Mitigating Business Risks With Application Security
This talk was by Joe Jarzombek, Department of Homeland Security. Normally I wouldn’t go to a management-track session called something like this; when I looked at the program it was my third choice out of all three tracks. But James gave me a heads up that he had talked with Joe at dinner the previous night and that he was engaging and knew his stuff, and since there were plenty of other NI’ers there to cover the other sessions, I took a chance, and I wasn’t disappointed!
From a pure “Web guy” standpoint it wasn’t super thrilling, but with my National Instruments hat on, where we make hardware and software used to operate large hadron colliders and various other large-scale important stuff where you would be very sad if things went awry with it, and by sad I mean “crushed to death,” it was very interesting.
Joe runs the DHS National Cyber Security Division’s new Software Assurance Program. It’s a government effort to get this damn software secure, because it’s pretty obvious that events on a 9/11 kind of scale are more and more achievable via computer compromise.
They’re attempting to leverage existing standards and, much like OWASP’s approach with the Web security “Top 10,” they are starting out by pushing the CWE/SANS Top 25 (Common Weakness Enumeration) most dangerous software errors. What about the rest? Fix those first, then worry about the rest!
Movement towards cloud computing has opened up people’s eyes to trust issues. The same issues are relevant to every piece of COTS software you get as part of your supply chain! It requires a profound shift from physical to virtual security.
“We need a rating scheme!” Like food labels, for software. They’re thinking about it in conjunction with NIST and OWASP as a way to raise product assurance expectations.
He mentioned that other software areas like embedded and industrial control might have different views on the top 25 and they’re very interested in how to include those.
They’re publishing a bunch of pocket guides to try to make the process accessible. There’s a focus on supply chain risk management, including services.
Side note – don’t disable compiler warnings! Even the compiler vendors are working with the security folks on this. If you disable compiler warnings you’re on the “willful disregard” side of due diligence.
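To make the compiler-warnings point concrete, here is an added example of my own (not code from the talk or from DHS): a length check that compiles silently with warnings off but that gcc or clang flags under -Wall -Wextra -Wsign-conversion, beside the version that fixes it. The packet-length scenario, the MAX_LEN constant and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LEN 16   /* assumed buffer size for the example */

/* Vulnerable pattern: the length arrives as a signed int (say, parsed from a
 * packet header). "len > MAX_LEN" rejects large values but not negative ones,
 * and a negative int passed to memcpy's size_t parameter wraps to a huge size.
 * With warnings on, gcc -Wsign-conversion flags the memcpy call:
 * "conversion to 'size_t' from 'int' may change the sign of the result".
 * Silence that warning and the bug ships. */
int accepts_len_unsafe(int len)
{
    return !(len > MAX_LEN);   /* 1 = the copy would proceed */
}

int copy_unsafe(char dst[MAX_LEN], const char *src, int len)
{
    if (!accepts_len_unsafe(len))
        return -1;
    memcpy(dst, src, len);     /* int -> size_t: -1 becomes SIZE_MAX here */
    return len;
}

/* Fixed pattern: carry the length as size_t from the point it is parsed, so
 * no negative value exists and the comparison and memcpy all use one type.
 * This compiles cleanly under the same flags. */
int accepts_len_safe(size_t len)
{
    return len <= MAX_LEN;
}

int copy_safe(char dst[MAX_LEN], const char *src, size_t len)
{
    if (!accepts_len_safe(len))
        return -1;
    memcpy(dst, src, len);
    return (int)len;
}

/* Constructed input: a header field claiming a negative length, as an
 * attacker would send it. Returns 1 when the unsafe check lets it through
 * while the safe check, fed the same bits as an unsigned value, rejects it. */
int demo_negative_length(void)
{
    int wire_len = -1;
    return accepts_len_unsafe(wire_len) && !accepts_len_safe((size_t)wire_len);
}
```

The useful habit is to build with the warning set turned on and treat each new warning as a review item rather than something to suppress; the sign-conversion warning lands exactly at the line where the attacker-controlled value changes type.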
You need to provide security engineering and risk-based analysis throughout the lifecycle (plan, design, build, deploy) – that generates more resilient software products/systems.
- Plan – risk assessment
- Design – security design review
- Build – app security testing
- Deploy – SW support, scanning, remediation
They’re trying to incorporate software assurance programs into higher education.
Like Matt, he mentioned the Rugged Software Manifesto. Hearing this both from “OWASP guy” and “Homeland security guy” convinced me it was something that bore looking into. I like the focus on “rugged” – it’s more than just being secure, and “security” can seem like an ephemeral concept to untrained developers. “Rugged” nicely encompasses reliable, secure, resilient… I like it.
You can do the software assurance self-assessment they provide on their Web site to get started.
It was interesting, at times it seemed like Government Program Bureaucratese but then he’d pull out stuff like the CWE top 25 and the Rugged Software Manifesto – they really seem to be trying to leverage “real” efforts and help use the pull of Homeland Security’s Cyber Security Division to spread them more widely.