Cisco Blogs


Cisco Blog > Security

Security Assessments: More Than Meets the Eye

Is the product safe to use? I have been asked this question on occasion in a non-technical sense and maybe you have too. In a technical context, I could frame the question as “Are the online services and underlying technologies supporting my services safe?”  A continuous effort must go into substantiating the preferable answer (“Yes”) that we are looking for, both prior to and after releasing a product or service into the wild. Security Intelligence Operations (SIO) includes a team of network security experts that form the Security Technology Assessment Team (STAT). They provide security assessment expertise across Cisco’s product and services organizations. In this article, I elaborate on their role and how they complement product and services organizations at Cisco in helping to protect you, our customer.

In the not-so-distant past it used to be that the majority of notoriety around product security was focused more around physical aspects. For example, a manufacturer announces a product recall about a defect (i.e. vulnerability) that could cause potential physical harm or worse. Fast-forward to today where computing devices and associated Internet plumbing comprise an entirely distinct category of product security needed.  Within that category, I would also suggest that services and the underlying supporting infrastructure would also fall into this category in the ongoing quest for achieving network security.  I think that this quote from a U.S. government hearing underscores the value of that quest as well.

When we bring in new technologies, we bring in new exposures and new vulnerabilities, things we really haven’t thought about. It takes a little while before we understand it, and after a while we begin to secure it. But our mindset needs to change. This is not the same as industrial technologies or new ways of doing aircraft or cars. These technologies are global and they expose us globally, literally within milliseconds.

House of Representatives Hearing on Cybersecurity: Emerging Threats, vulnerabilities, and challenges in securing federal information systems

Business units and quality assurance groups at Cisco apply multi-level security processes throughout the development of products and services to ensure that security is embedded into everything that is ultimately delivered to customers. For example, Cisco’s secure development life cycle (SDL) provides a highly effective process in detecting and preventing security vulnerabilities and improving overall system quality.  Cisco SDL has several elements that include, but not limited to, source code analysis and white box testing that feed into the security posture of a product or service.  Cisco has a security advocates program, a virtual community of people who understand network security and secure product development (and testing) and who can share and evangelize that knowledge with their peers, their colleagues, and their management.

Read More »

Tags: , , , , , ,

Commitment and Community: Cisco’s Security DNA

Create community. Drive cross company collaboration. Raise the corporate security consciousness. Educate! These were the major themes present at the synergistic 5th annual Cisco SecCon held December 5-6, 2012, at Cisco’s corporate headquarters in San Jose, CA. The senior leadership team in the Security and Government Group had a clear and present message for the Cisco Engineering community: Security is the differentiator for Cisco! Building and developing our corporate security awareness and driving it into our DNA is part of what makes Cisco—a company dedicated to continuous improvement—unique as a top industry leader.

The message is clear: security must be pervasive in every aspect of every product we design, develop, and deploy. It’s what our customers expect, and SecCon is one of the major delivery vehicles for creating a unified front within the engineering community as part of Cisco’s evolution towards the Internet of Everything. The more the world becomes interconnected, the more important it is that product designers, developers, testers, and implementers are aware and educated about the importance of the security mindset. How we think about security dictates how we act. This is something the Cisco leadership team is keenly aware of, and their intent to mature security capabilities and features into our entire product line is evident as they work to bring together industry security advocates to drive change and continuous improvement at the annual SecCon conference. Read More »

Tags: , , , ,

Security Features vs. Securing Features

December 21, 2012 at 7:08 am PST

Secure software is a hot topic these days and many people have ideas about what should be done to achieve it. For years, the focus of many software vendors was on security features. Add a firewall. Add SSL to secure data flows. Positive security features are great, but they don’t do much to address every potential security issue that result from insecure code.

At this year’s Cisco SecCon conference, Bryan Sullivan, Microsoft’s Security Program Manager, addressed the issue of writing secure code with a diagram like the following:

Security Features vs Securing Features

His point is that there is much more work to do in securing all the features of a product than simply writing the security features. Writing security features, although important, is only 10% of the workload of creating secure code. The other 90% of the coding work is meant to ensure that all non-security codebase is secure. This includes input validation, output encoding, and overflow defense.

