Archive for the 'Conferences' Category
DHS Software Assurance Forum - Debrief (Part 2)
Monday, October 9th, 2006
Here is the second and final part of a quick summary of the DHS Software Assurance Forum.
I think the highlight of the second day (and perhaps the entire event!) was the Industry Panel. I say that not just because we were on it, but also because of the audience participation and discussions following the panel. As mentioned previously, the panelists were:
- Wes Higaki from Symantec (also served as the panel moderator)
- Shawn Hernan from Microsoft
- Mary Ann Davidson from Oracle
- Robin Roberts from Apex Assurance Group (Robin recently joined Apex Assurance from Cisco systems)
The purpose of the panel was to discuss issues in software assurance and new/alternative tools to address the need for software quality and assurance. The main message of the panel was that software assurance is a good thing, but there are problems. Vendors spend a large amount of money on third-party assurance programs (I can attest to this from my Cisco days), yet more programs seem to be surfacing. For example, code vulnerability scanning is a good thing, but a standard solution (let alone a standard third-party evaluation program) is difficult for the following reasons:
- Scalability
Not many tools can consistently perform in enterprise-level environments (such as Symantec, Microsoft, Oracle, Cisco, etc.). Add code complexity, build frequency, and customized versioning, and, well, there will be problems with scalability.
- Uniqueness of Environments
While many SDLC processes may be the same, vendors rarely have the same development environments. Thus, having a “one size fits all” solution for source code analysis may not be feasible.
- Value Maintenance
Of what value is an evaluation program that only checks for “low hanging fruit” vulnerabilities and is not nimble enough to address new vulnerabilities?
Shawn Hernan gave an interesting history of bugs associated with Binary Search. The first implementation was published in 1946, while the first correct implementation was realized in 1962. Since then, more bugs have been found and corrected, only to result in more bugs to be found. And this is only 17 lines of code! More details are in Jon Bentley’s Programming Pearls (my copy is on the way).
I shouldn’t have to detail the obvious relevance of this ongoing saga. Think about it: 60 years of analysis on 17 lines of code, and we still can’t get it right!
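As an added illustration of why those 17 lines are hard (this is not code from the talk, from Programming Pearls, or from the original post): the midpoint step alone hides an integer-overflow bug on large arrays, shown here beside the overflow-safe form and a brute-force cross-check against linear search. The array and key range are constructed sample data.

```c
#include <limits.h>
#include <stdio.h>

/* Added example, not from the talk or from Programming Pearls: the midpoint
 * step of binary search. The textbook form (lo + hi) / 2 is wrong once the
 * array is large enough that lo + hi exceeds INT_MAX (about 2^30 elements);
 * in C that addition is undefined behaviour, in Java it silently wraps. */

/* Reports whether the naive midpoint lo + hi would exceed INT_MAX. */
int naive_mid_overflows(int lo, int hi) {
    return hi > INT_MAX - lo;
}

/* Overflow-safe midpoint: the difference hi - lo never exceeds hi. */
int mid_safe(int lo, int hi) {
    return lo + (hi - lo) / 2;
}

/* Binary search over a sorted int array; returns the index of key or -1. */
int bsearch_int(const int *a, int n, int key) {
    int lo = 0, hi = n - 1;
    while (lo <= hi) {
        int mid = mid_safe(lo, hi);
        if (a[mid] < key)      lo = mid + 1;
        else if (a[mid] > key) hi = mid - 1;
        else                   return mid;
    }
    return -1;
}

/* Cross-check bsearch_int against a linear scan on every prefix length of a
 * constructed sorted array, for every key in a range wider than the array.
 * Returns the number of mismatches (0 means full agreement). */
int mismatches_vs_linear(void) {
    static const int a[] = {-7, -3, 0, 1, 4, 9, 12, 15, 21, 30};
    int total = (int)(sizeof a / sizeof a[0]);
    int bad = 0;
    for (int n = 0; n <= total; n++) {
        for (int key = -10; key <= 35; key++) {
            int lin = -1;
            for (int i = 0; i < n; i++) if (a[i] == key) { lin = i; break; }
            if (bsearch_int(a, n, key) != lin) bad++;
        }
    }
    return bad;
}

int main(void) {
    printf("mismatches vs linear scan: %d\n", mismatches_vs_linear());
    printf("naive midpoint overflows at lo=hi=2^30: %d\n",
           naive_mid_overflows(1 << 30, 1 << 30));
    return 0;
}
```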
The panel discussion on Open Source Software could have been interesting but lacked energy. Perhaps it was just late in the day. One of my complaints is that the panel was anything but diverse: three guys from Red Hat and a Red Hat vendor/partner. It was good publicity for them, I suppose, but there weren’t many valuable takeaways.
In closing, the new buzzword seems to be “assurance” … but the term is rarely used accurately. New programs and initiatives are being launched in the interest of “assurance” but it’s yet to be determined how effective these programs will be in terms of applying principles of security assurance. Granted, assurance is not an easy problem to solve, and I feel as if we’re not asking the right questions. But we seem to have the answer (or rather, some folks seem to have the answer).
DHS Software Assurance Forum - Debrief (Part 1)
Thursday, October 5th, 2006
Unfortunately I don’t have a lot of time to provide a full debrief of the forum, but here is Part 1 of a quick summary series:
Vulnerability and source code analysis tools. Much of the discussion centered around this topic. There was even discussion of a pilot program to certify code against a suite of known vulnerabilities! The idea is to analyze a product vendor’s source code with a variety of vulnerability and analysis tools, and if all specified vulnerability checks are passed, the vendor will be awarded a certificate. Some issues with this:
- Why would a vendor pay for this?
Barring a requirement from a customer, vendors already spend enough on FIPS 140 and Common Criteria, and this certificate would yield marginal benefit.
- How would this program scale?
Just as there is no “one size fits all” for vulnerability analysis tools, there is no way this could scale across the development environments of different product vendors. Of course, they could just pass that concern to the product vendors as their problem to solve, but that solution won’t go far.
- How would the program address new vulnerabilities?
Obviously the vulnerabilities would have to relate to generic coding practices, unless they plan to keep a branch of certification requirements for every possible environment! Combine this with point number 2, and you’ve got quite a mess on your hands!
More parts to be posted as time permits.
DHS Software Assurance Forum
Tuesday, October 3rd, 2006
This week we were at the DHS Software Assurance Forum. Robin Roberts (now a Director at Apex Assurance) joined an industry panel with Wes Higaki of Symantec, Shawn Hernan of Microsoft, and Mary Ann Davidson of Oracle. The purpose of the panel was to discuss issues in software assurance and new/alternative tools to address the need for software quality and assurance.
A formal write up of the event will be posted shortly.
IANS - Boston
Monday, September 25th, 2006
Last week I was with IANS in Boston delivering my Security Management sessions and two focus topics: Managing Insider Threats and Security Assurance Management. I love these sessions because I can work with end users and senior managers to talk about real information security issues (and their possible solutions).
My Insider Threat presentation was a lot of fun. The room was packed, and when time was up, we reached one important conclusion: this is a very hard, very overlooked problem.
The Security Management sessions are always interesting and informative. Corporate security programs face several challenges:
- They are a cost center, which often makes attaining budget and resources difficult.
- They face uphill battles, especially in organizations that lack security awareness.
- They are under considerable pressure to address all elements of risk (a problem compounded by the previous two points).
In the future I’ll be blogging more on security from a management perspective. It’s an important, necessary, sometimes unappreciated and always changing field.
Labor Day and ICCC
Monday, September 4th, 2006
Happy Labor Day, everyone. And that’s exactly what it is… a day of labor. Apparently I’m not the only one though!
So many people have asked me about ICCC the last few weeks. Unfortunately, I will not be there. But I will be doing my share of travel that week; I have a customer meeting early in the week and a talk at the end of the week, both of which have been scheduled for quite a while (hence the reason I did not submit a talk). It’s kind of a shame, because parts of the program look quite good.
Day 2 - IANS Forum New York
Sunday, July 23rd, 2006
I’m suffering from one of the worst head colds I’ve ever had, so I’ll have to keep this short n’ sweet.
The second day of the forum started out with a little improvisation. Our keynote speaker had a car accident and was not able to make it, so we decided to have a faculty panel to discuss various topics related to information security. Overall, I think the discussion went well, and I think it’s worth including this in future forum events (as long as, of course, the delegates think it’s a good idea). We discussed what Microsoft should be doing about security, what keeps us awake at night, what we anticipate/fear in five years, and what new technologies excite us.
Later in the day I led a discussion on assurance/compliance programs in the Federal government and their benefits/issues as they map to the private sector. The audience was comprised of end users/managers in the financial sector, and we had some fantastic conversations about the role of security compliance in organizations.
A financial analyst from Cowen and Company gave a great talk at lunch. He gave an excellent breakdown of the security market space and talked about the recent M&A activity. He talked about where he sees the security space going and also addressed fundamental concepts to employ when selecting a product or solution. Very interesting and eye-opening stuff.
Day 1 - IANS Forum New York
Wednesday, July 19th, 2006
I’m in New York to lead the Security Operations track for the Institute for Applied Network Security’s New York Metro Information Security Forum. In today’s sessions, we discussed some of the most pressing issues that information security professionals face from an executive management perspective. Here were a few of the highlights of what we discussed:
- Where security falls in the organization
- How to address productivity and define success metrics for the infosec team
- How to motivate middle managers and individual contributors
- How to build security into business processes
- How to gain executive recognition and approval for budget, headcount, equipment, etc.
- And many other exciting (and very difficult!) topics
In the interest of the IANS team and the delegates who attend the forum, I won’t go into detail on the sessions. But the discussions were engaging, enlightening, and even entertaining. The attendees included senior managers and CSOs/CISOs from several market segments, including financial, telecommunications, pharmaceutical, education, and others. I enjoy talking to, listening to, and learning from such a diverse set of experienced folks and working with some of the best and most influential people in the information security space.
You’ll see a lot more from Apex Assurance on these subjects in the future…
Debrief of Security Leadership Event
Thursday, May 11th, 2006
Yesterday I presented at (ISC)2’s Security Leadership series. My talk was “Security Testing for the Risk Management Process” … The objective was to discuss an overview of the Risk Management process and the benefits of a risk management program. Then we discussed where/how/if security testing fits into the model.
The talk was similar to the one summarized in this post. I took a forum-style approach to the discussion, and the reviews were quite good. Here’s a big thank you to all who attended and participated. It was flattering for me: there was standing room only, and the event director was bringing in chairs by the handful! I’m glad to see such interest in these topics, and thank you again to all the folks who attended the talk.
-Later that day-
Audrey Dale of NIAP gave an excellent presentation on the state of Common Criteria / NIAP / CCEVS and touched upon some potential future directions for the program. Some highlights from her presentation:
- CC v3.1 could be published as early as July of this year
- South Korea is joining the CCRA as a certificate producing nation
- The IDA Report on NIAP could be released any day now
I wrote an entry about the IDA Report in this post. Audrey mentioned that there are various levels of recommendations, ranging from “abolish the program” to “give it unlimited funding and let it solve all the world’s problems.” It’ll be interesting to see where that leads.
The audience at the event consisted mainly of end users, ISOs, and even a few CISOs. Hats off to Audrey and the NIAP team for being a part of this event. These types of engagements are certainly an ingredient for educating end users, providing status, and being involved with the community. And those are three crucial activities that NIAP CCEVS should continue to proliferate. Nicely done.
7th ICCC in September 2006
Tuesday, April 18th, 2006
The 7th International Common Criteria Conference is in the Canary Islands, Spain, this year. Here is the website.
Call for papers is open until May 31. I’ve got several ideas, but the problem is finding the time to craft the submission!
(ISC)2 Ottawa and New Presentation Available
Wednesday, April 12th, 2006
I led a presentation at the (ISC)2 Security Leadership Series in Ottawa. Here is the abstract:
A sound security posture includes a detailed process to assess risk and counter threats via policy and technology. Systems owners in Federal agencies and in the commercial sector are under increased pressure to identify and mitigate risk, and the US government is at the forefront in establishing such processes and testing requirements. This presentation will explore risk assessments, including the benefits, methodologies, and policies/regulations as well as discuss product testing in a security/risk context, including ways to define requirements for security products deployed in a system. The presentation will conclude with an analysis of how security testing methodologies fit into the risk assessment/systems accreditation environment and with a group discussion of experiences, issues, and best practices for security testing and risk assessments.
This was a fun session. I wanted to keep it informal and diverge from traditional uni-cast speaking styles. The audience was quite involved, asking questions, providing real-time feedback, and posing challenges to the concepts. At the end I opened the floor to a forum-style discussion, where I encouraged the group to discuss what they’re doing with regard to risk management, how/if security testing plays a role, then discuss common issues. And the group did just that.
Some highlights:
- Everyone unanimously agreed that security is a business issue, not a technical issue. I posed that concept expecting a great deal of controversy. Ah well, it’s always a pleasure to talk with enlightened folks.
- Communicating results of threat/risk assessments in a way that can be understood and adopted by both senior/executive management and by technical folks is consistently a major issue.
- The group was well-aware of FIPS 140, Common Criteria, and other testing methodologies, and they agreed that these programs are not always used effectively.
- We discussed spending on security and how that affects an organization’s risk management program (via mitigation, acceptance, etc.). If dollars are spent correctly, then the graph for risk reduction versus dollars spent looks like this:
This presentation can be requested at the Presentations & Whitepapers page.
Also, Mark Fabro from Bearing Point gave an excellent presentation on SCADA. Not only did he know his process control stuff, but he was able to back that up with impressive technical expertise. SCADA is not an easy subject to present, and he did a fantastic job.
