Secure Development Lifecycle


Strengthening Cisco Products

The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness. The combination of tools, processes, and awareness training introduced during the development lifecycle promotes defense-in-depth, provides a holistic approach to product resiliency, and establishes a culture of security awareness. Cisco SDL applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. Cisco SDL is best described by examining its constituent elements.

[Figure: Cisco SDL phase overview. Phases: PLAN, DEVELOP, VALIDATE, LAUNCH & OPERATE, MONITOR. Elements: Product Requirements; Third Party; Secure Design; Threat Modeling & Requirements; Secure Coding; Secure Modules & Static Analysis; Vulnerability Testing; Release Criteria; Operational Management Process; Continuous Monitoring & Updates.]

Product Requirements

Product Requirements define the internal and market-based standards for Cisco products. These requirements have been assembled from internal and external sources, based on known risk, customer expectations, and industry best practices. Products should address two types of product security requirements:

Cisco Internal Requirements: Defined by the Cisco Product Security Baseline (PSB)
Market-based Requirements: Outlined by the industry or space in which a product is deployed

CISCO INTERNAL REQUIREMENTS

The Cisco PSB is a living body of requirements that defines the security-related functionality, development process, and documentation expectations for the Cisco product portfolio. The PSB focuses on important security components such as credential and key management, cryptography standards, anti-spoofing capabilities, integrity and tamper protection, and session/data/stream management. Guidance for resilience and robustness, sensitive data disposal, and logging is also outlined in the PSB. This critical body of requirements is continually enhanced to incorporate new technologies and standards, with the goal of building in inherent protections against evolving threats.

[Figure: Product Security Baseline, covering Functionality, Development Process, and Documentation Expectations.]

MARKET-BASED REQUIREMENTS

Markets and industries such as finance, government, and medical often place additional security requirements on Cisco customers. While these requirements may exceed those outlined by the PSB, Cisco strives to meet or surpass the industry demands. Requested product certifications may include:

Common Criteria Certification
Cryptographic validation for products containing encryption functionality
IPv6 certification
Department of Defense (DoD) Unified Capabilities Approved Products List
North American Electric Reliability Corporation - Critical Infrastructure Protection (NERC-CIP)

Third-Party

A common industry practice is to incorporate both commercial and open source third-party software into product offerings. Consequently, products and customers may be affected when third-party vulnerabilities are discovered. To minimize the impact, Cisco uses integrated tools to gain visibility into potential third-party software security threats, including:

Central Repository of Intellectual Property: Cisco internally tracks products using third-party software through a centrally maintained repository. This single point of reference requires entry of any metadata associated with third-party code distributed outside the company, and allows for rapid identification of all affected Cisco products should a vulnerability be found.

Tooling to Facilitate Accuracy and Quick Response to Third-Party Vulnerabilities:

Notification of Third-Party Software Threats and Vulnerabilities: Cisco automatically alerts product teams from a continuously updated list of known third-party software threats and vulnerabilities, enabling quick investigation and mitigation.

Scanning and Decomposition: Cisco employs tools to inspect source code and images to improve third-party repository accuracy and completeness.

Secure Design

DESIGNING WITH SECURITY IN MIND

Secure design requires an ongoing commitment to personal and professional improvement. Internal security training programs inspire all employees to become security aware, while encouraging development and test teams to dive deep into security learning. Through continuous and evolving threat awareness, and by leveraging industry-standard principles and highly secure vetted solutions, Cisco strives to create products that are more secure by design.

[Figure: Secure Design, made up of Designing with Security in Mind (Knowledge Training; Leverage Industry-Standard Secure Design Principles; Continuous and Evolving Threat Awareness; Utilize Highly Secure Designs & Vetted Solutions) and Threat Modeling to Validate the Design's Security.]
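The Third-Party section above describes two pieces of tooling: a central repository recording which products ship which third-party components, and an automatic notification that matches a feed of known vulnerabilities against that inventory. The following Python sketch is an added illustration of that matching and is not Cisco's own tooling; every product name, component name, version and advisory identifier in it is a constructed placeholder, and the affected-range model (first affected version, first fixed version) is an assumption made for the example.

```python
"""Third-party component inventory with vulnerability matching.

Added example, not Cisco's own tooling. Models a central repository of
which products ship which third-party components, and a notification step
that matches a feed of known vulnerabilities against that repository.
Every product, component, version and advisory id below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple  # numeric tuple such as (1, 2, 10), so 1.2.10 > 1.2.9


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed placeholder, not a real advisory id
    component: str
    fixed_in: tuple           # first version that is NOT affected
    min_affected: tuple = ()  # first affected version; () means "from the start"


def parse_version(text):
    """'1.2.10' -> (1, 2, 10). String comparison would wrongly rank 1.2.10 below 1.2.9."""
    return tuple(int(part) for part in text.split("."))


class ComponentRepository:
    """Single point of reference: product -> third-party components it ships."""

    def __init__(self):
        self._products = {}

    def register(self, product, component_name, version):
        comp = Component(component_name, parse_version(version))
        self._products.setdefault(product, set()).add(comp)

    def affected_products(self, advisory):
        """Products shipping a version in [min_affected, fixed_in) of the component."""
        hits = []
        for product, components in sorted(self._products.items()):
            for comp in sorted(components, key=lambda c: (c.name, c.version)):
                if comp.name != advisory.component:
                    continue
                if advisory.min_affected <= comp.version < advisory.fixed_in:
                    hits.append((product, ".".join(map(str, comp.version))))
        return hits


def notify(repo, feed):
    """Map each advisory in the feed to the products it affects (empty list = nothing to do)."""
    return {adv.advisory_id: repo.affected_products(adv) for adv in feed}


def build_sample_repository():
    # Constructed sample inventory: three products, two third-party libraries.
    repo = ComponentRepository()
    repo.register("product-a", "libfoo", "1.2.10")
    repo.register("product-b", "libfoo", "1.3.0")
    repo.register("product-c", "libfoo", "1.0.5")
    repo.register("product-c", "libbar", "2.0.1")
    return repo


# Constructed sample feed; ids are placeholders, not real advisories.
SAMPLE_FEED = [
    Advisory("ADV-0001", "libfoo", fixed_in=(1, 3, 0), min_affected=(1, 2, 0)),
    Advisory("ADV-0002", "libbar", fixed_in=(2, 1, 0)),
    Advisory("ADV-0003", "libqux", fixed_in=(9, 0, 0)),
]


if __name__ == "__main__":
    for adv_id, products in notify(build_sample_repository(), SAMPLE_FEED).items():
        print(adv_id, products or "no affected products")
```

The version handling is the detail worth noticing: comparing "1.2.10" and "1.2.9" as strings ranks the newer release below the older one, so an inventory that stores versions as text can miss an affected product or raise a false alert. Parsing into integer tuples before the range check avoids both failure modes.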

THREAT MODELING TO VALIDATE THE DESIGN'S SECURITY

Threat modeling is an organized and repeatable process designed to understand and prioritize a system's security risks. When modeling threats, Cisco engineers follow the flow of data through a system and identify trust boundaries and inflection points where the data might be compromised. Once potential vulnerabilities and threats are identified, mitigation strategies can be put in place to minimize the risk. Cisco's Threat Modeling tool facilitates the process by exposing applicable threats based on the developer's diagram of the data flow and trust boundaries.

[Figure: example data flow diagram with the elements External Entity1, Process1, Process2 and Data Store1, and a Trust Boundary between them.]

Secure Coding

SECURE CODING STANDARDS

Cisco's coding standards encourage programmers to follow a uniform set of rules and guidelines determined by the requirements of the project and organization. Veteran developers know that coding and implementation errors can result in potential security vulnerabilities. While this knowledge comes with experience and training, Cisco developers at all levels are tasked to follow best practices that help ensure threat-resistant code. Training helps developers learn secure coding guidelines and best practices.

COMMON SECURITY MODULES

To complement secure coding best practices, Cisco leverages a growing number of vetted common security modules. These Cisco-maintained libraries are designed to reduce security issues while enhancing the engineers' ability to confidently deploy security features. CiscoSafeC, CiscoSSL, and other libraries focus on secure communications, coding, and information storage.
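The threat modeling passage above describes following data through a diagram of processes, stores and external entities, and treating the points where a flow crosses a trust boundary as the places to examine. The Python example below, added here and not Cisco's Threat Modeling tool, does the mechanical part of that: it records the diagram, finds every flow whose endpoints sit in different trust zones, and lists the threat categories that apply to such a crossing. The element names follow the figure (External Entity1, Process1, Process2, Data Store1); the trust zones, the flows between them, and the mapping of STRIDE categories to element types (the public STRIDE-per-element convention) are assumptions made for the example.

```python
"""Data-flow threat model: find trust-boundary crossings and the threat
categories that apply to them.

Added example, not Cisco's Threat Modeling tool. Element names follow the
figure; the zones, flows and the STRIDE-per-element mapping are assumptions.
"""
from dataclasses import dataclass

# STRIDE categories applicable to each element type (public STRIDE-per-element
# convention, assumed here; not taken from the Cisco tool).
STRIDE_BY_KIND = {
    "external": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"},
    "store": {"Tampering", "Repudiation", "Information disclosure",
              "Denial of service"},
    "flow": {"Tampering", "Information disclosure", "Denial of service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


class ThreatModel:
    def __init__(self):
        self.elements = {}
        self.flows = []

    def add(self, name, kind, zone):
        if kind not in ("external", "process", "store"):
            raise ValueError(f"unknown element kind: {kind}")
        self.elements[name] = Element(name, kind, zone)

    def connect(self, src, dst, data):
        # Refuse flows to or from elements that were never drawn.
        for name in (src, dst):
            if name not in self.elements:
                raise KeyError(f"undefined element: {name}")
        self.flows.append(Flow(src, dst, data))

    def boundary_crossings(self):
        """Flows whose endpoints lie in different trust zones."""
        return [f for f in self.flows
                if self.elements[f.src].zone != self.elements[f.dst].zone]

    def threats(self):
        """One record per crossing flow: threats to the flow itself plus those
        applicable to the element that receives data from another zone."""
        records = []
        for f in self.boundary_crossings():
            dst = self.elements[f.dst]
            cats = STRIDE_BY_KIND["flow"] | STRIDE_BY_KIND[dst.kind]
            records.append({
                "flow": f"{f.src} -> {f.dst} ({f.data})",
                "crosses": f"{self.elements[f.src].zone} -> {dst.zone}",
                "threats": sorted(cats),
            })
        return records


def build_sample_model():
    # Constructed diagram using the figure's element names; zones are assumed.
    m = ThreatModel()
    m.add("External Entity1", "external", "untrusted")
    m.add("Process1", "process", "product")
    m.add("Process2", "process", "product")
    m.add("Data Store1", "store", "product")
    m.connect("External Entity1", "Process1", "request")
    m.connect("Process1", "External Entity1", "response")
    m.connect("Process1", "Process2", "parsed request")
    m.connect("Process2", "Data Store1", "record")
    return m


if __name__ == "__main__":
    for rec in build_sample_model().threats():
        print(rec["flow"], "crosses", rec["crosses"], "->", ", ".join(rec["threats"]))
```

Only the two flows between External Entity1 and Process1 cross a zone boundary, so only they are reported; the internal flows to Process2 and Data Store1 stay out of the list, which is what keeps the review focused on the inflection points the passage describes.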

Static Analysis

Cisco SDL identifies key security checkers for Static Analysis (SA) tools to detect source code vulnerabilities in both C and Java source code. Through internal analysis, field trials, and limited business unit deployments, a set of checkers has been identified to maximize detection of security issues. Potential buffer overflows, tainted inputs, and integer overflows are targeted while false positives are minimized. Cisco development teams run Static Analysis with security checks enabled, review any generated warnings, and fix high-priority issues.

Vulnerability Testing

Vulnerability testing helps ensure that Cisco products are tested for security defects. The analysis is customized for each product by first identifying:

All protocols that are implemented in the product
Ports and services that are enabled by default
Protocols, ports, and services that will be used in a typical customer configuration

Products are then evaluated to determine their ability to withstand probes and attacks with a minimum of three regimens of Cisco SDL Vulnerability Testing:

Protocol robustness testing
Common attacks and scans by common open source and commercial hacker tools
Web application scanning

Executing an effective security test plan requires the use of a variety of security tools from multiple sources. Cisco's Test Package combines them all into a single, easy-to-install collection of tools. This helps Cisco engineers test for security defects in a consistent and repeatable manner. Product teams also build custom tests to supplement the standard security test suite. Dedicated penetration testing and security risk assessment engineers are also available to further identify and resolve potential security weaknesses. Vulnerabilities found during testing are triaged by the product teams and reviewed by Cisco's Product Security Incident Response Team (PSIRT).
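The Static Analysis section names three defect classes the selected checkers target: buffer overflows, tainted inputs and integer overflows. The following Python program is an added illustration of what such a checker does and is not one of Cisco's checkers or a real static-analysis tool: it propagates taint from input sources through single-line assignments and reports tainted data reaching an unbounded copy, a tainted length passed to a sized copy, and tainted arithmetic inside an allocation size. The C snippet it scans is constructed for the example, and the lists of taint sources and risky functions are assumptions chosen for illustration.

```python
"""Tiny taint-style security checker over C source.

Added example, not one of Cisco's checkers or a real static-analysis tool.
It is a line-based pattern matcher, so it understands only simple
single-line C statements; the point is to show how taint tracking turns a
generic "strcpy is risky" warning into a prioritised finding.
"""
import re

TAINT_SOURCES = {"argv", "getenv", "gets", "fgets", "read", "recv", "scanf"}
UNBOUNDED_COPY = {"strcpy", "strcat", "sprintf", "gets"}   # no length argument
SIZED_COPY = {"memcpy": 2, "memmove": 2, "strncpy": 2}     # index of the length argument
ALLOCATORS = {"malloc", "calloc", "realloc"}

ASSIGN_RE = re.compile(r"\b(\w+)\s*=(?!=)\s*(.+);")   # lhs = rhs;  (not ==)
CALL_RE = re.compile(r"\b(\w+)\s*\(([^;]*)\)")         # name(args)
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*")


def is_tainted(expr, tainted):
    """True if the expression mentions a taint source or an already-tainted variable."""
    idents = set(re.findall(r"[A-Za-z_]\w*", expr))
    return bool(idents & (tainted | TAINT_SOURCES))


def split_args(arg_text):
    return [a.strip() for a in arg_text.split(",")] if arg_text.strip() else []


def check_source(c_source):
    """Return (line number, severity, message) findings for one C function body."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(c_source.splitlines(), start=1):
        code = COMMENT_RE.sub("", line)
        # Taint propagation: whatever is assigned from a tainted expression is tainted.
        m = ASSIGN_RE.search(code)
        if m and is_tainted(m.group(2), tainted):
            tainted.add(m.group(1))
        for call in CALL_RE.finditer(code):
            fn, raw_args = call.group(1), call.group(2)
            args = split_args(raw_args)
            if fn in UNBOUNDED_COPY:
                # Always a warning; tainted data reaching it raises the priority.
                sev = "high" if any(is_tainted(a, tainted) for a in args) else "medium"
                findings.append((lineno, sev, f"unbounded copy via {fn}()"))
            elif fn in SIZED_COPY:
                idx = SIZED_COPY[fn]
                if len(args) > idx and is_tainted(args[idx], tainted):
                    findings.append((lineno, "high", f"tainted length passed to {fn}()"))
            elif fn in ALLOCATORS and "*" in raw_args and is_tainted(raw_args, tainted):
                findings.append((lineno, "medium",
                                 f"tainted size arithmetic in {fn}() (integer overflow candidate)"))
    return findings


# Constructed C snippet for the example; it is not code from any product.
SAMPLE_C = """\
int handle(int argc, char **argv) {
    char buf[64];
    char *name = getenv("USER_NAME");
    int count = atoi(argv[1]);
    size_t len = strlen(name);
    int *copy = malloc(count * sizeof(int));
    strcpy(buf, name);                      /* unbounded copy of tainted data */
    snprintf(buf, sizeof buf, "%s", name);  /* bounded: no finding */
    memcpy(copy, name, len);                /* length derived from tainted input */
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, sev, msg in check_source(SAMPLE_C):
        print(f"line {lineno}: [{sev}] {msg}")
```

Running it on the sample reports the malloc size arithmetic on line 6, the strcpy on line 7 as high because its source variable came from getenv, and the memcpy on line 9 because its length was derived from that same input; the bounded snprintf on line 8 produces nothing. A strcpy of a string literal is still reported, but only at medium severity, which is the false-positive trade-off the section alludes to: the checker keeps the generic rule but lets teams fix tainted cases first.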