Trustworthy Software Foundation
Reducing the Underlying Risk –Trustworthy Software
© Copyright 2003-2016 [TS/2016/066 | v1.0]
TLP WHITE covering TLP GREEN
Ian Bryant, TSFdn Chief Operating & Technology Officer; Principal Fellow, University of Warwick Cyber Security Centre
Briefing for Secure South West, 2016-10-05
Traffic Light Protocol
• Most TSFdn material will be marked with Traffic Light Protocol (TLP) sharing and handling instructions [originated by former UK NISCC, formalised in ISO/IEC 27010:2012]
• TLP: WHITE information may be distributed without restriction, subject to copyright controls
• Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels
• Recipients may only share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information
• Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed
The Cyber Ecosystem: “IOCT”
• Digital technology realms
– IT: Information Technologies
– OT: Operational Technologies
– CT: Consumer Technologies
• “IOCT”
• Generic functions are Processing, Storage and Forwarding
• Can be either:
– Data-centric (mainly OT); and/or
– Information-centric (mainly IT/CT)
Elements of the Cyber Ecosystem
[Figure: Elements of the Cyber Ecosystem, shown within its Supply Chain. Source: Cyber Security Centre, University of Warwick. Legend: L = Logic-based Hardware; N = Non-logic-based Hardware; PP = Processes & Physical; S = Software; E = Environment (especially Electromagnetic); W = Wetware; I = Information (Plain or Encrypted)]
Software in the Cyber Ecosystem
Software Culture
“Software development is improving.
It used to be absolutely abysmal.
Now it’s merely dismal.”
Alan Cox, Linux Guru
London, January 2006
“Alan Cox is still right”
Ian Bryant, TSFdn COTO
Launch of TSFdn
London, April 2016
UK’s Modern Engineering Principles
• UK’s Royal Academy of Engineering and Engineering Council publish consolidated Statement of Ethical Principles
• This includes:
– Acting in a reliable and trustworthy manner
– Giving due weight to all relevant facts and published guidance, and the wider public interest
– Identifying, evaluating, and quantifying risks
– Being alert to ways in which work might affect others, holding health and safety paramount
Challenge – Stovepiped Adversity Views
• Few practitioners treat Adversity holistically
• Information Security community address Threat
– Deterministic model with problems handling Known, Unknown and Unknowable (KuU) factors
– Often ignores Hazards
• System Reliability / Safety community address Hazards
– Typically Stochastic model
– Approach usually ignores Threat
Trustworthiness approach intended to break down these stovepipes
Holistic Adversity Treatment
Focus        | Approach | Goal            | Treatment
Adversities  | Risk     | Trustworthiness | Protection (Holistic)
Hazards      | Safety   | Dependability   | (Stovepiped)
Threats      | Security | Defence         | (Stovepiped)
Faults       |          |                 | (Stovepiped)

Holistic treatment: ∑ ƒ [Safety; Reliability; Availability; Resilience; Security]
Types of Adversity
[Figure: Types of Adversity. Source: TSI (UK) / SwA (US)]
Trustworthiness and Security Mapping
[Figure: mapping of Trustworthiness facets to Security properties. Labels: Security; Confidentiality; Integrity; Safety; Reliability; Availability; Resilience]
Facets of Technical Trustworthiness
Trustworthiness comprises:
• Safety: the ability of the system to operate without harmful states
• Reliability: the ability of the system to deliver services as specified
• Availability: the ability of the system to deliver services when requested
• Resilience: the ability of the system to transform, renew, and recover in timely response to events
• Security: the ability of the system to remain protected against accidental or deliberate attacks
• No de jure or de facto definition of Trustworthiness
• Use extended de facto definition of Dependability by addition of Resilience
Software Incident Impact
• Software problems are high cost to economy:
– US Government National Institute of Standards & Technology (NIST): ~$60 billion / year to US alone
– No definitive figure for UK / worldwide
