Government of India Embraces Secure Application Development - SDL Chronicles May 2012
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Copyright © 2012 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Government of India Embraces Secure Application Development
SDL Chronicles

NEW DELHI, INDIA — Walk the long halls of the massive government offices here or chat with the legion of impeccably dressed outsourcing execs, and it’s clear that this vast nation has taken a major bet on the knowledge economy. Information technology powerhouses like Tata Consultancy Services, HCL Technologies and Cognizant Technology Solutions are all part of a private sector information technology boom. Estimates from trade groups, like India’s National Association of Software and Services Companies, predict that total IT revenues here will nearly triple over the next eight years, from $88 billion today to $225 billion in 2020. By then, widely accepted estimates say India’s information economy will employ a full 30 million people — more than the population of metropolitan New York City.

“India is the favored IT destination for the world’s Fortune 1000,” says Ajit Menon, chief security officer for Tata Consultancy Services.

But India’s rise as an international information-age superpower comes at a price: Like many developing nations, the country is ripe territory for cybercrime. A Microsoft Security Intelligence Report covering the first half of 2011 estimated that 11 percent of so-called spambot Web addresses come from India. That’s more than France, Germany, the United States and the United Kingdom combined. Indian banks reported an average loss of about 126 million Indian rupees due to cybercrime in 2010, according to an August 2011 report by Mountain View, CA-based security firm Symantec. That’s not an insignificant figure in a country where the average per capita income is about 54,500 rupees.

Also troubling is a wave of high-profile online attacks. Total websites damaged in 2011 exceeded 15,200. In April 2011, prominent member of Parliament Rahul Gandhi — no relation to Mohandas K. “Mahatma” Gandhi, the father of modern India — was widely reported to have had his campaign finance data compromised.

Growing concerns over cybersecurity, both in India and around the world, have given important companies investing in offshore information technology — the engine that drives India’s IT prosperity — cause for concern. A recent study of more than 50 Indian information technology companies that compete for overseas clientele found that a full 90 percent of their global customers consider security a top priority — and that software security would affect how those companies spend their IT dollars. “This was the first time we were able to demonstrate that software security is a driver for how international companies spend their outsourcing dollars,” says Sanjay Bahl, chief security officer for Microsoft Corp. India, Private Ltd., who co-authored the report.

Cybersecurity has become so important to India that this fast-evolving, information-based nation has taken unparalleled steps to protect it. In both the public and private sectors, India now has the stated goal to make its emerging digital economy one of the world’s most secure.

Government of India Embraces Secure Application Development: SDL Chronicles 1
Though India is the world’s largest democracy, its economy is no Western-style, low-regulation business environment. India’s economy is centrally planned. Choices in technology — as well as everything from farming to land management to language training — are made through a series of five-year plans. In the draft of the latest such statement of national economic intent, called the 12th Five-Year Plan because it is literally the twelfth one since India’s independence, strict new language will beef up security measures throughout digital India. If, as expected, the language is approved later this year, new mandates will further improve security policies and compliance, and provide more money for research and development.

And earlier this year, the government gave regulators tough new powers to levy fines against telecom service providers who cannot maintain the security of their networks. “These fines are not insignificant,” says Akhilesh Tuteja, executive director for KPMG, an international management consultancy with offices here. “They can be as high as $10 million.”

Both in the private and public sectors, as India moves to make its software more secure, it is relying on a software development process called the Security Development Lifecycle, which was formalized by Microsoft a decade ago. Dubbed the SDL, this approach to creating secure software anticipates the risk an application might face before a line of code is written.

Application security has found several champions inside India’s techno-elite. Among the most passionate is Dr. Gulshan Rai, who leads the country’s response to cyberthreats. Rai, the trim, energetic director general of India’s Computer Emergency Response Team, will explain to any listener the role secure software development must play in India’s future. “Application security is absolutely critical to the software we create,” says Rai. “The processes defined by the Security Development Lifecycle are critical to application security. It is getting integrated into everything we touch.”

Sophisticated outsourcing firms like HCL Technologies, an international IT development firm based in the Delhi suburb of Noida, now compete to be world leaders in information technology security, against other big India IT stars like Tata Consultancy and Cognizant Technologies. Even non-security-oriented executives in these shops are fluent in such security standards as the International Standards Organization 27001, which defines general operational security, and the Payment Card Industry Security Standards used in the banking industry. “Today’s global customer for information technology demands that security be built into the product,” says M.V. Roop Chandar, global operations director for information security at HCL Technologies. “It takes time. But when a contract is put on the table, it has to get done. We have no choice.”

The drive to make India the global leader in information security has made its way into the country’s digital trenches. Chas Jeffries, a lead project manager at Microsoft who teaches software security around the globe, says Indian training sessions are the most passionate and well attended of any he has supported. “Usually, in other countries, you set up a classroom for 30 and maybe 20 come, and everyone wants to leave by 5,” says Jeffries. “But in the India session, we set up for 30, 90 crowded the room, 90 more were turned away. And they never leave. They will stay for as long as you stay. They want to learn the material.”
India’s march toward application security comes as its citizens become increasingly dependent on technology. The government reports that, at the end of November 2011, India had a mind-boggling 884 million cell phone subscriptions, having added 3 million users in the previous month alone. But just 40 percent of Indians have access to banking facilities. The Oxford Poverty and Human Development Initiative reported in 2011 that roughly half of Indians are poor compared to the rest of the world — a percentage usually found in undeveloped nations like Cameroon and Nigeria.

