BUILDING SECURITY IN
Editors: Brian Chess, bchess@vantuyl.com | Brad Arkin, barkin@adobe.com
Developing Secure
Products in the Age of
Advanced Persistent
Threats
Eric Baize | EMC Corp.
2 011 was characterized by high-
profile security incidents and
the rise of sophisticated attacks
called advanced persistent threats
(APTs). These attacks often start by
directly targeting a few power users
with malicious software. They then
propagate themselves by exploit-
ing flaws in applications deployed
across the enterprise. Several tech-
nology providers, including Google
and RSA, fell victim to APTs and
made it public.1,2
The rise of APTs has demon-
strated the limitations of network-
centric perimeter security as we’ve
practiced it for more than 20 years.
In this approach, a firewall separates
the assets to protect (servers and
information) from untrusted net-
works. With APTs, all networks are
untrusted and the security perim-
eter has become user-centric. The
user is the attackers’ new focus;
spear-phishing emails and mali-
cious software on USB devices
have become attackers’ favorite
weapons. The software powering
88 May/June 2012 Copublished by the IEEE Computer and Reliability Societies 
IT infrastructures and running
business processes is now the line
separating a compromised user
from the information the attackers
seek. If exploited, it helps the attack
propagate itself within the organiza-
tion. In a user-centric perimeter, the
software has become the new fire-
wall and therefore must become an
active element to defend organiza-
tions against APTs.
APTs are making technology
providers completely reconsider
their assumptions. A Security for
Business Innovation Council report
best summarized the new reality:
“Consider that no organization is
impenetrable. Assume that your
organization might already be com-
promised and go from there.”3 All
technology providers need to review
this assumption against their prod-
uct security programs.
Here, I discuss how these pro-
found changes are impacting tech-
nology providers’ product security
strategy. I suggest an industry road
map for rethinking product security.
I also describe steps EMC has taken
to implement this road map and
strengthen its product development
practices in the face of APTs.
Rethinking Product
Security
In the new threat landscape, if the
software is the new firewall, it had
better be attack resistant.
Attack-Resistant Software:
Necessary but Insufficient
For technology providers, devel-
oping attack-resistant software is a
core element of their product secu-
rity program. It’s also part of their
overall goal of minimizing the risk
of their product introducing vulner-
abilities into their customers’ envi-
ronments. Comprehensive product
security programs typically encom-
pass secure software development
techniques such as threat model-
ing or white-box testing, product
security reviews before product
release, and a coordinated response
to vulnerabilities reported on the
technology providers’ products.
Developing secure software is noth-
ing new and has been broadly docu-
mented.4,5 For several years, EMC
has defined and implemented its
own secure software development
life cycle.6
These practices typically focus
on building products that are more
resistant to attacks when the envi-
ronment in which these products
are deployed is compromised.
However, during the recent wave
of attacks, several technology pro-
viders had to urge their custom-
ers to take precautionary measures
because they, not their customers,
had been attacked.2,7
1540-7993/12/$31.00 © 2012 IEEE
 This leaves technology provid-
ers with a dual challenge. First, they
must make secure software devel-
opment practices more efficient and
more systematic. Second, they must
expand the threat assumptions that
guide the implementation of the
traditional secure software develop-
ment life cycle to account for pos-
sible attacks on the software supply
chain.
Expanding the Secure Software
Development Life Cycle
Expanding the threat assumptions
in this manner leads to consider-
ing new categories of attacks. This
might include attacks against
■■ product code during development,
■■ any supplier or original equipment
manufacturer (OEM) involved in
developing the product’s software
components, or
■■ the product distribution channels.
The secure software develop-
ment life cycle has been the main
vehicle technology vendors have
used to drive adoption of secure
software development techniques
in their engineering organizations.
It’s well suited to also drive the con-
trols that protect against the attacks
I just mentioned:
■■ protection of the overall product
development environment, focus-
ing on not only avoiding source
code leakage but also prevent-
ing unauthorized source code
modification;
■■ integrity of the source code sup-
ply chain for OEM components
and for open source software
being embedded in products; and
■■ embedding controls for product
code integrity and authenticity
verification, during both delivery
and execution of the products.
