Trustworthy Software Foundation: Reducing the Underlying Risk – Trustworthy Software. Briefing for Secure South West, 2016-10-05. Ian Bryant, TSFdn Chief Operating & Technology Officer; Principal Fellow, University of Warwick Cyber Security Centre. [TS/2016/066 | v1.0] TLP WHITE covering TLP GREEN. 40 slides.


Page 1

Trustworthy Software Foundation

Reducing the Underlying Risk – Trustworthy Software

© Copyright 2003-2016 [TS/2016/066 | v1.0]

TLP WHITE covering TLP GREEN

Ian Bryant, TSFdn Chief Operating & Technology Officer; Principal Fellow, University of Warwick Cyber Security Centre

Briefing for Secure South West, 2016-10-05

Page 2

Traffic Light Protocol

• Most TSFdn material will be marked with Traffic Light Protocol (TLP) sharing and handling instructions [originated by former UK NISCC, formalised in ISO/IEC 27010:2012]

• TLP: WHITE information may be distributed without restriction, subject to copyright controls

• Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels

• Recipients may only share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information

• Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed
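The four handling rules above, written out as a sharing gate that also checks a mixed-marking deck such as this one ("TLP WHITE covering TLP GREEN") against its most restrictive slide. This is an added example, not TSFdn code; the recipient categories, the public-channel flag and the sample deck are assumptions constructed for illustration.

```python
"""Sharing gate for TLP-marked material, implementing the four handling
rules for TLP: WHITE / GREEN / AMBER / RED as stated on the slide.

Added example, not TSFdn code. The recipient categories, the
`public_channel` flag and the sample deck below are constructed for
illustration; the deck's slide markings mirror this briefing, which is
marked "TLP WHITE covering TLP GREEN".
"""
from dataclasses import dataclass

# Markings from least to most restrictive; the index doubles as a rank.
TLP_ORDER = ("WHITE", "GREEN", "AMBER", "RED")

# Constructed recipient categories, relative to the current holder:
#   "public"        anyone at all
#   "sector_peer"   peer or partner organisation in the same sector/community
#   "own_org"       member of the holder's own organisation
#   "same_exchange" participant in the meeting/exchange where it was disclosed


def rank(marking: str) -> int:
    """Numeric restrictiveness of a marking; unknown markings rank above RED."""
    marking = marking.upper()
    return TLP_ORDER.index(marking) if marking in TLP_ORDER else len(TLP_ORDER)


def may_share(marking: str, recipient: str, public_channel: bool,
              need_to_know: bool = False) -> tuple[bool, str]:
    """Decide whether material carrying `marking` may be passed to `recipient`.

    Returns (allowed, reason). Anything not explicitly permitted is refused,
    and an unrecognised marking is handled as if it were TLP: RED.
    """
    marking = marking.upper()
    if marking == "WHITE":
        return True, "WHITE: no restriction (copyright still applies)"
    if public_channel or recipient == "public":
        return False, f"{marking}: not via publicly accessible channels"
    if marking == "GREEN":
        if recipient in ("sector_peer", "own_org"):
            return True, "GREEN: peers and partners within the sector/community"
        return False, "GREEN: recipient is outside the sector/community"
    if marking == "AMBER":
        if recipient == "own_org" and need_to_know:
            return True, "AMBER: own organisation, need to know"
        return False, "AMBER: own-organisation members with a need to know only"
    # RED, or an unknown marking handled as RED
    if recipient == "same_exchange":
        return True, "RED: within the original exchange/meeting only"
    return False, "RED: may not leave the exchange in which it was disclosed"


@dataclass(frozen=True)
class Slide:
    number: int
    marking: str


def effective_marking(slides: list[Slide]) -> str:
    """The marking that covers a whole deck is that of its most restrictive slide."""
    top = max(slides, key=lambda s: rank(s.marking))
    return top.marking.upper()


def cover_is_consistent(cover: str, slides: list[Slide]) -> bool:
    """A cover marking must be at least as restrictive as every slide inside."""
    return rank(cover) >= rank(effective_marking(slides))


def shareable_slides(slides: list[Slide], recipient: str,
                     public_channel: bool, need_to_know: bool = False) -> list[int]:
    """Slide numbers that may be released to `recipient`; the rest are withheld."""
    return [s.number for s in slides
            if may_share(s.marking, recipient, public_channel, need_to_know)[0]]


# Constructed sample deck: 40 slides, GREEN where this briefing marks GREEN.
GREEN_SLIDES = {17, 25, 35, 39}
SAMPLE_DECK = [Slide(n, "GREEN" if n in GREEN_SLIDES else "WHITE")
               for n in range(1, 41)]

if __name__ == "__main__":
    print("deck effective marking:", effective_marking(SAMPLE_DECK))
    print("cover 'WHITE' consistent:", cover_is_consistent("WHITE", SAMPLE_DECK))
    print("publishable slides:", shareable_slides(SAMPLE_DECK, "public", True))
```

For this deck the whole-document check fails for a plain WHITE cover, which is exactly why the cover reads "covering TLP GREEN": the four GREEN slides must be withheld from any public channel.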


TLP: WHITE

Page 3

The Cyber Ecosystem: “IOCT”


• Digital technology realms

– IT: Information Technologies

– OT: Operational Technologies

– CT: Consumer Technologies

• “IOCT”

• Generic functions are Processing, Storage and Forwarding

• Can be either:

– Data-centric (mainly OT); and/or

– Information-centric (mainly IT/CT)

TLP: WHITE

Page 4

Elements of the Cyber Ecosystem


TLP: WHITE

[Figure: Elements of the Cyber Ecosystem (Source: Cyber Security Centre, University of Warwick). Legend: L = Logic-based Hardware; PP = Processes & Physical; N = Non-logic-based Hardware; S = Software; E = Environment (especially Electromagnetic); W = Wetware; I = Information (Plain or Encrypted). Other labels: Cyber Ecosystem; Supply Chain]

Page 5

Software in the Cyber Ecosystem


TLP: WHITE

Page 6

Software Culture


“Software development is improving. It used to be absolutely abysmal. Now it’s merely dismal.”

Alan Cox, Linux Guru, London, January 2006

“Alan Cox is still right”

Ian Bryant, TSFdn COTO, Launch of TSFdn, London, April 2016

TLP: WHITE

Page 7

UK’s Modern Engineering Principles

• UK’s Royal Academy of Engineering and Engineering Council publish consolidated Statement of Ethical Principles

• This includes:

– Acting in a reliable and trustworthy manner

– Giving due weight to all relevant facts and published guidance, and the wider public interest

– Identifying, evaluating, and quantifying risks

– Being alert to ways in which work might affect others, holding health and safety paramount


TLP: WHITE

Page 8

Challenge – Stovepiped Adversity Views

• Few practitioners treat Adversity holistically

• Information Security community address Threat

– Deterministic model with problems handling Known, Unknown and Unknowable (KuU) factors

– Often ignores Hazards

• System Reliability / Safety community address Hazards

– Typically Stochastic model

– Approach usually ignores Threat

Trustworthiness approach intended to break down these stovepipes


TLP: WHITE

Page 9

Holistic Adversity Treatment


Focus | Approach | Goal | Treatment

Holistic: Adversities | Risk | Trustworthiness | Protection

Stovepiped: Hazards | Safety | Dependability

Stovepiped: Threats | Security | Defence

Other label on the slide: Faults

∑ ƒ [Safety; Reliability; Availability; Resilience; Security]

TLP: WHITE

Page 10

Types of Adversity


TLP: WHITE

[Figure: Types of Adversity. Source: TSI (UK) / SwA (US)]

Page 11

Trustworthiness and Security Mapping


[Figure: Trustworthiness and Security Mapping. Labels: Security; Confidentiality; Integrity; Availability; Safety; Reliability; Resilience]

TLP: WHITE

Page 12

Facets of Technical Trustworthiness


Trustworthiness

Safety: the ability of the system to operate without harmful states

Reliability: the ability of the system to deliver services as specified

Availability: the ability of the system to deliver services when requested

Resilience: the ability of the system to transform, renew, and recover in timely response to events

Security: the ability of the system to remain protected against accidental or deliberate attacks

• No de jure or de facto definition of Trustworthiness

• Use extended de facto definition of Dependability by addition of Resilience

TLP: WHITE

Page 13

Software Incident Impact

• Software problems are high cost to economy:

– US Government National Institute of Standards & Technology (NIST): ~$60 billion / year to US alone

– No definitive figure for UK / worldwide

• Software a major source of IT project failure:

– University of Oxford Saïd Business School / McKinsey 2011; Standish Chaos Reports 2004 onwards; et al

• Software bugs “source of 90% of ICT Incidents”

– (GovCERT-UK, 2012-09)

• Mitre’s Common Weakness Enumeration (CWE) is a maintained list of generic software weakness types – 706 distinct CWEs (+ 3 Chains & 5 Composites) in Jun-2016

TLP: WHITE

Page 14

Treating Adversity

TLP: WHITE

Classic “Bow Tie” Model

[Figure: bow tie diagram. Labels: Proactive Controls; Reactive Controls; Preparedness; Response; Recovery; Investigate / Disrupt. Callout: “The only community that can care exclusively about Threat rather than Adversity”]

Adversity, the Superset of:

• Hazard ... UNDIRECTED sources of risk (e.g. Natural Disasters, Accident)

• Threat .... DIRECTED sources of risk (e.g. Foreign Powers, Organised Crime)

Page 15

Trustworthiness and Facet Lifecycles


[Figure: Trustworthy Software Management System containing {Trustworthiness Facet} Management System(s), across the lifecycle Specify; Realise (Verify; Deploy; Configure; Validate; Maintain); Use. Facets listed as “Focus of TS Activity”: Safety, Reliability, Availability, Resilience, Security. Listed as “Activity in aligned domains”: “Information Security”, “Cyber Security”, Quality, …]

TLP: WHITE

Page 16

Emergent Challenges to Software

• Current global Technological / Societal challenges:

– Distributed application platforms and services (“Cloud”)

– Internet of Things (IoT) / Machine to Machine (M2M)

– Mobile Devices and Lightweight operating systems

– Consumerisation / Bring-Your-Own-Device (BYOD)

– Commoditisation in previously closed architectures

– Consolidation for energy efficiency (Low Carbon / Green)

• These are likely to present Disruptive Challenges, fundamentally deepening dependence on Software


TLP: WHITE

Page 17

Impediment to Trustworthiness Adoption


• Long memories of massive Hype / Hysteria surrounding “Y2K”

• Despite many Academics and Practitioners suggesting nuanced approach, commercial interests and The Press grossly over-inflated potential risk

• Consequently software risks often treated as “Crying Wolf!”, as success from Y2K activity not visible (“a problem that didn’t happen”)

TLP: GREEN

Page 18

Trustworthy Software Requirement

• Requirements for Trustworthy Software can arise from:

– Explicit (Functional) Requirement for Trustworthiness

– Implicit (Non Functional) Requirement (NFR) for Trustworthiness

– Direct NFR for software under consideration

– As Collateral NFR from other software in environment

• Requirements cover whole IOCT domain (including ICS) and activities (Specification, Realisation and Use)

• Assurance requirements range from Due Diligence (all software) to Comprehensive


TLP: WHITE

Page 19

Choosing Appropriate Granularity


TLP: WHITE

[Figure: granularity scale from 1 to ∞. Labels: “Single Answer” (Taylorism); Single Answer, but with Exception Handling; Optimal, e.g. agreed Archetypes and Catalogues (c.f. Aristotelian Golden Mean); Highly Variant: Complex; Unfeasibly Variant: Emergence; “Special Snowflake Syndrome”; Combinatorial Explosion; Stifles Diversity / Innovation]

Page 20

Generalised Optimal Effort


• “Pareto Principle”, or “80-20 Rule”

• Vilfredo Pareto (1848-1923), Professor of Political Economy at Lausanne, Switzerland from 1893

• Observed "Eighty percent of the wealth is held by twenty percent of the people"

• Extended by Juran, Zipf, and others to apply to almost all other distribution scenarios as well

[Figure: Benefit Delivered plotted against Time and/or Effort. Labels: “The Sweet Spot”; Typically 20%; Typically 80%]

TLP: WHITE

Page 21

The Art Of The Possible

• For any large scale and/or complex System, “perfection” (i.e. the complete absence of Defects) is typically an illusion, for a variety of reasons including:

– “Combinatorial explosion”

– Chaotic behaviours

– Emergent properties

• Nonetheless Good Engineering Practice across all domains remains to minimise avoidable Defects, noting the Pareto Principle (“80:20”)

• Software should be treated like every other engineering activity

TLP: WHITE

Page 22

Supply-side Audience Clusters


Where Supply-side:

– Mainstream = “The Industry” (e.g. Microsoft, Oracle, ...)

– Niche = Specialist Industries (e.g. Aviation, “Security”) but with Stovepiped Adversity view

– Dispersed = Small scale developers (e.g. SmartPhone Apps)

– Collateral = Developers don’t consider themselves as such (e.g. Embedded components, website CMS users, spreadsheets, …)

– Gap = Suppliers who regard Adversity Holistically

[Figure: audience clusters Mainstream, Niche, Collateral, Dispersed and Gap plotted against Likely Process-tolerance and Likely Trustworthiness-as-Functionality]

TLP: WHITE

Page 23

UK Trustworthy Software History


TLP: WHITE

[Figure: timeline across Professional Bodies, Industry, Government and Academia. Stages: Ad Hoc Studies (2003-6); CSTKN SSD WG (2007-8); SSDP (2009-10); SSDRI/TSI (2011-16); TSFdn (2016-). Other labels: PAS754:2014; TS-BOK; ACTSTS; Multinational Roadmap; “Paris Workshop”]

Page 24

TS Roadmap – 2013 Edition


Adoption (ADO)

– ADO.1: Understand audience needs and attitudes

– ADO.2: Develop appropriate approaches for audience behaviour modification, with understanding of business case(s)

– ADO.3: Establish and monitor appropriate communications channel(s)

– ADO.4: Integrate Trustworthy Software and SCRM with public sector, regulated industries' and CNI acquisition processes

– ADO.5: Establish legislative and regulatory framework

Body of Knowledge (BOK)

– BOK.1: Develop inventory of tools, techniques and components

– BOK.2: Establish Trustworthy Software Framework (TSFr) and Repository (CMDR)

– BOK.3: Establish risk-based Trustworthiness Levels (TL)

– BOK.4: Develop approach for dynamic data sharing

– BOK.5: Develop Concepts, Research & Innovation (CRI) Framework

Coherence (COH)

– COH.1: Develop national Trustworthy Software guidance

– COH.2: Develop Trustworthy Software international guidance

– COH.3: Integrate Trustworthy Software approaches with Supply Chain Risk Management (SCRM)

– COH.4: Develop national Trustworthy Software and SCRM standards

– COH.5: Develop Trustworthy Software and SCRM international standards

Training, Education and Awareness (TEA)

– TEA.1: Design curricula for undergraduate education

– TEA.2: Investigate and develop options for other education

– TEA.3: Develop training packages for current workforce

– TEA.4: Develop approaches to practitioner verification

– TEA.5: Work with professional bodies on approaches for continuing development

Verification (VER)

– VER.1: Establish the role of "independent mentor"

– VER.2: Develop approaches, tools and techniques for verification assessments

– VER.3: Define interoperability standards for functionality and testing

– VER.4: Define approach for Organisation Verification

– VER.5: Develop analysis and testing tools for deployed systems and systems of systems

TLP: WHITE

Page 25

UK Trustworthy Software Initiative (TSI)

• During the 5 year period (2011-2016) of the UK’s first National Cyber Security Programme (NCSP), the Trustworthy Software Initiative (TSI) was established and funded to coalesce ad hoc activity across 5 Facets of Trustworthy Software (Safety –Reliability – Availability – Resilience – Security [SRARS]) into a single management focus, and address aspects of Multinational Trustworthy Software Roadmap of highest priority to the UK

• Its major milestones have included the publication of the Comprehensive Framework (BS PAS754:2014), a simplified “TS Essentials” for the mass market, and development of Reference Curricula and other materials for Education and Training

• Sustainment of support and evolution of outputs being transitioned to an independent, not-for-profit, entity to be sponsored by relevant Professional Bodies


BS PAS754

TS Essentials

TLP: GREEN

Page 26

Trustworthy Software Foundation – TSFdn(1)

The independent, not-for-profit, entity is the Trustworthy Software Foundation, founded to:

a. Primarily curate a Trustworthy Software Body of Knowledge (TS-BOK), to serve as a living backbone for signposting to diverse, but often obscure, sources of Good Practice

b. Secondarily address other aspects of the multi-nationally produced 2009 Trustworthy Software Roadmap

TLP: WHITE

Page 27

Trustworthy Software Foundation – TSFdn(2)

• The TSFdn Company is “subscribed” (sponsored) by UK Professional Bodies

• Current Subscribers

– Institution of Analysts and Programmers (IAP)

– Institute of Information Security Professionals (IISP)

– UK Testing Board (UKTB) [UK element of ISTQB]

• Dialogue in progress with the other relevant Professional Bodies to join as future Subscribers

• Chief Operating and Technical Officer (COTO) sits on Board and acts as Company Secretary

TLP: WHITE

Page 28

Model of Audience Applicability


Risk | Applicability / Segment | Approach (TL) | Goal | Metric

Negligible | (No requirement) | TL0 | – | –

Low-Medium | Mass Market / Implicit Need (M/I) | TL1 – Fundamental Practice | Baseline (Prescriptive): “TS Essentials” (TS502-x) | Existence (MoEx)

Low-Medium | Mass Market / Explicit Need (M/E) | TL2 – Structured Practices | Baseline (Prescriptive): “TS Essentials” (TS502-x) | Performance (MoPe)

Medium-High | Niche Market / Explicit Need (N/E) | TL3 – Enhanced Practices | Comprehensive (Descriptive): BS PAS754:2014 | Effectiveness (MoEf)

Medium-High | Niche Market / Explicit Need (N/E) | TL4 – Specialist Practices | Comprehensive (Descriptive): BS PAS754:2014 | Operational Effectiveness (MoOE)

TLP: WHITE

Page 29

TS Audience Scale


[Figure caption] Indicative world market sizes per TL modelled as a discrete variable mapped against a log scale: if natural, ordinal numbers were used, the TL4 market (M/I only) would be so dominant that all other segments (the TL2 element of M/I; M/E at both TL2 and TL3; N/E at both TL3 and TL4) would not be visible

TLP: WHITE

Page 30

Why Standardise?


TLP: WHITE

“If you think of standardization as the best that you know today, but which is to be improved tomorrow; you get somewhere.”

Henry Ford, 1863-1947 (American industrialist and pioneer of the moving assembly-line production method)

Page 31

Trustworthiness Levels (TL)

[Figure labels: Niche View, to augment Existing practices; Mass Market View, for (Pareto) general use]


[Figure: Risk Analysis (inputs: Software + Use Parameters; Organisational Processes) leads to one of: No Requirement (TL 0); Prescriptive Approach at TL 1/2 using the Baseline TSF Profile (Essentials), i.e. the Baseline Specification; Descriptive Approach at TL 3/4 using the Comprehensive TSF Specification (PAS754), i.e. the Comprehensive Specification. Cover images: BS PAS754; TS Essentials]

TLP: WHITE

Page 32

Trustworthy Software Framework (TSFr)


TLP: WHITE

Level 0: Title, e.g. Trustworthy Software Framework (TSFr)

Level 1: Areas, e.g. TE – Technical

Level 2: Groups, e.g. TE.02 – Appropriate Tool Choice

Level 3: Control Consensus, e.g. TE.02.10 – Programming Language(s)

Level 4: Repository, e.g. Citations, such as ISO/IEC 24772 “Guidance on language selection”

Page 33

Facet Mapping: Cyber Security


[Figure: Facet Mapping of Trustworthy Software against Cyber Security across the lifecycle Specify; Realise (Verify; Deploy; Configure; Validate; Maintain); Use. Low-Medium Risk: TS Essentials / CS Essentials. Medium-High Risk: BS PAS754† / ISO/IEC 27001. Also shown: TSI / TechForum Patching, June 2015]

TLP: WHITE

News! BSI Project to update and transform PAS754:2014 to BS10754 commences 4Q2016

Page 34

Verification of Trustworthiness

[Figure labels: Verification of Verifiers; Trustworthy Components; Trustworthy Practitioners; Trustworthy Organisations; Trustworthiness Instruction; Trustworthiness Advice]

TLP: WHITE

Page 35

TS Verification Activity

• Focus is Verification (conformance), not Validation (appropriateness)

• Verification (VER) Workstream was on Back Burner during NCSP funded Stages 1 and 2 (Jul-2011 to Mar-2016)

– Concepts developed

– Dialogue with existing N/E Domains (e.g. Security and Safety, both at TL3/4) as to Beneficial Deltas from adopting more holistic approach of Trustworthiness

– Proof of Concept exercise of Organisation (ORG - OVA) and Component (COM - CVA) Verification at TL1/2 (i.e. those for the M/I and M/E Domains)

• With start of Independent Stage 3 (under TSFdn) in Apr-2016:

– Verification Assessment (xVA) definitions finalised

– Work has commenced with partners to investigate wider xVA deployment options

– In addition to generic xVA options, interested in working with partners for Domain Extension Profiles (i.e. add specific requirements such as xxx Security)

TLP: GREEN

Page 36

“Brexit”


TLP: WHITE

[Image labels: Pro-Leave “Brexiter”; Pro-Remain]

Page 37

UK Brexit Status


TLP: WHITE

Statement on the Status of EU

“The decision about when to trigger Article 50 [of The Treaty on European Union a.k.a. The Lisbon Treaty] and start the formal process of leaving the EU will be for the [new] Prime Minister. The UK remains a member of the EU throughout this process, and until Article 50 negotiations have concluded.”

Cabinet Office, Home Office, and Foreign & Commonwealth Office, 11 July 2016

Page 38

Questions


TLP: WHITE

• Any Questions?

Page 39

Brexit and Example International Relationships


TLP: GREEN

[Table: columns European Union (EU) | Other “Europe” | Not “Europe”. Entries as grouped on the slide:

EU: EC (Administration); ECJ (Court); EDA (Defence); EDPB (Data Protection); ENISA (ICT Security); …

EEA (EU + EFTA): CEN (SDO); CENELEC (SDO); …

SDOs: IEC; ISO; ITU

Council of Europe: ECHR (Court); EUR-OPA (Hazards); GRECO (Corruption); …

Defence: NATO; FPDA; 5 Eyes; …

CEPT: ETSI (SDO); …

Security/LE: Interpol; CTA (IE/UK); Sangatte (BE/FR/UK)

EHEA (Education): GÉANT (NREN)

Security/LE: ECU (Customs); OCSE

?]

Page 40

Contact


Ian Bryant

Chief Operating and Technical Officer

TS Foundation Office

Cyber Security Centre

Room 255 International Manufacturing Centre

University of Warwick

University Road, Westwood Heath, Coventry, CV4 7AL, England

[email protected]

+44 300 030 1924

www.tsfdn.org

TLP: WHITE

BS PAS754 TS Essentials