TRANSCRIPT
Unrestricted within the BSIMM Community – no further distribution © Siemens Healthcare Diagnostics Inc. 2015 All rights reserved. Securing Our Customers’ Trust.
Software Security, Healthcare and the BSIMM
BSIMM Europe, 2015-05-14
Jim Jacobson
Page 2 Siemens Healthcare Diagnostics, Product Security & Privacy Office
Who is Siemens Healthcare Diagnostics (DX)?
The Big Picture at Siemens
Siemens divisions: Wind Power and Renewables, Power and Gas, Power Generation Services, Energy Management, Building Technologies, Mobility, Digital Factory, Process Industries and Drives, Corporate Technology, Healthcare
BSIMM practices: Strategy and Metrics
The Big Picture at Siemens: Software Security Initiative at Siemens – PSS
PSS = Product & Solution Security (Siemens) = Software Security (BSIMM)
(Diagram: GUIDANCE, GOVERNANCE, HEALTHCARE; Global Procedure - Healthcare -)
BSIMM practices: Strategy and Metrics, Standards and Requirements
Organization
(Organization chart)
• CEO
• Chief PSS Officer
• Siemens Healthcare DX Product Security & Privacy Office (DX Software Security Group: Strategy, Governance & Solutions): Expert Program Manager, PSS Experts++, Government & Business Opportunities: Strategic Initiative Manager, Data Protection Advisor
• BU Product Security Office (Business Unit Software Security Group, x4: Translation, Execution & Support): BU PSS Officers++, PSS Experts++
• Satellite, in Projects++: Product Security Champion++, Product Security Lead++, Extended Security Team; Oversight++, Process Review++, Technical Review++
BSIMM practices: Strategy and Metrics, Compliance and Policy, Security Features and Design, Architectural Analysis, Penetration Testing
PSS Drivers in Siemens Healthcare
PSS drivers:
• Standards: Industry, Siemens
• Regulation: Patient Safety, Privacy
• Customers: Government, Commercial
• Competition
BSIMM practices: Strategy and Metrics, Compliance and Policy
PSS Drivers: FDA (Regulation: Patient Safety, Privacy)
• Pre-Market Approval
• Quality System Audits
• Field Actions
BSIMM practices: Compliance and Policy
The Quality System Drives Compliance (Not the Other Way Around)
Global Procedure GP-099 covers:
• Product Development: Process, Secure Software Development, Integrated Security Testing, OEMs and Suppliers
• Product Health: Incident Handling, Vulnerability Monitoring, Patch Management
• Risk Management
• Training and Expertise
Evolving Security Landscape: FDA & Other Regulation, Industry Standards, Siemens PSS Guide, Customer Requirements, Competitive Benchmarking
BSIMM practices: Strategy and Metrics, Compliance and Policy
Key Components of the Global Procedure
GP-099:
• Threat & Risk Analysis
• Vulnerability Monitoring
• Incident & Vuln. Handling
• Project Templates: Overall Security Plan, Secure Supplier Plan, Commercialization Checklist, Customer Security Documents, IH-VH Task Force Registration, SVM Registration, Patch Management Plan, Incident Quality Goals, Incident Quality Report, Master Requirements List
• Expertise: Training Requirements, Expert Requirements
BSIMM practices: Strategy and Metrics, Compliance and Policy, Standards and Requirements, Architectural Analysis, Security Testing, Penetration Testing, Configuration & Vulnerability Mgmt.
Project Activities Defined by the Global Procedure
Phases: Planning, Feasibility, Implementation, Verification, Controlled Release, Commercialization
Activities: PSS classification, threat & risk analysis, information access control, documentation restrictions, usability, static code analysis, coding standards, code reviews, design reviews, vulnerability scanning, fuzz testing, pen testing, patch management
BSIMM practices: Strategy and Metrics, Attack Models, Standards and Requirements, Architectural Analysis, Code Review, Penetration Testing, Security Testing
What About Compliance?
