Presentation is loading. Please wait.

Presentation is loading. Please wait.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Published byHeather Tibbett Modified over 9 years ago

Similar presentations

Presentation on theme: "Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,"— Presentation transcript:

1 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Secure Software Development Chapter 18

2 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Objectives Describe how secure coding can be incorporated into the software development process. List the major types of coding errors and their root cause. Describe good software development practices and explain how they impact application security. Describe how using a software development process enforces security inclusion in a project.

3 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Key Terms Agile model Black-box testing Buffer overflow Canonicalization error Code injection Common Vulnerabilities and Exposures (CVE) Common Weakness Enumeration (CWE) Cryptographically random Deprecated functions Fuzzing Grey-box testing Least privilege Misuse case Penetration testing Requirements phase Secure development lifecycle (SDL) model Spiral model SQL injection Testing phase Top 25 list Use case Waterfall model White-box testing

4 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Software Engineering Software engineering is the systematic development of software to fill a variety of functions. Nonfunctional requirements take a low priority. Security described as a nonfunctional requirement in many projects and has been neglected. Growing dependency on software demands better software security.

5 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Software Engineering Process Several specific models have been developed to make the process of programming more effective and efficient. Some major models include: –The waterfall model –The agile model –The secure development lifecycle model (SDL)

6 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Process Models The waterfall model The spiral model The evolutionary model The agile model/RAD (rapid app dev) The secure development model (SDL)

7 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Secure Development Lifecycle Firms have recognized the need for secure code. Security should be an issue that is addressed throughout the development process. The SDL accounts for security in each of its four major phases: –Requirements phase –Design phase –Coding phase –Testing phase

8 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition SDL Requirements Phase Define the specific requirements of the project. Ensure the resultant software functions as desired. Items specifically regarding security should be enumerated during this step. Outcome of this phase is a document guiding security throughout the rest of the process. Adding security later tends to cost exponentially more than implementing it from the start.

9 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Analysis of security and privacy risk Authentication and password management Audit logging and analysis Authorization and role management Code integrity and validation testing Cryptography and key management Security Considerations for Requirements Phase

10 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Data validation and sanitization Network and data security Ongoing education and awareness Team staffing requirements Third-party component analysis Security Considerations for Requirements Phase (continued)

11 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Buffer Overflows Nearly half of all exploits of computer programs stem historically from some form of buffer overflow. The generic classification of buffer overflows includes many variants: –Static buffer overruns –Indexing errors –Format string bugs –Unicode and ANSI buffer size mismatches –Heap overruns

12 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Improper Input Handling Users have the ability to manipulate inputs and it is up to the programmer to appropriately handle the input to prevent malicious entries from having an effect. Canonicalization is when application programs manipulate strings to a base form, creating a foundational representation of the input. Canonicalization errors are inputs to a web application may be processed by multiple applications, such as web server, application server, and database server, each with its own parsers to resolve appropriate canonicalization issues.

13 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Injections Another issue with unvalidated input is the case of code injection. Rather than the input being appropriate for the function, this code injection changes the function in an unintended way. A SQL injection attack is a form of code injection aimed at any Structured Query Language (SQL)–based database, regardless of vendor.

14 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Testing for SQL Injection Vulnerability There are two main steps associated with testing for SQL injection vulnerability. –The first step is to confirm that the system is at all vulnerable. –The second step is to use the error message information to attempt to perform an actual exploit against the database. SELECT * FROM `users` WHERE `username` LIKE 'namuoc' LIMIT 0, 30

15 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Least Privilege Least privilege requires that the developer understand what privileges are required specifically for an application to execute and access all its required resources. Determine what needs to be accessed and what the appropriate level of permission is, then use that level in design and implementation.

16 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Testing Methodologies 3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning White-box testing: Tests the internal structures Black-box testing: tests the actual functionality Grey-box testing: Tests structure and function

17 Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond, Third Edition Chapter Summary Describe how secure coding can be incorporated into the software development process. List the major types of coding errors and their root cause. Describe good software development practices and explain how they impact application security. Describe how using a software development process enforces security inclusion in a project.

Download ppt "Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,"

Similar presentations

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 4 Slide 1 Software Processes.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
©Ian Sommerville 2000 Software Engineering, 6th edition Slide 1 Software Processes l Coherent sets of activities for specifying, designing, implementing.

©Ian Sommerville 2000 Software Engineering, 6th edition Slide 1 Software Processes l Coherent sets of activities for specifying, designing, implementing.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.

Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Chapter 2 The process Process, Methods, and Tools

Chapter 2 The process Process, Methods, and Tools

Similar presentations

Ads by Google