Information Security & Quality Assurance - Matunda · Information Security & Quality Assurance...
Security, Identity & Privacy Services
© Copyright IBM Corporation 2005
IBM Global Services
Information Security & Quality Assurance
Realities & Challenges
Matunda Nyanchama, CISSP, PhD
Delivery Leader, SI&P Services
IBM Global Services, Canada
Keynote Speech made at the 2005 Annual Quality Assurance Conference of the Kitchener-Waterloo Software Quality Association, April 20, 2005
Software Insecurity & Quality Assurance – Realities & Challenges 2
Security, Identity & Privacy, IBM Global Services, Canada
Matunda Nyanchama – Short Bio
Delivery Leader: Security, Identity & Privacy Delivery, IBM Global Services (CAN)
Experience:
- 10+ years in Information Security: consulting, financial services and security product development
- 7+ years in telecommunication engineering
Formerly of: Moneris Solutions, Bank of Montreal Financial Group, Intellitactics Inc., Ernst & Young LLP & Kenya Posts & Telecommunications Corporation (Kenya)
Certified Information Security Professional (CISSP)
MSc. & PhD, Computer Science (UWO)
BSc Electrical Engineering, University of Nairobi, Kenya
e-mail: [email protected]
Agenda
Background
Realities – Food for Thought
Software Insecurity & Quality Assurance
Software Security – the challenges
- The Profession
- The “Great Divide”
- The Economics of Information Security
- The Regulations
Background
Information Security – Some Definitions
Confidentiality – to prevent improper disclosure, accidental or otherwise, of sensitive information
Integrity – to protect against deliberate or accidental modification of information
Availability – to protect against unavailability of information to authorized users where & when they need it
Other related terms:
Privacy – ensuring the protection of personal information and its use based on the owner’s consent
Realities – Food for Thought
Information Security Risks & Potential Impacts
Risks
- Unauthorized disclosure of information
- Violation of privacy
- Unauthorized modification of information
- Denial of service
http://www.it.isy.liu.se/studentinfo/TSIT84/Risk_analysis.pdf
Direct Business Impact Losses
- Loss of productivity
  - The time spent by technical personnel to contain & repair incident damage, and restore service
  - Downtime for personnel dependent on the impacted systems’ availability to conduct business
Indirect Business Impact Losses
- Loss of reputation
- Compliance penalties
- Potential liabilities
Sample Headlines
- Have hackers recruited your PC? - BBC, April 2005
- Hackers target SA universities - 08/08/2003 10:08 (SA)
- Security Drives Spending On Data And Hosting Services - July 15th 2003
- Hacker causes havoc for websites – BBC 2003
- Hackers threaten news sites' Integrity - By Craig Saila, September 21, 2001
- Oracle, Microsoft Warn of Database Flaws - By Lisa Vaas, July 24, 2003
- Security Alert: DB2 Flaws Surface - By Larry Seltzer, October 5, 2004
- MySQL Criticized in Wake of MySpooler Worm - By Lisa Vaas, February 4, 2005
- Exploits Circulating for MySQL Flaws - By Ryan Naraine, March 11, 2005
- Trojan Masquerades as Microsoft Security Update - By Ryan Naraine, April 11, 2005
The Threat of Terrorism
“It is very important to concentrate on hitting the US economy through all possible means. …look for the key pillars of the US economy. The key pillars of the enemy should be struck…” Osama Bin Ladin, Leader of al-Qaida, 12/27/01
Source: “Security in the Information Age: New Challenges, New Strategies”, Joint Economic Committee, United States Congress
Terrorists will look for weaknesses they can exploit
The Interconnected Societies: the critical Infrastructure
[Figure: layered model of the critical infrastructure.
Common layers: Geographical Map Layer (geo-political boundaries); Terrain Layer (elevation); Feature Layer (land use, cities, buildings, towers); Physical Backbone Layer (cables, fiber routes, satellites); Transport Services Layer (SONET rings, ATM, PSTN); Telecom Services Layer (Internet, data, voice, fax).