BSIMM practices: Compliance and Policy, Standards and Requirements
How We Work Together
(Organization chart) Roles: CEO; Chief PSS Officer; Expert Program Manager; PSS Experts++; Government & Business Opportunities: Strategic Project Manager; Data Protection Advisor; BU PSS Officers++; Projects++ with Product Security Champion++, Product Security Lead++ and Extended Security Team; Oversight++, Process Review++, Technical Review++
Product Security & Privacy Office
How We Work Together
Common Solutions, Shared Expertise, One Quality System, Local Implementations
Joint Strategy: Quarterly Strategy Sessions; Maturity Assessment; Uncovering Unique Challenges; Establish & Maintain Roadmap; resulting in Strategic Initiatives
Product Security & Privacy Office roles: Chief PSS Officer, Expert Program Manager, Government & Business Opportunities: Strategic Project Manager, Data Protection Advisor, BU PSS Officers++, PSS Experts++
PSS Maturity From The Beginning
(Chart: PSS maturity over time, scale 0.00 to 1.00. Per-practice scores shown on the chart: (3/3), (2+/3), (3/3), (2+/3), (2+/3), (0+/3), (1+/3), (0+/3), (0+/3), (3/3), (1/2), (0+/2))
Q3FY12: 7.7%
Q4FY12: 8.9%
Q1FY13: 10.0%
Q2FY13: 12.5%
Q3FY13: 17.2%
Q1FY14: 27.0%
Q2FY14: 45.6%
Q4FY14: 60.1%
Q2FY15: 72.6%
Product Security Dashboard
BSIMM practices: Strategy and Metrics
Dashboard Redacted for Distribution
Challenges and Initiatives
Challenge                        Initiative
Insecure Legacy Products         ALPS: Assessment of Legacy Product Security
Selling to the US DoD            Managed DoD Program
Unpatchable Products             PoP: Patch our Products
Too Many Hardening Activities    SBI: Secure Baseline Image
PSS Expert Shortage in the BUs   PSS Expert Program
PSS Expert Program
• Resources: Guidance Documents, SharePoint Collab, Distribution Lists, Security Tooling
• Education: PSS Foundational, Security Boot Camp, Secure Coding, Pen Testing Certification, HCISPP, CISSP, CISLP
• Contribution: Hardening Measures, Vulnerability Scans, Pen and Fuzz Testing, Risk Assessments, Incident Handling, Patch Management
• Events: Quarterly Round-Robin, Annual Black Hat F2F, DX Internal Bug Bounty
BSIMM practices: Strategy and Metrics, Training, Security Features and Design, Code Review, Security Testing, Penetration Testing
PoP: Patch our Products
         Customer Participates   Siemens Healthcare End-to-end
Gold     Self-Administered       Remote Update
Silver   Secure Download         Remote Session
Bronze   Send Media              Service Call
Patch process: Monitoring (Knowledge DB, vendor update; scanning, filtering, analysis; process, investigate, consolidate); Notification; Report; Package
Roles: Product Sustaining Engineer (also responsible for complete cycle), Verification Engineer, Product Support Engineer, Patch Delivery Engineer
SBI: Secure Baseline Image Program
Siemens Security Suite – built-in anti-malware, patch management and remote support
Security Checked – hardened, tested and maintained compliant with security standards
Image pipeline: blank hard drive → hardening → hardened → testing → hardened and tested → product development
Old: for every security update, for every product
New: used in multiple products; built in by the supplier
BSIMM practices: Security Features and Design
Security Tooling – Centrally Provided and/or Coordinated
• Training & Licensing: Direct Training, Vendor Training, License Coordination, License Seeding
• In the Product: Whitelisting, Traditional AV (Blacklisting), Patch Management, Remote Support, Remote Monitoring
• Development and Testing: Code Analysis, Code Signing, Project Classification, Threat & Risk Analysis, Vulnerability Monitoring, Vulnerability Scanning, Hardening Standards, Fuzzing
BSIMM practices: Training, Attack Models, Architectural Analysis, Code Review, Security Testing, Software Environment
Supply Chain Management
Suppliers:
• Custom Software & OEM: Gold, Silver, Bronze
• COTS & Other OTS: Qualified, Unqualified
• Combined H/W & S/W: Strategic, Non-strategic
• Cloud Computing
BSIMM practices: Compliance and Policy
Training Required by Global Procedure
Training                           Description
Product Security Awareness         Posters, flyers, in-person presentations; interactive self-guided version pending
Basic Security Concepts            2-day classroom session through Learn@Siemens; web-based pending
Secure Coding Basics               Self-guided, web-based
General Secure Coding              2-day classroom session / self-guided, web-based
Expert-level Security Training     Part of comprehensive Siemens program (external & internal)
Security Incident Coding           Self-guided through Learn@Siemens
Security Vulnerability Monitoring  Recorded webinar and online PSS Guide
Security Incident Handling         Self-guided document review and online PSS Guide
Secure Product Development         Self-guided presentation
PSS Officer                        4-day classroom session through PSS Initiative
BSIMM practices: Training, Attack Models, Code Review, Configuration & Vulnerability Mgmt.