• Software a major source of IT project failure:
– University of Oxford Saïd Business School / McKinsey 2011; Standish Chaos Reports 2004 onwards; et al
• Software bugs “source of 90% of ICT Incidents”
– (GovCERT-UK, 2012-09)
• Mitre’s Common Weakness Enumeration (CWE) is a maintained list of generic software weakness types: 706 distinct CWEs (+ 3 Chains & 5 Composites) in Jun-2016
Treating Adversity
Classic “Bow Tie” Model
[Figure: Bow Tie model. Left side: Proactive Controls (Preparedness). Right side: Reactive Controls (Response; Recovery; Investigate / Disrupt). Annotation on Investigate / Disrupt: the only community that can care exclusively about Threat rather than Adversity]
Adversity, the Superset of:
• Hazard: UNDIRECTED sources of risk (e.g. Natural Disasters, Accident)
• Threat: DIRECTED sources of risk (e.g. Foreign Powers, Organised Crime)
Trustworthiness and Facet Lifecycles
[Figure: Trustworthy Software Management System over {Trustworthiness Facet} Management System(s). Lifecycle: Specify; Realise (Verify; Deploy); Use (Configure; Validate; Maintain). Facets: Safety; Reliability; Availability; Resilience; Security (Focus of TS Activity); “Information Security”; “Cyber Security”; Quality; … (Activity in aligned domains)]
Emergent Challenges to Software
• Current global Technological / Societal challenges:
– Distributed application platforms and services (“Cloud”)
– Internet of Things (IoT) / Machine to Machine (M2M)
– Mobile Devices and Lightweight operating systems
– Consumerisation / Bring-Your-Own-Device (BYOD)
– Commoditisation in previously closed architectures
– Consolidation for energy efficiency (Low Carbon / Green)
• These are likely to present Disruptive Challenges, fundamentally deepening dependence on Software
Impediment to Trustworthiness Adoption
• Long memories of massive Hype / Hysteria surrounding “Y2K”
• Despite many Academics and Practitioners suggesting nuanced approach, commercial interests and The Press grossly over-inflated potential risk
• Consequently software risks often treated as “Crying Wolf!”, as success from Y2K activity not visible (“a problem that didn’t happen”)
TLP: GREEN
Trustworthy Software Requirement
• Requirements for Trustworthy Software can arise from:
– Explicit (Functional) Requirement for Trustworthiness
– Implicit (Non Functional) Requirement (NFR) for Trustworthiness, either as
  – Direct NFR for software under consideration, or
  – Collateral NFR from other software in environment
• Requirements cover whole IOCT domain (including ICS) and activities (Specification, Realisation and Use)
• Assurance requirements range from Due Diligence (all software) to Comprehensive
Choosing Appropriate Granularity
[Figure: spectrum of granularity from 1 to ∞. “Single Answer” (Taylorism): stifles Diversity / Innovation. Single Answer, but with Exception Handling. Optimal, e.g. agreed Archetypes and Catalogues (c.f. Aristotelian Golden Mean). Highly Variant: Complex (“Special Snowflake Syndrome”). Unfeasibly Variant: Emergence (Combinatorial Explosion)]
Generalised Optimal Effort
• “Pareto Principle”, or “80-20 Rule”
• Vilfredo Pareto (1848-1923), Professor of Political Economy at Lausanne, Switzerland from 1893
• Observed "Eighty percent of the wealth is held by twenty percent of the people"
• Extended by Juran, Zipf, and others to apply to almost all other distribution scenarios as well
[Figure: Benefit Delivered against Time and/or Effort. “The Sweet Spot”: typically 20% of Time and/or Effort delivers typically 80% of Benefit]
The Art Of The Possible
• For any large scale and/or complex System, “perfection” (i.e. the complete absence of Defects) is typically an illusion, for a variety of reasons including:
– “Combinatorial explosion”
– Chaotic behaviours
– Emergent properties
• Nonetheless Good Engineering Practice across all domains remains to minimise avoidable Defects, noting the Pareto Principle (“80:20”)
• Software should be treated like every other engineering activity
Supply-side Audience Clusters
Where Supply-side:
– Mainstream = “The Industry” (e.g. Microsoft, Oracle, ...)