Sector-dependent layers: Control Layer, Technical Application Layer and Operations Layer, shown for the Telecom, Utilities, Financial, Gov and Health Care sectors. Entries include: billing & resource planning; load balancing; reliability; SS7; SCADA; grid/pipeline monitoring & control; billing & payment; Internet banking; financial services utilities; stock/financial exchanges; POS terminals; ATMs; billing; administration; diagnostics; electronic records; hospitals, labs & clinics; pharmacies; HL7; legislation; taxation; law and order; secure channels; provincial and federal services.]
Source: Between Chaos and Order. Emerging Risks in Organizations by Robert Garigue, BMOFG
A Porous/Leaky Infrastructure
[Figure labels: WAN; LAN; Routers & Circuits; Telephony; Firewalls & Switches; Servers; User: Head Seat, Desktop, Laptop, Phone, PDA, LMR]
Source: An Industry Partnership - Survival Guide. A TSA Case Study - FCW 1st Annual Program Manager Summit - 2003
The Cost of Insecurity – Expenditure per Employee
Source: 2004 CSI/FBI Computer Crime and Security Survey
Substantial sums of money are spent addressing insecurity
$ Losses by Type
Source: 2004 CSI/FBI Computer Crime and Security Survey
Highest degree of losses associated with virus attacks
Malware-related Costs
Source: Trend Micro/NetScreen, “Virus Protection Across the Enterprise”, Nov 2003
Increasing Costs of Security
Source: "Weathering the Sea-State Change in Cybersecurity" By Richard Clarke
Some estimates suggest up to a 12-fold yearly increase in security costs to businesses
Identity Theft – Industry Numbers
According to Statistics Canada, there were close to 9000 identity theft complaints, estimated to have caused more than $14 billion in losses, compared with 8000 complaints with estimated losses of $9 billion in 2003.
Identity Theft Complaints & Losses

| Province | Victims (2002) | $ Loss (2002) | Victims (2003) | $ Loss (2003) |
|---|---|---|---|---|
| ON | 4028 | $5,643,102.19 | 3874 | $9,085,468.61 |
| BC | 1042 | $912,680.40 | 1206 | $925,418.84 |
| AB | 635 | $593,599.25 | 724 | $806,745.84 |
| MB | 196 | $165,953.92 | 133 | $165,565.52 |
| SK | 106 | $54,747.82 | 125 | $289,478.41 |
| UNKNOWN | 144 | $1,235.00 | 50 | $13,842.66 |
| NB | 131 | $130,455.19 | 119 | $219,119.47 |
| NS | 185 | $138,932.62 | 139 | $84,569.68 |
| NF | 46 | $24,855.20 | 61 | $84,015.56 |
| PE | 16 | $2,183.42 | 10 | $2,150.00 |
| NT | 2 | $0 | 1 | $0 |
| QC | 1644 | $1,160,533.44 | 2372 | $2,428,490.31 |
| YT | 2 | $0 | 1 | $0 |
| NU | 1 | $1,100.00 | 2 | $3,000 |
| TOTALS | 8178 | $8,829,378.45 | 8817 | $14,107,864.90 |

Source: Statistics Canada, http://www.phonebusters.com/Eng/Statistics/idtheft_canada_stats_2002.html
Indicators and warnings
External environment: the rates of evolutions
Hackers, script kiddies
Industrial espionage, cyber-terrorists
Competitors, suppliers
16 new malware products launched every day: viruses, worms, trojan horses, spyware etc
7 new vulnerabilities discovered every day
20 minutes guaranty
Probes against Financial Institutions web sites launched every 6 seconds
Social engineering is on the rise: People are the weak link
Source: Between Chaos and Order. Emerging Risks in Organizations by Robert Garigue, BMOFG
Software Vulnerabilities Realities - I
Software vulnerabilities are a reality of life; cannot demonstrate that a piece of code is error-free; we test for known vulnerabilities
SE practices emphasize functionality over safety and security
SE is labour intensive; hence prone to human error
The need to cut software development expenses impacts formal design, verification and testing
Software Vulnerabilities – A reality of Life - II
Time to market pressures impact negatively on comprehensive secure specification, design, implementation and testing
Up to 50% of security-related attacks relate to flaws in software development
- Examples: input and access validation errors (Wei Li)
Module reuse amplifies error impacts whenever a faulty module is reused
Software Insecurity – The Facts
- Security exploits are due to software flaws
- For each exploit, there is a root cause
- Causes can be prevented
- Prevention is always better than cure
- A substantial degree of prevention can be realized with quality assurance
- Build security into the SDLC and ensure it is a component of quality assurance
Exploiting Vulnerabilities

• Credit card fraud
• Source Code Reengineering
• Bank Account fraud
• Extortion
• Identity Theft
• Vandalism
• Etc.

