Software Security: Building Security In
Chapter 2 A Risk Management Framework

Business risk identification helps to define and steer use of particular technical methods for extracting, measuring, and mitigating software risk given various software artifacts. The identification of business risks provides a necessary foundation that allows software risk (especially impact) to be quantified and described in business terms. This makes impact statements tangible and spurs action on risk mitigation. The key to making risk management work for any business lies in tying technical risks to the business context in a meaningful way. The ability to thoroughly identify and understand risks is thus essential.

Uncovering and recognizing technical risks is a high-expertise undertaking that usually requires years of experience. But on their own, the technical risks are often not actionable. Central to this stage of the RMF is the ability to discover and describe technical risks and map them (through business risks) to business goals. A technical risk is a situation that runs counter to the planned design or implementation of the system under consideration. For example, a technical risk may lead to the system behaving in an unexpected way, violating its own design strictures, or failing to perform as required. If the builders do not make proper use of touchpoints, these kinds of risks may slip by unnoticed. Technical risks can also be related to the process of building software. The process an organization follows may offer too many opportunities for mistakes in design or implementation. Technical risks involve impacts such as unexpected system crashes, avoidance of controls (audit or otherwise), unauthorized data modification or disclosure, and needless rework of artifacts during development. Technical risk identification is supported by the software security touchpoints described throughout this book.

Stage 3: Synthesize and Rank the Risks

Large numbers of risks will be apparent in almost any given system.
Identifying these risks is important, but it is the prioritization of them that leads directly to creation of value. Through the activities of synthesizing and prioritizing risks, the critical "Who cares?" question can (and must) be answered. Synthesis and prioritization should be driven to answer questions such as: "What shall we do first given the current risk situation?" and "What is the best allocation of resources, especially in terms of risk mitigation activities?" Clearly, the prioritization process must take into account which business goals are the most important to the organization, which goals are immediately threatened, and how likely technical risks are to
down, starting with business goals. In either case, to visualize the problem, analysts create the goal-to-risk relationship table, which displays the relationships between:

• Business goals
• Business risks
• Technical risks (by identification number)

Note that no attempt is made at this point to set priorities in the goal-to-risk relationship table because this action is performed during the following synthesis activity.

As an example, in Table 2-13 the analyst concludes, based on research, professional experience, and expertise, that KillerAppCo's unplanned downtime and system failure business risks directly correspond with the availability goal. The analyst also notes how inadequate fault tolerance testing and DoS susceptibility feed the business risk of unplanned downtime. A similar linkage is created between poor password requirements, inadequate RNG implementation, and limited enforcement of access rules and their collective contribution to the business risk of system failure. Similar relationships are drawn by the analyst for the project's time-to-market and accuracy business goals. There may be a one-to-many relationship between an identified technical risk and the multiple business risks to which it is related. Note, for example, that the inadequate fault tolerance testing risk (TR3) contributes to both the unplanned downtime and inaccurate operational functions business risks.

After developing the goal-to-risk relationship table, the analyst is ready to create a table showing the technical risk severity by business goals. This table depicts how severely an identified technical risk impacts each of the business goals.
To determine the severity, the analyst assesses the likelihood that the technical risk will materialize and builds an estimate of the realized risk's business impacts in terms of each identified business goal. As an example, in Table 2-14 the analyst deduces that inadequate fault tolerance testing (TR1) and DoS susceptibility (TR2) will negatively impact the project's most important business goal, time to market, since the likelihood of the risks is high and continued acceptance criteria failures (the business risk to which the technical risks are tied) will inevitably prevent the project team from releasing the product on time. No impact (N/A) is discerned between TR1 and TR2 and the other business goals. Note that a single technical risk, such as poor RNG implementation (TR5), may impact multiple business goals: availability and accuracy. A single technical risk may also impact multiple business goals at different severity levels.
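The synthesis and ranking mechanics described here, and the goal-to-risk links of Table 2-13, as an added worked example (not code from the book or from Cigital). Only the goal-to-risk links, the top priority of time to market, and the high likelihood of the DoS risk come from the chapter; the ordinal scale, the goal weights, and every other likelihood and impact level are constructed placeholders.

```python
"""Synthesize and rank KillerAppCo's technical risks from the Table 2-13 links.

Added example, not code from the book or from Cigital. Only the links below,
the top priority of time to market, and the high likelihood of the DoS risk
(TR4) come from the chapter; every other likelihood, impact and weight is a
constructed placeholder to show the mechanics of risk = probability x impact.
"""
from collections import defaultdict

SCALE = {"L": 1, "M": 2, "H": 3}            # ordinal scale (assumption)
GOAL_WEIGHT = {"time to market": 3, "availability": 2, "accuracy": 1}

# Goal -> business risk -> technical risks (Table 2-13). TR3 and TR5 appear
# under two goals: the one-to-many relationship the chapter points out.
GOAL_TO_RISK = {
    "time to market": {"fails release acceptance criteria": ["TR1", "TR2"]},
    "availability": {"unplanned downtime": ["TR3", "TR4"],
                     "security weaknesses cause system failures": ["TR8", "TR5", "TR6"]},
    "accuracy": {"critical operations performed incorrectly": ["TR7", "TR5", "TR3"]},
}

LIKELIHOOD = {"TR1": "M", "TR2": "H", "TR3": "H", "TR4": "H",   # TR4 = H per text
              "TR5": "M", "TR6": "M", "TR7": "L", "TR8": "M"}   # rest constructed

IMPACT = {  # (technical risk, goal) -> impact level; unlisted pairs are N/A
    ("TR1", "time to market"): "H", ("TR2", "time to market"): "H",
    ("TR3", "availability"): "H", ("TR3", "accuracy"): "M",
    ("TR4", "availability"): "H",
    ("TR5", "availability"): "M", ("TR5", "accuracy"): "H",
    ("TR6", "availability"): "M", ("TR7", "accuracy"): "M",
    ("TR8", "availability"): "L",
}


def links_for(tr):
    """Every (business goal, business risk) pair a technical risk feeds."""
    return [(goal, brisk) for goal, risks in GOAL_TO_RISK.items()
            for brisk, trs in risks.items() if tr in trs]


def severity(tr, goal):
    """Risk = probability x impact for one goal; None where the table shows N/A."""
    level = IMPACT.get((tr, goal))
    if level is None:
        return None
    return SCALE[LIKELIHOOD[tr]] * SCALE[level]


def severity_table():
    """Technical risk severity by business goal, in the shape of Table 2-14."""
    return {tr: {goal: severity(tr, goal) for goal in GOAL_WEIGHT}
            for tr in LIKELIHOOD}


def rank_risks():
    """Priority score per technical risk: goal-weighted sum of its severities."""
    scores = defaultdict(int)
    for tr in LIKELIHOOD:
        for goal, weight in GOAL_WEIGHT.items():
            sev = severity(tr, goal)
            if sev is not None:
                scores[tr] += weight * sev
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for tr, score in rank_risks():
        print(tr, score, [goal for goal, _ in links_for(tr)])
```

A risk tied to two goals (TR3, TR5) is scored once per goal, so the ranking reflects the chapter's point that one technical risk can threaten several business goals at different severities.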
Applying the RMF: KillerAppCo's iWare 1.0 Server

Note: When determining the likelihood that a technical risk will materialize and ascertaining its business impact, analysts should consider controls (e.g., management, operational, and technical) and characteristics (e.g., type of attack, capability of the attacker, intent of the attacker, and resources of the attacker) associated with the risk.

Sometimes functionality gets into a product that none of the product managers or higher-level executives know about or think about strategically. You may find these kinds of things by looking into the code and asking questions (which usually get answered like this: "Oh, yeah. Without that, the system doesn't work for our clients who use Oracle."). At this point it is worth a pause to think. Perhaps you found a business goal that the stakeholders don't focus enough attention on. Business goal omissions are problematic because these omissions lead to requirements omissions, and in turn to design decisions that ripple back and forth along the interface with implementation and support of the real production environments. For an example, see NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems" [NIST 800-53].

analyst also determines that the likelihood that the DoS susceptibility risk will occur is high (H). Each remaining technical risk's indicator and likelihood are also defined. After determining the likelihood that an identified technical risk will occur, the analyst estimates the business impact of each technical risk should it materialize. This link back to business impact is essential. In the example, the analyst documents that poor RNG implementation may lead to system failures, unexplained behavior, and inaccurate transactions (see Table 2-12).
Because of this technical vulnerability, unauthorized users can gain access to the system, cause system crashes or unexplained behavior, influence transactions, or create illegitimate transactions. Business impacts are defined by the analyst for each remaining technical risk. If different subsystems are analyzed separately, a cumulative analysis of risks associated with different subsystems is performed. At this time, inter-subsystem risks should also be identified. Only after the RMF project team is fully satisfied with the initial set of collected business and technical risk data can the analyst proceed to the risk synthesis and prioritization stage. Peer review is an excellent idea.

Synthesizing and Ranking the Risks

To better understand and manage risk, analysts establish relationships between the business goals, business risks, and technical risks and subsequently prioritize them in meaningful business terms. The initial objective may be achieved from the bottom up by first determining the technical risks that lead to each business risk and then determining the business risks associated with each business goal. Analysts can also work from the top
runs counter to the planned design or implementation of the system under consideration.

Analyzing Software Artifacts

The analyst begins to evaluate software artifacts by performing selected analytical best practices (including the software security touchpoints), some of which require the execution of tools, to help identify technical risks. Table 2-10 presents technical risks resulting from the application of software security touchpoints. In our example, the analyst discovers technical risks that may threaten KillerAppCo's time-to-market, availability, and accuracy business goals. Note that a technical risk may yield multiple business impacts (see TR3 and TR5 in Table 2-10).

Now it's time to determine the indicator(s) associated with each identified technical risk and specify the probability that each risk will materialize. In Table 2-11, the analyst specifies two indicators for the TR4 denial-of-service (DoS) susceptibility risk: a post-deployment increase in unauthorized logins and a post-deployment decrease in mean server availability. Based on independent research, professional experience, and expert collaboration, the

Table 2-10 KillerAppCo's Technical Risks

TR1 Developers do not have access to quality assurance (QA) tools for unit testing.
TR2 QA tests do not fully evaluate requirements.
TR3 A. Testing does not cover fault tolerance. System failures are likely.
    B. Testing does not cover fault tolerance. Hardware failures can create incorrect transactions.
TR4 System is susceptible to denial-of-service attacks.
TR5 A. Poor random number generation (RNG) makes crypto weak. Unauthorized access may cause system crashes or unexplained behavior.
    B. Poor RNG makes crypto weak. Attackers can influence transactions or create illegitimate transactions.
TR6 Poor enforcement of access control rules allows misuse by insiders and outsiders.
TR7 Poor password choices make system attacks easier. Unauthorized access can create invalid transactions.
TR8 System does not require good passwords. Attackers can get in more easily and cause unpredictable behavior.
interested in specific best practices for software security, you should skip ahead to Part II. If you do skip ahead, make sure you cycle back around later in order to understand how the framework described here supports all of the best practices.

Putting Risk Management into Practice

The software security touchpoints exist to drive out technical risk. Critical to proper application of the touchpoints is the notion of keeping track of security risks as they are uncovered and making sure they are properly dealt with. The RMF is about identifying, tracking, and mitigating software risk over time.

Central to the notion of risk management is the idea of describing impact. Recall from Chapter 1 that risk is defined as probability x impact. Without a clear and compelling tie to business consequences, technical risks, software defects, and the like are not often compelling enough on their own to spur action. Though the risks I focus on in this book are all tied directly to software and all have clear security ramifications, unless they are described in terms that business people and decision makers understand, they will not likely be addressed. There is nothing more frustrating to a technical person than identifying a serious problem that never gets fixed. We can avoid that frustration by properly describing impact.

Put more succinctly, a major hurdle to the proper handling of technical risk has been the inability to tie risk clearly to business impact. This leads to the techno-gibberish problem. Software is a fairly geeky domain. It's about arcane technology that business people don't understand. The question needs to be: How do you get business people to care whether their software works or not? The answer has to be that software risk must be understood and related in terms of business impact.
As a technical person, you need to say something like, "If the flimflobble in sector four has a floosblozzle failure, that means we will miss the first quarter number by $2 million" (as opposed to just saying the first part). Business people can relate to the last part of the statement.

The RMF described here is a condensed version of the Cigital RMF, which has been applied in the field for almost ten years. An RMF is designed to manage software-induced business risks. For purposes of illustration, the RMF is described here in the context of a particular project; however, many
Table 2-13 KillerAppCo's Goal-to-Risk Relationship Table

Business Goal: TIME TO MARKET. iWare 1.0 Server must be released on January 1, 2008.
  Business Risk: The software fails to meet the acceptance criteria required for release.
    TR1 Developers do not have access to QA tools for unit testing.
    TR2 QA tests do not fully evaluate requirements.

Business Goal: AVAILABILITY. iWare 1.0 Server must provide 99.999% uptime.
  Business Risk: System failures cause unplanned downtime.
    TR3 A. Testing does not cover fault tolerance. System failures are likely.
    TR4 System is susceptible to denial-of-service attacks.
  Business Risk: Security weaknesses cause system failures.
    TR8 System does not require good passwords. Attackers can get in more easily and cause unpredictable behavior.
    TR5 A. Poor RNG makes crypto weak. Unauthorized access may cause system crashes or unexplained behavior.
    TR6 Poor enforcement of access control rules allows misuse by insiders and outsiders.

Business Goal: ACCURACY. Transactions must be recorded with 100% accuracy, with no invalid, duplicate, or missing transactions.
  Business Risk: The software fails to perform critical operational functions correctly.
    TR7 Poor password choices make system attacks easier. Unauthorized access can create invalid transactions.
    TR5 B. Poor RNG makes crypto weak. Attackers can influence transactions or create illegitimate transactions.
    TR3 B. Testing does not cover fault tolerance. Hardware failures can create incorrect transactions.

By completing the table linking technical risk severity with business goals, analysts indicate the most severe technical risks that the project should address in order to meet prioritized business goals. In the end, the chart presents the critical risk management information necessary to make informed decisions, such as those involving release management, production, and process improvement. This marriage of business and technical
• Confirm the relationships between business goals, business risks, and technical risks
• Create a preliminary outline of the risk analysis report, which includes strategic risk mitigation content

The brainstorming activity typically produces notes as well as updated risk tables. It may also reveal the need for the RMF project team to perform additional analytical activities.

Conducting the Business and Technical Peer Review

After completing all research, risk identification, and synthesis activities, the analyst creates an interim report or presentation summarizing the risk findings and outlines a preliminary risk mitigation strategy. The completed summary is submitted to the RMF project team for business and technical peer review. Note that peer review can sometimes be a time-consuming process; make sure that time is allocated both for necessary peer reviews and for the incorporation of feedback.

Defining the Risk Mitigation Strategy

During this stage, the analyst builds and finalizes a risk mitigation strategy. An outline of this strategy will have been created during the risk synthesis activity. To develop a coherent strategy, the RMF project team meets to brainstorm on possible risk mitigation methods, their effectiveness, and control over the project's software-induced business risks. Results of this work are reported in a comprehensive status report document.

Brainstorming on Risk Mitigation

During the risk mitigation brainstorming session, the RMF project team should answer the question, "How can the software risks that have been identified be managed?" Using this question as a guidepost, the RMF project team members list potential mitigation methods on a whiteboard. Next, they associate the proposed methods with identified technical risks. The group then estimates the effectiveness of the proposed mitigation methods and the level of rigor at which each method must be performed.
The resulting approach is a technical strategy motivated by business concerns. Methods must make sense economically, and in the best of all cases they will have a clear ROI that can be demonstrated. All costs of mitigation must be weighed against each method's predicted effectiveness and compared against potential downside costs (in case a risk
Appendix D Glossary

Risk—Flaws and bugs lead to risk. Risks are not failures. Risks capture the probability that a flaw or a bug will impact the purpose of the software (i.e., risk = probability x impact). Risk measures must also take into account the potential damage that can occur. A very high risk is not only likely to happen but also likely to cause great harm. Risks can be managed by technical and non-technical means. See Chapter 1.

Software security—The idea of engineering software so that it continues to function correctly under malicious attack.

SDL—Secure Development Lifecycle.

SDLC—Software development lifecycle.

Threat—The actor or agent who is the source of danger. Within information security, this is invariably the danger posed by a malicious agent (e.g., fraudster, attacker, malicious hacker) for a variety of motivations (e.g., financial gain, prestige). Threats carry out attacks on the security of the system (e.g., SQL injection, TCP/IP SYN attacks, buffer overflows, denial of service). Unfortunately, Microsoft has been misusing the term threat as a substitute for risk. This has led to confusion in the commercial security space. See Chapter 5.

Touchpoint—Process-agnostic software security best practice applied on a software artifact.

Vulnerability—A defect or weakness in system security procedures, design, implementation, or internal controls that can be exercised and result in a security breach or a violation of security policy. A vulnerability may exist in one or more of the components making up a system. See Chapter 5.
The Cigital Workbench

[Figure 2-3 The Cigital Workbench risk management dashboard displays information about software risk and business impact over time.]

These components capture fundamental aspects of the RMF. Central to the idea of the Workbench is the notion of tracking information about risks. The Workbench allows for the automatic creation of technical risk to business risk associations, impact analysis, and ranking. Basic risk information is available in a risk log (Figure 2-4). Information about the relationship between business goals and technical risks is displayed in one of many available tables (Figure 2-5).
About the Author

he was a student of Doug Hofstadter, and a BA in Philosophy from the University of Virginia. Dr. McGraw is a member of the Technical Advisory Boards of Authentica, Counterpane, and Fortify Software. He serves as an Advisor to the UC Davis Department of Computer Science and the University of Virginia Department of Computer Science, and he sits on the Dean's Advisory Council of the School of Informatics at Indiana University. He is a member of the IEEE Security and Privacy Task Force and was recently elected to the IEEE Computer Society Board of Governors.