– Niche = Specialist Industries (e.g. Aviation, “Security”) but with Stovepiped Adversity view
– Dispersed = Small scale developers (e.g. SmartPhone Apps)
– Collateral = Developers who don’t consider themselves as such (e.g. Embedded components, website CMS users, spreadsheets, …)
– Gap = Suppliers who regard Adversity Holistically
[Figure: clusters Mainstream, Niche, Collateral, Dispersed and Gap plotted against axes Likely Process-tolerance and Likely Trustworthiness-as-Functionality]
UK Trustworthy Software History
[Figure: timeline across Professional Bodies, Industry, Government and Academia. Ad Hoc Studies (2003-6); CSTKN SSD WG (2007-8); SSDP (2009-10); SSDRI/TSI (2011-16); TSFdn (2016-). Outputs: PAS754:2014; TS-BOK; ACTS; TS Roadmap; Multinational “Paris Workshop”]
TS Roadmap – 2013 Edition
Adoption (ADO)
– ADO.1: Understand audience needs and attitudes
– ADO.2: Develop appropriate approaches for audience behaviour modification, with understanding of business case(s)
– ADO.3: Establish and monitor appropriate communications channel(s)
– ADO.4: Integrate Trustworthy Software and SCRM with public sector, regulated industries' and CNI acquisition processes
– ADO.5: Establish legislative and regulatory framework
Body of Knowledge (BOK)
– BOK.1: Develop inventory of tools, techniques and components
– BOK.2: Establish Trustworthy Software Framework (TSFr) and Repository (CMDR)
– BOK.3: Establish risk-based Trustworthiness Levels (TL)
– BOK.4: Develop approach for dynamic data sharing
– BOK.5: Develop Concepts, Research & Innovation (CRI) Framework
Coherence (COH)
– COH.1: Develop national Trustworthy Software guidance
– COH.2: Develop Trustworthy Software international guidance
– COH.3: Integrate Trustworthy Software approaches with Supply Chain Risk Management (SCRM)
– COH.4: Develop national Trustworthy Software and SCRM standards
– COH.5: Develop Trustworthy Software and SCRM international standards
Training, Education and Awareness (TEA)
– TEA.1: Design curricula for undergraduate education
– TEA.2: Investigate and develop options for other education
– TEA.3: Develop training packages for current workforce
– TEA.4: Develop approaches to practitioner verification
– TEA.5: Work with professional bodies on approaches for continuing development
Verification (VER)
– VER.1: Establish the role of "independent mentor"
– VER.2: Develop approaches, tools and techniques for verification assessments
– VER.3: Define interoperability standards for functionality and testing
– VER.4: Define approach for Organisation Verification
– VER.5: Develop analysis and testing tools for deployed systems and systems of systems
UK Trustworthy Software Initiative (TSI)
• During the 5 year period (2011-2016) of the UK’s first National Cyber Security Programme (NCSP), the Trustworthy Software Initiative (TSI) was established and funded to coalesce ad hoc activity across 5 Facets of Trustworthy Software (Safety – Reliability – Availability – Resilience – Security [SRARS]) into a single management focus, and address aspects of the Multinational Trustworthy Software Roadmap of highest priority to the UK
• Its major milestones have included the publication of the Comprehensive Framework (BS PAS754:2014), a simplified “TS Essentials” for the mass market, and development of Reference Curricula and other materials for Education and Training
• Sustainment of support and evolution of outputs being transitioned to an independent, not-for-profit, entity to be sponsored by relevant Professional Bodies
[Shown: BS PAS754 and TS Essentials publications]
TLP: GREEN
Trustworthy Software Foundation – TSFdn(1)
The independent, not-for-profit, entity is the Trustworthy Software Foundation, founded to:
a. Primarily curate a Trustworthy Software Body of Knowledge (TS-BOK), to serve as a living backbone for signposting to diverse, but often obscure, sources of Good Practice
b. Secondarily address other aspects of the multi-nationally produced 2009 Trustworthy Software Roadmap
Trustworthy Software Foundation – TSFdn(2)
• The TSFdn Company is “subscribed” (sponsored) by UK Professional Bodies
• Current Subscribers
– Institution of Analysts and Programmers (IAP)
– Institute of Information Security Professionals (IISP)
– UK Testing Board (UKTB) [UK element of ISTQB]
• Dialogue in progress with the other relevant Professional Bodies to join as future Subscribers
• Chief Operating and Technical Officer (COTO) sits on Board and acts as Company Secretary
Model of Audience Applicability
Applicability (Segment / Risk)              | Approach                                              | Goal                        | Metric
(No requirement) / Negligible               |                                                       | TL0                         |
Mass Market / Implicit Need (M/I), Low-Medium | Baseline (Prescriptive): “TS Essentials” (TS502-x)   | TL1 – Fundamental Practice  | Existence (MoEx)
Mass Market / Explicit Need (M/E), Low-Medium | Baseline (Prescriptive): “TS Essentials” (TS502-x)   | TL2 – Structured Practices  | Performance (MoPe)
Niche Market / Explicit Need (N/E), Medium-High | Comprehensive (Descriptive): BS PAS754:2014        | TL3 – Enhanced Practices    | Effectiveness (MoEf)
Niche Market / Explicit Need (N/E), Medium-High | Comprehensive (Descriptive): BS PAS754:2014        | TL4 – Specialist Practices  | Operational Effectiveness (MoOE)
TS Audience Scale
[Figure: indicative world market sizes per TL, modelled as a discrete variable mapped against a log scale. If natural, ordinal numbers were used, the TL4 market (M/I only) would be so dominant that all other segments (the TL2 element of M/I; M/E at both TL2 and TL3; N/E at both TL3 and TL4) would not be visible]
Why Standardise?
