Dr. Domenico Rotondi TXT e-solutions SpA Italy. SHIELDS: metrics, tools and Internet services to improve security in application developments. Summary. Software Development & Security Why SHIELDS SHIELDS Approach SHIELDS Expected Impacts & Outcomes SHIELDS Consortium
Dr. Domenico Rotondi, TXT e-solutions SpA, Italy
SHIELDS: metrics, tools and Internet services to improve security in application developments
Summary
• Software Development & Security
• Why SHIELDS
• SHIELDS Approach
• SHIELDS Expected Impacts & Outcomes
• SHIELDS Consortium
• TXT interest in SHIELDS
• SHIELDS and OWASP
• SHIELDS Summary Data
Software Development & Security
Software vulnerabilities are becoming critical due to:
• Law/regulation (Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act, Online Privacy Protection Act, Privacy Protection, …)
• Direct economic losses (data breach recovery $140/record; source: Ponemon Institute survey)
• Business reputation damage
• Customer productivity losses (downtime, recovery, …)
• Certification Programmes (e.g. Microsoft Dynamics Industry Solutions Initiative)
• …
Software Development & Security
Continuous growth in software vulnerabilities:
• Jan-Jun 2007 vulnerabilities > 3400
• Jan-Dec 2001 vulnerabilities ≈ 1528
Source: Microsoft Security Intelligence Report
Software Development & Security
Security industry is becoming more efficient:
• Security-enhanced SW Development Life Cycle (Microsoft SDL-SD3 Framework, OWASP CLASP, …)
• Improved code scanning tools
• Fuzz testing techniques & tools
• …
Software Development & Security
SW development industry objectives:
• Improved SW quality
• Overall (development+maintenance) costs reduction
[Figure: tools coverage trend; current tools coverage]
Software Development & Security
First results:
• Security-enhanced SW Development Life Cycle
• Guidelines (OWASP: Guide to Building Secure Web Applications, Testing Guide, Code Review Guide, …)
• Checklists (e.g.: Microsoft ASP.NET 2.0 Security Checklist, OWASP Top Ten Project, …)
• Security training/awareness
• Specific/improved tools
• More secure code libraries (e.g.: OWASP Enterprise Security API, Microsoft security-enhanced versions of CRT functions, …)
Software Development & Security
First quantitative results:
• Microsoft: 50% vulnerabilities reduction with SDL
• Microsoft Windows Server 2003 vs Windows 2000 Server
Software Development & Security
First quantitative results:
• Microsoft Windows Vista vs Windows XP
Why SHIELDS?
Security information is unsuitable for developers:
• Very general overview targeted at users and system administrators
• Nothing concerning how it is manifested in the software or what causes it
• Risk assessment info for users and system administrators
• No information on solutions or tools that help developers discover or eliminate vulnerabilities
Why SHIELDS? Islands of security tools and methods
Why SHIELDS?
Other factors:
• Lack of security expertise
• Costs of security expertise
• Reuse of security vulnerabilities knowledge:
  • Across development phases
  • Across tools
  • Among designers/developers/testers/…
• …
SHIELDS Approach Sharing security knowledge
SHIELDS Approach
A new approach:
• Security models:
  • Vulnerabilities
  • Countermeasures
  • Misuse and abuse
• Methods that use security models
• Tools that use security models
• Same model used in many ways
SHIELDS Approach
A model-based approach (example of a Vulnerability Cause Graph):
• Derived inspection rule: Verify that there is a range check associated with every data copy
• Derived static analysis rule: 'memcpy($d,_,$l)' verify(len(d) <= l)
• Derived testing rule: memcpy(d,s,_) inject(len(s) > len(d))
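The inspection and testing rules above, worked through as an added example (not SHIELDS project code): `checked_copy` ties the range check to the copy, and `probe_copy` injects sources longer than the destination and inspects a guard region placed behind it. All function names, the 16-byte buffer and the guard value are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define DST_CAP 16    /* constructed destination size */
#define CANARY  0xA5  /* guard value placed right after the destination */

/* Copy with its range check attached (the inspection rule).
   Returns 0 on success, -1 if the source does not fit or a pointer is NULL. */
int checked_copy(unsigned char *d, size_t d_cap,
                 const unsigned char *s, size_t s_len)
{
    if (d == NULL || s == NULL || s_len > d_cap)
        return -1;
    memcpy(d, s, s_len);
    return 0;
}

/* Testing rule: feed a source of s_len bytes, then inspect the guard.
   0 = copied, 1 = rejected, 2 = guard overwritten, -1 = probe misuse. */
int probe_copy(size_t s_len)
{
    struct { unsigned char dst[DST_CAP]; unsigned char guard[8]; } f;
    unsigned char src[DST_CAP * 2];
    size_t i;
    int rc;

    if (s_len > sizeof src) return -1;  /* keep the probe itself in bounds */
    memset(src, 'A', sizeof src);
    memset(f.dst, 0, sizeof f.dst);
    memset(f.guard, CANARY, sizeof f.guard);
    rc = checked_copy(f.dst, sizeof f.dst, src, s_len);
    for (i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != CANARY)
            return 2;
    return rc == 0 ? 0 : 1;
}

/* Sweep every length from 0 to 2*DST_CAP; count outcomes that break the rule. */
int run_boundary_sweep(void)
{
    int failures = 0;
    size_t n;
    for (n = 0; n <= DST_CAP * 2; n++)
        if (probe_copy(n) != (n <= DST_CAP ? 0 : 1))
            failures++;
    return failures;
}

int main(void) { return run_boundary_sweep(); }
```

A result of 2 from `probe_copy` would mean the copy under test wrote past its destination, which is the condition the inspection rule is meant to catch before testing.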
SHIELDS Approach SHIELDS and Software development phases:
SHIELDS Tools to support the Development phases
Graphical User Interface to access and search SVRS SHIELDS repository
Under construction! Please see http://www.shields-project.eu/ for updates
SHIELDS Approach
SHIELDS advantages:
• Reduced/no duplication of effort:
  • Every update can potentially affect all tools
  • SHIELDS reported vulnerabilities can impact all phases
• Higher assurance:
  • Tools can quickly acquire knowledge to face new vulnerabilities
• Improved software quality:
  • Developers get more and better security information
  • Developers improve their security expertise
• …
SHIELDS Expected Impacts
Increasing security to enhance trust
[Diagram labels: Better security tools; Better security information; Developers; More secure software; Lower risk; More robust; More trust. Connectors: For, Provides, Helping them create, Justifying, Leading to, Which is, Supporting]
Trusted computing infrastructures ensuring interoperability and end-to-end security of data and services; increased security and dependability in the engineering of software systems to ensure the design and development of trustworthy applications and services
SHIELDS Expected Outcomes
• SHIELDS Repository Service: a network accessible service providing:
  • Guidelines
  • Models (vulnerabilities, countermeasures, misuse and abuse)
  • Tools
• Security tools:
  • Partners provided (Search-Lab, Montimage, Fraunhofer)
  • …
SHIELDS Expected Outcomes Certification programmes:
TXT interest in SHIELDS
TXT e-solutions Spa:
TXT (www.txtgroup.com) is specialized in modular software products and solutions for:
• Demand & Supply Chain Management
• Content Management
TXT presence:
TXT interest in SHIELDS Demand & SC Mgm: TXTPERFORM Suite
TXT interest in SHIELDS MM-Multichannel Content Mgm: TXTPolymedia
TXT interest in SHIELDS
TXT Software Development activities:
• Internal:
  • TXTPerform: whole Software Development Lifecycle
  • TXTPolymedia: whole Software Development Lifecycle
• External:
  • SW Quality Assurance (not security related): mainly for M&T customers
  • Ad-hoc development
ISO 9001/2000 certified processes!
TXT interest in SHIELDS
Languages & platforms:
• TXTPerform:
  • C++, C# and Microsoft .Net Framework 3.0
  • Microsoft SQL Server, Oracle
• TXTPolymedia:
  • Java
  • Open Source platforms (Apache, JBOSS, …)
  • Microsoft SQL Server, Oracle, …
TXT: a typical SW company with all the development problems
TXT interest in SHIELDS
Development lifecycles revised since 2005:
• to address security issues:
  • Based on Microsoft Trustworthy Computing Security Development Lifecycle
  • Adopted for all products' major releases
• to certify TXT products:
  • Microsoft Industry Builder Initiative (IBI): TXTDemand certified since 2006
  • Microsoft Dynamics Industry Solutions program (MDIS): TXTPerform 2008 certified in January 2009
  • …
SHIELDS - OWASP
• SHIELDS contributions:
  • SHIELDS is in line with OWASP goals
  • SHIELDS can contribute to the OWASP projects
• OWASP contributions to SHIELDS:
  • SHIELDS needs input from the OWASP specialized community
  • SHIELDS needs feedback from the OWASP community
  • SHIELDS needs support to improve its work
  • SHIELDS needs support to validate its work
SHIELDS Project Relevant Data
• Project data:
  • EU FP7 Theme: ICT-2007.1.4: Secure dependable and trusted infrastructures
  • Type: Collaborative Project (STREP)
  • Duration: 30 months
  • Start: January 1, 2008
• SHIELDS contacts:
  • Coordinator: Professor Nahid Shahmehri (Linköpings universitet, nahsh@ida.liu.se)
  • Dissemination Manager: Alessandra Bagnato (TXT e-solutions Spa, alessandra.bagnato@txt.it)
  • Project Web site: http://www.shields-project.eu