Source Code Protection: Evaluating Source Code Security - Stephanie Woiciechowski, GSEC Principal Software Engineer Product Security Office EMC ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Source Code Protection:
Evaluating Source Code Security
Stephanie Woiciechowski, GSEC
Principal Software Engineer
Product Security Office
EMC Corporation
1
Goals
• Understand application of If
you
have
built
castles
in
the
basic security concepts air,
your
work
need
not
be
lost;
• Collaborative security that
is
where
they
should
be.
Now
put
the
founda;ons
under
• Iterative security
them.
improvements around
-‐-‐
Thoreau
source code
2
Why should we care?
Threats to source code
3
Source Code Threats
“Consider that no organization is
impenetrable. Assume that
your organization might
already be compromised and
go from there.”
Security for Business Innovation Council
(2011)
Security
takes
a
new
role
in
working
with
source
code.
4
Source Code Threats
• Theft of product-related
AMSC
Ex-‐NASA
Taking
Sinovel
contractor
intellectual property to undermine
Infringement
arrested
Suit
on
pto
lane
to
the security of our customers.
• Or to seek competitive advantage
China’s
Supreme
Court
China
-‐-‐
Bloomberg
-‐-‐Associated
Press
• Exposure of vulnerabilities
Claims
by
Anonymous
• Exposure of trade/government
about
Symantec
secrets
-‐-‐Symantec
Security
takes
a
new
role
in
working
with
source
code.
5
Source Code Threats
AMSC
Taking
Ex-‐NASA
• Theft of product-related
intellectual property to undermine
Sinovel
contractor
the security of our customers.
Infringement
arrested
on
• Or to seek competitive advantage
Suit
to
China’s
plane
to
China
Supreme
Court
-‐-‐Associated
• Exposure of vulnerabilities
-‐-‐
Bloomberg
Press
• Exposure of trade/government
secrets
Claims
by
Anonymous
about
Symantec
-‐-‐Symantec
Security
takes
a
new
role
in
working
with
source
code.
6
Source Code Threats
• Insertion of malicious code into
products during development
phpMyAdmin cycle that can undermine product
integrity and operations in
customer environments.
Security
takes
a
new
role
in
working
with
source
code.
7
What can we do?
Define objective
8
What can we do?
Improve
security
in
the
source
code
environment
to
defend
against
threats.
• Prerequisites & Assumptions • Approach: Collaboration
• IT is doing their part for corporate • Define security criteria
security • Understand current environment
• Security is not #1 for SCM, Build, • Review tools in use against criteria
Release, QE, and Dev • Include input from SCM and security
experts
• Security goals often support SCM
goals of traceability, • Manage change
reproducibility, and auditability • Provide recommendations for
preferred solutions
• Provide a framework to assess
implementations & evaluate new
solutions
9
Establish Goals & Team
•• ThreatWhat
Policy: model: How
needs to bemight your
done to
• Initial Goals: Call to
action RISK
protect
• R EDUCTION
source code.
environment be attacked?
Strong passwords to access source
• Business case
code IT
••• Transactions
Achievable
What couldwill be&
happen logged and
if your
• Who should be involved? Maintainable:
protected
source
Security
code is modified?
• Standards: How to implement policy.
•• Consistent
What couldsystems approach
happen if your to
• Policies & Standards Source codeTask
F orce
are integrated
implementation
source
with code is stolen?
organization’s identity
• How would you recover
management system and useand at
network
• password.
Measureable:
• Procedures & what cost?
• Evaluation
Transactions are loggedif a control is
to syslog and
• Actionable intelligence Development
Assessments exported every
indmin
place system. 20 minutes to
and how it is a log
Source
Code
Aaggregation
functioning
RISK
REDUCTION
Legal
10
Establish Goals & Team
• Initial Goals: Call to • Threat model: How might your
action environment be attacked?
• Business case
• What could happen if your
source code is modified?
• What could happen if your
source code is stolen?
• How would you recover and at
what cost?
• Actionable intelligence
RISK
REDUCTION
11
Establish Goals & Team
• Initial Goals: Call to
action IT
• Who should be involved? Security
Task
Force
Development
Source
Code
Admin
Legal
12
Establish Goals & Team
• Policy: What needs to be done to
• Initial Goals: Call to protect source code.
action • Strong passwords to access source
code
• Transactions will be logged and
• Who should be involved? protected
• Standards: How to implement policy.
• Source code systems are integrated
• Policies & Standards with organization’s identity
management system and use network
password.
• Transactions are logged to syslog and
exported every 20 minutes to a log
aggregation system.