Awareness, Outreach, Collaboration
https://moss-us.healthcare.siemens.com/content/20002385/
BSIMM practices: Standards and Requirements
Thank You
Any questions?
Filling Holes (legend: Via Siemens Corporate; Just launched; In development)
BSIMM activities: [CP3.2], [T2.6], [T3.1], [SR1.4], [SR3.2], [AA2.3], [CR2.5], [ST2.1], [AM1.4], [AM1.5], [AM3.1], [PT3.1], [SE1.2], [CP2.1], [SM3.2], [CP3.3], [T3.3], [SE2.2]
Additional Material
PaSS-Time Events
Hacking Web Applications for Fun and for Profit
Typical Findings in Enterprise Application Hacking Attacks
Privacy by Design
Security Vulnerability Monitoring
Public Key Infrastructure
Mobile Top 10 Security Risks
Security Incident Handling and Vulnerability Handling
PSS Project Classification
Security Certification & Accreditation in a Regulated Environment
Static Code Analysis Supports Secure Coding
Cleaning up the Past: Secure Handling of Credentials in Medical Devices
BSIMM practices: Training
Functions Requiring Training per Global Procedure
Software Development
Service & Support
Project Team Members
Engineering Management
Program Management
Marketing
Product Management
Regulatory Affairs
Quality Management
Supply Chain Management
Procurement
PSS Officer
Legal
Corporate Communications
BSIMM practices: Training
Awareness, Outreach, Collaboration
https://intranet.healthcare.siemens.com/cms/DX/en/Departments/PSPO/
Reference
Reference: SM
[SM1.1] Publish process (roles, responsibilities, plan), evolve as necessary.
[SM1.2] Create evangelism role and perform internal marketing.
[SM1.3] Educate executives.
[SM1.4] Identify gate locations, gather necessary artifacts.
[SM1.6] Require security sign-off.
[SM2.1] Publish data about software security internally.
[SM2.2] Enforce gates with measures and track exceptions.
[SM2.3] Create or grow social network/satellite system.
[SM2.5] Identify metrics and use them to drive budgets.
[SM3.1] Use internal tracking application with portfolio view.
[SM3.2] Run external marketing program.
GOVERNANCE: Strategy and Metrics
Reference: CP
[CP1.1] Unify regulatory pressures.
[CP1.2] Identify PII obligations.
[CP1.3] Create policy.
[CP2.1] Identify PII data in systems (inventory).
[CP2.2] Require security sign-off for compliance-related risk.
[CP2.3] Implement and track controls for compliance.
[CP2.4] Paper all vendor contracts with SLAs compatible with policy.
[CP2.5] Promote executive awareness of compliance and privacy obligations.
[CP3.1] Create regulator eye-candy.
[CP3.2] Impose policy on vendors.
[CP3.3] Drive feedback from SSDL data back to policy (T: strategy/metrics).
GOVERNANCE: Compliance and Policy
Reference: T
[T1.1] Provide awareness training.
[T1.5] Offer role-specific advanced curriculum (tools, technology stacks, bug parade).
[T1.6] Create and use material specific to company history.
[T1.7] Deliver on-demand individual training.
[T2.5] Enhance satellite through training and events.
[T2.6] Include security resources in onboarding.
[T2.7] Identify satellite during training.
[T3.1] Reward progression through curriculum (certification or HR).
[T3.2] Provide training for vendors or outsource workers.
[T3.3] Host external software security events.
[T3.4] Require annual refresher.
[T3.5] Establish SSG office hours.
GOVERNANCE: Training
Reference: AM
[AM1.1] Build and maintain a top N possible attacks list.
[AM1.2] Create data classification scheme and inventory.
[AM1.3] Identify potential attackers.
[AM1.4] Collect and publish attack stories.
[AM1.5] Gather attack intelligence.
[AM1.6] Build internal forum to discuss attacks (T: standards/req).
[AM2.1] Build attack patterns and abuse cases tied to potential attackers.
[AM2.2] Create technology-specific attack patterns.
[AM3.1] Have a science team that develops new attack methods.
[AM3.2] Create and use automation to do what the attackers will do.
INTELLIGENCE: Attack Models
Reference: SFD
[SFD1.1] Build and publish security features.