These practices are part of software quality, and they don’t usually appear on a feature list and often fail to appear on customer requirements lists. Customers don’t often ask for things such as:

  • This product should be free of cross-site scripting vulnerabilities
  • This product shouldn’t have client-side security validation that can be bypassed by a determined attacker
  • This product shouldn’t store my passwords or key data in plain text files might be leaked

Read More »

Tags: , ,

Securing Linux Based Products With CSDL

The theme for this year’s SecCon was “Building on a Foundation of Security.” The breadth of topics discussed that are relevant to being a trusted vendor and producing trustworthy products is quite significant. Naturally many of the discussions revolved around the Cisco Secure Development Lifecycle (CSDL), Cisco’s approach to building secure products and solutions. As Graham Holmes mentioned in a recent blog post, CSDL takes a layered approach, with one of the key components being the security of the underlying operating system. As a standard part of the development process, Cisco’s product teams implement a comprehensive set of CSDL requirements to harden the base OS. These requirements were created not only by leveraging Cisco’s significant in-house security expertise, but also drawing from best practices available in the industry.

In keeping with the theme of SecCon 2012, we have decided to publish these foundational OS security requirements to enhance the knowledge of our partner ecosystem, and advance the industry as a whole. As of today, Cisco is releasing two documents that have been an integral part of CSDL: “Linux Hardening Recommendations For Cisco Products” and “Product Security Baseline Linux Distribution Requirements.” Read More »

Tags: , , , , ,

Have You Architected Your Data Center Survival Strategy for A Dystopic Cyber Landscape?

Drawing from a recent read of “Case 1: The Seeds of Dysptopia” in the World Economic Forum 2012 Global Risks 2012 Seventh Edition, it’s now more than apparent than ever that the impact of crime and terrorism in the digital world is fast mirroring that of a physical world.  We’re living in an era where attempts to build a more secure world may have unintentionally gone astray  as evidenced in Ellen Messmer’s Worst Security Snafus of 2012  where such consequences were clearly not imagined or intended by security vendors and businesses alike.   We’re indeed dealing with the opposite of Utopia.

Our digital reality can be very fragile when one considers that how heavily we rely on mobile devices and cloud applications not only to conduct business but also in our personal lives.  And the data that is transmitted via these devices and to various cloud applications is increasingly a target for scammers, thieves and hactivists.

And, it’s not only government entities, critical infrastructure and key verticals that are the targets of such attacks; in today’s climate every organization is a prime target.  Take the very recent case of an Australian healthcare organization that is being held to ransom by hackers to the tune of AU$4,000 who recently hacked into their database and encrypted the data – it seems an extraordinary scenario for a small organization to be facing.   Not only has their data been compromised but it has been rendered inaccessible as the organization now has to find a way to decrypt that data, which is proving to be rather challenging.

So what should organizations do to shore up their defenses?  Start by treating data as the key asset to be protected versus fortifying your infrastructure.  In today’s world data takes on increased significance --  bank account statements, personal information, credit card numbers, trade secrets, government documents. Every one has data  they  need to ensure tight control off and aligning security controls to the  CIA (Confidentiality, Integrity and Availability ) triad can help ensure the right measures are taken.

When we talk about confidentiality of information, it’s about about protecting  information from disclosure to unauthorized parties. In addition to measures like encryption, look to beef up  access controls  by feeding security decisions and intelligence across various enforcement points in the network rather than only at a single choke point in the data stream. Integrity of information refers to protecting information from being modified by unauthorized parties. Leverage global correlation and threat intelligence with reputation-based feeds to protect against new threat vectors and emerging malware. Availability of information  means ensuring that authorized parties are able to access the information when needed. Think of the network as a data enforcement layer and link that to a strategy that identifies users based on contextual attributes (where, when, how and business need to know) when accessing critical of confidential information assets.  So, what I have outlined is a starting point towards moving one step at a time towards a Utopian Digital Future. What are your strategies?  We’d love to hear from you.

Tags: , ,