Agile Information Security Management in Software R&D
Rational and WebSphere User Group Finland Seminar 29.01.2008
Reijo Savola
Network and Information Security Research Coordinator
VTT Technical Research Centre of Finland
VTT TECHNICAL RESEARCH CENTRE OF FINLAND
Copyright VTT (Reijo Savola)
Contents
• Information Security from the Perspective of Agility
• Some Information Security Challenges and Trends
• Security Assurance and Agile Security Development
• Conclusions
I Information Security from the Perspective of Agility
Business Rationale for Agile Adoption
Source: prof. Pekka Abrahamsson / VTT
The better quality often increases security too!
Change is the Only Certainty in Software Research & Development
The production of Technical Specifications for a 3rd Generation Mobile System based on the evolved GSM core networks.
Change management is very important from a security point of view
Source: prof. Pekka Abrahamsson / VTT
How Agile Can You Be?
Source: Boehm & Turner (2003)
Fact corner: Agile is not an absolute concept.
Size (# of personnel)
Source: prof. Pekka Abrahamsson / VTT
Goal: Balanced Information Security
SECURITY
USABILITY AND PERFORMANCE
Desired / adequate level of security
COST EFFECTIVENESS
Proactive Security Solutions Have Most Impact!
[Figure: axes "Maturity of technology" and "Time"; phases: Research, R&D, Products and maintenance; labels: Design vulnerabilities, Implementation vulnerabilities]
THE MOST IMPACT (development of new architectures, new technologies)
THE LEAST IMPACT (only "emergency patches")
The Horizontal Nature of Information Security
Introduction
• Telecom engineers: security is protocols, cryptography, key exchange techniques
• Software engineers: security means secure SW architectures
• Content providers: security is DRM
• IT department: security means proxies, firewalls and audits and, if really needed, security policies
• Lawyers: security means how you conform to privacy legislation
• Process addicts: security is a business process
• Managers: security is OK, but it cannot cost anything
• Quality people: security is realized as one or more quality attributes, the meaning of which can be described in an ontology
• Written definition "everywhere": security is confidentiality, integrity, availability, non-repudiation, authentication
Security vs. Agility?
• Agility: developers are more responsive to business concerns
• Security: developers are more responsive to business risk concerns
➢ Tradeoffs to be managed
Two steps that should be taken care of:
• Increase security awareness among developers and managers
• Build security into the processes, practices and tools
The 12 Agile Principles – Good for Security too!
1. Satisfy customer through early and frequent delivery
2. Welcome changing requirements even late in the project
3. Deliver working software frequently
4. Business people and developers work together daily throughout the project
5. Build projects around motivated individuals
6. Place emphasis on face-to-face communication
7. Working software is the primary measure of progress
8. Promote sustainable development pace
9. Continuous attention to technical excellence and good design
10. Simplicity is essential
11. The best results emerge from self-organizing teams
12. Team reflects regularly where and how to improve
"Security rating"
Source: prof. Pekka Abrahamsson / VTT
II Some Information Security Challenges and Trends
Security Threats are Increasing
COMPLEXITY AND CONVERGENCE…
Products, value nets, services and telecommunication networks are getting more and more complex
▪ Holistic understanding of security needed
▪ Challenge for agility too!
TIGHT TIME SCHEDULES…
The market sets tight time schedules for product development, and the quality and security of products are in danger.
▪ Security awareness should be increased
REACTIVE RACE IS BECOMING TOUGHER…
The security threat picture changes all the time. Security work has lately been a race between the attackers and the protection developers.
▪ Emphasis from reactive to proactive solutions
▪ Break the passive "build-break-fix" cycle!
▪ Agility helps!
