Software Assurance: an Overview of Current Industry Best Practices
Total Page:16
File Type:pdf, Size:1020Kb
Software Assurance: An Overview of Current Industry Best Practices February 2008 Executive Summary Software Assurance: An Overview of Current Industry Best Practices Software underpins the information infrastructure that govern- ments, critical infrastructure providers and businesses worldwide depend upon for daily operations and business processes. These organizations widely and increasingly use commercial off-the- shelf software (“COTS”) to automate processes with information technology. At the same time, cyber attacks are becoming more stealthy and sophisticated, creating a complex and dynamic risk environment for IT-based operations that users are working to better understand and manage. As such, users have become in- creasingly concerned about the integrity, security and reliability of commercial software. To address these concerns and meet customer requirements, vendors have undertaken significant efforts to reduce vulner- abilities, improve resistance to attack and protect the integrity of the products they sell. These efforts are often referred to as “software assurance.” Software assurance is especially impor- tant for organizations critical to public safety and economic and national security. These users require a high level of confidence that commercial software is as secure as possible, something only achieved when software is created using best practices for secure software development. This white paper provides an overview of how SAFECode mem- bers approach software assurance, and how the use of best practices for software development helps to provide stronger controls and integrity for commercial applications. Table of Contents The Challenge of Software Assurance and Security 4 Industry Best Practices for Software Assurance and Security 7 Framework for Software Development 9 Software Security Best Practices 12 Related Roles of Integrators and End Users 16 SAFECode’s Goals 18 Conclusion 18 Questions for Vendors about Product Assurance and Security 19 About SAFECode 20 The Challenge of Software Assurance and Security Software assurance encompasses the development and implementation of methods and processes for ensuring that software functions as intend- ed while mitigating the risks of vulnerabilities, malicious code or defects that could bring harm to the end user. Software assurance is vital to ensuring the security of critical information tech- nology resources. Information and communications technology vendors have a responsibility to address as- surance through every stage of application development. This paper will focus on the software assur- ance responsibilities of software vendors. SAFECode Software However, integrators, operators and end Assurance Definition: users share some responsibility for en- Confidence that software, suring the security of critical information hardware and services are systems. Because of the rapidly changing free from intentional and nature of the threat environment, even an application with a high level of qual- unintentional vulnerabilities ity assurance will not be impervious from and that the software attack if improperly configured and main- functions as intended. tained. Managing the threats we face to- day in cyberspace requires a layered system of security, with vendors building more secure software, integrators ensuring that the software is installed correctly, operators maintaining the system properly, and end users using the products in a safe and secure manner. 4 5 New Risks and Countermeasures The dynamic threat environment creates The Changing Technological challenges for all software-related opera- Environment tions. Vectors for attacks that could interrupt or stop critical software functions must be Rapid change and innovation are two of considered in design and development. The the most enduring characteristics of the IT software assurance risks faced by users to- industry. But innovation is not unique to day can be categorized in three areas: vendors. Criminals can and do innovate. In the span of only a few years a complex and 1. Accidental design or imple- lucrative criminal economy capable of sup- mentation errors that lead to porting specialized skill sets for identifying exploitable code vulnerabilities and attacking software has developed. 2. The changing technological The development of this sophisticated crimi- environment, which exposes new nal economy contributes to increasingly tar- vulnerabilities and provides adversar- geted and complex attacks. Vendors commit ies with new tools to exploit them resources to understand emerging threats and use state-of-the-art technologies, tools 3. Malicious insiders who seek to and techniques to develop software, hard- do harm to users or vendors ware and services that can resist attack. The process is one of on-going improvement as Accidental Design or new vulnerabilities are exposed, new threats Implementation Errors are created and new countermeasures de- The prevalence of hackers, viruses, worms veloped and implemented. and other malicious software that attack systems and networks highlights the first risk area when programmers inadvertently create faulty software design or implemen- tations. Developers address this risk through developer training and the use of secure development practices and tools. These processes are discussed in depth in the next section of this paper. 4 5 Malicious Insiders There is a growing concern that global From a development perspective, these con- software development processes could be trols are focused more on “how it was made” exploited by a rogue programmer or an or- than “where they were sitting” during the ganized group of programmers that would coding process. compromise software, hardware or services during the development process. Vendors are extremely protec- CASE STUDY tive of their “soft assets” such EMC Corporation as their code base. The complex A centralized Product Secu- Architecture: Common development process and the rity Office coordinates inter- Security Platform A set series of controls used to pro- related programs for strong of software, standards, specifications and designs for tect the development process security assurance at EMC Corporation. common software security provide powerful management, elements such as authentica- policy and technical controls that Foundation: Product tion, authorization, audit and Security Policy Guides accountability, cryptography reduce these risks. There is no product development teams and key management using single way to manage or control and is a common reference state-of-the art RSA technol- for product organizations to a development process. Rather ogy. An open interface allows benchmark product security integration with customers’ there are proven best practices against market expectations security architectures. that companies use to manage and industry best practices. Metrics score company-wide Incident Response: Prod- their unique development infra- use of the policy. uct Security Response structure and business models. Center Defines and enforces Knowledge: Security EMC’s vulnerability response SAFECode members implement Training Role-based security policy to minimize risk of engineering curriculum trains exposure to customers. processes for vetting employees new and existing engineers and contractors regardless of on job-specific security best External Validation: Secu- practices and how to use rity Certification EMC has their country of residence. How- relevant resources. received extensive govern- ever, far more critical to soft- ment and industry certifica- ware assurance is establishing Process: Security Devel- tions in design, implementa- opment Lifecycle Over- tion and management of its and implementing processes and lays security on standard security processes and solu- controls for checking and verify- development processes for tions – including Common achieving a high degree of Criteria or FIPS 140-2. ing software assurance irrespec- compliance with the above tive of where it was produced. referenced Product Security Policy. ® ® 6 7 Managing Risk Through Software Assurance Best Practices These risks can all be managed through the and implementing practices to produce se- adoption of best practices in software assur- cure code that are better tuned to real-world ance. While a number of international stan- software development processes and result dards and certification regimes for software in higher levels of security. SAFECode’s mis- assurance have been issued, their effective- sion, in part, is to bring these practices to- ness in achieving real-world reduction in vul- gether to share across the community. nerabilities is debatable. Companies on their own have been taking the lead in developing Industry Best Practices for Software Assurance and Security Software vendors have both a responsibil- Software development processes vary by ity and business incentive to ensure product vendor according to their unique product assurance and security. Customers demand lines, organizational structures and customer that software be secure and reliable. Ven- requirements. Not surprisingly, there is no dors also must produce quality products to single method for driving security and integ- protect and enhance brand names and com- rity into and across the globally distributed pany reputations. These pressures motivate processes that yield technology products vendors to minimize mistakes in coding, and services. Yet regardless of the method reduce the occurrences of post-sale vulner- used, there is a core set