Security Assessments: More Than Meets the Eye
Is the product safe to use? I have been asked this question on occasion in a non-technical sense, and maybe you have too. In a technical context, I could frame the question as “Are the online services and underlying technologies supporting my services safe?” A continuous effort must go into substantiating the answer we are looking for (“Yes”), both before and after a product or service is released into the wild. Security Intelligence Operations (SIO) includes a team of network security experts that form the Security Technology Assessment Team (STAT). They provide security assessment expertise across Cisco’s product and services organizations. In this article, I elaborate on their role and how they complement product and services organizations at Cisco in helping to protect you, our customer.
In the not-so-distant past, most of the attention around product security was focused on physical aspects. For example, a manufacturer announces a product recall for a defect (i.e. a vulnerability) that could cause physical harm or worse. Fast-forward to today, where computing devices and the Internet plumbing that connects them form an entirely distinct category of product security. I would suggest that services and the infrastructure supporting them belong in that category as well, in the ongoing quest for network security. I think that this quote from a U.S. government hearing underscores the value of that quest.
“When we bring in new technologies, we bring in new exposures and new vulnerabilities, things we really haven’t thought about. It takes a little while before we understand it, and after a while we begin to secure it. But our mindset needs to change. This is not the same as industrial technologies or new ways of doing aircraft or cars. These technologies are global and they expose us globally, literally within milliseconds.”
Business units and quality assurance groups at Cisco apply multi-level security processes throughout the development of products and services to ensure that security is embedded into everything that is ultimately delivered to customers. For example, Cisco’s secure development life cycle (SDL) provides a highly effective process for detecting and preventing security vulnerabilities and improving overall system quality. Cisco SDL has several elements that include, but are not limited to, source code analysis and white box testing, which feed into the security posture of a product or service. Cisco also has a security advocates program, a virtual community of people who understand network security and secure product development (and testing) and who share and evangelize that knowledge with their peers, their colleagues, and their management.
STAT intersects product and services organizations through collaboration and focused penetration testing that augments the development teams’ internal security testing. That collaboration may include participation in:
- Threat Modeling
- Attack Surface Mapping
- Design Reviews
- Test Planning
The following interview with a STAT engineer specializing in penetration testing offers insight into how they manage their responsibilities on a daily basis.
What is the background of a STAT penetration test engineer?
It helps to have basic security knowledge. Most team members have Computer Science or Electrical Engineering degrees. Above all, the folks are fairly well seasoned in the Cybersecurity field. It also helps to have a creative mindset in order to look for holes in the product’s design. Some of the initial members of the team have a government defense background. They have also previously worked in security practice groups involved with penetration testing of customer networks.
What does one do to come up to speed?
You need to study and become familiar with security technologies and tools, the fundamentals of security communication channels (for example, using cryptography), how protocols should work (e.g. IPv6, chat protocols), and some of the commercial tools for web testing. As it is a continuously evolving threat landscape, skills have a shelf life. Therefore, you need to build a foundation based on the fundamentals of secure development practices. You need to develop knowledge and techniques to perform good evaluations and to also understand what actions can be applied to mitigate issues that are encountered.
What do you like most about your role (i.e., why would you want to do this)?
It’s impossible to get bored. We’re looking at the latest products and service offers. For example, before something is released, we get the prototypes to evaluate first.
Can you share some insights on what your day-to-day core activities involve?
There are a variety of things we do. It could be initial engagements, meetings to define what an evaluation should be. There is a ramp-up phase that involves working with the business unit engineers to establish labs that are set up to mirror real-world scenarios. We might be running security tests and possibly writing custom tools. At the tail-end of our evaluation process we are reporting the results of testing, including recommendations. There is also follow-up work, checking/verifying fixes to make sure that issues are truly resolved and not just instrumented to pass a particular test case.
How does your day usually begin?
Like most folks at Cisco, we catch up on email to see what responses we received from other business units or internal customers situated in other theatres (time zones). And then we go from there.
What is a key aspect (i.e., qualitative or quantitative) of being successful?
Multitasking can be a large part of it. You also need to have good project management skills and understand where you are on different phases of a project at the same time. Think outside of the box and not according to a product’s specifications; instead think more along the lines of how to break things.
Can you share with me one of the more challenging situations you have experienced in this team?
STAT is an internal organization whose customers are the internal development teams. It was a situation where a business unit had specific requirements that were being derived from their external customers. We needed to make sure that both the business unit’s and the customer’s concerns and expectations were being met. Another challenging situation can be evaluating newly acquired products, because they often have multiple tracks in addition to security, such as the assimilation of new personnel, not to mention the integration of a new product as part of the Cisco portfolio.
What else can you recommend to others regarding optimizing their practices based on your experience?
Having a good process and process management tools is helpful because it makes knowledge more easily accessible and consistently repeatable by more than one person. An example would be how to manage projects, track testing activities, and deliver status reports. Stay on top of the backlog and coordinate evaluations at the right time in the development cycle (i.e. when the code is stable enough for our level of testing). Analyze each evaluation to glean improvements that can be applied in the future.