In an important Juniper security announcement last month it was revealed that:
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections.”
Firewalls are a core part of an organisation’s security defences, so important that managing them is one of the five controls in the UK Government’s Cyber Essentials security standard. As such, products of this nature need to be trustworthy.
However, a product that contains unauthorised code is implicitly untrustworthy, which is why Juniper is moving so quickly to resolve the issue with their NetScreen® firewalls.
PAS 754 is a governance and management framework to support the development of trustworthy software. It was sponsored by the Trustworthy Software Initiative (TSI) and the UK Government’s National Cyber Security Programme. It includes governance, risk, personnel security, physical security, procedural controls, technical controls and compliance.
Under the procedural controls area, there is a control group “Perform trusted software asset management”, which looks at how you know exactly what software is in a product.
This, when combined with the controls “Maintain configuration management”, “Provide artefact protection” and “Enable dependable deployment” (which includes controls about the chain of custody of source code), starts to provide a framework to ensure you don’t have unauthorised code appearing in your products.
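One concrete way to implement the asset-management and artefact-protection controls above is an approved manifest of source-file hashes, signed at release time and re-verified against the build tree, so that any file added, modified or removed outside the configuration-control process shows up as a discrepancy. The script below is an added illustration written for this article, not part of PAS 754 or of any Juniper process: the file contents, directory layout and the symmetric signing key are all constructed for the example (a real release process would sign with an asymmetric key held by a release-signing service or HSM).

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed signing key for the example only; a real deployment would use an
# asymmetric key held in an HSM or by a release-signing service.
MANIFEST_KEY = b"example-release-signing-key"


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large images are handled cheaply."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict[str, str], key: bytes = MANIFEST_KEY) -> str:
    """HMAC over a canonical serialisation, so the manifest itself cannot be edited unnoticed."""
    canonical = "\n".join(f"{path} {digest}" for path, digest in sorted(manifest.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_manifest_signature(manifest: dict[str, str], signature: str,
                              key: bytes = MANIFEST_KEY) -> bool:
    """Constant-time check that the manifest is the one that was approved and signed."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_tree(root: Path, manifest: dict[str, str], signature: str,
                key: bytes = MANIFEST_KEY) -> dict[str, list[str]]:
    """Compare a source tree against a signed manifest.

    Returns the discrepancies: files added, modified or removed relative to
    the approved set. A bad manifest signature is reported as its own finding
    and stops the comparison, because the reference itself is then untrusted.
    """
    findings: dict[str, list[str]] = {"added": [], "modified": [], "removed": [], "bad_signature": []}
    if not verify_manifest_signature(manifest, signature, key):
        findings["bad_signature"].append("manifest signature mismatch")
        return findings
    current = build_manifest(root)
    for path, digest in current.items():
        if path not in manifest:
            findings["added"].append(path)
        elif manifest[path] != digest:
            findings["modified"].append(path)
    findings["removed"] = sorted(set(manifest) - set(current))
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: approve a tree, then alter it outside process and detect the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "auth.c").write_text("int check_password(void) { /* approved */ }\n")
        (root / "src" / "vpn.c").write_text("/* approved VPN code */\n")

        approved = build_manifest(root)
        sig = sign_manifest(approved)

        # The approved tree verifies cleanly: every finding list is empty.
        assert all(not v for v in verify_tree(root, approved, sig).values())

        # Unauthorised change: one approved file edited, one file added.
        (root / "src" / "auth.c").write_text("int check_password(void) { /* modified */ }\n")
        (root / "src" / "extra.c").write_text("/* not in the approved manifest */\n")
        return verify_tree(root, approved, sig)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run as-is it reports `modified: ['src/auth.c']` and `added: ['src/extra.c']`. The point of signing the manifest is that an attacker with write access to the repository cannot simply regenerate the hash list to match their change; the signing key has to be held separately from the tree it protects, which is the chain-of-custody separation the controls above describe.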
At the current time it is not known how the unauthorised code appeared in the Juniper products. On January 8th in a second announcement, Advancing the Security of Juniper Products, Juniper commented:
“The investigation of the origin of the unauthorized code continues.”
One assumes the possibilities being investigated include:
- Lack of configuration control process;
- Legitimate engineer not following correct internal process;
- Insider attack, deliberately modifying the code; and
- External attack, deliberately modifying the code.
The PAS 754 control sets, if implemented well, might have prevented the problem, or at least detected it earlier.
PAS 754 also provides elements in the framework to “Maintain defect management”, “Perform internal verification” and “Maintain ongoing review”. This is an area where Juniper appear to have got it right: their internal code review identified the issue and, more importantly, escalation led to an out-of-cycle security update.
So, could PAS 754 have helped Juniper? The details are too thin to give a definitive answer, but one thing we can be sure of is that Juniper will be reviewing their processes.
As such, PAS 754 is a framework they would be well advised to look at.
Should you undertake a PAS 754 review before you are the next Juniper?