Three Themes You Need to Think About in Product Security — and Some Tips for How to Do It
I have been working with software security laboratories and IT security firms for years. I have talked with clients, read and watched dozens of articles and videos, and talked with several experts about product security themes, its future, and technologies.
The three themes are:
Is the blockchain the new technology of trust?
Blockchain has the potential to transform industries. However, some security experts have raised questions: if blockchain is broadly used in technology solutions, will security standards be adopted? How can the cryptographic keys that allow access to blockchain applications be protected? Still, the potential is huge: securing IoT nodes and edge devices with authentication, improving confidentiality and data integrity, disrupting current PKI systems, reducing DDoS attacks, and so on.
The potential of AI (machine learning, deep learning, reinforcement learning) in Product Security
Machine learning can help in creating products that analyse threats and respond to attacks and security incidents. Several repositories on GitHub and open-source code from IBM are available to developers. Deep learning networks are growing rapidly thanks to cheap cloud GPU services, and after the latest success of reinforcement learning algorithms nobody knows the upper limit.
Product Security by International security standards and practices
The present, future, and development directions of the independent third-party certification industry. How can international standards respond to the rapid growth of new technologies and keep applications secure in IoT, blockchain or AI-driven industries?
Are IT products reliable, secure and will they stay that way?
I would like to explain Product Security in a simple way. My goal is to introduce product security to tech startups and fast-growing tech firms. Furthermore, I would like to emphasize the benefits of product security certification.
Product security by Blockchain, AI and Security Certs
2. Product Security by Blockchain, AI and Security Certification for Startups (series B, C), SME and Technology Fast 500
by Tibor Zahorecz
3. AGENDA
PROBLEM: Are IT products reliable and secure?
BLOCKCHAIN, AI: Blockchain, AI is the new Technology of Trust?
PRODUCT SECURITY: Product Security by International security standards and practices
SOLUTION: Why International security certs are good for the world, markets and the vendors
BEHIND: Behind this deck
5. Over 8600 Vulnerabilities found in pacemakers (Medical sector)
media: https://thehackernews.com/2017/06/pacemaker-vulnerability.html
In a recent study, researchers from security firm
White Scope analysed seven pacemaker products
from four different vendors and discovered that
they use more than 300 third-party libraries, 174
of which are known to have over 8,600
vulnerabilities that hackers could exploit in
pacemaker programmers.
6. Deep flaw in your car (Mobility sector)
media: https://www.wired.com/story/car-hack-shut-down-safety-features/
The article highlights a little-noticed automotive hacking technique presented at the DIMVA security conference in Bonn, Germany, together with researchers at LinkLayer Labs and the Polytechnic University of Milan. Their work points to a fundamental security issue in the CAN protocol that car components use to communicate and send commands to one another within the car's network, one that would allow a hacker who accesses the car's internals to shut off key automated components, including safety mechanisms.
7. Hacking industrial robots (Industry 4.0)
A group of researchers from the Polytechnic University of Milan and Trend Micro has discovered that some robots are directly connected to the Internet (for example, for receiving updates from the manufacturer or sending telemetry to company headquarters), or to an insufficiently isolated factory Wi-Fi network. This enables malefactors to discover robots with the help of a dedicated scanner.
The robots are easy prey. With no encryption used when updating firmware, no digitally signed firmware at all, and default user names and passwords used, anyone who finds a robot’s IP address can modify its configuration files and change its operation logic.
media: https://www.kaspersky.com/blog/hacking-industrial-robots/17879/
8. Hacking IoT Devices: How to Create a Botnet of Refrigerators (IoT)
source: https://www.thesslstore.com/blog/hacking-iot-devices-create-botnet-refrigerators/
DDoS attacks that use botnets made of IoT
devices are not just possible—they’re happening.
Mirai primarily targeted IoT devices.
It did this by using devices it had already infected
to scan the internet for IoT devices. Once it
identified its targets, it used a table of over 60
common factory default usernames and
passwords to hack into the devices.
Deep dive into IoT Hacks
10. Blockchain is secure
Blockchain has the potential to change the way we buy
and sell, interact with government and verify the
authenticity of everything
See the interactive intro
11. What is Blockchain?
Deep Dive
Blockchain at Berkeley
The Blockchain Fundamentals DeCal is a
comprehensive survey of relevant topics in
cryptocurrency and the wider blockchain space…
See the lecture notes for more information
12. What is AI?
Deep Dive
Google deck about ML, AI, DL
The systems implemented today are a form of narrow AI: systems that can do just one defined thing better than humans.
See the lecture notes for more information
13. What is a Decentralized AI?
Blockchains and deep learning
Content:
Why decentralized and AI are relevant to each other
Overview of deep learning
Problems with centralized machine learning
What decentralization is and isn't
Problems with the web today
First generation peer-to-peer networks
Applications of cryptography
Decentralizing the web; storage, transport, &
computation
Smart contracts and automation
Decentralized autonomous organizations
See the lecture notes for more information
14. Decentralized Artificial Intelligence in Practice
OpenMined
OpenMined is a community focused on building
open-source technology for the decentralized
ownership of data and intelligence.
