of web attacks based on SQL

Injection, XSS, etc. )

Most complex attacks/APTs involve multistage

penetrations that exploit software vulnerabilities (e.g.

known or unknown 0days) in combination with social

engineering

Exploiting the supply chain through leveraging trusted

access and weaknesses in vendor products and services

that support targeted organizations is evolving into a potent

weapon for advanced adversaries (e.g. use of HVAC system

access in the Target data breaches)

State of Software Security Relatively mature when it comes to established practices and toolsets for

various types of software development- e.g. (web, enterprise, embedded, etc.)

Practices are not consistently applied across many products and the supply

chains that support them

Many systems and critical infrastructure industries (e.g. SCADA/ICS,

Energy, Healthcare, Embedded/IoT, etc.) lag in best practices for many reasons

Recent key trends: Heartbleed bug (large scale and eye opening for the industry), many back doors being discovered in products, especially poor

security being exposed in many critical systems and embedded devices

The homogenization/commoditization of the supply chain (e.g. convergence

towards generic platform OSs like Linux and Windows will continue) which increasingly relies on more common code bases with systems/networks having

heavy reliance on both commercial and open source products

All of the above trends are driving increased risks across many industries-

particularly critical ones: Energy, Manufacturing, Telecom, Financial Services, Healthcare, etc.

In many cases very simple (and often known) vulnerabilities are being

exploited by system attackers- making some minor and incremental

improvements here can provide substantial dividends in terms of preventing many system penetrations, both simple and advanced.

Increasing Cross-

Industry Risk

Increasing Vulnerabilities

and Exploitation

Inconsistent Application of

Mature Practices

Homogenization &

Commoditization

Lagging Critical Systems

There is a gap between

established security practices and

applying them and it can’t be

addressed through technical

strategies or simple education

campaigns alone, it requires a

market driven solution

State of Supply Chain Security The issue is well understood in high security organizations in

the government and private sector

Comprehensive programs exist particularly in the defense

sectors but they are cost prohibitive for general commercial industry

High assurance certifications (e.g. Common Criteria, FIPS, etc.)

are common and well understood particularly in government

environments but they can’t scale to general commercial systems

Even high security environments face considerable budget

challenges and need to leverage COTS, this further necessitates a

middle ground alternative to high assurance certifications

In general commercial industry is early in the process of

understanding and establishing comprehensive supply chain security

programs particularly for software products. For organizations that

are starting programs it is largely driven by dealing with higher

security government entities for the first time

Trustworthy model for supply chain and software security: In between the spectrum of no security to high assurance there is room for a middle

ground that can be equally effective and scalable across the market . In

reality when based on continuous verification it can better than HA certs alone

High Assurance

Certification

Trustworthy

No Security

Area of

greatest

promise

and

value

Why Trustworthy Systems?

Certifications + Compliance = Reduced Risk

Certifications + Compliance ≠ High Assurance Security

Trustworthy Systems ≈ Defensible Systems

Higher Assurance Security

Software Security Strategy Start with risk discovery in your engineering process and that of your supplying vendors and begin to identify and asses technical

and process risks. Share results with business and technology stakeholders and be transparent

Distribute questionnaires (that non-experts can understand) that ask about how security is being applied in the development process and how it is

supported once the product is in the field

Run or ask for the results of dynamic (e.g. fuzzing) or static (e.g. source/binary code scans) security analysis tests of code (preferably source) or use

tools that can do some analysis on binaries

Start with some simple vulnerability scanning, move to penetration testing, and evolve towards more advanced red teaming activity against systems to

adequately test the security of a system end-to-end from a true adversary.

Insert your Secure Development Lifecycle (SDL) of choice here __________ but apply incrementally and take a risk driven

approach and start parallel threads. Think like a lean startup- e.g. do the bare minimum in the beginning to get started and then

rapidly iterate and improve. Remember to empower your engineers and system developers along the way with design and coding practices they can understand,

Focus on a Trustworthy model which is based on practical and evidentiary measures of security in each step of the SDL (e.g.

number of open critical/high vulnerabilities in code, number and type of dynamic and static security tests passed, number and

quality of security requirements met, etc.)

