1 / 33

SHIELDS: metrics, tools and Internet services to improve security in application developments

Dr. Domenico Rotondi TXT e-solutions SpA Italy. SHIELDS: metrics, tools and Internet services to improve security in application developments. Summary. Software Development & Security Why SHIELDS SHIELDS Approach SHIELDS Expected Impacts & Outcomes SHIELDS Consortium

preston-nunez
Download Presentation

SHIELDS: metrics, tools and Internet services to improve security in application developments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dr. Domenico Rotondi TXT e-solutions SpA Italy SHIELDS: metrics, tools and Internet services to improve security in application developments

  2. Summary Software Development & Security Why SHIELDS SHIELDS Approach SHIELDS Expected Impacts & Outcomes SHIELDS Consortium TXT interest in SHIELDS SHIELDS and OWASP SHIELDS Summary Data

  3. Software Development & Security Software vulnerabilities becoming critical due to: Law/regulation (Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act, Online Privacy Protection Act, Privacy Protection, …) Direct economic losses (data breach recovery $140/record-source : Ponemon Institute survey) Business reputation damage Customers productivity losses (downtime, recovery, …) Certification Programmes (e.g. Microsoft Dynamics Industry Solutions Initiative) …

  4. Software Development & Security Continuous growth in software vulnerabilities: Jan-Jun 2007 vulnerabilities > 3400 Jan-Dec 2001 vulnerabilities ≈ 1528 source : Microsoft Security Intelligence Report

  5. Software Development & Security Security industry is becoming more efficient: Security-enhanced SW Development Life Cycle (Microsoft SDL-SD3 Framework, OWASP CLASP, …) Improved code scanning tools Fuzz testing techniques & tools …

  6. Software Development & Security SW development industry objectives: Improved SW quality Overall (development+maintenance) costs reduction Toolscoverage trend Currenttoolscoverage

  7. Software Development & Security First results: Security-enhanced SW Development Life Cycle Guidelines (OWASP: Guide to Building Secure Web Applications, Testing Guide, Code Review Guide, …) Checklists (e.g.: Microsoft ASP.NET 2.0 Security Checklist, OWASP Top Ten Project, …) Security training/awareness Specific/improved tools More secure code libraries (e.g.: OWASP Enterprise Security API, Microsoft security-enhanced versions of CRT functions, …)

  8. Software Development & Security First quantitative results: Microsoft: 50% vulnerabilities reduction with SDL Microsoft Windows Server 2003 vs Windows 2000 Server

  9. Software Development & Security First quantitative results: Microsoft Windows Vista vs Windows XP

  10. Why SHIELDS?

  11. Why SHIELDS? Security information is unsuitable for developers • Very general overview targeted at users and system administrators • Nothing concerning how it is manifested in the software or what causes it Risk assessment info for users and system administrators No information on solutions or tools that help developers discover or eliminate vulnerability

  12. Why SHIELDS? Islands of security tools and methods

  13. Why SHIELDS? Other factors: Lack of security expertise Costs of security expertise Reuse of security vulnerabilities knowledge: Across development phases Across tools Among designers/developers/testers/… …

  14. SHIELDS Approach Sharing security knowledge

  15. SHIELDS Approach A new approach: Security models: vulnerabilities countermeasures Misuse and abuse Methods that use security models Tools that use security models Same model used in many ways

  16. SHIELDS Approach A model based approach (ex of a Vulnerability Cause Graph): Derived inspection rule Verify that there is a range check associated with every data copy Derived static analysis rule 'memcpy($d,_,$l)'  verify(len(d) <= l) Derived testing rule memcpy(d,s,_)  inject(len(s) > len(d))

  17. SHIELDS Approach SHIELDS and Software development phases:

  18. Security Activities Related To Development Phases

  19. SHIELDS Tools to support the Developmet phases Graphical User Interface to access and Search SVRS SHIELDS repository Under Construction! Please see http://www.shields-project.eu/ For updates

  20. SHIELDS Approach SHIELDS advantages: Reduced/no duplication of effort: Every update can potentially affect all tools SHIELDS reported vulnerabilities can impact all phases Higher assurance: Tools can quickly acquire knowledge to face new vulnerabilities Improved software quality: Developers get more and better security information Developers improve their security expertise …

  21. SHIELDS Expected Impacts Increasing security to enhance trust Better security tools For Provides Better security information Provides For Developers Helping them create More secure software Justifying Leading to More trust Which is Trusted computing infrastructures ensuring interoperability and end-to-end security of data and services; increased security and dependability in the engineering of software systems to ensure the design and development of trustworthy applications and services Lower risk Supporting More robust Supporting Supporting

  22. SHIELDS Expected Outcomes SHIELDS Repository Service: A network accessible service providing: guidelines Models (vulnerabilities, countermeasures, Misuse and abuse) Tools Security tools: Partners provided (Search-Lab, Montimage, Fraunhofer) …

  23. SHIELDS Expected Outcomes Certification programmes:

  24. SHIELDS Consortium

  25. TXT interest in SHIELDS TXT e-solutions Spa: TXT (www.txtgroup.com) is specialized in modular software products and solutions for: Demand & Supply Chain Management Content Management TXT presence:

  26. TXT interest in SHIELDS Demand & SC Mgm: TXTPERFORM Suite

  27. TXT interest in SHIELDS MM-Multichannel Content Mgm: TXTPolymedia

  28. TXT interest in SHIELDS TXT Software Development activities: Internal: TXTPerform: whole Software Development Lifecycle TXTPolymedia: whole Software Development Lifecycle External: SW Quality Assurance (not security related): mainly for M&T customers Ad-hoc development ISO 9001/2000 certified processes!

  29. TXT interest in SHIELDS Languages & platforms: TXTPerform: C++, C# and Microsoft .Net Framework 3.0 Microsoft SQL Server, Oracle TXTPolymedia: Java Open Source platforms (Apache, JBOSS, …) Microsoft SQL Server, Oracle, … TXT  Typical SW company with all dvp problems

  30. TXT interest in SHIELDS Development lifecycles revised since 2005: to address security issues: Based on Microsoft Trustworthy Computing Security Development Lifecycle Adopted for all products’ major releases to certify TXT products: Microsoft Industry Builder Initiative (IBI): TXTDemand certified since 2006 Microsoft Dynamics Industry Solutions program (MDIS): TXTPerform 2008 certified in January 2009 …

  31. SHIELDS - OWASP SHIELDS contributions: SHIELDS is in line with OWASP goals SHIELDS can contribute to the OWASP projects OWASP contributions to SHIELDS: SHIELDS needs input from the OWASP specialized community SHIELDS needs feedbacks from the OWASP community SHIELDS needs support to improve its work SHIELDS needs support to validate its work

  32. SHIELDS Project Relevant Data Project data: EU FP7 Theme: ICT-2007.1.4: Secure dependable and trusted infrastructures Type: Collaborative Project (STREP) Duration: 30 months Start: January 1, 2008 SHIELDS contacts: Coordinator: ProfessorNahid Shahmehri (Linköpings universitet, nahsh@ida.liu.se) Dissemination Manager: Alessandra Bagnato (TXT e-solutions Spa, alessandra.bagnato@txt.it) Project Web site: http://www.shields-project.eu

  33. Thanks for your attention!

More Related