C-MIST SDL managing and reducing risk of sensitive pii disclosure


Absorb what is useful, disregard what is not, add what is uniquely your own.

-Bruce Lee

Preamble:

Did you know consumer software is two and a half times more likely to be attacked? To help make the Internet safer, how about some examples on how to make software more secure? This February 7th, we are sharing one of our presentations on building secure software.

Some years ago I had the pleasure of working with the great staff at the DisabilityAlliance organization in British Columbia. We put together a digital card for use in the Emergency Preparedness Program. This is the security development lifecycle presentation.

In general, it’s easier to protect an asset the closer protection is provided. Unnecessary complexity is a threat to good security. Security solutions designed for one environment may not be transferable to work in another. Ergo it is important to understand the limitations of any security solution.

INSERT MIC FOR INTRO

SDL-> NGO Requirements

SDL Process: alignment between SDL practices and HIPAA Security Rules. HIPAA is heavily focused on the management of risk. There have been recent changes in the management of IT risk with the release of the Information Security Forum (ISF) Risk Assessment Methodology and the RiskIT Framework from NIST and ISACA.org, which provides a systematic way to identify, codify, and manage IT-related risk.

C-MIST: Functional Needs Framework

The Functional Needs Framework looks at the needs that people with disabilities will have in an emergency.

There are many people who do not identify as “a person with a disability,” but will have needs in one or more of the functional areas.

Having a completed C-MIST tile allows a fast identification and response to identified needs. First responders plan, respond and initiate recovery in comprehensive ways relative to people’s functional needs.

Why a Specific PII SDL for C-MIST?

1. The British Columbia Coalition of People with Disabilities is a Non-Governmental Organization. C-MIST is an excellent response for people with disabilities as part of Emergency Preparedness.

2. Completed C-MIST tiles contain Level III Sensitive Personally Identifying Information.

3. Many options are available for data protection on the Windows Phone 7 platform: which works best for C-MIST Sensitive PII?

MANAGING AND REDUCING RISK OF SENSITIVE INFORMATION DISCLOSURE ON WINDOWS PHONE 7

C-MIST PII SDL

C-MIST contains Level III Sensitive PII.

Communication

Medical

Independence

Supervision

Transportation

SDL PII Solution for C-MIST Software on Windows Phone 7 Platform.

Remember, numbers can be rescinded and new ones issued, but once PII is disclosed: there is no putting that cat back in the bag.

The UI contains sensitive PII, but there is no further identifying information. An old trick is to separate the areas of concern. Identifying information such as name, number and address is readily available on the device. However, the User makes the decision to self-disclose more information.

The date box shows the most recent interaction in the textbox of Communication Needs, and first responders can gauge the “freshness” of the information.

Risk is significantly reduced when the User keeps control of disclosure.

But more can be done…

Further reducing PII disclosure…

Implement and develop using managed code: take full advantage of .NET security features.

Use Mature Ratings for access.

Reduce the attack surface of the program. Only the user has access. Rather than one big loopy program, have a selection of tiles. Let the user decide and choose which tile/s are most appropriate for their functional needs.

Use Isolated Storage for User data storage and critical parts of the program.

To prevent unauthorized access, slave to the Operating System: if re-installed either by remote swipe or servicing, the program and user information are deleted.

Buffer Overflow/Underflow: appropriate checks.

Tampering and Repudiation: provide time stamping when changes are detected in the C-MIST textbox.

Provide a “help and how to” button. Provide notice and consent by means of appropriate asset and software licensing.

Provide a “help and about” button, traditionally how to use the software. What I think would be most useful is how to get out alive and extend the help to others.
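A sketch of how the storage items above could fit together on Windows Phone 7, added here as an illustration and not taken from the C-MIST application itself. The class name `CmistTileStore`, the file naming and the 2000-character limit are assumptions; the Isolated Storage calls are the standard .NET ones.

```csharp
using System;
using System.Globalization;
using System.IO;
using System.IO.IsolatedStorage;

// Hypothetical helper: one file per C-MIST tile in the app's Isolated Storage.
// The record holds only the needs text and a change timestamp; name, number
// and address are deliberately never written alongside it.
public static class CmistTileStore
{
    private const int MaxTextLength = 2000; // assumed limit for a tile textbox
    private static readonly string[] Tiles =
        { "Communication", "Medical", "Independence", "Supervision", "Transportation" };

    // Saves the tile text and returns the timestamp to show in the date box.
    public static DateTime Save(string tile, string needsText)
    {
        // Input checks: known tile names only (no caller-supplied paths), bounded text.
        if (Array.IndexOf(Tiles, tile) < 0) throw new ArgumentException("Unknown tile.");
        if (needsText == null || needsText.Length > MaxTextLength)
            throw new ArgumentException("Tile text missing or too long.");

        string path = tile + ".tile";
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        {
            // Re-stamp only when the text really changed, so the date keeps
            // reflecting the "freshness" of the information.
            if (store.FileExists(path))
            {
                using (var reader = new StreamReader(
                    store.OpenFile(path, FileMode.Open, FileAccess.Read)))
                {
                    DateTime oldStamp;
                    bool ok = DateTime.TryParse(reader.ReadLine(),
                        CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out oldStamp);
                    if (ok && reader.ReadToEnd() == needsText) return oldStamp;
                }
            }
            DateTime now = DateTime.UtcNow;
            using (var writer = new StreamWriter(
                store.OpenFile(path, FileMode.Create, FileAccess.Write)))
            {
                writer.WriteLine(now.ToString("o", CultureInfo.InvariantCulture));
                writer.Write(needsText);
            }
            return now;
        }
    }
}
```

Because the files live in the application's Isolated Storage, they are removed together with the application when it is uninstalled.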

Release and Response Plan

Maturity Model – holistic and multilevel approach

Release Archive Processes – integrated into the Business Operations Framework

To successfully respond to incidents, you need to:

Minimize the number and severity of security incidents.

Define an incident response plan -> built on the need for trust.

Contain the damage and minimize risks -> need for trust and EULA.

Have a partner who has experience at this and can guide the response. Use approved tools for remote swipe.

Remember – we made it AND we can delete it.

Used in Guidance

Windows Secure Development Lifecycle

Jericho Forum: delivering a de-perimeterized vision

National Institute of Standards and Technology Special Publication 800-124

Content provided through “Fair Use Protocols” and remains the property of their respective owners.

For the love of the DUCK!