Advanced Threats are deeply impacting the way we develop secure products by fundamentally changing our working assumptions. We used to design and develop products to be attack resistant assuming that the environment where they will be deployed may be compromised. We now have to develop and design products assuming that every system in the customer environment, in the development environment and in the supply chain may be compromised.
Software security industry consortium SAFECode recently released a comprehensive set of guidelines and tools for software developers everywhere employing Agile software development methods. SAFECode members Reeny Sohndi of EMC and Edward Bonver of Symantec talk through the highlights and numerous benefits of SAFECode’s latest “Software Security Guidance for Agile Practitioners” white paper.
Eric Baize is Senior Director of the Product Security Office at EMC Corporation. You can read all of Eric’s new and previous blog posts at: http://productsecurityblog.emc.com/
Guest Blog Post by Dan Schiappa, Senior Vice President, Identity & Data Protection
As researchers from SensePost have recently demonstrated in their attack simulations on one type of RSA SecurID authenticator – the RSA SecurID Software Token for Windows – scrutiny of security methods, processes, and operating environments is a valuable exercise. It can deliver benefit to the software industry and its ecosystem of vendors, security practitioners, and the users they protect in their organizations. Ultimately it helps ensure better and safer products.
Threat modeling isn’t all that’s required in engineering built-in security, not by a long shot. You need to have effective design principles to ensure security (threat modeling is one), effective secure coding practices and effective testing.
The news: there is a smartcard / symmetric key vulnerability that potentially affects RSA SecurID® 800 Authenticator. This was first discovered by a group of third-party security researchers; and to be clear, it only affects symmetric keys (not digital certificates) and it only affects a specific type of symmetric key. To date, there are no known instances of breach or loss of data (and no other RSA authenticators affected), and there is a non-disruptive fix (software only – no hardware / firmware changes) available through RSA SecurCare Online.
Last Thursday, a six-institution team of scientists (Kleinjung et al.) announced the successful factorization of RSA-768. RSA-768 is a 768-bit (232 decimal-digit) RSA public key created in 2001 by RSA Laboratories as a cryptanalytic challenge number. The fall of RSA-768 is a landmark result, but no surprise. It reflects a consistent pace of growth in computing power, and continuing scientific interest in the problem of factoring, not an algorithmic breakthrough.
In Art’s keynote last week at RSA Conference, he made a clear call to the industry. We have to be more organized, more coordinated and more collaborative than either the enemy or than the industry has a history of being. Art had three calls to action:
- Integrate and Interoperate
- Create and Adopt Standards
- Share Technology