The OpenMined ecosystem incorporates a number
of technologies including federated machine
learning, blockchain, multi-party computation, and
homomorphic encryption.
See the lecture notes for more information
15. AI and DL current topics for Product Security
Hands-On Workshop: Creating Intelligent Physical Security
Products Using AI and Deep Learning by NVIDIA: link
Machine Learning in Cyber Security Domain: blog
How machine learning can be used to write more secure
computer programs (link)
IoT Security Techniques Based on Machine Learning (study)
MLconf 2017 Seattle presentations
Study of Deep Learning Techniques for Side-Channel
Analysis and Introduction to ASCAD Database (paper link)
GitHub Repo (https://github.com/ANSSI-FR/ASCAD)
● Copyright (C) 2018, ANSSI and CEA
16. Blockchain Protocol Analysis and Security Engineering 2017
/Stanford/
deep dive
How Formal Analysis and Verification
Add Security to Blockchain
Layers for security consideration:
Key Management, Audit, Backup: ISO/IEC 27000
Program Code, Secure Hardware: ISO/IEC 15408
(Common Criteria)
Privacy protection, Secure transaction: ISO/IEC
29128
The 2018 agenda link is in the lecture notes
17. How Formal Analysis and Verification Add Security to Blockchain-based Systems, by Shin’ichiro Matsuo (MIT Media Lab) and Pindar Wong (VeriFi Ltd.) (source)
18. Blockchain Protocol Analysis and Security Engineering 2018
/Stanford/
deep dive
The conference materials are online
Some topics
Charles Guillemet; State-of-the-art Attacks on
Secure Hardware Wallets
Florian Tramèr et al.; Enter the Hydra: Towards
Principled Bug Bounties and Exploit-Resistant
Smart Contracts
Michael Egorov; NuCypher KMS: Decentralized
key management system
Agenda, and materials
21. Common Criteria is an International security scheme
Common Criteria Certification provides independent, objective validation of the
reliability, quality, and trustworthiness of IT products.
XEROX
‘It is a standard that customers can rely on to help them make informed decisions about their IT purchases’
https://www.xerox.com/information-security/common-criteria/enus.html
Dell EMC
‘Certification for Common Criteria for Information Technology Security Evaluation (Common Criteria) is part of our comprehensive Product Security Program that ensures delivery of secure products to enable information infrastructure security for organizations.’
https://australia.emc.com/products/security/external-security-validation.htm
NATO
‘By establishing a common base, the results of an IT security evaluation are more meaningful to a wider audience.’
https://www.ia.nato.int/guidance-more
22. Some Certified IT Product categories (lists are in the lecture note)
COMMUNICATIONS AND
SURVEILLANCE:
Secure Communications, Devices and Management,
Tactical Radios, Tablets, Phones and Mobile etc.
CRYPTOGRAPHY &
CRYPTOGRAPHIC LIBRARIES
NETWORK SECURITY:
IT Management Systems for Infrastructure
Network Automation, Configuration and
Management
Virtual Networking Server Mgmt Solutions
VPN, Switches and Routers
Network & Network Related Devices and
Systems
Data Compression and Network Security
Solutions
Server Automation & Management
Secure Web Gateway
STORAGE
DATA MANAGEMENT:
Encryption Management Strategy
Data Compression and Network Security
Solutions, Virtual Machine Storage etc.
APPLICATION SOFTWARE
CLOUD SERVICES
SECURITY INFORMATION &
EVENT MANAGEMENT (SIEM),
LOG ANALYSIS
SMART CARD & READER
OPERATING SYSTEMS
INTRUSION & VULNERABILITY
PREVENTION
23. Database products - Product Security Practice - by MarkLogic
Deep Dive
Building Security Into MarkLogic
Given the increase in data breaches, securing the
perimeter is no longer enough.
The database itself must be secure. That is why
according to MarkLogic, an industry leader in
next-gen database technology, Common Criteria
Certification* and advanced security features like
element level security and advanced encryption
are critical elements a database must include in
today’s constantly evolving threat environment.
* Building Security Into MarkLogic white paper, MarkLogic
24. Cybersecurity - Product Security Practice - by McAfee
Deep Dive
McAfee Product Security Practices
McAfee takes product security very seriously. Our
practices include designing for both security and
privacy, in software and applications.
We have rigorous product security policies and
processes designed to proactively find and remove
software security defects, e.g. security vulnerabilities.