These practices aren’t new for
most technology vendors,8 but
they’re typically defined, performed,
www.computer.org/security
and monitored independently from
secure software development. For
instance, source code protection is
typically part of intellectual-property
protection, a major focus for tech-
nology vendors.
To bridge this gap, EMC has
expanded its product security stan-
dards to encompass these practices.
So, the product risk review stage of
our secure software development
life cycle now also assesses practices
for source code management, code
signing, and external-component
management.
Product security and internal IT
security are now converging, with a
serious impact on technology ven-
dors’ organizational design and risk
governance.
A More Integrated Risk
Governance Model
Many end-user organizations, such
as financial institutions, have a soft-
ware security group focused on
the software they develop and use
as part of their IT infrastructure.
These groups are typically aligned
with the organization’s IT secu-
rity group and follow the same IT
risk governance and compliance
policies and standards that manage
the overall risk in the internal IT
infrastructure.
Many technology providers
are different. They have a prod-
uct security group distinct from
the IT security group and respon-
sible for secure software develop-
ment and vulnerability response
within their product-engineering
organization. In terms of reporting
and governance, product security
groups are typically aligned with
the product-engineering organiza-
tion and focus more on reducing
product risk impact on customers’
IT infrastructures.
The evolution toward cloud
computing has initiated a blended
approach to risk management.
Technology providers that have
turned into cloud providers run
PURPOSE: The IEEE Computer Society is the world’s
largest association of computing professionals and is the
leading provider of technical information in the field.
MEMBERSHIP: Members receive the monthly magazine
Computer, discounts, and opportunities to serve (all activities
are led by volunteer members). Membership is open to
all IEEE members, affiliate society members, and others
interested in the computer field.
COMPUTER SOCIETY WEBSITE: www.computer.org
Next Board Meeting: 11–15 June, Seattle, Wash., USA
EXECUTIVE COMMITTEE
President: John W. Walz*
President-Elect: David Alan Grier;* Past President: Sorel
Reisman;* VP, Standards Activities: Charlene (Chuck) Walrad;†
Secretary: Andre Ivanov (2nd VP);* VP, Educational Activities:
Elizabeth L. Burd;* VP, Member & Geographic Activities:
Sattupathuv Sankaran;† VP, Publications: Tom M. Conte (1st VP);*
VP, Professional Activities: Paul K. Joannou;* VP, Technical &
Conference Activities: Paul R. Croll;† Treasurer: James W. Moore,
CSDP;* 2011–2012 IEEE Division VIII Director: Susan K. (Kathy)
Land, CSDP;† 2012–2013 IEEE Division V Director: James W. Moore,
CSDP;† 2012 IEEE Division Director VIII Director-Elect: Roger U.
Fujii†
*voting member of the Board of Governors †nonvoting member
BOARD OF GOVERNORS
Term Expiring 2012: Elizabeth L. Burd, Thomas M. Conte, Frank
E. Ferrante, Jean-Luc Gaudiot, Paul K. Joannou, Luis Kun, James W.
Moore, William (Bill) Pitts
Term Expiring 2013: Pierre Bourque, Dennis J. Frailey, Atsuhiro
Goto, André Ivanov, Dejan S. Milojicic, Paolo Montuschi, Jane Chu
Prey, Charlene (Chuck) Walrad
EXECUTIVE STAFF
Executive Director: Angela R. Burgess; Associate Executive Director,
Director, Governance: Anne Marie Kelly; Director, Finance & Accounting:
John Miller; Director, Information Technology & Services: Ray Kahn;
Director, Membership Development: Violet S. Doan; Director, Products
& Services: Evan Butterfield; Director, Sales & Marketing: Chris Jensen
COMPUTER SOCIETY OFFICES
Washington, D.C.: 2001 L St., Ste. 700, Washington, D.C. 20036-4928
Phone: +1 202 371 0101 • Fax: +1 202 728 9614
Email: hq.ofc@computer.org
Los Alamitos: 10662 Los Vaqueros Circle, Los Alamitos, CA 90720-1314 •
Phone: +1 714 821 8380 • Email: help@computer.org
Membership & Publication Orders
Phone: +1 800 272 6657 • Fax: +1 714 821 4641 • Email: help@computer.org
Asia/Pacific: Watanabe Building, 1-4-2 Minami-Aoyama, Minato-ku, Tokyo
107-0062, Japan • Phone: +81 3 3408 3118 • Fax: +81 3 3408 3553 •
Email: tokyo.ofc@computer.org
IEEE OFFICERS
President: Gordon W. Day; President-Elect: Peter W. Staecker; Past
President: Moshe Kam; Secretary: Celia L. Desmond; Treasurer: Harold
L. Flescher; President, Standards Association Board of Governors: Steven
M. Mills; VP, Educational Activities: Michael R. Lightner; VP, Membership
& Geographic Activities: Howard E. Michel; VP, Publication Services &
Products: David A. Hodges; VP, Technical Activities: Frederick C. Mintzer;
IEEE Division V Director: James W. Moore, CSDP; IEEE Division VIII
Director: Susan K. (Kathy) Land, CSDP; IEEE Division VIII Director-Elect:
Roger U. Fujii; President, IEEE-USA: James M. Howard
revised 22 Feb. 2012
89
BUILDING SECURITY IN

on their internal IT infrastructure third party is compromised, so is can distinguish legitimate input
applications supporting their cus- the system’s entire security. Such from input containing a malicious
tomers’ critical business processes. designs have serious limitations if string. We’ve done the hard work,
Their internal IT infrastructure you assume that every computer in but with a little more effort, we can
is becoming an extension of their the environment in which the sys- greatly improve the response time
customers’ IT infrastructure. This tem operates is compromised. to a real-time attack. If secure soft-
makes it more difficult for them to This gives new life to old concepts ware can detect and stop malicious
distinguish internal IT risk from such as Adi Shamir’s secret sharing9 strings, it can and should also log
risk on customers’ IT infrastructure. and secure multiparty computation.10 and report incidents that are being
The need to take a holistic approach Applying these concepts in secure prevented. This will provide the
to product risk is accelerating this software design leads to systems in intelligence that security products
transformation. which compromising one system need to better monitor activity and
This led EMC to profoundly element doesn’t compromise the ensure quick attention, which can
change its risk manage- lead to prevention of data
ment approach. First, we
Defensive software development techniques breaches.
integrated product secu- As I mentioned
rity in our overall risk gov- alone won’t be sufficient. We need to before, if the software is
ernance and compliance the new firewall, it must
innovate and develop new techniques
structure, facilitating the take a more active role in
coordination between to build “attack-aware products.” the defense strategy in an
all the risk stakehold- IT infrastructure. It must
ers in the corporation. also build on top of tra-
Second, we created the position of system’s overall security. RSA Labo- ditional software security defense
chief risk officer (a position popular ratories’ work provides early dem- techniques to better detect attacks
in the financial-services industry) onstrations of such systems applied in their early stage.
to oversee all risk-related func- to authentication.11
tions, including product security. We should also expect to see Securing the Ecosystem
This new structure, along with our more software integrity controls Modern IT infrastructures run on
expanded secure software develop- being built into products. Tech- software that’s open, component
ment life cycle, sets us up for holis- niques such as Intel’s Trusted Exe- based, and multivendor. Even if
tically assessing and reviewing all cution Technology and application the largest technology providers
aspects of risk. whitelisting enable runtime check- are investing millions of dollars to
ing of executable integrity. They solve the software security equa-
The Road Ahead for also help further defend against the tion, attackers need only exploit one
Product Security insertion of malicious software in 0-day vulnerability in one software
Better governance and an expanded the product delivery chain. component to be successful.
secure software development life Software security must become
cycle are only the first steps toward Building Attack- ubiquitous, designed into modern
the broader changes needed in soft- Aware Products software components, and acces-
ware engineering and across the In a world with APTs, early detec- sible to any software developer.
industry regarding how to build tion is critical in stopping attacks. Software security expertise remains
and deliver products that effectively Defensive software development too centralized, in the hands of a few
resist APTs. We, as software security techniques alone won’t be sufficient. experts in the largest organizations.
practitioners, have an opportunity We need to innovate and develop Microsoft led the way by sharing
to innovate and collaborate to bet- new techniques to build “attack- early on many aspects of its Security
ter prepare our products to address aware products” that facilitate early Development Lifecycle.5 In recent
this new class of threats. detection of advanced threats. years, initiatives have emerged to
Software security practitioners share with the broader community
Adapting Secure Software have made great progress incorpo- the insight of some of the most suc-
Design Techniques to rating into software the techniques cessful software security practices.
the New Threats that stop attacks targeting the most Here are two examples:
Many security designs still rely on common security flaws: SQL injec-
a trusted third party holding the tion, cross-site scripting, and buffer ■■ BSIMM (Building Security In
master keys to the kingdom. If this overflow. Most modern software Maturity Model; www.bsimm.

