Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software. Does Security Even Matter?  Find two other people near you Introduce yourself What is your favorite software development.

Published byCalvin Owens Modified over 8 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software. Does Security Even Matter?  Find two other people near you Introduce yourself What is your favorite software development."— Presentation transcript:

1 Engineering Secure Software

2 Does Security Even Matter?  Find two other people near you Introduce yourself What is your favorite software development technology? (language, tool, library, etc.) Have you ever written software where security mattered? ○ Did you do anything about it then?

3 Discussion  Increased airport security measures Think: TSA agents, full-body scanners, taking off your shoes, etc. Are we safer because of these measures? If so, is it worthwhile? © 2011-2012 Andrew Meneely

4 Discussion Takeaways  Security is not black-and-white  Security “Theater” Feeling safer vs. Being safer People act on their perception of reality, not necessarily on reality  Protection can be costly E.g. personal liberty and privacy  Eliminating a Threat vs. Protection  Vulnerability vs. Exploit vs. Threat

5 An Engineer’s Concern  In SE we teach you how to build software …but not as much breaking software  How do you know that you have built a system that cannot be broken into? What evidence do you look for? How do you know you’re done?

6 Vulnerability  Informally, a bug with security consequences  A design flaw or poor coding that may allow an attacker to exploit software for a malicious purpose Non-software equivalent to “lack of shoe-examining at the airport” E.g. allowing easily-guessed passwords (poor coding) E.g. complete lack of passwords when needed (design flaw) McGraw: 50% are coding mistakes, 50% are design flaws  Alternative definition: “an instance of a fault that violates an [implicit or explicit] security policy”

7 Exploit and Threat  Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in an effort to cause unintended or unanticipated behavior i.e. maliciously using a vulnerability Can manual or automated Viruses are merely automated exploits Many different ways to exploit just one vulnerability  Threat – two usages of the word (a) An actor or agent that is a source of danger, capable of violating confidentiality, availability, or integrity of information assets and security policy ○ e.g. black-hat hackers (b) A class of exploits ○ e.g. spoofing

8 [Exploit|Threat|Vulnerability] Protection  Protect against exploits? Anti-virus, intrusion detection, firewalls, etc.  Protect against threats? Use forensics to find & eliminate Mitigate by punishment, if possible  Protect against vulnerabilities? Engineer secure software!

9 Software Security is…  NOT a myth but a reality  Insecure software causes immeasurable harm  Sony, NSA, Android, Browsers… just read the news

10 Software Security is…  NOT an arcane black art  Much of it seems arcane Finding a severe vulnerability w/o source code Crafting the exploit Endless clever ways to break software  But, you have much more knowledge than the attackers do  Don’t just leave it to the experts, take responsibility for knowing security

11 Software Security is…  NOT a dire apocalyptic future  Fear-mongering will not be tolerated here  Risk management dictates that we deal in the probable more than the possible

12 Software Security is…  NOT a set of features  Secure software > Security software  Although tools and experts are helpful, You can’t just deploy a magical tool and expect all vulnerabilities to disappear You can’t outsource all of your security knowledge  Even if you are using a security library, know how to use it properly

13 Software Security is…  NOT a problem for just mathematicians  Cryptography Is important and needed Cannot solve all of your security problems Pick-proof lock vs. open window  Proofs, access control rules, and verification are helpful, but inherently incomplete

14 Software Security is…  NOT a problem for just networking and operating systems  Software had security problems long before we had the internet  If you left a window open in your house, would you try to fix the roads?

15 Software Security is…  A reality that everyone must face Not just developers, all stakeholders  A learnable mindset for software engineers  The ability to prevent unintended functionality At all layers of the stack In all parts of your system

16 Student Security Maturity 1. Denial I don’t have to think about this. Let me just code. Leave it to the experts. I could never understand this anyway. 2. Irrational fear, superstition EVERYTHING IS POSSIBLE NOW!!! EVERY MITIGATION IS NECESSARY!!! ENCRYPT EVERYTHING!!! 3. Bag of Tricks Let’s just try these tricks that worked in the past We’ve done these 10 things. That’s a lot. Close enough, right? 4. Reasoned, Balanced, Defensive Mindset If we do X, we mitigate Y, which is worthwhile because of Z.

Download ppt "Engineering Secure Software. Does Security Even Matter?  Find two other people near you Introduce yourself What is your favorite software development."

Similar presentations

Chapter 1  Introduction 1 Introduction Chapter 1  Introduction 2 The Cast of Characters  Alice and Bob are the good guys  Trudy is the bad guy 

Chapter 1  Introduction 1 Introduction Chapter 1  Introduction 2 The Cast of Characters  Alice and Bob are the good guys  Trudy is the bad guy 
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.

Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.

Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.

1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
Computer Security Workshops Security 101 - Introduction, Central Principles and Concepts.

Computer Security Workshops Security Introduction, Central Principles and Concepts.
A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.

A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.

Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.
Bruce Schneier Lanette Dowell November 25, 2009. Introduction  “It is insufficient to protect ourselves with laws; we need to protect ourselves with.

Bruce Schneier Lanette Dowell November 25, Introduction  “It is insufficient to protect ourselves with laws; we need to protect ourselves with.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.

Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.

Similar presentations

Ads by Google