SDL Points of Improvement:

• Greater emphasis on the correct use of static and dynamic security testing tools

• Making hardening secure configuration guides part of the process

• Better integrating penetration testing and red team based activities early (e.g. alternative analysis and verification of design and security testing of sourced components) in the process

Market Driven Strategy Software security is really a demand side economic problem, there is adequate supply of tools and expertise

but they need to be prioritized and applied

The procurement process applied against the supply chain by just a few large industry players in a considered

and practical way can seed the demand but applied in isolation by various organizations lacks the ability to scale

and sustain an industry change

A Trustworthy model of continual security verification is needed based on practical and evidentiary artifacts

and tests that are low cost and relatively automated and tied to key aspects of the SDL.

The verification should provide a certificate/attestation that allows for a clear competitive advantage by a

vendor that passes it as well it should be consistent so that it can universally be applied as a procurement

standard. This saves both the vendor and the acquiring organization a great deal of time and money and delivers

something that can truly scale in a large commercial market.

The recently announced Codenomicon CodeVerified program offers an interesting model to consider for

some aspects of this needed Trustworthy concept of verification in regards to fuzz testing and basic binary

analysis. It would be good to see other SDL tool vendors come to the plate with similar programs- e.g. verification

certificates for static code analysis, vulnerability scanning, basic security design, etc.

Longer Term R&D Strategy

Nextgen software security analysis

•Intelligent forms of binary static and dynamic analysis that apply machine learning methods to better identify innate vulnerabilities and malicious behavior in machine code.

•Intelligent forms of fuzzing that take into account program and data state in order to optimally search through the infinite state-space problem and get to vulnerable points in code more often and in a more timely fashion

•Deeper analysis into defining upper and lower bounds of fuzzing in order to have a quantitative model for understanding how much fuzzing is enough given some measure of complexity for a protocol, program, or data that it processes

•More security intelligent forms of static/dynamic analysis of source code looking for deeper vulnerability patterns and flawed security design/implementation

Tamper & exploit resistant software

•More research into secure compilers and runtimes for building tamper controls into the control/data flow of programs.

•Applying trusted platform hardware security elements to continuous runtime protections and verifications for detecting/preventing software vulnerability exploitation

•Continued research into using entropy and diversification in novel ways to further frustrate and degrade an attackers ability to execute mass exploitation

Applying adversarial methods

•Polymorphism and diversity in code as a mechanism for creating diversity and hence defeating trivial/mass exploitation

•Anti-reverse engineering/debugging methods that delay and frustrate attackers when trying to research and find vulnerabilities

•Introduction of obfuscation methods as well as techniques of evasion so that security monitoring processes cannot be trivially identified and disabled

Summary Embrace innovation and disruption

•Allow businesses to succeed and be competitive through enabling risk taking- e.g. don’t try to eliminate risk through prohibitions or over engineering security but intelligently manage risk through proportionate measures that incrementally/continually improve over time

•Anticipate new technology and trends and be on the forefront of developing new and innovative security models to enable them

•Understand how adversarial/malicious technology actually works and how threat actors use it while simultaneously using it for novel security technologies/defenses

Pick all the rotting and low hanging fruit first

•Start as simple and cheap as possible in your software and supply chain security programs, use a lean start up mentality- e.g. start with the minimum and rapidly iterate and improve.

•Focus on practical and incremental software and supply chain security programs- e.g. perfection is not the goal but being more aware and secure than yesterday is

• Inject security practices into the procurement process as product/service requirements, nothing motivates improved practices like knowing a cheque is attached to them.

•Educate, educate, educate. Make management and developers/engineers aware and get them trained in secure engineering/development practices.

•SDLs are not built overnight but you can’t wait to roll out the perfect one either, start by using the static and dynamic security analysis/testing tools to know your risks and start to build enforcement as processes and training get formalized.

Develop market and incentive driven security strategies

•Security professionals now more than ever need to understand market forces and use them to their advantage, so it is really important to understand the business that you and your supply chain is in and what competitive forces mold it. Get a mentor on the business side of your org to help you get that understanding and knowledge.

•The vendor needs to have security attestations to market that provides competitive differentiation but also doesn’t create too much barrier to entry as that will limit competitiveness, scale, and innovation

•The security community needs to develop and encourage more lower cost and agile “trustworthy” based verifications vs. just hard high assurance certifications

Questions?