• IP Spoofing
• Trojan logons
• Packet relaying
• Social engineering
• Packet modification
• Stealing password files/cracking/Sniffing
• Electronic Harassment of personnel
• Probing for new vulnerabilities
• Prediction of Sequences
• Manipulation of data
• Denial of services
• Worms/virus/Trojans
Software Insecurity & Quality Assurance
Software Quality
Software quality affects, and is affected by, all aspects of the SDLC, including specification, design, development, support, revision, and maintenance.
Quality Assurance covers all activities from requirements specifications, design, development, testing, production, installation, maintenance and documentation.
Software quality attributes include usability, functionality, performance, reliability, efficiency, safety, security, maintainability, and portability.
A general rule of quality assurance: do it right first time
Some Misconceptions About Application Security
Building security as a common service, external to the application
- This architecture does not work well. May address a large portion of the requirements, but every application is inevitably different
- Content protection often not addressed
- Seldom sufficiently comprehensive (e.g. what about the database?)
“Application Security is very expensive…”
- Customers understand the cost/benefit of quality. Need a way to quantify cost/benefit of security
- What is the cost of a “stressful event” vs. the cost to prevent it?
Security is another type of quality attribute. Integration of security methods and activities within quality assurance means that in most cases, security will represent relatively small incremental costs.
Source: Sharon Hagi, Engineering e-Business Applications for Security, Whitepaper, IBM Canada Ltd
Designing for Security – Pervasive Scope.
Source: Sharon Hagi, Engineering e-Business Applications for Security, Whitepaper, IBM Canada Ltd
The Cost of Quality - Corrective Action vs Failure
Corrective action is paid for once, whereas failure to take corrective action may be paid for over and over again.
Source: L.Daniel Crowley Introduction to Cost of Quality. IDX Seattle
Cost of Fixing a Bug
[Figure: plot of the cost of fixing a bug against the stage in the SDLC]
Dealing with Security Flaws
Understand the value of software flaw reduction
Define strategy for reduction of software flaws, with a view to minimizing them;
Invest in proper quality assurance that includes security considerations throughout the SDLC
Continuously evaluate process effectiveness to gain further improvements
Delivery Plan - Integrated Application Security Model
[Figure labels: Enterprise Security Program; Global Services Methods; System Development Life Cycle: Design (High/Low), Development, Integration, Implementation, Testing, Maintenance; Application Secure Process Development; Application Security Architecture; Application Security Process Review; Application Security Solution Design; Application Security Controls Review; Application Security Risk Review; Application Security Testing (Hacking); Application Code Security Review; Infrastructure Hacking; Application Framework; Network, HW, Storage; OS, Java, Virtual Machine; Architecture; Learning Services; Intelligence Service]
Source: Sharon Hagi, Engineering e-Business Applications for Security, Whitepaper, IBM Canada Ltd
The Challenges
Application Insecurity - a Multi-headed “Monster”
Software Engineering Practitioners
- Software Engineering Education
- Software Engineering Profession
Software Engineering Process
- Security as integral to quality assurance in the SDLC
- Total Quality Assurance
Software Engineering Industry Culture
- Vendor Accountability
Quality Assurance Tools
- To support efficient/effective quality assurance practices/processes
The Law & Public Accountability
- Compliance legislation, e.g.
  - Canadian Bill C-198 & the Sarbanes-Oxley (SOX)
  - GLBA
  - HIPAA
  - State of California Privacy Legislation (SB 1386)
Towards Secure Software – An Approach
- Fix the Profession
- Bridge the “Great Divide”: security & IT processes
- Economics of Information Security
- Appropriate Regulations
Fixing the Software Engineering Profession
Software Engineering Education
Education with emphasis on:
- Not just effective technical solutions but also economic, social & legal concerns
- Ethical conduct and social responsibility
- Continuous learning culture
Example from IEEE-CS/ACM Joint Task Force on Computing Curricula:
…
3. Reconcile conflicting project objectives, finding acceptable compromises within limitations of cost, time, knowledge, existing systems, and organizations.
