Johan Peeters on Dreams and Nightmares

Johan Peeters' Thinking Aloud blogs on the unforseen challenges of security in the SDL, specifically focusing on the challenges of dealing with security in an Agile approach:

The question is not whether and when to let economics guide planning as opposed to technical considerations. In the end, economics always win. The problem, in my view, is that we tend to see the value of a new feature, but not its cost. By cost, I do not mean the effort we need to invest into implementing the feature, but rather the cost of the nightmare scenario's that may execute as the system offers some new functionality.

This is am issue that stymied many a security mechanism. One way to look at this issue is to develop Misuse Cases that show the system from an attacker point of view in parallel with user story development, which show features and functionality. The advantage of a little extra effort spent in desgn becomes clear during future iterations and operations

Like functional requirements, non-functional requirements deserve to be revisited at each iteration. It may be comforting to think that, if you get it wrong, you get a second crack at the whip. On the other hand, you are never really done since new non-functional requirements may emerge throughout the duration of the project and old requirements that were initially deemed of secondary importance may take on an increased significance.

How many times have you seen authentication and authorization mechanisms that are weak, broken, or don't reflect a current threat model (hi MQ Series!)? But by the time the system is in production or just close to go live, it is too hard/too late to rip out all the authN and authZ because these require a full system test cycle, and so on. The examples from Johan Peeters and Paul Dyson's workshop are focused on Agile, but these issues apply across all software development methodologies.

**************************************************

Upcoming public SOA, Web Services, and XML Security training by Gunnar Peterson, Arctec Group
--- NYC (April 19), Unatek Web Services (May), OWASP App Sec Europe (May), Helsinki (June), DC/Baltimore (July 19).

New article - Defining Misuse within the Development Process

The latest IEEE Security & Privacy Journal has an article that I co-wrote with John Steven on Misuse Cases. The goal of the series and this article is to get beyond the hand wavy "security needs to get involved in the development lifecycle", and instead provide the where, what, and how that security needs to get involved with specific ways to doing this. Gary McGraw's latest book has excellent methods for doing this, as does Mike Howard's. One idea that Mike Howard talks about is particularly important which is that everything that security attempts to impose on developers is a like a tax on the developers time. As such, security's requests must be targeted at the areas of strategic importance, and in my view part of what this means is that security should be involved early enough in the lifecycle so that security can work in parallel with developers on building more secure code. It is hard to get involved to much early than use case modeling, which is what this article is about -- Defining Misuse in the Development Lifecycle.

In the article we explore how misuse cases are related to use cases, what to model, how misuse cases relate to architecture, and related considerations. We will continue on this theme over the next several issues of S&P.

Pragmatic Speculation

Arctec's own Patrick Christiansen just released a paper on Pragmatic Speculation (...or, what the @#%# is a Technical Use Case?), which looks at ways to model cross cutting concerns across a number of use cases.

Ident-ebonics

Identity projects, like any other integration project, yield confusion because of disparate stakeholder needs and understanding of definition. This is a new discipline for security projects which are typically nowhere near as customer-facing as software development projects, but with identity management security team are exposed directly to lots of stakeholders. On top of that identity projects are laden with lots of legacy terminology baggage like roles. If you ask 5 IT people about roles you will get (at least) 6 different answers, managers talk about functional roles, BAs talk about domain roles, developers talk about user principal roles, and directory architects...of course know what roles really are...er..talk about LDAP roles. This makes this word harmful to building up understanding, it is this way with many concepts in identity and access management. Vendors make the problem even worse. Start with an identity architecture that defines the entities and their relationships. Publish prescriptive, positive definitions and examples help to reduce confusion. Fight ident-ebonics misunderstanding with use cases to generate shared understanding of the space, structure, and behavior. You cannot integrate what you cannot agree on.

Service Oriented Security Architecture

My paper on Service Oriented Security Architecture from the Nov. issue of ISB is now online. The paper describes an approach to dealing security design and architecture issues in developing Web Services and SOA software.

The primary goals are to illustrate a set of key analytical areas, and a way to synthesize these relationships. As Kruchten and others observed separation of concerns is an useful technique in software architecture. In security architecture, it is useful as well, and in addition separation of assets yields a more robust risk management model. In the case of this paper, the assets are separated as Identity, Message, Service, Deployment Environment, and Transaction. This way the risks and countermeasures can be understood and the elements and constraints dealt with in their own domain to the extent possible.

Phasing Security into the SDLC - A Comparison of Approaches

:Lots of companies talk about adding security into their SDLC; Microsoft recently found a security bug and working to address it in the future in their SDLC. Feeding security issues forward is a great idea, but there are problems to be solved and decisions to be made about actually deploying security into the SDLC. The major SDLCs, like XP and RUP, do not have a concrete notion of security, security is treated as just one more non-functional requirement. So it can be hard to get traction on adding security into your SDLC. One of the benefits of being a consultant is that pragmatism is beaten into you. As great as it would be for organizations to unilaterally adopt security throughout their entire SDLC, many companies require a phased approach. There are several contributing factors to this: organizations typically can only absorb so much change at once, the domain is not broadly understood, and the developer-to-security personnel ratio is skewed heavily in favor of the former.

