How To Approach InfoSec Like a Fed(eral Auditor)

Presented at AppSec USA 2017, Sept. 22, 2017, 2:30 p.m. (45 minutes)

For more than a decade, independent arms of the federal government have published application and hardware security standards that only a minor subset of the InfoSec community has a true grasp on. The Federal Information Processing Standard (FIPS) 140-2 contains 11 comprehensive security requirement areas, and the National Information Assurance Directive (NIAP) has created Common Criteria Protection Profiles for Network Devices and Applications that address many of the security threats and design issues that are still persistent today. These standards take a detailed and secure-by-design approach to security that could be hugely beneficial to engineers and system architects beginning to design new systems. Yet, because of the dense and academic style of these standards, many are only vaguely aware of them, seeing them only as a headache forced onto them by sales managers as development is wrapping up.

For three years I worked to formally validate products against these standards, and recently I've made the switch to application security assessment, where I see many product teams entirely unaware of these practices and standards. This talk aims to cherry-pick the crucial security requirements and principles in these standards and present them in an easily understandable format for development teams, product architects, and security engineers. My goal is to improve your security throughout development and reduce risk for both your customers and company.

I will start by briefly discussing the standards themselves and the context in which they were created and still apply. Next, I will dive into detail on 5 major security principles that are seen throughout these standards. As I discuss these I will include examples and my observations on how they are currently implemented in the industry.

1. Define the security boundary
2. Create a functional specification
3. Prove that the boundary and services protect Critical Security Parameters
4. Protect all network traffic using SSH, TLS, or IPsec
5. Prove the strength of your entire cryptographic stack

Presenters:

  • Scott Cutler - Application Security Engineer - Aspect Security
    I became interested in InfoSec when I attended DefCon in 2004. I got a degree in Information and Computer Science from UC Irvine in 2009. After paying my bills by doing QA testing and DevOps, I got my first job in information security performing FIPS and Common Criteria evaluations with InfoGard Laboratories (now UL). I later obtained my OSCP certification and most recently became an Application Security Engineer with Aspect Security in 2015. I now work on web application security assessments and creating e-learning material for secure development processes.
