Cisco Blogs


Cisco Blog > Security

Protecting Our Networks: It’s a Team Game Now!

January 3, 2013 at 12:31 pm PST

I have been coaching youth sports for the past seven plus years now and one of my common mantras when speaking to the girls and boys each season is that “we will win as a team and lose as a team.”  In other words, I will never tolerate one player acting selfishly enough to think he or she is above everyone else on the team.  I strive to instill the objective that we will collectively pool our talents for the betterment of the team.  We use this approach because each boy and girl, believe it or not, brings with himself or herself a unique set of abilities and strengths with which the entire team will benefit.

So why should you care about my coaching philosophies?  :-)  Read More »

Tags: , , , , ,

Commitment and Community: Cisco’s Security DNA

Create community. Drive cross company collaboration. Raise the corporate security consciousness. Educate! These were the major themes present at the synergistic 5th annual Cisco SecCon held December 5-6, 2012, at Cisco’s corporate headquarters in San Jose, CA. The senior leadership team in the Security and Government Group had a clear and present message for the Cisco Engineering community: Security is the differentiator for Cisco! Building and developing our corporate security awareness and driving it into our DNA is part of what makes Cisco—a company dedicated to continuous improvement—unique as a top industry leader.

The message is clear: security must be pervasive in every aspect of every product we design, develop, and deploy. It’s what our customers expect, and SecCon is one of the major delivery vehicles for creating a unified front within the engineering community as part of Cisco’s evolution towards the Internet of Everything. The more the world becomes interconnected, the more important it is that product designers, developers, testers, and implementers are aware and educated about the importance of the security mindset. How we think about security dictates how we act. This is something the Cisco leadership team is keenly aware of, and their intent to mature security capabilities and features into our entire product line is evident as they work to bring together industry security advocates to drive change and continuous improvement at the annual SecCon conference. Read More »

Tags: , , , ,

Security Features vs. Securing Features

December 21, 2012 at 7:08 am PST

Secure software is a hot topic these days and many people have ideas about what should be done to achieve it. For years, the focus of many software vendors was on security features. Add a firewall. Add SSL to secure data flows. Positive security features are great, but they don’t do much to address every potential security issue that result from insecure code.

At this year’s Cisco SecCon conference, Bryan Sullivan, Microsoft’s Security Program Manager, addressed the issue of writing secure code with a diagram like the following:

Security Features vs Securing Features

His point is that there is much more work to do in securing all the features of a product than simply writing the security features. Writing security features, although important, is only 10% of the workload of creating secure code. The other 90% of the coding work is meant to ensure that all non-security codebase is secure. This includes input validation, output encoding, and overflow defense.

These practices are part of software quality, and they don’t usually appear on a feature list and often fail to appear on customer requirements lists. Customers don’t often ask for things such as:

  • This product should be free of cross-site scripting vulnerabilities
  • This product shouldn’t have client-side security validation that can be bypassed by a determined attacker
  • This product shouldn’t store my passwords or key data in plain text files might be leaked

Read More »

Tags: , ,

Securing Linux Based Products With CSDL

The theme for this year’s SecCon was “Building on a Foundation of Security.” The breadth of topics discussed that are relevant to being a trusted vendor and producing trustworthy products is quite significant. Naturally many of the discussions revolved around the Cisco Secure Development Lifecycle (CSDL), Cisco’s approach to building secure products and solutions. As Graham Holmes mentioned in a recent blog post, CSDL takes a layered approach, with one of the key components being the security of the underlying operating system. As a standard part of the development process, Cisco’s product teams implement a comprehensive set of CSDL requirements to harden the base OS. These requirements were created not only by leveraging Cisco’s significant in-house security expertise, but also drawing from best practices available in the industry.

In keeping with the theme of SecCon 2012, we have decided to publish these foundational OS security requirements to enhance the knowledge of our partner ecosystem, and advance the industry as a whole. As of today, Cisco is releasing two documents that have been an integral part of CSDL: “Linux Hardening Recommendations For Cisco Products” and “Product Security Baseline Linux Distribution Requirements.” Read More »

Tags: , , , , ,

Let’s Hack Some Cisco Gear at SecCon!

December 18, 2012 at 8:54 am PST

Cisco SecCon 2012 brought together hundreds of engineers, live and virtually, from Cisco offices around the globe with one common goal: to share their knowledge and learn best practices about how to increase the overall security posture of Cisco products.

It is amazing to see how many definitions the word “hack” has out on the Internet. Just look at Wikipedia: http://en.wikipedia.org/wiki/Hack. In short, the word “hack” does not always mean a “bad” or “malicious” action.

I’ve had the opportunity and honor to present at SecCon several times, 2012 being my fourth year. My session this year was titled “Cisco PSIRT Vulnerability Analysis: What Has Changed Since Last SecCon”. As you probably already know (or might have guessed), I’m part of Cisco’s Product Security Incident Response Team (PSIRT). During my talk I went over an analysis of the vulnerabilities that were discovered, driven to resolution, and disclosed during this past year, as well as lessons learned from them. I also highlighted several key accomplishments Cisco has achieved during the last few years. For example, Cisco now has the ability to correlate and patch third-party software vulnerabilities. Additionally, we have grown Cisco’s Secure Development Lifecycle (CSDL) into a robust, repeatable and measurable process. As Graham Holmes mentioned in a recent blog post:

Our development processes leverage product security baseline requirements, threat modeling in design or static analysis and fuzzing in validation, and registration of third-party software to better address vulnerabilities when they are disclosed. In the innermost layer of our products, security is built-in to devices in both silicon and software. The use of runtime assurance and protection capabilities such as Address Space Layout Randomization (ASLR), Object Size Checking, and execution space protections coupled with secure boot, image signing, and common crypto modules are leading to even more resilient products in an increasingly threatening environment. Read More »

Tags: , , , , , , , ,