Home > Foreign-language journals > Bell Labs technical journal > Building Secure Products and Solutions

Building Secure Products and Solutions


Abstract

Many security vulnerabilities in current information technology (IT) solutions and products are the result of a piecemeal "strap-on" security approach. The inclusion of many security add-ons, such as firewalls, antivirus software, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs), may imply that the security objectives were an afterthought, not adequately defined initially, or that the required security objectives were never met by the individual system components. In fact, a "grounds-up" approach to security, where each component is individually secure, in a defined network deployment scenario helps meet the need of minimal risk exposure. Security should not be bolted on; rather, it should be the prime consideration from the beginning and throughout the entire lifecycle, from concept to deployment and ongoing operation for each product in the solution. Given the ever-increasing sophistication of attacks, developing and monitoring secure products have become increasingly difficult. Despite the wide-scale awareness of common security flaws in software products, e.g., buffer overflows, resource exhaustion, and structured query language (SQL) injection, the same flaws continue to exist in some of the current products. The objective of this paper is to introduce a technology-agnostic approach to integrating security into the product development lifecycle. The approach leverages the Bell Labs Security Framework, the foundation of the International Telecommunication Union, Telecommunication Standardization Sector (ITU-T) X.805 global standard. Building this framework into the product lifecycle supports the goal of realizing secure products. The security framework can be applied to any product domain to facilitate security requirements analysis and the development of usable tools such as checklists, guidelines, and security policies. The application of Bell Labs Security Framework concepts and its use in the development of secure products are illustrated using the example of a centrally managed firewall product.