Scribd Logo
Upload

Welcome to Scribd!

  • Build It Right Build It Secure - Cert Presentation (1999)

    Uploaded by

    Dhruv Jain
    25 views26 pages
    The document discusses implementing security at various stages of the software development lifecycle. It recommends implementing security earliest in the concept exploration phase, followed by requirements, design, development, and operations. Implementing security during maintenance is least effective as it occurs after deployment when problems are discovered. The document provides examples of tools and resources for implementing security at each phase of development. It emphasizes that process is important and considering security from the beginning leads to the lowest implementation costs.

    Original Description:

    Uploaded by Hack Archives - http://undergroundlegacy.co.cc -

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses implementing security at various stages of the software development lifecycle. It recommends implementing security earliest in the concept exploration phase, followed by requirements, design, development, and operations. Implementing security during maintenance is least effective as it occurs after deployment when problems are discovered. The document provides examples of tools and resources for implementing security at each phase of development. It emphasizes that process is important and considering security from the beginning leads to the lowest implementation costs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    25 views26 pages

    Build It Right Build It Secure - Cert Presentation (1999)

    Uploaded by

    Dhruv Jain
    The document discusses implementing security at various stages of the software development lifecycle. It recommends implementing security earliest in the concept exploration phase, followed by requirements, design, development, and operations. Implementing security during maintenance is least effective as it occurs after deployment when problems are discovered. The document provides examples of tools and resources for implementing security at each phase of development. It emphasizes that process is important and considering security from the beginning leads to the lowest implementation costs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    of 26

    Build It Right; Build It Secure

    Tom Neff
    USAF
    Software Engineer &
    Process Improvement Specialist
    •CERT Conference ‘99
    The Perfect Solution...

    CERT Conference ‘99 2


    ...How Secure Is It?...

    CERT Conference ‘99 3


    ...Absolutely Impenetrable!!!...

    CERT Conference ‘99 4


    ...The Problem...

    We need to
    communicate with
    the world to do our
    CERT Conference ‘99
    jobs. 5
    ...The Solution...

    CERT Conference ‘99 6


    …The BIGGER Problem...

    CERT Conference ‘99 7


    ...The REAL Solution.

    CERT Conference ‘99 8


    Let’s Cover...
    • A quick review of a typical product development
    lifecycle
    • Where are folks CURRENTLY implementing
    security procedures?
    • Where SHOULD you implement security?
    • What can you do to decrease your cost for IT
    security?
    • How can you make your IT security program more
    effective?
    CERT Conference ‘99 9
    Typical Product Development

    • Explore a concept
    • Determine what the requirements are
    • Turn the requirements into a valid design
    • Convert the design into a viable product
    • Put the product to daily use
    • Perform maintenance as needed

    CERT Conference ‘99 10


    Where does security get implemented?

    • Concept Exploration?
    • Requirements?
    • Design?
    • Development?
    • Operations?
    • Maintenance?

    CERT Conference ‘99 11


    Maintenance

    Where currently MOST security is executed.

    • Closing the door after the cows left.


    • Many COTS products
    • Cost 100x

    CERT Conference ‘99 12


    Operations (1/2)

    Where currently most security problems are


    identified.
    Found by...
    • trial and error
    • intrusion
    • corrupt data
    • problems
    CERT Conference ‘99 13
    Operations (2/2)

    Where currently most security problems are


    identified.
    • Attacks occur here
    • Problems trigger search for resolution
    • Some attempt to be proactive
    • Help from CERT/CC
    • Cost 90x
    CERT Conference ‘99 14
    Development

    A good start

    • Product inspections: invite security folks


    • Consider Ada; advantages…
    • Cost 50x

    CERT Conference ‘99 15


    Design

    A better start

    • Design security INTO the product


    • Have security folks assist with design
    • Keep it flexible
    • Cost 10x

    CERT Conference ‘99 16


    Requirements

    An even BETTER start

    • Include security features in the requirements


    • Defer any feature that may cause security problems
    • Cost 2x

    CERT Conference ‘99 17


    Concept Exploration

    Best Place to Start Looking at Security!!!

    • Think security from the very beginning


    • Involve security in the whole process
    • Cheapest cost to implement security: 1x

    CERT Conference ‘99 18


    *PC Computing’s Helpful Hints

    Operations: Hack your own site

    • Use a port scanner to see what doors are open


    • Download Rhino9’s Ogre 0.9b at
    www.hackers.com/files/portscanners/ogre.zip

    *PC Computing magazine Sep 99 issue.


    CERT Conference ‘99 19
    *PC Computing’s Helpful Hints

    Development: Encrypt everything that leaves


    your control.
    • If using Windows, will need 3rd party product.
    • PC Computing recommends Network Associates’ McAfee
    PGP Personal Privacy 6.5.1. Others include WinMagic’s
    SecureDoc and RSA Data Security’s SecurPC.

    Courtesy PC Computing magazine Sep 99 issue.


    (www.pccomputing.com)
    CERT Conference ‘99 20
    *PC Computing’s Helpful Hints

    Design: “You need to get up to speed on...


    security issues now.”

    • Useful sites: – www.ntsecurity.net


    – www.microsoft.com/ – www.cert.org
    security – www.hackers.com
    – www.ntbugtraq.com – www.icsa.net

    CERT Conference ‘99 21


    +Software Development’s Helpful Hints

    Requirements: Be aware of all vulnerabilities


    of your hardware, software, and comm.
    Useful tools: • Dynamic passwords:
    • www.smartcardforum.org www.cryptocard.com
    • E-commerce: • Black box: www.bardon.com
    www.visualcommerce.com • Net scanner: www.iss.net
    • Linux: www.unify.com • SW Dongle :
    • Mobile code: www.softlocx.com
    www.security7.com +Software Development Magazine,
    CERT Conference ‘99
    Aug 99 issue 22
    Tom Neff’s Helpful Hints

    Concept Exploration: Attend CERT Conf ‘00

    • www.omaha.com/cert
    • www.omaha.org/spin
    • cert@omaha.com

    • www.sdmagazine.com
    • www.pccomputing.com/getnow

    CERT Conference ‘99 23


    Tom Neff’s Helpful Hints

    Process is EVERYTHING!

    • Climb the process improvement ladder


    • Form a CERT & Red Team
    • Register with CERT/CC
    • Info Cons
    • Remember superchicken

    CERT Conference ‘99 24


    Tom Neff’s Helpful Hints

    You can’t control what you can’t control

    • Outsourcing is a double-edged sword


    – Gives you flexibility and possible savings
    – Gives others intimate access to your system
    (Gardner Group: Y2K)

    CERT Conference ‘99 25


    Final thoughts:
    • READ (you can get a free subscription to
    almost any magazine.
    • Use the web
    • Think like a hacker, act like a CEO

    tomneff@cyberdude.com
    CERT Conference ‘99 24

    You might also like