One of the things I like best about Cisco’s focus on security is the internal SecCon conference we put on each year. It focuses on security threats, defenses, and innovation. Although I participate as a trainer, organizer, and reviewer, my favorite role this year was as an attendee. The conference theme, The State of the Hack, encompassed many elements, but the key one for me was trust and the human element.
The two external keynotes set the tone for talking about trust. Bruce Schneier started by pointing out that trust is an inherent element of living in a society of humans. It allows people to work together, and enables banking, transport, commerce, government, and all the elements necessary for a society to function. Without it, we’d have to raise our own food, and live independently of electricity, money, and even neighbors. Bruce mentioned the four mechanisms that enforce trust: morals, reputation, institutional (rules), and security systems. As security practitioners, we tend to focus on the latter, but should remember the first three as well. Reputation is the currency of trust, and is what allows us to trust financial institutions, police, friends, and our food supply. Reputation takes a long time to build up, over many interactions. Banks and stores need to be in business for years to build trust. You trust your friends and neighbors gradually with money, keys, and babysitting. But trust can be destroyed in just one action, as many transgressing politicians and security-breached vendors can attest.
Read More »
Tags: SecCon, security
A thief on the loose you say, at Cisco Systems, in San Jose? Turns out he was invited. Apollo Robbins was one of the headliners for Cisco SecCon in San Jose during the first week of December. Mr. Robbins taught us an important lesson about security: seeing is not always believing. Apollo demonstrated the art of “social engineering” using techniques he perfected working on a pickpocket show in Las Vegas. Apollo taught us to expand our thinking, to look behind the curtain of what motivates people. This helped us to better understand the trust people put in each other and in our products. Bruce Schneier was the second headliner, and spoke to us about the idea of trust. Bruce’s talk was not heavily focused on technology, but instead approached trust from the human perspective. He answered questions such as why people trust, and how trust is passed amongst groups of people. This is beneficial because Cisco strives to be trustworthy to our customers, corporately, as individuals, and with our products.
SecCon is our annual internal security conference where the security community at Cisco gathers together to network and learn. 2013 represented SecCon’s sixth year. Our goal is to strengthen the security community and employee knowledge of how to build products that are more secure. This experience is not limited to those in San Jose. SecCon links remote sites such as Research Triangle Park (Raleigh), NC and Boxborough, MA with the speakers in San Jose. The remote sites also host local speakers, all in the name of growing the security community at Cisco.
A Cisco Executive kicked off each morning. SVP Chris Young provided an overview of our security product strategy and spoke of the new technologies incorporated into Cisco from Sourcefire. SVP John Stewart continued his impassioned plea for engineers at Cisco to be “all in” with our approach to product security and Cisco Secure Development Lifecycle (SDL) adoption. Cisco VP Sumeet Arora spoke of how his organization is adopting Cisco SDL and how everyone must be trained in awareness of product security. One specific quote from Sumeet is, “Cisco SDL is like brushing your teeth.” That stuck with me, as a member of the core Cisco SDL team at Cisco. Cisco SDL is expected as a part of our daily routine. From all of the executive keynotes, a few messages were clear: Cisco SDL is mandatory for Cisco products, and product security awareness is a key driver for our success. We launched our product security awareness program last year at SecCon, and we saw it grow exponentially this year. This awareness program is so popular that it received plugs from each keynote as well as many times during the employee talks.
In the fifty talks given by employees, we were shown methods that some teams have used to build security in to their products. We saw reverse engineering displays and examples of historic vulnerabilities in Cisco products, all so that the people gathered can learn about the problems of the past. This builds a solid foundation for us, as a community, to minimize these problems in the future.
SecCon 2013 offered eleven security-based, bootcamp-style training classes that employees had an opportunity to attend. These classes are “boot camps” because they are in depth and demanding. The classes include lecture, but primarily each student works through interactive exercises and applies the security knowledge as they learn.
The boot camp courses were divided into three high-level categories: fundamentals of product security, hacking, and network defense. The fundamentals of product security lay a foundation for our engineers in some basic topics of security, including secure coding in C / C++, IPv6, and web application security testing. The hacking category included a basic course on the tools and techniques of hackers, understanding and hacking secure protocols, reverse engineering, and mobile application hacking. Network defense taught our students to properly configure and monitor networks. This category included “Network Threat Defense, Countermeasures, and Controls” and “Advanced IPv6 Security with Pen Testing”.