Security Threats are Increasing
DIFFUSION OF ICT SOLUTIONS
ICT solutions are being used in other fields
▪ Security awareness and careful planning needed
▪ Agility cannot be applied much
DEPENDENCE OF CRITICAL INFRASTRUCTURES ON ICT
In critical infrastructures, such as electricity distribution, ICT solutions are used more and more
▪ Understanding of interdependencies needed
▪ Agility cannot be applied much
Security awareness
Understanding interdependencies
III Security Assurance and Agile Security Development
Security Assurance: Emerging Novel Techniques and Tools
Security assurance activities are needed in agile SW R&D too, and should be integrated into the agile processes!
Examples of security assurance techniques:
▪ Security Analysis: threat and vulnerability analysis important, its connection to requirement engineering should be improved, forms the basis for assurance! THERE ARE CHALLENGES IN CARRYING OUT SECURITY ANALYSIS IN THE AGILE PROCESSES! (and even in traditional R&D processes!)
▪ Security Testing: tools available for network level and some for application level testing
▪ Security Auditing: perspectives: information security management; security engineering
▪ Security Monitoring: beyond IDS/IPS systems, holistic monitoring, mobile versions (mainly maintenance phase!)
Information Security Management vs. Security Engineering
• "Information security management (ISM)" is targeted at the security processes and practices in the organisation.
• "Security engineering" is targeted at the R&D of security solutions in products / services / technical systems.
• Both of them should be addressed in Agile Software Development.
Business-level security practices
Trust in business collaboration
Business level risk analysis and management
Information security management (ISM)
Cost-benefit analysis on security
Security engineering (products, services, technical systems)
VTT's Agile Security Development (ASD) Framework
• FOR WHOM: the client organization, which wants to develop/verify the level of information security of the subcontractors; an SME, which wants to develop information security from its own baseline
• WHAT: an agile process model for developing an information security management system, fast and effective improvement of the current information security state and level, ISO 17799 compatibility
• WHY: a clear and feasible model, efficient working model, a) improving and b) maintaining the subcontractor's or SME's information security level
• HOW: the guidance and consultation of experts, high utilization of the company's own resources, targeted to the right need, integrated with the organization's guidance system
• ASD = Agile Security Development
Agile Security Development (ASD)
Risk Analysis (e-Risk)
Information Security mapping (on-site)
Information Security audit and certification (on-site)
Best Practices documents
"ASD tools"
Evaluation DB
ASD kick-off
- goals
- timetables
- resources
Maintenance process
ASD method
Laws
Client docs and other guiding docs
Agile Security Development (ASD)
Management meeting
- Requirements in terms of overall organizational function
- Management's statement of commitment
Information security policy
- Definition and execution
- Compatibility with interest groups
- Communications
Strategic security
- Information security organization, clarification of liabilities
- Asset classification and controls
- Personnel safety
- Physical safety
Instructions
- Definition and execution
- Communications
- Scope
Measurement
- Definition of the measures
- Testing and execution
Education
- Definition, materials
- Execution
Continuity planning
- Definition and execution
- Creation of the scenarios
Operational safety
- Access control
- Systems usage, development, maintenance, acquisition
- Actions in case of information security incidents
Background material of ASD
• ISO 17799, 2700x
• Common Criteria
• Cobit
• ITIL
• ISF
• SSE-CMM
• BSI
• PK-RH
• OCTAVE
• CISSP
• etc. Best Practices documents applied
Conclusions
• Agility and security have tradeoffs; the biggest difference is the emphasis of risks in security.
• Security should be built into the agile process, practices and tools (e.g. security solution patterns, standard solutions, taking security into account proactively).
• Both information security management (ISM) and security engineering practices are needed in the Agile Software R&D.
• Security assurance should be an integral part of SW R&D.
REIJO SAVOLA
Network and Information Security Research Coordinator
Tel. +358 20 722 2138
GSM +358 40 569 6380
Fax +358 20 722 2320
Email [email protected]
VTT TECHNICAL RESEARCH CENTRE OF FINLAND
Network and Information Security Research
Kaitoväylä 1, Oulu, FINLAND
PL 1100, 90571 Oulu, FINLAND
www.vtt.fi
VTT CREATES BUSINESS FROM TECHNOLOGY