“If you think of standardization as the best that you know today, but which is to be improved tomorrow; you get somewhere.”
Henry Ford 1863-1947 (American industrialist and pioneer of the moving assembly-line production method)
[Figure: Niche View, to augment existing practices; Mass Market View, for (Pareto) general use]
Trustworthiness Levels (TL)
[Figure: Risk Analysis of Software + Use Parameters selects a Trustworthiness Level. TL 0: No Requirement. TL 1/2: Prescriptive Approach, Baseline TSF Profile (Essentials), Baseline Specification: TS Essentials. TL 3/4: Descriptive Approach, Comprehensive TSF Specification (PAS754) applied through Organisational Processes, Comprehensive Specification: BS PAS754]
TLP: WHITE
Trustworthy Software Framework (TSFr)
Level 0: Title
Level 1: Areas (e.g. TE – Technical)
Level 2: Groups (e.g. TE.02 – Appropriate Tool Choice)
Level 3: Control Consensus (e.g. TE.02.10 – Programming Language(s))
Level 4: Repository, e.g. Citations (e.g. ISO/IEC 24772 “Guidance on language selection”)
Trustworthy Software Framework (TSFr)
Facet Mapping: Cyber Security
[Figure: Trustworthy Software mapped to Cyber Security across the lifecycle Specify; Realise (Verify; Deploy); Use (Configure; Validate; Maintain), with TSI / TechForum Patching (June 2015) in the Use stage. Low-Medium Risk: TS Essentials maps to CS Essentials. Medium-High Risk: BS PAS754† maps to ISO/IEC 27001]
News! BSI Project to update and transform PAS754:2014 to BS10754 commences 4Q2016
Verification of Trustworthiness
[Figure: Verification of Verifiers over Trustworthy Components, Trustworthy Practitioners and Trustworthy Organisations, supported by Trustworthiness Instruction and Trustworthiness Advice]
TS Verification Activity
• Focus is Verification (conformance), not Validation (appropriateness)
• Verification (VER) Workstream was on Back Burner during NCSP funded Stages 1 and 2 (Jul-2011 to Mar-2016)
– Concepts developed
– Dialogue with existing N/E Domains (e.g. Security and Safety, both at TL3/4) as to Beneficial Deltas from adopting more holistic approach of Trustworthiness
– Proof of Concept exercise of Organisation (ORG - OVA) and Component (COM - CVA) Verification at TL1/2 (i.e. those for the M/I and M/E Domains)
• With start of Independent Stage 3 (under TSFdn) in Apr-2016:
– Verification Assessment (xVA) definitions finalised
– Work has commenced with partners to investigate wider xVA deployment options
– In addition to generic xVA options, interested in working with partners for Domain Extension Profiles (i.e. add specific requirements such as xxx Security)
TLP: GREEN
“Brexit”
[Figure: Pro-Leave “Brexiter” / Pro-Remain]
UK Brexit Status
Statement on the Status of EU
“The decision about when to trigger Article 50 [of The Treaty on European Union a.k.a. The Lisbon Treaty] and start the formal process of leaving the EU will be for the [new] Prime Minister. The UK remains a member of the EU throughout this process, and until Article 50 negotiations have concluded.”
Cabinet Office, Home Office, and Foreign & Commonwealth Office, 11 July 2016
Questions
• Any Questions?
Brexit and Example International Relationships
TLP: GREEN
Categories: European Union | Other “Europe” | Not “Europe”
– European Union (EU): EC (Administration); ECJ (Court); EDA (Defence); EDPB (Data Protection); ENISA (ICT Security); …
– EEA (EU + EFTA): CEN (SDO); CENELEC (SDO); …
– SDOs: IEC; ISO; ITU
– Council of Europe: ECHR (Court); EUR-OPA (Hazards); GRECO (Corruption); …
– Defence: NATO; FPDA; 5 Eyes; …
– CEPT: ETSI (SDO); …
– Security/LE: Interpol; CTA (IE/UK); Sangatte (BE/FR/UK)
– EHEA (Education): GÉANT (NREN)
– Security/LE: ECU (Customs); OCSE
Contact
Ian Bryant
Chief Operating and Technical Officer
TS Foundation Office
Cyber Security Centre
Room 255 International Manufacturing Centre
University of Warwick
University Road, Westwood Heath, Coventry, CV4 7AL, England
+44 300 030 1924
www.tsfdn.org