4. Design appropriate solutions in one or more application domains using software engineering approaches that integrate ethical, social, legal, and economic concerns.
The Software Engineering Profession
Compare & Contrast: an engineer vs a software engineer
- Engineers have to undergo a common body of knowledge to qualify as engineers; not so for software engineers
- Engineers have to be certified before being licensed to practice – not so for programmers
- A faulty building/bridge design would impact public safety; in SE a company could lose millions or people could be hurt
- An engineer can be held liable for failure to observe standard engineering practices – not obvious for the software engineers
Software Engineering Code of Ethics
1. Public - Software engineers shall act consistently with the public interest.
2. Client & Employer - Software engineers shall act in a manner that is in the best interests of their client and employer consistent with the public interest.
3. Product - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
4. Judgment - Software engineers shall maintain integrity and independence in their professional judgment.
5. Management - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
6. Profession - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
7. Colleagues - Software engineers shall be fair to and supportive of their colleagues.
8. Self - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.
Source: Software Engineering Code of Ethics and Professional Practice.
The Great Divide!
The Security Challenge: Alignment
The Digital Divide: two solitudes, in virtual isolation
[Figure labels, in the order extracted: Project assessment. Security services: Anti-Virus; Patches; Vulnerability Assessments; Incident management; Intrusion detection; Application security; Access management; Key management; Firewall rules; Availability. IT processes: Application development; Architecture; Problem management; Incident management; Change management; Service level; Configuration; Capacity; IT Service continuity]
Source: Between Chaos and Order. Emerging Risks in Organizations by Robert Garigue, BMOFG
The Great “Divide” – Gem of Hope
An Integrated Risk Management Approach
The objective is to lower the overall risk through capability maturity framework integration
Bus. Req. Design Development Operations Implementation
ITIL SEI CMM ISO Project ISO 17799
Risk Management through Maturity Framework alignment
Organizational focus
Information and technical Architecture
Source: Between Chaos and Order. Emerging Risks in Organizations by Robert Garigue, BMOFG
The Plan-Do-Check-Act Cycle
Development, Maintenance & Improvement of a Vulnerability Management Program
- PLAN: Establish a Vulnerability Management Program
- DO: Implement Vulnerability Management Program
- CHECK: Monitor & Continuously Review Program Performance
- ACT: Maintain & Improve Vulnerability Management Program
Lessons & Industry Leading Practices: continuously learn and adopt industry leading practices
Source: M. Nyanchama. Enterprise Vulnerability Management. To Appear in Information Systems Security
The Economics of Information Security
Security as an Externality – A reality of Life
Vulnerabilities are a negative externality
- Polluters will go on producing pollution until the costs to the polluter outweigh the benefits.
- Those who abuse personal data will go on until the costs to the abuser outweigh the benefits.
Secure systems offer positive externalities
- Lojack causes neighborhood auto theft to go down because it is not detectable
- High levels of trust increase Internet use and value
Source: Jean L. Camp. Economics of Information Security
Vulnerabilities are a negative externality
- Vendors will continue producing insecure applications until the costs to them outweigh the benefits
- Software engineers will continue writing insecure code until the costs to the engineers outweigh the benefits
- Hackers will continue attacking insecure systems until the costs to the hackers become prohibitive
Secure systems offer positive externalities
- Secure systems would cause system attacks to fall to undetectable levels
Gems of Hope
Microsoft
- The publication and launch of the Trustworthy Computing Initiative
- Internal focus on secure coding awareness and training
- Launch of security certification & risk assessment services
The Law!
