I work with a lot of customers discussing how they can reduce their cyber risk and increase resiliency with an effective security strategy. It’s easy to talk about leading practices for security, but figuring out how to put them into practice can be a whole other story.
As I mentioned in a recent post, the Security and Trust team is headed to CiscoLive Berlin with the goal of sharing real and actionable security practices that are designed to be taken home and put into practice straight away. Read More »
Tags: CiscoLive Berlin, CSDL, integrity verification service, Secure Boot, TECSEC-4000, Trust Anchor
It’s December and the 2013 cyber security news cycle has just about run its course. We’ve seen more and increasingly virulent attacks, continued “innovation” by adversaries, and a minor revival of distributed denial of services (DDOS) actions perpetrated by hacktivists and other socio-politically motived actors.
Against this, Cisco stood up tall in recognizing the importance of strong security as both an ingredient baked into all Cisco products, services, and solutions, and a growing understanding of how to use the network to identify, share information about, and defeat threats to IT assets and value generation processes. I can also look back at 2013 as the year that we made internal compliance with the Cisco Secure Development Lifecycle (CSDL) process a stop-ship-grade requirement for all new Cisco products and development projects. Read More »
Tags: asr, CSDL, CSO, cyber security, DDoS, John Stewart, security
SecCon is our internal security conference, which for the past five years has taken place live in San Jose. Many industry recognized experts over the years have graced the stage, and the security community at Cisco looks forward to each December where we gather together to network and learn about the new threats that face our products. In past years, remote sites around the globe were linked into San Jose, sharing part of the speaker line-up and also giving local security people at remote sites the ability to speak to a local audience. In 2013, for the first time ever, SecCon events were hosted in remote locations.
The goal of these events is twofold: first, to provide high-quality, topical security education to those people responsible for building our products, and second, to growthe security community amongst our engineering population. We believe that security must be part of everyone’s job description at Cisco. We are all part of the security solution, and we use these SecCon events to band together. Read More »
Tags: cisco sdl, Cisco Security, cisco sio, CSDL, seccon 2013, security training
The theme for this year’s SecCon was “Building on a Foundation of Security.” The breadth of topics discussed that are relevant to being a trusted vendor and producing trustworthy products is quite significant. Naturally many of the discussions revolved around the Cisco Secure Development Lifecycle (CSDL), Cisco’s approach to building secure products and solutions. As Graham Holmes mentioned in a recent blog post, CSDL takes a layered approach, with one of the key components being the security of the underlying operating system. As a standard part of the development process, Cisco’s product teams implement a comprehensive set of CSDL requirements to harden the base OS. These requirements were created not only by leveraging Cisco’s significant in-house security expertise, but also drawing from best practices available in the industry.
In keeping with the theme of SecCon 2012, we have decided to publish these foundational OS security requirements to enhance the knowledge of our partner ecosystem, and advance the industry as a whole. As of today, Cisco is releasing two documents that have been an integral part of CSDL: “Linux Hardening Recommendations For Cisco Products” and “Product Security Baseline Linux Distribution Requirements.” Read More »
Tags: cisco-seccon-2012, CSDL, Linux, product security, SecCon, security
Cisco SecCon 2012 brought together hundreds of engineers, live and virtually, from Cisco offices around the globe with one common goal: to share their knowledge and learn best practices about how to increase the overall security posture of Cisco products.
It is amazing to see how many definitions the word “hack” has out on the Internet. Just look at Wikipedia: http://en.wikipedia.org/wiki/Hack. In short, the word “hack” does not always mean a “bad” or “malicious” action.
I’ve had the opportunity and honor to present at SecCon several times, 2012 being my fourth year. My session this year was titled “Cisco PSIRT Vulnerability Analysis: What Has Changed Since Last SecCon”. As you probably already know (or might have guessed), I’m part of Cisco’s Product Security Incident Response Team (PSIRT). During my talk I went over an analysis of the vulnerabilities that were discovered, driven to resolution, and disclosed during this past year, as well as lessons learned from them. I also highlighted several key accomplishments Cisco has achieved during the last few years. For example, Cisco now has the ability to correlate and patch third-party software vulnerabilities. Additionally, we have grown Cisco’s Secure Development Lifecycle (CSDL) into a robust, repeatable and measurable process. As Graham Holmes mentioned in a recent blog post:
Our development processes leverage product security baseline requirements, threat modeling in design or static analysis and fuzzing in validation, and registration of third-party software to better address vulnerabilities when they are disclosed. In the innermost layer of our products, security is built-in to devices in both silicon and software. The use of runtime assurance and protection capabilities such as Address Space Layout Randomization (ASLR), Object Size Checking, and execution space protections coupled with secure boot, image signing, and common crypto modules are leading to even more resilient products in an increasingly threatening environment. Read More »
Tags: Cisco Security, cisco-seccon-2012, CSDL, intellishield, product security, psirt, SecCon, security, third party software