BuildSecurityIn, my own work on security describe how to deploy security techniques into your SDLC from an end to end standpoint, this is the end game. In many cases, a phased approach is needed to advance. Let's take a sample SDLC that includes Analysis (Requirements, Use Cases), Design (Data Modeling and Flows, Modeling), Coding (Development and Unit Testing), and Deployment (QA, System Test, Production Promotion).

If deploying security across all of these phases is not feasible in the near term, or if an iterative phased approach, where "centers of excellence" are developed at discrete points in the process, is desired here are some approaches to phasing security into the SDLC:

1. Top down Approach
This approach adds security requirements to the functional and non-functional requirements and the Use Cases. These requirements can be derived from the Information Security policy, and meeting with security stakeholders. These policy statements are mapped to the requirements and Use Case documents. The requirements drive the design, development and testing of the system. Strengths of this approach are that requirements are clearly defined, and the implementation is up to the domain experts who can make the design and development decisions that work the best in their own technology space.

Key indicators for use: If the organization has a clear Information Security Policy that addresses issues like data classification and acceptable use in a way that can be translated into requirements then this approach can be a good starting point.

Risks in this approach: The Information Security group is outsourcing design and implementation decisions, and lacks an overall compliance view.

Mitigate this risk by writing Security-centric Use Cases that show behavioral flows, exceptional flows, and pre and post conditions that provide more specificity for designers, developers, and testers. Getting actionable security requirements into developer's hands from the early stages is a huge advantage towards seeing them realized in production. Additionally, exorcise the word "security" from as many requirements as possible and be more specific around the actual goal, e.g. authenticate a user dont' "secure a user"

2. Testing and Validation Approach
The top down approach gets Information Security involved at the begining of development. The testing and validation approach targets the end of the development lifecycle. Security systems testing, penetration testing, white and black box apporaches can be used to validate the sufficiency of the system to meet the security goals.

Benefits of this approach are that the Information Security group has a better handle on the qualities of the code that is to be deployed and can find implementation flaws. The drawback is that there may not be time to fix all of the issues that are found. One of the recursive issues at play here, is if the Information Security Policy is not clearly defined, then what is the testing criteria? Industry best practices such as CIS, SANS and OWASP usually fill this gap.

3. Start in the middle approach
This approach focuses on code review and testing during the development phase. Using peer review and automated source code analysis tools to identify security bugs in the code as it is being developed. The Source Code Analysis Tool landscape has gotten a lot more interesting in recent years, making this an interesting approach. The advantages include: being involved early enough to both find *and* fix security bugs, and providing informaiton about bugs to developers in a language that is understandable to them. The disadvantage is that some security errors may be at a design level and it may be too late to resolve these, also the lack of a clear policy and standards may have the smae gap as with the Testing and Validation approach.

A fourth way that may be combined with anoy of the above is training in the SDLC. Focus on a center of excellence in one area and train the subject matter experts on mapping secuirty to their space for the reamining areas. This approach decentralizes some control and empowers domain experts to make the correct design and implementation choices. Again, policy and/or standards are important so that there is clarity around the goals, the technique by itself is never enough.

Remember these are starting points, not the end game. The whole point of a phased approach is to *not* boil the ocean. Phased approaches are an example of an approach I advocate because it forces InfoSec to operate (and iterate) like a software development team

Free Use Case Modeling Tool

Jaczone has released a free UML tool Essential Modeler, which is a tool for creating Use Cases. I have been impressed with and had good experiences using Jaczone' flagship product: Waypointer in the field. Waypointer is an excellent overall software architecture tool, whereas Essential Modeler is focused on Use Cases only.

Use Cases are the most well adopted part of the UML, and will probably be the longest lasting contribution to the field by the language. Many people who have never written OO code are able to create Use Cases based on their understanding of the problem domain, and contribute to the project.

What is really neat to see is how Use Cases are being used in security today, not just software, for example synthesizing complex workflow in federated identity, clearly articulating behavioral concepts, externally visible properties, relationships among stakeholders, and building up an understanding of architecture: this is what Use Cases are intended to do!

As security practitioners know, we need all the help we can get communicating problems and solutions, Use Cases provide a very nice set of tools to do this. Security can import a lot of knowledge from the Use Case world. And security can also guide development teams to write Use Cases with security in mind.

While it would not totally "solve" the software security problem, we would all be better off (and have more secure software) if security personnel learned to model Use Cases to communicate their design requirements, and development teams learned to build security into the system. Now if Jaczone, would just release a version of their tools that run on other OSs 1