Cisco SecCon 2012 brought together hundreds of engineers, live and virtually, from Cisco offices around the globe with one common goal: to share their knowledge and learn best practices about how to increase the overall security posture of Cisco products.

It is amazing to see how many definitions the word “hack” has out on the Internet. Just look at Wikipedia: http://en.wikipedia.org/wiki/Hack. In short, the word “hack” does not always mean a “bad” or “malicious” action.

I’ve had the opportunity and honor to present at SecCon several times, 2012 being my fourth year. My session this year was titled “Cisco PSIRT Vulnerability Analysis: What Has Changed Since Last SecCon”. As you probably already know (or might have guessed), I’m part of Cisco’s Product Security Incident Response Team (PSIRT). During my talk I went over an analysis of the vulnerabilities that were discovered, driven to resolution, and disclosed during this past year, as well as lessons learned from them. I also highlighted several key accomplishments Cisco has achieved during the last few years. For example, Cisco now has the ability to correlate and patch third-party software vulnerabilities. Additionally, we have grown Cisco’s Secure Development Lifecycle (CSDL) into a robust, repeatable and measurable process. As Graham Holmes mentioned in a recent blog post:

Our development processes leverage product security baseline requirements, threat modeling in design or static analysis and fuzzing in validation, and registration of third-party software to better address vulnerabilities when they are disclosed. In the innermost layer of our products, security is built into devices in both silicon and software. The use of runtime assurance and protection capabilities such as Address Space Layout Randomization (ASLR), Object Size Checking, and execution space protections coupled with secure boot, image signing, and common crypto modules are leading to even more resilient products in an increasingly threatening environment.

SecCon began with a two-day security “boot camp” full of technical presentations where Cisco’s software and hardware engineers learned numerous hacking techniques to enable them to find and mitigate security problems and proactively enhance the security posture of our products. The training included the use of fuzzing, scanning, static analysis, and many other security tools and methodologies. IPv6 security training was also delivered by engineers in my greater organization.

After the technical sessions were completed, we had two days of briefings. Chris Young, SVP of the Security and Government Group at Cisco, discussed the importance of network security in each and every one of our products, customers’ expectations, and market trends. Additionally, he described how security and its complexity continue to change in this ever-morphing world. Via a video message, Cisco CEO John Chambers explained why security is one of the major requirements within Cisco. Security is as important as quality and is one of our first priorities at Cisco. Every employee is a stakeholder and must make it a priority.

Chris was followed by a great session titled “Building On A Foundation Of Security” where Russ Smoak, Sr. Director of Cisco’s Security Research & Operations, interviewed Howard Schmidt, the Cyber-Security Coordinator operating in the Executive Office of the President of the United States under both Presidents Obama and Bush.

Greg Akers, SVP of Advanced Security Research within Cisco’s Global Government Solutions Group, discussed trends in network security inside and outside of Cisco. He emphasized that everyone within Cisco is called to action to help increase and maintain the overall security of our products. Every engineer, manager, and employee is responsible for ensuring that security is one of the highest priorities at Cisco.

We also heard from HB Gary’s CSO, Jim Butterworth. He shared his experiences when dealing with security threats and incidents at HB Gary.

I really enjoyed the presentation delivered by Reeny Sondhi, Director of Product Security at EMC Corporation. Ms. Sondhi shared some of the same challenges that many vendors, such as Cisco, are currently facing and how these challenges can become opportunities. She provided great insight into how EMC’s product security incident response team operates and works in coordination with other organizations, including Cisco.

Another great presentation was delivered by Joe Clarke, Distinguished Services Engineer from Cisco’s Technical Assistance Center (TAC). He explained how security is viewed in the eyes of our customers and how disruptive security problems can be for our customers.

Now the nerd candy: dozens of technical presentations were conducted by many internal and external engineers. Topics included runtime protection, memory management, secure coding, security robustness testing, web application security, and many others. Troy Fridley, a friend and colleague, delivered a presentation about third-party software (TPS) security and its importance. Cisco now has greater visibility into TPS security vulnerabilities by correlating information from the Cisco IntelliShield database and other internal sources.

I am very proud to see how Cisco is committed to protecting customers and enhancing the security of our products by organizing events like SecCon. SecCon not only serves as a training event, but allows engineers and executives to meet face-to-face and discuss current and emerging security threats in an effort to help address security issues in Cisco products and protect our customers.

For all things security, don’t forget to visit our Cisco Security Intelligence Operations (SIO) Portal—the primary outlet for Cisco’s security intelligence and the public home to all of our security-related content. And, we’re easy to remember! Just go to cisco.com/security!


Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations