
CCE Security Best - Amazon Web Services PDF

101 Pages·2015·5.45 MB·English

Preview CCE Security Best - Amazon Web Services

CCE Security Best Practice Guide
Carlos Gonzales, CBABU Engineering Manager
BRKCCT-1041

Agenda
• Cisco Secure Development Lifecycle
• UCCE Security Best Practice Guide
• Security Reference Information
• PCI-DSS Guidance
• UCCE Security Update for 11.0

Cisco Secure Development Lifecycle (CSDL)

Purpose and Intent
• Provide awareness.
• Cisco Secure Development Lifecycle is an internal security baseline.
• CSDL does not intend to fulfill customer certification requirements.
• Security is a broad and endless topic to be covered in a 90 min. presentation.

Product Security Requirements
• Product Security Baseline (PSB)

Product Security Baseline 5.1
• Attack Surface Reduction /
• Privacy and Data Security Documentation
• Secure Development
• Logging / Audit Infrastructure
• Application Security
• Trusted Product Architecture
• Authentication and Authorization
• Credential / Password Controls
• Encryption
• Traffic Controls
• Infrastructure Security
• Processes
• Logging and Auditability
• Vulnerability Management
• Support and Operations

3rd Party Security
• Cisco Open Source Initiative (COSI)
• Register libraries in IP Central
• Establish maintenance plan
• Address known vulnerabilities
• Cisco IntelliShield Alert Manager (CIAM)
• Register for alerts on any 3rd party code

Secure Design
• Threat Modeling
• Identify system data flow and trust boundaries
• Review auto-generated threats
• Prioritize and implement mitigations

Secure Coding
• Cisco/CBABU Secure Coding Guidelines
• Use “SAFE” libraries
• Cisco’s Safe C libraries
• Open Web Application Security Project (OWASP)
• Enterprise Security API (ESAPI) Toolkit
• Security Awareness/Training/Emphasis
• Cisco White/Green/Black Belt Ninja Training
• Annual Security Conference

Static Analysis
• Tools
• Coverity for C/C++
• Jtest or Sonar for Java
• 70+ rule checks for code inspection
• Automated as part of the build and Continuous Integration

Description:
CCE Security Best Practice Guide • No configuration needed on customers can combine up to eight Cisco ASA 5580 or 5585-X Adaptive Security Appliance