
A holistic approach to ensure product security

Christer Stenhäll Ericsson PSIRT

2018-06-18 | Page 1

Agenda

— Ericsson at a glance
— Our perspective on Security
— SRM, this is how we do it
— PSIRT
— Vulnerability Management
— Conclusion, Next Steps

Ericsson at a glance

Enabling the full value of connectivity for service providers

Business areas:
— Networks
— Digital services
— Technology and emerging business
— Managed services

By the numbers:
— 180+ countries
— 201.3 b.sek in sales
— 100,700 employees
— 45,000 patents

Image: Ericsson headquarters, Kista, Sweden

Our perspective on Security in the networked society

• services should always be available
• security should require minimum effort from users
• communications should be protected
• all access to information and data should be authorized
• manipulation of data in the networks should be possible to detect
• the right to privacy should be protected

Building Trust

Layered model, where each layer enables the one above it:

TRUSTED BUSINESS: Business decision to accept residual risks and manage unacceptable risks
TRUSTED Operations: Appropriate procedures for secure operations
TRUSTED architecture: Sound, manageable architecture
TRUSTED Products: Devices/nodes/products without exploitable vulnerabilities

Driving & contributing to improving standards

Security Reliability Model (SRM)

SRM areas around Product Development: Functions, Assurance, Documentation, Services

Baseline Requirements & Design Rules

Baseline Security & Privacy Requirements
• both functional and non-functional requirements

Security and Privacy Design Rules
• How to implement requirements

Security Functionality areas

Security functions are divided into 6 areas based on defence in depth.

Network Protection
• Confidentiality & integrity protection of O&M, Server side

Application Security
• Signing, Web

Platform Security
• Prevention, Trusted state and secure boot

Identity and Access Management
• Enforce replacement of passwords, Support password aging

Logging
• Full Personal Accountability, Ability to Log Locally

Data Protection
• Password protection, Confidentiality and Integrity of Personal Data

Security Assurance (SRM area: Assurance)

Security Assurance levels

Special Security Assurance: Products with tailored requirements
Advanced Security Assurance: Products with need of a high level
All Ericsson Products: All mandatory assurance items and the basic security functionality

Security Assurance

Risk Assessment, Privacy Impact Assessment, Secure Coding, Vulnerability Assessment, Hardening, Vulnerability Management

Security Assurance - RA (Risk Assessment)

— RA for new products
• Determine the appropriate security level
• What security functions are needed

— RA in the end of development
• Costly and difficult to make changes

— Risk Assessment in Development

— Risk Assessment report
• Risk Identification
• Risk Rating (severity)
• Risk Treatment Plan

Identification, Mitigation, Verification

Security Assurance - PIA (Privacy Impact Assessment)

— Privacy Data Classification
• What types of data does the product handle

— Privacy Information flows

— PIA for XaaS

— Privacy impact report
• Description of the privacy impact (threats and related risks)
• Existing privacy design features
• Recommendations

Security Assurance - SC (Secure Coding)

— Secure Coding Standard

— Education
• Secure coding standard training for developers & testers
• Up to date developer (programming) training
• Continuous learning

— Static and Dynamic analysis

— Code review

— Secure Coding Report

Sprint flow (repeated per sprint): Sprint planning, Coding, Unit testing, review, delivery; followed by System build
• Training: SCS, CWE, OWASP, tools, ...
• Code analysis report

Security Assurance - VA (Vulnerability Assessment)

— Vulnerability Assessment (VA) normally done too late!

— VA in Continuous Integration/Continuous Delivery (CI/CD)

— Developers are the Key

— Function testing done during development
• Verifying Hardening

Documentation (SRM area: Documentation)

Documentation

Security User Guide: Describes the security operation and maintenance activities that can be performed for the product

Security Test report: Test Report for external communication

Hardening Guideline: Instruction of tailored hardening to be done during delivery

RA / PIA Report: Report of identified security and privacy risks for internal use

VA Report: Test Report for internal communication

Secure Coding Report: Describes the Secure Coding activities done during the development

Services (SRM area: Services)

Services

— Secure Deployment
— Consultancy
— Security Support
— Security aaS

Ericsson PSIRT

— Vulnerability Management
— Incident Response
— Security Support
— VA Methods & Tools

Reporting issues/vulnerabilities in Ericsson products: https://www.ericsson.com/en/about-us/enterprise-security/psirt

Vulnerability Management

Process elements: Communication, Development, Vulnerability Triage, Alert, Answer, Vulnerability Database, Product Registration

Conclusion - Next Steps

— SRM: Risk based approach

— Security awareness among developers is the key!

— Process transformation to be more lean & agile

— Improvement still needed on aaS ways of working

— Who to contact: [email protected]