90 IEEE Security & Privacy May/June 2012

 com) is a survey of more than
40 software security initiatives
undertaken by large technology
vendors and end-user organiza-
tions.12 It provides a model of the
key software security activities
they perform.
■■ SAFECode (Software Assurance
Forum for Excellence in Code;
www.safecode.org) is a vendor-led
organization that documents effec-
tive software security approaches.4
EMC has been closely involved
with both initiatives from their
inception. We’ll remain involved
until software security has become
ingrained in every facet of software
engineering.
Modeling and Assessing
Supply Chain Assurance
As software security practitio-
ners, we’re used to performing
threat models, creating dataflow
diagrams showing component
interactions, highlighting attack
surfaces, and defining trust bound-
aries and risk scores.
We now need to start applying
this approach to the software sup-
ply chain. The consumers of tech-
nology products want to know
the risk associated with the prod-
ucts they deploy in their environ-
ment. The product providers want
to assess the security of the com-
ponents they integrate in their
products and want to show their
customers that they apply sound
software security practices.
The problem is extremely com-
plex, involving national and inter-
national regulations, the software
industry’s globalization, and the defi-
nition of simple risk metrics for soft-
ware security. It brings into question
what practical, meaningful infor-
mation about technology provid-
ers’ software and practices can and
should be shared to convey a sense of
confidence to customers who must
deploy and rely on that technology.
Security certification programs
www.computer.org/security
such as Common Criteria (www.
commoncriteriaportal.org) have
attempted to solve the product
assurance evaluation problem.
Recently, the Open Group Trusted
Technology Forum (www.open
group.org/ottf ), a collabora-
tion between industry and gov-
ernment, defined supply chain
integrity best-practices require-
ments for technology providers.13
This work represents a step on a
long path toward measuring and
assessing security throughout the
­supply chain.
M ost of the changes in prod-
uct security I discussed
here are nontechnical and won’t be
easy to implement. They involve
internal governance, software devel-
opment processes, industry col-
laboration, and standardization. By
AdvertiSer informAtion • mAy/June 2012
Advertiser PAge
IEEE Biometrics Cover 4
Usenix 2012 Cover 2
Advertising Personnel
Marian Anderson
Sr. Advertising Coordinator
Email: manderson@computer.org
Phone: +1 714 816 2139
Fax: +1 714 821 4010
Sandy Brown
Sr. Business Development Mgr.
Email: sbrown@computer.org
Phone: +1 714 816 2144
Fax: +1 714 821 4010
Advertising Sales Represen-
tatives (display)
Central, Northwest, Far East:
Eric Kincaid
Email: e.kincaid@computer.org
Phone: +1 214 673 3742
Fax: +1 888 886 8599
Northeast, Midwest, Europe,
Middle East:
Ann & David Schissler
Email: a.schissler@computer.org,
starting an open conversation on
EMC’s experience and approach, I
hope to make it easier for all of us
to evolve our product security prac-
tices to more effectively face the
new threat landscape.
References
1. D. Drummond, “A New Approach
to China,” blog, 12 Jan. 2010;
htt p : / / go o g l ebl o g .bl o g s p o t .
com/2010/01/new-approach-to
-china.html.
2. A. Coviello, “Open Letter to RSA
Customers,” RSA, Mar. 2011; www.
rsa.com/node.aspx?id=3872.
3. “When Advanced Persistent
Threats Go Mainstream,” white
paper, Security for Business Innova-
tion Council, Aug. 2011.
