A Cybersecurity Engineering Strategy For DevSecOps - DTIC

Transcription

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

A Cybersecurity Engineering Strategy for DevSecOps
Carol Woody, Ph.D.
Principal Researcher
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213

A Cybersecurity Engineering Strategy for DevSecOps, © 2021 Carnegie Mellon University

Copyright 2021 Carnegie Mellon University.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

DM21-0952

Topics
- Challenges for Cybersecurity in DevSecOps
- DevSecOps Pipeline Supports Critical Cybersecurity Requirements
- Managing Supply Chain Risk for DevSecOps
- Cybersecurity Strategy is Key to Success
- Final Thoughts

Section: Challenges for Cybersecurity in DevSecOps

Major Shifts in Technology Will Add Cybersecurity Risk

From -> To
- Hardware-based solution -> Software-intensive system
- Waterfall methodology -> Agile at scale approach
- Organization owned infrastructure -> Shared infrastructure (e.g. Cloud)
- Compliance verification upon completion before fielding (e.g. ATO) -> Continuous integrated monitoring (e.g. cATO)
- Systems developed from requirements and architectural designs -> Systems assembled primarily from reused (often 3rd party) components that map to requirements
- Development life cycle tailored to the system under development -> DevSecOps Development Factory using 3rd party tools and automation

Software is Everywhere

You think you're building (or buying, or using) a product such as: car or truck, satellite, mobile phone, development tools, home security system, aircraft, pacemaker, security tools, home appliance, financial system, bullets for a gun.

Actually you're getting a software platform:
- Software is a part of almost everything we use.
- Software defines and delivers component and system communication.
- Software is used to build, analyze and secure software.

All software has defects:
- Best-in-class code has 600 defects per million lines of code (MLOC).
- Good code has around 1000 defects per MLOC.
- Average code has around 6000 defects per MLOC.
(based on Capers Jones research, http://www.namcook.com/Working-srm-Examples.html)

Software Development is Now Modular

Reuse is rampant!

[Figure: hypothetical application compositions, showing components such as Server, XML Parser, C Libraries and C compiler]

Delivered product maps to desired functionality, but:
- Each component is a decomposition of code collected from subcomponents, commercial products, open source, code libraries, etc., with unknown provenance, unknown quality, and unknown security
- Each collects, stores, and sends data in different file structures and formats
- No one person, team, or organization knows how all the pieces work

Assembly from 3rd Party Components Reduces Construction Cost/Schedule and Increases Flexibility

Example: vehicles are now assembled from Engine Control Units (ECUs). Supply chain risk increases exponentially.
- 2010 Jeep Cherokee: 12 ECUs
- 2014 Jeep Cherokee: 32 ECUs

ECUs are prefabricated, software-driven components addressing select functionality and tailorable to a specific domain.

Modern high-end automotive vehicles have software and connectivity:
- Over 100 million lines of code
- Over 50 antennas
- Over 100 ECUs

Sources: Miller and Valasek, A Survey of Remote Automotive Attack Surfaces (link truncated in source); https://www.cst.com/webinar14-10-23?utm_source=rfg&utm_medium=web&utm_content=mobile&utm_campaign=2014series; https://en.wikipedia.org/wiki/Electronic_control_unit

Chasing Vulnerabilities is a Chronic Activity for 3rd Party Code

The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) contains 172,822 known vulnerabilities; NVD received 16,190 new vulnerabilities in 2021 (as of 10/23/21).

Headlines cited on the slide:
- "Nearly Three-Quarters of Organizations Victimized by DNS Attacks in Past 12 Months": Domain name system (DNS) attacks are impacting organizations at worrisome rates, according to a new survey from the Neustar International Security Council (NISC) conducted in September 2021.
- "North American Orgs Hit with an Average of 497 Cyberattacks Per ..." (headline and source link truncated in source: "on-average-currently")
- "Surge in Ransomware Incidents": an Allianz Global Corporate & Specialty (AGCS) report analyzes the latest risk developments around ransomware. There was a 62% increase in ransomware incidents in the US in the same period that followed an increase of 20% for the full year. (source link truncated in source: "ve-ransomware-trends/")

Today, Operations Plays Whack-a-mole Chasing Attacks
- Rapid delivery of features is prioritized over defensibility, reliability, and stability.
- Operational missions are jeopardized by weak designs that allow attackers to leverage the many vulnerabilities.
- Once software's in an operational system, vulnerabilities can be difficult (or impossible) to mitigate.

Cybersecurity Should be a Lifecycle Effort

[Figure: lifecycle diagram with labels Mission Execution, Mission thread (Business process), Implementation Weaknesses]

Testing (incomplete at best) verifies requirements, and tools (costly with limited capabilities) look for weaknesses and vulnerabilities.

Emerging Critical Needs
- How can we confirm the DevSecOps pipeline is meeting our cybersecurity needs?
- How can we effectively manage the supply chain risks that 3rd party code introduces?

[Figure: lifecycle diagram labelled Mission thread (Business process)]

Section: DevSecOps Pipeline Supports Critical Cybersecurity Requirements

What is DevSecOps?

A cultural and engineering practice that breaks down barriers and opens collaboration between development, security, and operations organizations using automation to focus on rapid, frequent delivery of secure infrastructure and software to production. It encompasses intake to release of software and manages those flows predictably, transparently, and with minimal human intervention/effort [1].

[1] DevSecOps Guide: Standard DevSecOps Platform Framework. U.S. General Services Administration. https://tech.gsa.gov/guides/dev_sec_ops_guide. Accessed 17 May 2021.

A DevSecOps Pipeline is a System that Must be Engineered

The DevSecOps pipeline (DSO) is a sociotechnical system composed of both software tools and processes. As the capability matures, it can seamlessly integrate three traditional factions that sometimes have opposing interests:
- development, which values features
- security, which values defensibility
- operations, which values stability

A DevSecOps pipeline emerges when continuous integration of these three factions is used to meet organizational, project, and team objectives and commitments.

DevSecOps Maturity Levels

Term / Documentation

Maturity Level 1 - Performed Basic Practices: This represents the minimum set of engineering, security, and operational practices that is required to begin supporting a product under development, even if only performed in an ad hoc manner with minimal automation, documentation, or process maturity. This level is focused on minimal development, security, and operational hygiene.

Maturity Level 2 - Documented/Automated Intermediate Practices: Practices are completed in addition to meeting the level 1 practices. This level represents the transition from manual, ad hoc practices to the automated and consistent execution of defined processes. This set of practices represents the next evolution of the maturity of the product under development's pipeline by providing the capability needed to automate the practices that are most often executed or produce the most unpredictable results. These practices include defining processes that enable individuals to perform activities in a repeatable manner.

Maturity Level 3 - Managed Pipeline Execution: Practices are completed in addition to meeting the level 1 and 2 practices. This level focuses on consistently meeting the information needs of all relevant stakeholders associated with the product under development so that they can make informed decisions as work items progress through a defined process.

Maturity Level 4 - Proactive Reviewing and Optimizing DevSecOps: Practices are completed in addition to meeting the level 1-3 practices. This level is focused on reviewing the effectiveness of the system so that corrective actions are taken when necessary, as well as quantitatively improving the system's performance as it relates to the consistent development and operation of the product under development.

Challenge 1 for DSO: connecting process, practice, and tools

Creation of the DevSecOps (DSO) pipeline for building the product is not static.
- Tools for process automation must work together and connect to the planned infrastructure.
- Everything is software and all pieces must be maintained, but responsibility will be shared across multiple organizations (Cloud for infrastructure, 3rd parties for tools and services).

Challenge 2 for DSO: cybersecurity of pipeline and product

Managing and monitoring all of the various parts to ensure the product is built with sufficient cybersecurity and the pipeline is maintained to operate with sufficient cybersecurity is complex.

Cybersecurity demands effective governance to address:
- What trust relations will be acceptable, and how will they be managed?
- What flow control and monitoring are in place to establish that the pipeline is working properly? Are these sufficient for the level of cybersecurity required?
- What compliance mandates are required? How are they addressed by the pipeline? Is this sufficient?

Reference Architecture / Platform Independent Model (PIM)

A Reference Architecture is an authoritative source of information about a specific subject area that guides and constrains the instantiations of multiple architectures and solutions [2].

A PIM is a general and reusable model of a solution to a commonly occurring problem in software engineering within a given context, and is independent of the specific technological platform used to implement it.

NOTE: PSM = Platform Specific Model

[2] DoD Reference Architecture Description, https://dodcio.defense.gov/Portals/0/Documents/DIEA/Ref_Archi_Description_Final_v1_18Jun10.pdf

PIM Content
- System Requirements
- Capabilities
- Operational Processes & Structures
- Roles
- Glossary
- Maturity Levels
- Bibliography

DevSecOps Requirements Map to Maturity

[Figure only; no transcribed content]

As a DevSecOps System Matures, so will its Capabilities

[Figure only; no transcribed content]

As a DevSecOps System Matures, so will its Capabilities (continued)

[Figure only; no transcribed content]

DevSecOps Pipeline Delivers Key Cybersecurity Requirements
- Designed for Cybersecurity
- Operated for Cybersecurity
- Monitored for Cybersecurity

Planning and Monitoring is Critical
- Is the pipeline performing as expected?
- Are the right things measured?
- Does this match the results?
- How can performance be improved?

Section: Managing Supply Chain Risk for DevSecOps

Types of Supply Chains Impacting Systems

Hardware Supply Chains
- Conceptualize, design, build, and deliver hardware and systems
- Includes manufacturing and integration supply chains

Service Supply Chains
- Provide services to acquirers, including data processing and hosting, logistical services, and support for administrative functions

Software Supply Chains
- Produce the software that runs on vital systems
- Comprise the network of stakeholders that contribute to the content of a software product or that have the opportunity to modify its content
- Language libraries and open source used in development

Acquisition Strategies

Formal Acquisition and Contracting
- Request for Proposal (RFP) response
- Negotiated outcomes bounded by cost and schedule

Commercial Off the Shelf
- Purchase of existing 3rd party product
- May include continuing service agreement for updates and fixes

Informal Selection
- Download from open source library
- Code extracted from prior versions or similar projects

Most organizations use all of these, depending on the level of rigor needed to meet requirements.

Supply Chain Risk: Example Incidents
- Heartland Payment Systems (2009)
- Silverpop (2010)
- Epsilon (2011)
- New York State Electric and Gas (2012)
- California Department of Child Support Services (2012)
- Thrift Savings Plan (2012)
- Target (2013)
- Lowe's (2014)
- AT&T (2014)
- HAVEX / Dragonfly attacks on energy industry (2014)
- DOD TRANSCOM contractor breaches (2014)
- Equifax (2017)
- Marriott (2018)
- SolarWinds (2020)

Complexity: Aligning and Managing Security Objectives Across the Supply Chain
- Mission View. Focus: Assuring mission success
- Infrastructure View. Focus: Protection and sustainment of the infrastructure
- Acquisition and Development View. Focus: Build security into systems
- Certification View. Focus: Certify systems for deployment

Each organization/program unit addresses security from a different perspective (e.g., mission, infrastructure, acquisition and development). Security objectives across organizations/program units need to be aligned and managed.

Complexity: Managing Security and Supply Chain Risk Across Organizations

Risk is managed by multiple organizations/program units. Activities, practices, and controls must align to keep overall security risk within an acceptable tolerance:
- Acquisition and development risk
- Certification risk
- Mission risk
- Infrastructure risk

Various participants lack clear reporting lines.

DevSecOps Supply Chain Problem Space - 1

[Figure only; no transcribed content]

DevSecOps Supply Chain Problem Space - 2

Cybersecurity practices need to be integrated with engineering activities across the systems lifecycle to:
- Mitigate acquisition-related security risks
- Implement resilient architectures

Cybersecurity risks must be managed continuously during operations to ensure that evolving security and resilience requirements are met, effectively and efficiently:
- Update software, hardware, and firmware to address security vulnerabilities
- Manage operational security processes to produce consistent results over time

DevSecOps components must be integrated into the systems lifecycle via collaborative process management.

Supply Chain Risk Management and Security Must Align Across Six Key Lifecycle Areas

Acquisition Security Framework (ASF):
- Program Management
- Engineering Lifecycle
- Supplier Management
- Certification
- Support
- Process Management and Improvement

Section: Cybersecurity Strategy is Key to Success

Effective DevSecOps Cybersecurity Requires a Good Strategy

How will risk be identified, prioritized, and addressed in the DevSecOps pipeline?
- What cybersecurity requirements will be built into the pipeline?
- What tools will be integrated into the pipeline for vulnerability tracking and removal?
- What measurements will be implemented in the pipeline to monitor the processes and the product?
- How will the monitoring feed pipeline and product maturity?

How will the supply chain (3rd party code and components) be acquired, implemented, and maintained?
- How will trusted dependencies be implemented and monitored?
- How will coordination of supply chain participants be managed?

Manage Defect Injection and Removal for Early Detection

[Figure: "Early Defect Removal Across the Lifecycle", a chart of phase defect yield (%) per phase, y-axis 0 to 60%, with phases Requirements, HLD, DLD and Development. Each phase both injects defects and has a Phase Defect Yield.]

Model shown on the slide:
- Defect Injection Phase: Injection = Rate * Time
- Defect Removal Phase: Removal = Defects * Yield
- Process yield: % of defects removed before the first compile and unit test.

Effective quality focuses on defect removal at every step and provides cost-effective security results. Poor quality predicts poor security.

HLD: High Level Design
DLD: Detailed Level Design
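The injection and removal relations on the slide can be run as a small phase-by-phase model. This is an added example, not code from the SEI deck: the phases, injection rates, hours, yields and relative fix costs below are constructed sample values, and the process-yield metric is computed as defects removed before the first compile and unit test divided by defects injected before it.

```python
"""Defect injection and removal across lifecycle phases (added example).

Implements the slide's two relations, Injection = Rate * Time and
Removal = Defects * Yield, plus the process-yield metric. All numbers in
LIFECYCLE are constructed sample values, not SEI data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Phase:
    name: str
    inject_rate: float    # defects injected per hour of work (constructed)
    hours: float          # effort spent in the phase (constructed)
    removal_yield: float  # fraction of defects present that the phase's review/test removes
    cost_per_fix: float   # relative cost of removing one defect in this phase (constructed)


# Constructed lifecycle; HLD/DLD are the slide's High/Detailed Level Design.
LIFECYCLE = (
    Phase("Requirements", 0.5, 20, 0.50, 1),
    Phase("HLD", 1.0, 10, 0.60, 2),
    Phase("DLD", 1.0, 10, 0.50, 3),
    Phase("Code", 2.0, 15, 0.50, 5),
    Phase("Compile & Unit Test", 0.2, 5, 0.50, 10),
    Phase("System Test", 0.0, 10, 0.70, 50),
)
FIRST_TEST_PHASE = "Compile & Unit Test"


def simulate(phases):
    """Push defects through the phases; return per-phase rows and escaping defects."""
    present = 0.0
    rows = []
    for p in phases:
        injected = p.inject_rate * p.hours   # Injection = Rate * Time
        present += injected
        removed = present * p.removal_yield  # Removal = Defects * Yield
        present -= removed
        rows.append({"phase": p.name, "injected": injected, "removed": removed,
                     "escaping": present, "cost": removed * p.cost_per_fix})
    return rows, present


def process_yield(rows, first_test_phase=FIRST_TEST_PHASE):
    """Percent of defects injected before first compile/unit test that were removed before it."""
    injected = removed = 0.0
    for r in rows:
        if r["phase"] == first_test_phase:
            break
        injected += r["injected"]
        removed += r["removed"]
    return 100.0 * removed / injected if injected else 0.0


def removal_cost(rows):
    """Total relative cost of all defect removal across the lifecycle."""
    return sum(r["cost"] for r in rows)


def with_yield(phases, name, new_yield):
    """Copy of the lifecycle with one phase's removal yield changed."""
    return tuple(replace(p, removal_yield=new_yield) if p.name == name else p
                 for p in phases)


if __name__ == "__main__":
    rows, escaping = simulate(LIFECYCLE)
    print(f"baseline: process yield {process_yield(rows):.1f}%, "
          f"{escaping:.2f} defects escape, removal cost {removal_cost(rows):.0f}")
    # A stronger requirements review: fewer defects reach the expensive late phases.
    rows2, escaping2 = simulate(with_yield(LIFECYCLE, "Requirements", 0.80))
    print(f"better requirements review: process yield {process_yield(rows2):.1f}%, "
          f"{escaping2:.2f} defects escape, removal cost {removal_cost(rows2):.0f}")
```

Raising a single early-phase yield lowers both the escaping defect count and the total removal cost, which is the slide's point about early detection being cost-effective.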

Continuous Focus on Cybersecurity Risk Across the Lifecycle is Critical to Operational Mission Success

[Figure: lifecycle diagram with labels Mission thread (Business process) and Threat Analysis]

Section: Final Thoughts

Build and Implement a Cybersecurity Strategy

Establish a plan for sufficient system and software cybersecurity engineering to ensure the operational mission(s) continue, even under cyber attack.

Elements in the strategy include:
- Establish security requirements to ensure confidentiality, integrity, availability (CIA)
- Monitor the pipeline and product for CIA in operational systems and software
- Monitor to recognize, resist, and recover from attacks
- Implement appropriate lifecycle processes and practices to reduce operational vulnerabilities
- Establish coordination and communication capabilities among the many participants to ensure timely and effective response

Opportunities to Learn More

Textbook: Cybersecurity Engineering

Professional Certificate: CERT Cybersecurity Engineering and Software ... (title and link truncated in source: "dentials/credential.cfm?customel datapageid 14047 33881")

Online training in five components:
- Software Assurance Methods in Support of Cybersecurity Engineering
- Security Quality Requirements (SQUARE)
- Security Risk Analysis (SERA)
- Supply Chain Risk Management
- Advanced Threat Modeling

SEI Book Series

Contact Information

Carol Woody, Ph.D.
cwoody@cert.org

Web Resources
- Building security into applications (link truncated in source: "s/allwork/display.cfm?customel datapageid 4050 48574")
- CMU SEI Home Page: https://sei.cmu.edu/