We understand that our products must not only fulfill
the stated function to help protect our customers, the
McAfee software itself must also aim to protect itself
from vulnerabilities and attackers. McAfee strives to
build software that demonstrates resilience against
attacks. (url)
Core Software Security, a book by Dr. James Ransome (Senior Director of Product Security, McAfee): link
Advice for software companies in lecture notes
25. Experiences from the certification of an open source product -
PrimeKey
Key messages:
Benefits of Common Criteria
● Improved software quality
● Improved security documentation
● Independent security audit
● Secure development processes
● Increased market potential
Applicability of Certification
Although it does provide security benefits as described,
the cost and work involved is usually too high for any
organization to perform a certification unless there are
clear business requirements or advantages. There are
huge differences depending on the product type and
area.
The lecture notes contain more information
* Tomas Gustavsson, M.Sc has been researching and implementing PKI systems
since 1994. CTO at PrimeKey, founder of open source PKI project EJBCA and
committed follower of open standards.
26. BSIMM - Bringing science to software security
Deep Dive
About the BSIMM
BSIMM, pronounced “bee simm”, is a study of
existing software security initiatives.
By quantifying the practices of many different
organizations, we can describe the common
ground shared by many as well as the variations
that make each unique.
Why Join?
https://www.bsimm.com/about/membership.html
28. Customers and Market benefits from product security certification
BY GENE KEELING, DIRECTOR, GLOBAL CERTIFICATION TEAM, CISCO (read more)
Improved availability of assessed,
security-enhanced IT products
Improved citizen confidence in products
Consumers are able to compare their
needs beside the Common Criteria’s
consistent standards to decide on the
level of security required.
Allowing vendors to focus resources on
standard requirements for the
improvement of security in products
Buyers can be more definitive when
determining if particular products meet
their specific requirements
29. Vendor benefits from product security certification
Regulated Industries market access
(unlocking): > $500 Billion
FED Total Addressable Market access:
$90 Billion
Governments market access (globally)
Transnational Organization market
access: NATO, EU, Banking etc.
Gain competitive edge in the marketplace
Elevate company’s brand as products are
independently evaluated against
transparent and auditable standards for
security.
Build secure products with fewer
vulnerabilities (branding)
31. Worldwide Recognition
Twenty-seven countries, including the United States and Canada, have signed the Common Criteria Recognition
Arrangement (CCRA), making it an unparalleled measure of security for the international commerce of IT
products.
Why Pursue Common Criteria Validation?
Access previously untapped markets, such as the Intelligence Community, Financial Services, Healthcare,
Critical Infrastructure, and US and Foreign governments
Demonstrate corporate commitment to product security
Elevate company’s brand to potential customers that products have been independently evaluated against
transparent and auditable standards for security
32. Minimize the uncertainty with Readiness Assessment
Avoid speculation over wide ranging estimates, conflicting timelines, and confusing
requirements with an internal audit of your company’s certification readiness
Problem:
These certifications are fraught with
uncertainties and challenges which
if not properly understood and
addressed can lead to missteps,
perils, and significant opportunity
costs for most companies.
Questions clients always ask:
How much does this cost?
How long will this take?
How much impact will this have on
our engineering staff?
Solution: The Readiness Assessment
is a highly engaged and interactive session which goes beyond
assessing a product’s security gaps to addressing a company’s
overall preparedness when embarking on a certification effort.
Examines the critical success factors in every certification effort as
well as uncovers potential failure points in the process for your
specific projects. Finally, the teams work together to produce a
roadmap that best fits your organization and certification goals.
It will encompass all aspects of the certification effort; including
costs, potential human capital considerations, product readiness,
and timing.
Inputs and Discussion Topics:
• Libraries & Cryptographic Health Analysis
• User I&A/AAA Analysis
• Vulnerability Assessment & Patch/Update Strategy
• Product Architecture & Security Review
• Intellectual Property Protection
• Documentation, Testing, & Program Requirements
35. WHY CORSEC
DISCOVER REQUIRED PRODUCT CHANGES
EARLY IN THE PROCESS 75%
FIXED PRICE & FIXED TIMELINES 90%
PRODUCT SECURITY EXPERIENCE > 325 UNIQUE PRODUCTS 95%
> 1 million HOURS SECURITY VALIDATION 99%
For two decades Corsec has partnered with companies around the
world to accelerate go-to-market readiness, improve brand reputation,
and significantly increase financial returns for our clients. Our turnkey
approach gets companies through FIPS 140-2, Common Criteria, and
listing on the DoD APL while reducing the internal engineering burden
associated with product security compliance and security hardening
while mitigating the risks associated with security certifications.
References
DONE ONCE, DONE RIGHT
36. WHY CCLab
RESPONSIVENESS 90%
AGILE - SPEED - TIME TO MARKET 95%
AFFORDABLE 99%
CCLab is an accredited Common Criteria evaluation
laboratory based in Budapest operating under the
Italian governmental security scheme (OCSI). It has
experience in the evaluation of crypto libraries,
SmartCards, digital signature applications, digital
wallets, PKI and Blockchain-based applications.
References
We help to make products secure and internationally
accepted.
37. LabShare
Find and obtain software security, secure software development and
niche engineering services from audited Labs and firms.
Improve your product security level