SecCon is our internal security conference, which for the past five years has taken place live in San Jose. Many industry recognized experts over the years have graced the stage, and the security community at Cisco looks forward to each December where we gather together to network and learn about the new threats that face our products. In past years, remote sites around the globe were linked into San Jose, sharing part of the speaker line-up and also giving local security people at remote sites the ability to speak to a local audience. In 2013, for the first time ever, SecCon events were hosted in remote locations.
The goal of these events is twofold: first, to provide high-quality, topical security education to those people responsible for building our products, and second, to growthe security community amongst our engineering population. We believe that security must be part of everyone’s job description at Cisco. We are all part of the security solution, and we use these SecCon events to band together. Read More »
Tags: cisco sdl, Cisco Security, cisco sio, CSDL, seccon 2013, security training
The theme for this year’s SecCon was “Building on a Foundation of Security.” The breadth of topics discussed that are relevant to being a trusted vendor and producing trustworthy products is quite significant. Naturally many of the discussions revolved around the Cisco Secure Development Lifecycle (CSDL), Cisco’s approach to building secure products and solutions. As Graham Holmes mentioned in a recent blog post, CSDL takes a layered approach, with one of the key components being the security of the underlying operating system. As a standard part of the development process, Cisco’s product teams implement a comprehensive set of CSDL requirements to harden the base OS. These requirements were created not only by leveraging Cisco’s significant in-house security expertise, but also drawing from best practices available in the industry.
In keeping with the theme of SecCon 2012, we have decided to publish these foundational OS security requirements to enhance the knowledge of our partner ecosystem, and advance the industry as a whole. As of today, Cisco is releasing two documents that have been an integral part of CSDL: “Linux Hardening Recommendations For Cisco Products” and “Product Security Baseline Linux Distribution Requirements.” Read More »
Tags: cisco-seccon-2012, CSDL, Linux, product security, SecCon, security
Cisco SecCon 2012 brought together hundreds of engineers, live and virtually, from Cisco offices around the globe with one common goal: to share their knowledge and learn best practices about how to increase the overall security posture of Cisco products.
It is amazing to see how many definitions the word “hack” has out on the Internet. Just look at Wikipedia: http://en.wikipedia.org/wiki/Hack. In short, the word “hack” does not always mean a “bad” or “malicious” action.
I’ve had the opportunity and honor to present at SecCon several times, 2012 being my fourth year. My session this year was titled “Cisco PSIRT Vulnerability Analysis: What Has Changed Since Last SecCon”. As you probably already know (or might have guessed), I’m part of Cisco’s Product Security Incident Response Team (PSIRT). During my talk I went over an analysis of the vulnerabilities that were discovered, driven to resolution, and disclosed during this past year, as well as lessons learned from them. I also highlighted several key accomplishments Cisco has achieved during the last few years. For example, Cisco now has the ability to correlate and patch third-party software vulnerabilities. Additionally, we have grown Cisco’s Secure Development Lifecycle (CSDL) into a robust, repeatable and measurable process. As Graham Holmes mentioned in a recent blog post:
Our development processes leverage product security baseline requirements, threat modeling in design or static analysis and fuzzing in validation, and registration of third-party software to better address vulnerabilities when they are disclosed. In the innermost layer of our products, security is built-in to devices in both silicon and software. The use of runtime assurance and protection capabilities such as Address Space Layout Randomization (ASLR), Object Size Checking, and execution space protections coupled with secure boot, image signing, and common crypto modules are leading to even more resilient products in an increasingly threatening environment. Read More »
Tags: Cisco Security, cisco-seccon-2012, CSDL, intellishield, product security, psirt, SecCon, security, third party software
Having recently wrapped up the 5th Annual Cisco SecCon Conference, I’d like to take this opportunity to share with you what Cisco SecCon is and the benefits to our products and you, our customers. With that, let’s start with a brief overview!
What is Cisco SecCon?
SecCon is a security conference for Cisco engineers that focuses on two critical elements for a healthy corporate Security intelligence: 1) expansion of knowledge for all and 2) building a sense of community. We allocate two days for intensive hands-on security training, and then we provide two general session days to discuss a variety of security topics including:
- Cisco Secure Development Lifecycle
- Best practices for security test suites
- Cutting-edge cryptography
- Implementation challenges
- Current threat landscape
- Vulnerability trends
Read More »
Tags: Cisco Secure Development Lifecycle, Cisco Security, cisco-seccon-2012, CSDL, product security, SecCon, security
Over the past month, many of the Cisco Security Blog contributors have provided their view on Cybersecurity and its implications for customer network designs, architectures, protections, and services. These, in aggregate, stress what we all know: security is best achieved using a layered defense that includes securing endpoints, hosts, and network and services infrastructures. Cisco adds some unique layers to this defense, which stems from our experience developing capabilities and solutions that meet the needs of critical infrastructure and government networks. We are applying these lessons, capabilities, and our layered defensive approach to critical business infrastructures, as well.
Cisco takes a “build-in security” approach to provide device, system, infrastructure, and services security, and is the basis of the development approach that we use called the Cisco Secure Development Lifecycle (CSDL). Our development processes leverage product security baseline requirements, threat modeling in design or static analysis and fuzzing in validation, and registration of third-party software to better address vulnerabilities when they are disclosed. In the innermost layer of our products, security is built-in to devices in both silicon and software. The use of runtime assurance and protection capabilities such as Address Space Layout Randomization (ASLR), Object Size Checking, and execution space protections coupled with secure boot, image signing, and common crypto modules are leading to even more resilient products in an increasingly threatening environment.
Read More »
Tags: CSDL, cyber-security-month-2012, secure development, Secure Development Lifecycle