4. “Fundamental Practices for
Secure Software Development,
2nd Edition: A Guide to the Most
Effective Secure Development
d.schissler@computer.org
Phone: +1 508 394 4026
Fax: +1 508 394 1707
Southwest, California:
Mike Hughes
Email: mikehughes@computer.org
Phone: +1 805 529 6790
Southeast:
Heather Buonadies
Email: h.buonadies@computer.org
Phone: +1 973 585 7070
Fax: +1 973 585 7071
Advertising Sales
Representative (Classified
Line)
Heather Buonadies
Email: h.buonadies@computer.org
Phone: +1 973 585 7070
Fax: +1 973 585 7071
Advertising Sales
Representative (Jobs Board)
Heather Buonadies
Email: h.buonadies@computer.org
Phone: +1 973 585 7070
91
BUILDING SECURITY IN

Practices in Use Today,” SAFE-
Code, 8 Feb. 2011; www.safecode.
org/publications/SAFECode
_Dev_Practices0211.pdf.
5. M. Howard and S. Lipner, The Secu-
rity Development Life Cycle, Micro-
soft Press, 2006.
6. D. Dhillon, “Developer-Driven
Threat Modeling: Lessons Learned
in the Trenches,” IEEE Security &
Privacy, vol. 9, no. 4, 2011, pp. 41–47.
Any comments or feedback?
Please email your letters to the editor to
lead editor Kathy Clark-Fisher
(kclark-fisher@computer.org).
All letters will be edited for
brevity, clarity, and language.
IEEE_half_horizontal_Q6:Layout 1 4/21/11
7. “Claims by Anonymous about
Symantec Source Code,” Syman-
tec, Jan. 2012; www.symantec.
com/theme.jsp?themeid
=anonymous-code-claims.
8. “Software Integrity Controls: An
Assurance-Based Approach to Min-
imizing Risks in the Software Supply
Chain,” SAFECode, 14 June 2010;
www.safecode.org/publications/
SAFECode_Software_Integrity
_Controls0610.pdf.
9. A. Shamir, “How to Share a
Secret,” Comm. ACM, vol. 22,
no. 11, 1979, pp. 612–613;
doi:10.1145/359168.359176.
10. A.C. Yao, “Protocols for Secure
Computations” (extended abstract),
Proc. 23rd Ann. Symp. Foundations of
Computer Science, IEEE CS, 1982,
pp. 160–164.
11. J. Brainard et al., “A New Two-Server
Approach for Authentication with
4:21 PM Page 1
Short Secrets,” Proc. 12th Usenix
Security Symp. (SSYM 03), Usenix
Assoc., 2003, pp. 201–214.
12. G. McGraw, B. Chess, and S.
Migues, “Building Security In
Maturity Model,” Sept. 2011;
http://bsimm.com.
13. “Open Trusted Technology Pro-
vider Standard (O-TTPS) Snap-
shot,” Open Group, Feb. 2012;
www.opengroup.org/bookstore/
catalog/s121.htm.
Eric Baize is the senior director and
head of the EMC Corporation’s
Product Security Office. He rep-
resents EMC on the SAFECode
(Software Assurance Forum for
Excellence in Code) board of direc-
tors and serves on the BSIMM
(Building Security In Maturity
Model) advisory board. Contact
him at eric.baize@emc.com.

Experimenting with your hiring process?

Finding the best computing job or hire shouldn’t be left to chance.
IEEE Computer Society Jobs is your ideal recruitment resource, targeting
over 85,000 expert researchers and qualified top-level managers in software
engineering, robotics, programming, artificial intelligence, networking and
communications, consulting, modeling, data structures, and other computer
science-related fields worldwide. Whether you’re looking to hire or be hired,
IEEE Computer Society Jobs provides real results by matching hundreds of
relevant jobs with this hard-to-reach audience each month, in Computer
magazine and/or online-only!

http://www.computer.org/jobs
The IEEE Computer Society is a partner in the AIP Career Network, a collection of online job sites for scientists, engineers, and
computing professionals. Other partners include Physics Today, the American Association of Physicists in Medicine (AAPM), American
Association of Physics Teachers (AAPT), American Physical Society (APS), AVS Science and Technology, and the Society of Physics
Students (SPS) and Sigma Pi Sigma.

92 IEEE Security & Privacy May/June 2012