[SFD1.2] Engage SSG with architecture.
[SFD2.1] Build secure-by-design middleware frameworks/common libraries (T: code review).
[SFD2.2] Create SSG capability to solve difficult design problems.
[SFD3.1] Form review board or central committee to approve and maintain secure design patterns.
[SFD3.2] Require use of approved security features and frameworks (T: AA).
[SFD3.3] Find and publish mature design patterns from the organization.
INTELLIGENCE: Security Features and Design
Reference: SR
[SR1.1] Create security standards (T: sec features/design).
[SR1.2] Create a security portal.
[SR1.3] Translate compliance constraints to requirements.
[SR1.4] Use secure coding standards.
[SR2.2] Create a standards review board.
[SR2.3] Create standards for technology stacks.
[SR2.4] Identify open source.
[SR2.5] Create SLA boilerplate.
[SR3.1] Control open source risk.
[SR3.2] Communicate standards to vendors.
INTELLIGENCE: Standards and Requirements
Reference: AA
[AA1.1] Perform security feature review.
[AA1.2] Perform design review for high-risk applications.
[AA1.3] Have SSG lead review efforts.
[AA1.4] Use risk questionnaire to rank apps.
[AA2.1] Define and use AA process.
[AA2.2] Standardize architectural descriptions (include data flow).
[AA2.3] Make SSG available as AA resource/mentor.
[AA3.1] Have software architects lead design review efforts.
[AA3.2] Drive analysis results into standard architectural patterns (T: sec features/design).
SSDL TOUCHPOINTS: Architectural Analysis
Reference: CR
[CR1.1] Create top N bugs list (real data preferred) (T: training).
[CR1.2] Have SSG perform ad hoc review.
[CR1.4] Use automated tools along with manual review.
[CR1.5] Make code review mandatory for all projects.
[CR1.6] Use centralized reporting to close the knowledge loop and drive training (T: strategy/metrics).
[CR2.2] Enforce coding standards.
[CR2.5] Assign tool mentors.
[CR2.6] Use automated tools with tailored rules.
[CR3.2] Build a factory.
[CR3.3] Build capability for eradicating specific bugs from entire codebase.
[CR3.4] Automate malicious code detection.
SSDL TOUCHPOINTS: Code Review
Reference: ST
[ST1.1] Ensure QA supports edge/boundary value condition testing.
[ST1.3] Drive tests with security requirements and security features.
[ST2.1] Integrate black box security tools into the QA process (including protocol fuzzing).
[ST2.4] Share security test results with QA.
[ST3.1] Include security tests in QA automation.
[ST3.2] Perform fuzz testing customized to application APIs.
[ST3.3] Drive tests with risk analysis results.
[ST3.4] Leverage coverage analysis.
[ST3.5] Begin to build and apply adversarial security tests (abuse cases).
SSDL TOUCHPOINTS: Security Testing
Reference: PT
[PT1.1] Use external pen testers to find problems.
[PT1.2] Feed results to defect management and mitigation system (T: config/vuln mgmt).
[PT1.3] Use pen testing tools internally.
[PT2.2] Provide pen testers with all available information (T: AA & code review).
[PT2.3] Periodic scheduled pen tests for application coverage.
[PT3.1] Use external pen testers to perform deep dive analysis (one-off bugs/fresh thinking).
[PT3.2] Have SSG customize penetration testing tools and scripts.
DEPLOYMENT: Penetration Testing
Reference: SE
[SE1.1] Use application input monitoring.
[SE1.2] Ensure host/network security basics are in place.
[SE2.2] Publish installation guides created by SSDL.
[SE2.4] Use code signing.
[SE3.2] Use code protection.
[SE3.3] Use application behavior monitoring and diagnostics.
DEPLOYMENT: Software Environment
Reference: CMVM
[CMVM1.1] Create/interface with incident response.
[CMVM1.2] Identify software defects found in operations monitoring and feed back to development.
[CMVM2.1] Have emergency codebase response.
[CMVM2.2] Track software bugs found during ops through the fix process.
[CMVM2.3] Develop an operations inventory of apps.
[CMVM3.1] Fix all occurrences of software bugs from ops in the codebase (T: code review).
[CMVM3.2] Enhance dev processes (SSDL) to prevent cause of software bugs found in ops.
[CMVM3.3] Simulate software crisis.
[CMVM3.4] Operate a bug bounty program.
DEPLOYMENT: Configuration Management and Vulnerability Management