Two stories caught my eye yesterday.
First, a company named Newegg shipped counterfeit Intel i7 chips to customers. Customers received a clay mold and piece of scrap metal rather than a real processor. Intel and others are investigating this situation.
In another story, the Energizer Duo Charger, a laptop battery charger kit made up of hardware and software, was found to contain a Trojan Horse program in its optional battery charge monitoring software (note: the Trojan impacts Windows, but not Macintosh computers). When activated, the Trojan, which opens port 7777, can install files, read directories, and communicate with remote hackers. Energizer is cooperating with US-CERT to try to figure out how the code got into its product.
How are these stories related? Both describe an issue that gets little attention: cyber supply chain assurance.
The cyber supply chain is made up of a network of suppliers, distributors, business partners, and customers that share cyber business processes, develop technology, and distribute products. Since the cyber supply chain comprises a vast network of companies, one weak organization or bad apple can compromise products and create vulnerabilities for all downstream parties.
With the Intel case, it appears that someone corrupted the distribution chain. With Energizer, it seems like a rogue developer or software tester was introduced into the development cycle.
So here’s the problem: in general, we trust that the products we purchase are safe. Bad assumption, as the Intel and Energizer examples point out. This also holds true for technology vendors themselves, who ultimately integrate a bunch of microprocessors, specialized chips, and software code together. Could any of these components be tainted? Absolutely.
Here’s a scary statistic: in a recent study, the U.S. Department of Defense found that only 2% of all the microprocessors and integrated circuits purchased are actually manufactured in the United States. This gives foreign adversaries ample opportunity to tamper with critical systems in a way that is extremely hard to detect.
Technology is developed by distributed groups of engineers and outsourced firms across the globe. Final assembly is often done offshore. Distributors install software on systems and then repackage them. Testing software security is often weak or ignored.
The Intel and Energizer stories prove that trusted products can be tampered with in the supply chain. We need to address this with the right knowledge, processes, and countermeasures. Continuing to ignore it will lead to more and more similar events.
Tags: Cyber Supply Chain Assurance Model, DHS, DOD, Energizer, Intel
Microsoft built upon its Secure Development Lifecycle (SDL) this week with an announcement at the Black Hat conference in Washington DC. With this announcement, Microsoft will provide a simplified implementation of SDL. The goal here is to spread the goodness of SDL to smaller or less sophisticated development organizations.
Microsoft also extended its support for Agile development with new templates and integration with development and testing tools. Finally, Microsoft announced a number of partners to its SDL Pro Network (i.e. third parties providing tools and/or services based upon SDL). New recruits include Software Assurance leaders like Booz Allen Hamilton, Codenomicon, Fortify, and Veracode.
This particular Microsoft announcement won’t get much play compared to say the Windows 7 announcement, but as a security insider, I think it is important for several reasons:
I really applaud Microsoft for calling attention to SDL. Whether most people realize it or not, a lot of software developers never think about security as they are writing code. This is the root cause of a lot of our current — and future — security woes.
One final note. Microsoft’s SDL is not a proprietary model for Windows. Any developer can use it. If you are an out-and-out Microsoft basher, I suggest you visit SAFECode.org, an organization focused on Software Assurance.
Tags: Cyber Supply Chain Assurance Model, Federal Government, Microsoft, SAFECode, SDL
When it comes to hyperbole, the technology industry is at least as persistent as any other. Take cloud computing, the buzz term du jour. Is the industry hype here appropriate? Yes and no. Yes, cloud computing will play an increasing role in the future of IT, but in the short term it is more vision than reality. Case in point: ESG Research indicates that only 12% of mid-sized companies and large enterprises say that “increased use of cloud computing services” rates as one of their top IT priorities for the next 12 to 18 months. This is far from a tectonic shift and suggests more of a 3-5 year migration like we have seen in the past.
Regardless of when organizations make this plunge, cloud security will be one of the major stumbling blocks. If internal controls or compliance mandates don’t align with cloud computing, all of the speeds-and-feeds innovation in the world won’t matter.
The fact is that cloud security is another complex area that is being oversimplified and hyped by the vendor community. No single security product (or suite of products) will provide cloud security; rather, cloud security will depend upon a combination of contractual protection, shared governance and technology safeguards, transparency, and cyber supply chain assurance, amongst other things.
Readers who are truly interested in a process-oriented approach to cloud security would be well served by reading a comprehensive paper from the Cloud Security Alliance titled Security Guidance for Critical Areas of Focus in Cloud Computing (available at the CSA web site, www.cloudsecurityalliance.org). After a brief cloud definition and taxonomy, the report is divided into two major sections:
While the CSA has wide participation, many IT professionals and security technology vendors I’ve spoken with were not aware of this document and like me, felt it was well worth the time to read.
I am a firm believer in the cloud computing model but I despise the cloud computing rhetoric from the industry. Cloud computing will be a marathon rather than a sprint and we are just starting the race. Without pragmatic guidelines like those presented by the Cloud Security Alliance, cloud computing will continue to live in television commercials and vendor collateral rather than enterprise IT.
Tags: Cloud Computing, Cloud Security Alliance, CSA, Cyber Supply Chain Assurance Model, Cybersecurity
While all of the recent Microsoft buzz centers on Windows 7, the company made a small but important announcement this week. At TechEd Europe in Germany, Microsoft announced that it has adapted its SDL model to accommodate Agile software development.
This announcement needs a bit of clarification. First, Agile software development is an iterative software development model based upon teamwork, cooperation, and communication around specific software functionality. The goal here is rapid application development of specific “chunks” of software functionality rather than the massive, multi-phased software development models of the past. These principles were adapted from successful manufacturing processes such as Six Sigma and the Toyota 5S methodology.
Since its inception in 2001, the Agile development model has gained popularity as it fits well with today’s web-based applications. It is worth noting, however, that there is no single Agile development model. This makes sense as Agile’s focus on teamwork and communication leaves plenty of room for improvisation.
While Agile development has demonstrated its ROI value, the emphasis was always on rapid application development and not necessarily on security. Recognizing this deficiency, Microsoft jumped in by adapting its SDL model for Agile. Since the Agile model does not have distinct phases and features rapid release cycles, Microsoft broke its process-oriented SDL into “buckets” of activities. Some of these activities must be done for each Agile project (e.g. threat modeling), some must be done once (e.g. update compilers), and some must be done on a case-by-case basis (e.g. fuzz testing). Microsoft produced a number of tools and papers to help developers align their Agile development processes to each of these buckets. Ultimately, all of the goodness of SDL remains intact, but developers can customize it for their own needs.
This may seem deep in the technical weeds, but I believe this is an important announcement because:
It is also worth mentioning that SDL is not a profit center for Microsoft. The SDL model creation, development, support, and distribution cost Microsoft a lot of dough each year.
I hope this announcement gets the attention it deserves, especially with Computer Science programs, developer communities, security professionals, and public policy makers. Software security is everybody’s business.
Tags: Agile development, Cyber Supply Chain Assurance Model, Cybersecurity, Microsoft, SAFECode, SAIC, SDL, Security Development Lifecycle