- State of California privacy legislation SB 1386: legally obligated to inform clients of privacy breaches
- SEC Sarbanes-Oxley (SOX): ensuring strength in internal controls to ensure accuracy of financial statements
- Others: HIPAA, GLBA, and the Basel II Accord
ACM/IEEE-CS Code of ethics
ACM/IEEE-CS curriculum
ACM/IEEE-CS Certification
Summary
Software insecurity has real costs to
- The individual
- Businesses
- Society – opportunity cost/critical infrastructure
Quality Assurance has a major role to play
- Incorporate security in the SDLC as a component of QA
Other challenges
- Appropriate education in preparation for software engineering careers
- Fixing the profession of Software Engineering, including certification, licensing and self-regulation
- Removing the divide between security practitioners and IT processes
- Proper legal process and vendor accountability
- Getting the economics of insecurity right!
Food for Thought
Running a company by profit alone is like driving a car by looking in the rearview mirror. It tells you where you’ve been, not where you are going! - Dr. E. Deming
“One resists the invasion of armies; one does not resist the invasion of ideas,” which is often paraphrased as: “There is one thing stronger than all the armies in the world, and that is an idea whose time has come.” – Victor Hugo (Source: Histoire d'un Crime (History of a Crime), written 1852, published 1877)
“You can take the cattle to the watering hole; you cannot make them drink” – one Gusii Wisdom
Question?
Abstract
Security breaches make headlines on an ongoing basis while companies lose valuable time and incur losses in responding to security incidents following the exploitation of software flaws. According to the 2004 CSI/FBI Computer Crime and Security Survey, viruses caused industry-wide losses of more than $55 billion. In 2003 worldwide losses of $1.1 billion (see Computer Economics) were attributed to the SoBig malware. These are some of the reported losses. Risks associated with security flaws are much larger and will likely increase with the growth of electronic commerce and software-controlled systems. Be it in healthcare, transportation, energy, aviation or other critical infrastructures, production of secure software is key. This has focused attention on application security and the means of building security into the systems development life cycle. With respect to quality assurance, security comes as a natural extension, and building it early in the SDLC and making it an element of total quality assurance in development will assure reduced risks and save retrofitting costs. This talk will focus on the necessity for secure software development. The need for accountability and governance in software development and quality assurance will be discussed. We will talk about the role of professionals and the need for (a) more encompassing education, (b) ethical conduct and (c) accountability. We will share war stories and compare examples from professions such as engineering and medicine.
References
- Wei Li. Security Model for Open Source Software. http://www.cs.helsinki.fi/u/campa/teaching/oss/papers/wei.pdf
- Fred Cohen. Risk Management: Concepts and Frameworks. The Burton Group, Directory and Security Strategies. July 18, 2003.
- Noopur Davis et al. Processes for Producing Secure Software, a Summary of the US National Cybersecurity Summit Subgroup Report. IEEE Security & Privacy, Volume 2, Number 3, May/June 2004.
- IEEE-CS/ACM Joint Task Force on Software Engineering Ethics and Professional Practices. Software Engineering Code of Ethics and Professional Practice. Jointly approved by the ACM and the IEEE-CS. See http://www.computer.org/certification/ethics.htm
- IEEE-CS/ACM Joint Task Force on Computing Curricula. Software Engineering 2004. Curriculum Guidelines for Undergraduate Degree Programs in Software Engineering. A Volume of the Computing Curricula Series. August 23, 2004; http://sites.computer.org/ccse/SE2004Volume.pdf
- Engineering Principles for IT Security - A baseline for achieving security; Recommendations of the National Institute of Standards and Technology (NIST).
- The National Strategy to Secure Cyberspace; http://www.whitehouse.gov/pcipb/
- An Industry Partnership - Survival Guide. A TSA Case Study - FCW 1st Annual Program Manager Summit 2003
- Jean L. Camp. Economics of Information Security
- Sharon Hagi. Engineering e-Business Applications for Security, Whitepaper, IBM Canada Ltd.
- L. Daniel Crowley. Introduction to Cost of Quality. IDX Seattle; www.sasqag.org/pastmeetings/CostOfQuality.ppt
- John Earles. Software Engineering - Myth or Reality?; www.cbd-hq.com/articles/2000/000515je_softwareengineering.asp
- Kenneth H. Newman. Application Security - Attackers Won’t Stop at the Firewall (Why should you).
- Matunda Nyanchama. Enterprise Vulnerability Management. To Appear in Information Systems Security