A holistic approach to ensure product security
Christer Stenhäll Ericsson PSIRT
2018-06-18 | Page 1

Agenda
— Ericsson at a glance
— Our perspective on Security
— SRM, this is how we do it
— PSIRT
— Vulnerability Management
— Conclusion – Next Steps
Ericsson at a glance
Enabling the full value of connectivity for service providers

Business areas:
— Networks
— Digital services
— Technology and emerging business
— Managed services

By the numbers:
— 180+ countries
— 201.3 b.SEK in sales
— 100,700 employees
— 45,000 patents

Image: Ericsson headquarters, Kista, Sweden
Our perspective on Security in the networked society
• services should always be available
• security should require minimum effort from users
• communications should be protected
• all access to information and data should be authorized
• manipulation of data in the networks should be possible to detect
• the right to privacy should be protected
Building Trust
Four layers; each layer NEEDS the one below it, and each layer ENABLES the one above it:
— TRUSTED BUSINESS: business decision to accept residual risks and manage unacceptable risks
— TRUSTED Operations: appropriate procedures for secure operations
— TRUSTED Network: sound, manageable security architecture
— TRUSTED Products: devices/nodes/products without exploitable vulnerabilities

Driving & contributing to improving standards
Security Reliability Model (SRM)
The SRM is built around Product Development and has four parts: Functions, Assurance, Documentation and Services.
Baseline Requirements & Design Rules
Baseline Security & Privacy Requirements
• both functional and non-functional requirements
Security and Privacy Design Rules
• how to implement the requirements
Security Functionality areas
Security functions are divided into 6 areas, based on defence in depth:
— Network Protection
  • confidentiality & integrity protection of O&M, server-side authentication
— Application Security
  • software signing, web application security
— Platform Security
  • malware prevention, trusted state and secure boot
— Identity and Access Management
  • enforce replacement of (default) passwords, support password aging
— Logging
  • full personal accountability, ability to log locally
— Data Protection
  • password protection, confidentiality and integrity of personal data
Security Reliability Model (SRM) – Security Assurance
Security Assurance levels
— Tailored Assurance: products with special security requirements
— Advanced Assurance: products with need of a high security level
— All Ericsson products: all mandatory assurance items and the basic security functionality
Security Assurance
Assurance activities:
— Risk Assessment
— Privacy Impact Assessment
— Secure Coding
— Vulnerability Assessment
— Vulnerability Management
— Hardening
Security Assurance – Risk Assessment (RA)
— RA for new products
  • determine the appropriate security level
  • determine what security functions are needed
— RA only at the end of development
  • costly and difficult to make changes at that point
— Risk Assessment in development: Identification – Mitigation – Verification
— Risk Assessment report
  • risk identification
  • risk rating (severity)
  • risk treatment plan
Security Assurance – Privacy Impact Assessment (PIA)
— Privacy data classification
  • what types of data does the product handle
— Privacy information flows
— PIA for XaaS
— Privacy impact report
  • description of the privacy impact (threats and related risks)
  • existing privacy design features
  • recommendations
Security Assurance – Secure Coding (SC)
— Secure Coding Standard
— Education
  • secure coding standard training for developers & testers
  • up-to-date developer (programming) training
  • continuous learning
— Static and dynamic analysis
— Code review
— Secure Coding Report

Sprint cycle (repeated every sprint): sprint planning → coding → unit testing → review → delivery, with a system build between sprints.
Input: training (SCS, CWE, OWASP, tools, ...). Output: code analysis report.
Security Assurance – Vulnerability Assessment (VA)
— Vulnerability Assessment (VA) is normally done too late!
— VA in Continuous Integration/Continuous Delivery (CI/CD)
— Developers are the key
— Function testing done during development
  • security testing
  • verifying hardening
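Verifying hardening as a CI/CD step, as an added example that is not from the original deck and not Ericsson's tooling: the script parses an sshd_config-style file (two constructed samples are embedded) and compares it with an illustrative baseline; the directives and accepted values in the baseline are assumptions standing in for a product's Hardening Guideline. It returns findings a pipeline step can fail on, and it handles one edge case that manual hardening reviews miss: sshd uses the first value of a repeated directive, so a "hardened" line appended at the end of the file does not change the effective setting.

```python
"""Hardening verification as a CI/CD gate (added example, not Ericsson tooling).

Parses an sshd_config-style text and compares it with a hardening baseline.
The baseline values and the two sample configs are constructed for this
example; a real baseline comes from the product's Hardening Guideline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Illustrative baseline (assumed): directive, lower-cased -> acceptable values.
BASELINE: Dict[str, Set[str]] = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
}

# Directives that must be stated explicitly, so the build does not silently
# depend on sshd's compiled-in defaults (which differ between OpenSSH versions).
REQUIRED: Set[str] = {"permitrootlogin", "passwordauthentication", "permitemptypasswords"}

# sshd accepts "Keyword value" as well as "Keyword=value".
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


@dataclass(frozen=True)
class Finding:
    directive: str
    observed: str   # "<missing>" when the directive is absent
    expected: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings.

    Two sshd rules that matter for verification:
    - for each keyword the FIRST value wins, so a hardened line added at the
      end of the file does not override an earlier weak one;
    - directives after the first 'Match' line are conditional, so only the
      lines before it are treated as global settings here.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def check_hardening(text: str) -> List[Finding]:
    """Compare a config against BASELINE; an empty list means compliant."""
    observed = parse_sshd_config(text)
    findings: List[Finding] = []
    for directive, allowed in BASELINE.items():
        expected = "/".join(sorted(allowed))
        value = observed.get(directive)
        if value is None:
            if directive in REQUIRED:
                findings.append(Finding(directive, "<missing>", expected))
        elif value.lower() not in allowed:
            findings.append(Finding(directive, value, expected))
    return findings


def ci_exit_code(text: str) -> int:
    """0 = pass, 1 = fail: what a pipeline step would return."""
    return 0 if not check_hardening(text) else 1


# Constructed sample: a typical pre-hardening configuration.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
# Appended later "to harden": ignored by sshd, an earlier line already set it
PasswordAuthentication no
"""

# Constructed sample: the same host after applying the baseline.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: exit code {ci_exit_code(cfg)}")
        for f in check_hardening(cfg):
            print(f"  {f.directive}: observed {f.observed}, expected {f.expected}")
```

Running the file prints the findings for both samples; `ci_exit_code` is the value a pipeline step would return to fail the build. Settings inside `Match` blocks are conditional and are deliberately not checked by this global-scope check.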
Security Reliability Model (SRM) – Documentation

Documentation
— Security User Guide: describes the security operation and maintenance activities that can be performed for the product
— Security Test Report: test report for external communication
— Hardening Guideline: instructions for the tailored hardening to be done during delivery
— RA / PIA Report: report of identified security and privacy risks, for internal use
— VA Report: test report for internal communication
— Secure Coding Report: describes the secure coding activities done during the development
Security Reliability Model (SRM) – Services

Services
— Secure Deployment
— Consultancy
— Security Support
— Security aaS (security as a service)
Ericsson PSIRT
PSIRT areas: Vulnerability Management, Incident Response, Security Support, VA Methods & Tools

Reporting issues/vulnerabilities in Ericsson products: https://www.ericsson.com/en/about-us/enterprise-security/psirt
Vulnerability Management
Building blocks of the process (from the slide's flow diagram):
— Product Registration
— Vulnerability Database
— Vulnerability Triage
— Alert
— Answer
— Development
— Communication
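The triage step, as an added example that is not Ericsson's PSIRT process or tooling: product registrations carry the component/version pairs each product release ships, the vulnerability database carries advisories with affected version ranges, and triage produces one alert per affected product and component, ordered by severity so the most urgent answer is prepared first. All products, components, versions and advisory identifiers below are constructed placeholders. Beyond the slide, it also shows why versions must be compared numerically rather than as strings, a mistake that silently drops or adds alerts.

```python
"""Vulnerability triage: registered products matched against a vulnerability DB.

Added example, not Ericsson PSIRT tooling. A product registration records
which third-party components (name, version) a product release ships; the
vulnerability database holds advisories with affected version ranges.
All data and identifiers below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10).

    Numeric comparison matters: as strings '1.2.10' < '1.2.5' is True, which
    would mark a fixed version as affected (or the reverse). Assumes dotted
    integer versions; a real feed needs per-ecosystem version rules.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None = unfixed
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass(frozen=True)
class ProductRegistration:
    product: str
    release: str
    components: Tuple[Tuple[str, str], ...]   # (component, version) pairs


@dataclass(frozen=True)
class Alert:
    advisory_id: str
    severity: str
    product: str
    release: str
    component: str
    version: str


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def triage(advisories: Iterable[Advisory],
           registrations: Iterable[ProductRegistration]) -> List[Alert]:
    """Cross every advisory with every registered component; most severe first."""
    regs = list(registrations)
    alerts: List[Alert] = []
    for adv in advisories:
        for reg in regs:
            for component, version in reg.components:
                if component.lower() == adv.component.lower() and adv.affects(version):
                    alerts.append(Alert(adv.advisory_id, adv.severity, reg.product,
                                        reg.release, component, version))
    alerts.sort(key=lambda a: (SEVERITY_RANK.get(a.severity, len(SEVERITY_RANK)),
                               a.advisory_id, a.product))
    return alerts


# Constructed vulnerability database (placeholder identifiers).
ADVISORIES = [
    Advisory("ADV-2018-0001", "libfoo", "1.0.0", "1.2.5", "high"),
    Advisory("ADV-2018-0002", "libbar", "2.0.0", None, "critical"),
    Advisory("ADV-2018-0003", "libbaz", "3.1.0", "3.1.2", "medium"),
]

# Constructed product registrations.
REGISTRATIONS = [
    ProductRegistration("Node A", "18.Q2", (("libfoo", "1.2.10"), ("libbar", "1.9.9"))),
    ProductRegistration("Node B", "18.Q1", (("libfoo", "1.2.4"), ("libbar", "2.3.0"),
                                            ("libbaz", "3.1.2"))),
]

if __name__ == "__main__":
    for a in triage(ADVISORIES, REGISTRATIONS):
        print(f"[{a.severity}] {a.advisory_id}: {a.product} {a.release} "
              f"ships {a.component} {a.version}")
```

Node A's libfoo 1.2.10 is correctly left alone (it is past the 1.2.5 fix), which a string comparison would have flagged; Node B gets two alerts, the unfixed critical one first.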
Conclusion – Next Steps
— SRM: a risk-based approach
— Security awareness among developers is the key!
— Process transformation to be more lean & agile
— Improvement still needed on aaS ways of working
— Who to contact: [email protected]