13
Establish Goals & Team
• Initial Goals: Call to
action RISK
REDUCTION
• Achievable &
• Who should be involved? Maintainable:
Consistent approach to
• Policies & Standards implementation
• Measureable:
• Procedures & Evaluation if a control is
Assessments in place and how it is
functioning
14
Defining Security Criteria
• Defense-in-depth •Reduce
Authentication
Value
Principle of and
vulnerable
of Least
Preven;ve
Backups
is riska way
Privilege
surface to to
prove
Code
your identityEnvironment
Changes
Forensics
such that no
• Data Classification the
one data
area
can
Network
ofinforms
later aPhysical
say server
it wasn’t you
IsolaMon
IsolaMon
•Restricted
access
• Identity/Authentication appropriate
• Chain
Services
o Log
protecMon
security
f
Detec;ve •
Servers
•Storage
monitors
Security
Patches
• Access Controls Custody
Identity
DLP
+ Secret =•Authentication •Log
aggregaMon
WorkstaMons
Hardware
• Isolation
solutions
Ports
• Code
reviews
Source
ConfiguraMon
•One
of
the
most
common
• Malware
Regular
reviews
ways
insiders
detect
••eGRC ComplianceCode
monitoring
breaches
• Data Protection Centralized
Reputable
authentication
• Rootkits
Correc;ve
mechanisms
sourcing
Virtual
AcMve
monitoring
Virtual
• Hardening
•• Integrity
Why local accounts
IsolaMon
Containment
cause
• Avoiding Malicious Code problems
• checks
The Apache Way
EncrypMon
…
Storage
• Logging
Layers of Protection
15
Define Security Criteria
• We have a team
• We have basic Defense-in-Depth security
solutions
• Now … draft Source Code Security Policies and
Standards to document expectations
16
What can we do?
Understand the current environment
17
Where are we?
Establish a baseline • Scope your
environment
• Environment diagrams
18
Where are we?
Establish a baseline • Scope your
environment
• Environment diagrams
• Engineering practices
19
Where are we?
Establish a baseline • Scope your
environment
• Environment diagrams
• Engineering practices
• Data classification:
where is the important
“stuff”?
• Threat Modeling
20
Where are we?
Establish a baseline • Scope your
• Are they working securely? environment
• Simple solutions? • Environment diagrams
• Turn on functionality
• Add-ons • Engineering practices
• Cost/benefit • Data classification:
• Change tools where is the important
• Reinforce environment
“stuff”?
Don’t throw the baby out with the • Threat Modeling
bathwater!
• Tools
21
Where are we?
• Scope your environment
• Environment diagrams
• Engineering practices
• Data classification: where
is the important “stuff”?
• Threat Modeling
• Tools
• Usability!!!
22
What did EMC find?
23
2011 EMC Summary of 5 Common Brands
11 High level policy criteria and 31 controls (not weighted)
Repository 1 Repository 2 Repository 3 Repository 4 Repository 5
Analysis of product features, not
existing implementations Out Out Out Out Out
Add Add Add Add Add
of of of of of
On On On On On
Box Box Box Box Box
Corporate
authenMcaMon
ü ü ü ü ü
Logs
of
transacMons
against
access
controls
can
be
exported
to
a
monitoring
tool.
ü PARTIAL ü PARTIAL ü ü PARTIAL ü
Granular
access
controls
PARTIAL x PARTIAL x PARTIAL ü x ü
Support
for
code
review
workflow
PARTIAL ü x ü x ü ü x ü
24
2011 EMC Summary of 5 Common Brands
11 High level policy criteria and 31 controls (not weighted)
Analysis of
product
Overall
Risk
Assessment
Percentages
features, not
existing
100%
implementations 90%
80%
70%
60%
Add-‐On
50%
40%
Out
of
Box
30%
20%
10%
0%
Repository
1
Repository
2
Repository
3
Repository
4
Repository
5
Out-‐of-‐ Out-‐of-‐ Out-‐of-‐ Out-‐of-‐ Out-‐of-‐
Box
Add-‐On
Box
Add-‐On
Box
Add-‐On
Box
Add-‐On
Box
Add-‐On
TOTAL
(out
of
220) 200 210 160 210 160 210 220 220 170 220
Percentage 91% 95% 73% 95% 73% 95% 100% 100% 77% 100%
Difference:
5%
23%
23%
0%
23%
25
EMC’s Observations
• Most major Source Code Repository systems can be made
acceptable
• All existing solutions can be made better
• Newer SCMs have more security built–in or added as features
• Source code is highly visible to many people regardless of
whether the SCM is distributed (like Git) or not
• A poorly configured underlying platform or poor practices can
undermine strength of any application controls that may exist
26
Managing change …
… to steady state
27
Action
Like most organizational projects …
• Team
• Policies & Standards
• Evaluate
• Plan
• Implement
… except this must be a continuous process.
28
Continuous Monitoring and Improvement
• Minimize new options
• Until you get a handle on your
environment
• Don’t chase a moving target
Observe
• Assessments
&
Orient
• Security awareness training
needs to emphasize secure
source code
29
Continuous Monitoring and Improvement
• Minimize new options
• Until you get a handle on your
environment
• Don’t chase a moving target
• Assessments
Decide
• Security awareness training
needs to emphasize secure
Observe
source code
&
Orient
• How will you evaluate new
solutions?
• Expand scope: other build-
related tools and infrastructure
30
Continuous Monitoring and Improvement
Assessment
Threat
Model
Decide
eGRC
Observe
&
Orient
Triage
31
Continuous Monitoring and Improvement
• Test
AcMon
• Deploy
• Implementation guidance
Decide
Observe
&
Orient
32
Summary
33
Summary
• Evolving threats change how we need to think about source code security
• Collaboration: Expanding security awareness involves more stakeholders
• Policies & Standards: define security goals based on common security
strategies
• Measure: Baseline environment
• Implement & manage change
• Expand frameworks
Improve
security
in
the
source
code
environment
to
defend
against
threats
34
Thank you
Stephanie Woiciechowski, GSEC
EMC Product Security Office
stephanie.woiciechowski@emc.com
35
You can also read