Officials say a digital economy can help reverse those trends. “Information technology has become absolutely critical to the future of India,” says B.J. Srinath, senior director for India’s Computer Emergency Response Team, the government agency that manages the response to cyberthreats. “It is the thing we can use to define ourselves in the world and it helps us face our most difficult problems.”
The Indian Story is a Security Story

Places like the Khan Market here in New Delhi swarm with honking auto rickshaws, BMWs, wandering dogs and people. Many, many people. But beneath this over-amped atmosphere is a quiet, standards-based culture with a deep respect for process and security. One of the foundational myths of Indian society is of Manu, a modest man begged by a small fish to give it a safe home from predators. Manu kept the fish safe in a jar and was rewarded with news of an impending flood. He survived. Most did not. India’s sense for anticipating disaster is evident in its current march toward secure software development and the adoption of the Security Development Lifecycle.

Following independence in 1947, India established a democratically elected government, but also began conscious, nationwide economic planning. Information technology was seen as a smart investment. In 1950, the same year the Constitution of India came into force, the nation’s government created a Planning Commission, headed by India’s prime minister and managed by a mix of appointed officials and bureaucrats. The Commission plays keeper to an apiary of Indian industry verticals, including information technology, all of which interact with the private sector to deliver services.

An important creation of the Planning Commission was the National Informatics Centre, established in 1976. The Centre is housed across the way from the Computer Emergency Response Team in a more modern wing of the Central Government Office complex here. It is well guarded, and for good reason. It’s tough to find a corner of Indian government not directly touched by the Centre. Everything from election-enabling software to emergency short-messaging services to peer-to-peer farm loans are managed here. And it’s all directed by one surprisingly relaxed, avuncular man: Dr. B.K. Gairola.
At any opportunity, Gairola will spring from his government-issued, domestically built Ambassador car — which, in classic Indian style, comes with a driver — to speak at length about the opportunities and challenges of information technologies for a new India. The Security Development Lifecycle is a key part of that discussion.

The public sector adoption of the SDL started in earnest around late 2008, according to Microsoft representatives here. That’s when researchers for the government realized that software security was as important as solid firewalls, up-to-date software and limited access to computer files. Software security was done mostly on a by-project basis, usually by individual developers and coders developing specific applications. But as the awareness of software security grew, the Informatics Centre began investing in more formal SDL training. Most of the agency’s software developers and programmers now attend SDL classes, and agency managers see application security as key to the software they deploy.

“Security is an integral part of the software development lifecycle, not external to it,” Dr. Y.K. Sharma, the Centre’s deputy director general, says from his uncluttered, nearly spotless office. “You can’t ignore it. If a piece of code is not secure, it simply can't be claimed to work.”

The Security Development Lifecycle is also finding a home in the systems India uses to respond to software attacks. Its national Computer Emergency Response Team manages the country’s testing and response methods for cyberassaults. When the organization runs an attack simulation, the Security Development Lifecycle often defines the process and the tools used. That’s been the case since about 2005, when a growing worldwide awareness of the importance of application security caught the attention of the Indian Computer Emergency Response Team. Srinath, the team’s energetic senior director, serves on several international technology committees, and during these interactions and his contact with the private sector, application security became a common topic of discussion.
“The SDL is one of the approaches we use to maintain our software security,” he says. “As professionals, we felt we had to deploy it.”

A uniquely Indian security solution is the Data Security Council of India. Formed in 2008 by the National Association of Software and Services Companies, the Council has roughly 20 employees, but is managed by a board of directors representing the public and private sectors, as well as academia. The Council sponsors what amounts to application security grassroots education. And it highlights the training and outreach of the Security Development Lifecycle.

“Our goal is to create a security culture in the country,” says Vinayak Godse, who sports the same relaxed, open-collar shirts and jackets that a college professor might. But he is dead serious as the Council’s director of data protection. “To get people to actually deploy it, you need to have this sort of direct touch with the end user.”

The SDL’s influence extends beyond traditional IT infrastructure. One of the Council’s responsibilities is training India’s 10,000 or so cybercops, who conduct application security investigations using methods adapted from SDL principles. These digital investigators are part of India’s national security forces, both in the government and the private sector. Citizens who are the victims of, say, an email phishing attack go to their local police precinct, file a complaint and an investigation begins. For now, the biggest threat in India is phishing vectors, usually from Nigeria.

In a ruthlessly competitive market, the ability to offer security is also a crucial sales tool. Fear of a security breach and worries that companies might lose control of their data are a big part of the reason overseas clients in the international outsourcing market demanded better application security in the first place. For many of India’s top IT firms, developing their own sophisticated application security solutions is a way to set themselves apart from their competition — overseas clients need to know their data is in good hands. And in basing their solutions off of a globally known standard, the SDL gives them a chance to show clients a transparent process to help build trust that the right security procedures will be followed.