This year was another great conference. You only had to listen to the quality of any talk to gain an appreciation for the depth of security knowledge and talent that exists within Cisco. With this base, we all learned that trust is so important to Cisco. Trust is the foundation of how our customers perceive Cisco and our products. It was clear through each of the presentations that trust is something that we must constantly earn. After this SecCon experience, I am even more aware of Cisco’s commitment to continue to strive to be the trustworthy IT vendor, working hard to identify and defend again the “thief” be they inside or outside our domain.
For more information on SecCon, please visit the SecCon page on Cisco.com. Photos by Bill Thomson.
Tags: SecCon, seccon 2013, security
Create community. Drive cross company collaboration. Raise the corporate security consciousness. Educate! These were the major themes present at the synergistic 5th annual Cisco SecCon held December 5-6, 2012, at Cisco’s corporate headquarters in San Jose, CA. The senior leadership team in the Security and Government Group had a clear and present message for the Cisco Engineering community: Security is the differentiator for Cisco! Building and developing our corporate security awareness and driving it into our DNA is part of what makes Cisco—a company dedicated to continuous improvement—unique as a top industry leader.
The message is clear: security must be pervasive in every aspect of every product we design, develop, and deploy. It’s what our customers expect, and SecCon is one of the major delivery vehicles for creating a unified front within the engineering community as part of Cisco’s evolution towards the Internet of Everything. The more the world becomes interconnected, the more important it is that product designers, developers, testers, and implementers are aware and educated about the importance of the security mindset. How we think about security dictates how we act. This is something the Cisco leadership team is keenly aware of, and their intent to mature security capabilities and features into our entire product line is evident as they work to bring together industry security advocates to drive change and continuous improvement at the annual SecCon conference. Read More »
Tags: cisco-seccon-2012, SecCon, secure software, security, software security
Secure software is a hot topic these days and many people have ideas about what should be done to achieve it. For years, the focus of many software vendors was on security features. Add a firewall. Add SSL to secure data flows. Positive security features are great, but they don’t do much to address every potential security issue that result from insecure code.
At this year’s Cisco SecCon conference, Bryan Sullivan, Microsoft’s Security Program Manager, addressed the issue of writing secure code with a diagram like the following:
His point is that there is much more work to do in securing all the features of a product than simply writing the security features. Writing security features, although important, is only 10% of the workload of creating secure code. The other 90% of the coding work is meant to ensure that all non-security codebase is secure. This includes input validation, output encoding, and overflow defense.
These practices are part of software quality, and they don’t usually appear on a feature list and often fail to appear on customer requirements lists. Customers don’t often ask for things such as:
- This product should be free of cross-site scripting vulnerabilities
- This product shouldn’t have client-side security validation that can be bypassed by a determined attacker
- This product shouldn’t store my passwords or key data in plain text files might be leaked
Read More »
Tags: cisco-seccon-2012, SecCon, security
The theme for this year’s SecCon was “Building on a Foundation of Security.” The breadth of topics discussed that are relevant to being a trusted vendor and producing trustworthy products is quite significant. Naturally many of the discussions revolved around the Cisco Secure Development Lifecycle (CSDL), Cisco’s approach to building secure products and solutions. As Graham Holmes mentioned in a recent blog post, CSDL takes a layered approach, with one of the key components being the security of the underlying operating system. As a standard part of the development process, Cisco’s product teams implement a comprehensive set of CSDL requirements to harden the base OS. These requirements were created not only by leveraging Cisco’s significant in-house security expertise, but also drawing from best practices available in the industry.
In keeping with the theme of SecCon 2012, we have decided to publish these foundational OS security requirements to enhance the knowledge of our partner ecosystem, and advance the industry as a whole. As of today, Cisco is releasing two documents that have been an integral part of CSDL: “Linux Hardening Recommendations For Cisco Products” and “Product Security Baseline Linux Distribution Requirements.” Read More »
Tags: cisco-seccon-2012, CSDL, Linux, product security, SecCon, security