“We saw there was an opportunity for setting up a practice based mostly around application security,” says M. Srinivas Rao, co-founder of Aujas Networks, an information technology security company and an SDL Pro Network member with Microsoft, with offices across India. “Once companies began seeing there was real risk to their brands, they realized that application security was worth the spend.”

Now, India’s mature international IT firms vie to prove to overseas clients that their software security is the best on earth. In many cases, these robust security practices are based on standards and principles defined by the SDL: anticipating the risk an application will face, building barriers between parts of code to segment the exposure if there is a breach, and reducing how much of an application can be accessed by a potential attacker, among other tenets.

“The SDL is the de facto security application development infrastructure for IT in India,” says Satish Das, chief security officer for Cognizant Technology Solutions, an integrated information technology firm here. “So how it makes its software secure is important.”
SDL Gets Written Into the Plan

A commitment to secure software development principles, many of which are codified in the Security Development Lifecycle, is being written into India’s long-term economic planning. Starting in mid-2011, those close to the nation’s central planning process began hearing whispers that improved information technology security would be part of the upcoming 12th Five-Year Plan. These whispers were confirmed when some 25 people from the public and private sectors were invited to sit on an eSecurity Committee being organized by the Department of Information Technology. Members of that committee met in the summer of 2011 to consider improved IT security, including tightening the standards for application security. At the first formal meeting, the committee agreed to break into six sub-committees — and application security got the attention of two of them.

So began a month-long debate over what security approaches would be adopted in the coming Five-Year Plan. Committee members understood that application security should play a role. However, even the simplified implementation of the SDL is 17 pages long — not the kind of thing to include in a relatively short, top-level planning document. The trick was finding words specific enough so industry players could trust that government dollars would flow to applications projects, but broad enough to let companies adopt the SDL in their own way.

B.J. Srinath, of the Computer Emergency Response Team, knew this delicate balance of techno-planning was critical, since the Five-Year Plan defines what the public and private sectors each do. It was important that committee members not overwrite or underwrite — nor bias application security language toward one industry player or another. Any of those missteps could ruin application security’s chances for formalized entry into the plan. By July 2011, after much deliberation, the final language was cast.

Two short sentences ended up in the 217-page draft document. One, in Article 7.5 — “Security Awareness, Skill Development and Training” — called for “promoting secure coding practices.” The other, in Article 7.2 — “Security Policy, Compliance and Assurance” — called for “publishing guidelines and mandate for secure development and deployment of ICT systems.”

And so it was done. Assuming the draft language is ratified in the coming year, India will formally commit to the principles of secure software development, many of which are defined by the Security Development Lifecycle. “It is critical to this country that the world knows that we are creating the most secure software possible,” says Srinath. “We cannot risk our place in the world because of application security.”
Much Work Remains to be Truly Secure

Today’s digital India deserves real credit for aggressively deploying application security. But those close to the process, both in the public and private sectors, are concerned about the nation’s practical will to deliver on the promise of the Security Development Lifecycle. The biggest worries swirl around the country’s ability to fully commit to security. Despite India’s dogged efforts and the national conversation surrounding cybersecurity, India faces similar challenges in improving many aspects of its fast-growing culture. Transparency International, the Berlin-based watchdog organization that tracks the perceived level of government effectiveness, puts India about halfway between the most and least organized countries worldwide.

And India faces the tough challenge of managing its infrastructure. Government planners point out that this is a nation that has a history of investing untold resources in spectacular — but non-essential — projects like the Taj Mahal, but has struggled to deploy less flashy but more critical projects like basic transportation and plumbing.

Then there is the reality that even in this land of seemingly endless human resources, the application security industry is challenged to find enough trained, quality employees. “Skilled manpower is the same problem for us as it is for everybody else,” says Dr. Rai, of the Computer Emergency Response Team. “It’s a subtle thing, developing application security, and those skills are limited. Even here.”

All those close to the process of deploying modern secure applications in this ancient country realize that while the upfront costs of developing software using the SDL may be higher, the investment pays off long term. Indian IT professionals agree that using the SDL saves on the expense of fixing breached code, the hard costs of lost data if there is an attack and the brand damage incurred when software turns out not to be as safe as expected.

But on a larger level, insiders believe information technology is a problem India is culturally predisposed to solve. Srinath speaks passionately about his country’s near-mystical ability to manage complex, largely invisible problems like software development. Indians tend to be comfortable with the intangible, he says, and have the native mindset for managing application development. Because of this predisposition for secure applications, Srinath believes India, through software, has a chance to revolutionize itself.

“Our society has not been very comfortable with technology in the past. But now we are cozy with it. And we realize it is something we can add value to,” he says. “It is redesigning the way we exist. It is becoming who we are. And now that we are holding on to the handle bar of a running train, we have no choice but to run as fast as we can, and try to jump onto the train.”
One Microsoft Way Redmond, WA 98052-6399 microsoft.com/security www.microsoft.com/sdl