Presentation is loading. Please wait.

Presentation is loading. Please wait.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application."— Presentation transcript:

1 August 1, 2006 Software Security

2 August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application firewalls will not make you secure. 50/50 Architecture/Implementation Problems An Emergent Property of Software –Like Usability or Reliability –Not a Feature

3 August 1, 2006 Security Problems SECURITY BUGS 50% Buffer overflow Cross-site scripting Race condition SQL injection Unsafe system calls Untrusted input ARCHITECTURAL FLAWS 50% Cryptography misuse Fragility Insecure auditing Lack of compartmentalization More privilege than necessary Replay attacks

4 August 1, 2006 Security as Risk Management Helps communicate security need to customer. –Cost of security vs. amount of potential losses. No system is 100% secure. –Some risks aren’t cost effective to mitigate. –Humans make mistakes. –New types of vulnerabilities are discovered.

5 August 1, 2006 Risk Management 1.What assets are you trying to protect? 2.What are the risks to those assets? 3.Which risks do we need to mitigate? 4.What security measures would mitigate those risks? 5.Which of those measures is most effective, when considering cost, side effects, etc.?

6 August 1, 2006 Software Security Practices

7 August 1, 2006 Software Security Practices 1.Code reviews 2.Architectural risk analysis 3.Penetration testing 4.Security testing 5.Abuse cases 6.Security operations

8 August 1, 2006 Code Reviews Fix implementation bugs, not design flaws. Benefits of code reviews –Find defects sooner in the lifecycle. –Find defects with less effort than testing. –Find different defects than testing. –Educate developers about security flaws.

9 August 1, 2006 Static Analysis Tools Automated assistance for code reviews –Speed: review code faster than humans can –Accuracy: 100s of secure coding rules False Positives –Tool reports bugs in code that aren’t there. –Complex control or data flow can confuse tools. False Negatives –Tool fails to discover bugs that are there. –Code complexity or lack of rules to check.

10 August 1, 2006 Static Analysis Tools Older simple search tools –Flawfinder –ITS4 –RATS Parsing Tools –Fortify Source Code Analyzer –Klocwork K7 Suite –Secure Software Code Assure

11 August 1, 2006 Architectural Risk Analysis Fix design flaws, not implementation bugs. Risk analysis steps 1.Develop an architecture model. 2.Identify threats and possible vulnerabilities. 3.Develop attack scenarios. 4.Rank risks based on probability and impact. 5.Develop mitigation strategy. 6.Report findings

12 August 1, 2006 Architecture Model Background materials –Use scenarios (use cases, user stories) –External dependencies (web server, db, libs, OS) –Security assumptions (external auth security, &c) –User security notes Determine system boundaries / trust levels –Boundaries between components. –Trust level of each component. –Sensitivity of data flows between components.

13 August 1, 2006 Level 0 Data Flow Diagram

14 August 1, 2006 Level 1 Data Flow Diagram

15 August 1, 2006 Risk Analysis Attack Analysis –Historical attacks and vulnerabilities. –Attack patterns Command Delimiters Multiple Parsers and Double Escapes –Attack trees Ambiguity Analysis –Compare understandings of architects. External Weakness Analysis

16 August 1, 2006 Penetration Testing Test software in deployed environment. Allocate time at end of development to test. –Often time-boxed: test for n days. –Schedule slips often reduce testing time. –Fixing flaws is expensive late in lifecycle. Penetration testing tools –Test common vulnerability types against inputs. –Fuzzing: send random data to inputs. –Don’t understand application structure or purpose.

17 August 1, 2006 Penetration Testing Tools –WebScarab –Paros Proxy –Burp Suite Vulnerability Scanners –Nikto –Nessus

18 August 1, 2006 Security Testing Intendended Functionality Actual Functionality Functional testing will find missing functionality. Injection flaws, buffer overflows, XSS, etc.

19 August 1, 2006 Security Testing Two types of testing –Functional: verify security mechanisms. –Adversarial: verify resistance to attacks generated during risk analysis. Different from traditional penetration testing –White box. –Use risk analysis to build tests. –Measure security against risk model.

20 August 1, 2006 Abuse Cases Anti-requirements –Think explicitly about what software should not do. A use case from an adversary’s point of view. –Obtain Another User’s CC Data. –Alter Item Price. –Deny Service to Application. Developing abuse cases –Informed brainstorming: attack patterns, risks.

21 August 1, 2006 Security Operations User security notes –Software should be secure by default. –Enabling certain features/configs may have risks. –User needs to be informed of security risks. Incident response –What happens when a vulnerability is reported? –How do you communicate with users? –How do you send updates to users?

22 August 1, 2006 References 1.Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison- Wesley, 2004. 2.Gary McGraw, “XP and Software Security?!”, XP Universe, 2003. 3.Gary McGraw, Software Security, Addison-Wesley, 2006. 4.Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006. 5.OWASP, The OWASP Top 10 Project, http://www.owasp.org/index.php/OWASP_Top_Ten_Project, 2006. http://www.owasp.org/index.php/OWASP_Top_Ten_Project 6.OWASP, The OWASP Guide to Building Secure Web Applications, http://www.owasp.org/index.php/OWASP_Guide_Project, 2006. http://www.owasp.org/index.php/OWASP_Guide_Project 7.Paul Saitta, Brenda Larcom, and Michael Eddington, “Trike v.1 Methodology Document [draft],” http://dymaxion.org/trike/, 2005.http://dymaxion.org/trike/ 8.Joel Scambray, Mike Shema, and Caleb Sima, Hacking Web Applications Exposed, 2 nd edition, Addison-Wesley, 2006. 9.Frank Swiderski and Window Snyder, Threat Modeling, Microsoft Press, 2004. 10.John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002. 11.VISA, Payment Card Industry Data Security Standard (PCI-DSS), http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_D ata_Security_Standard.pdf

Download ppt "August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application."

Similar presentations

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Risk Analysis James Walden Northern Kentucky University.

Risk Analysis James Walden Northern Kentucky University.
Risk Analysis James Walden Northern Kentucky University.

Risk Analysis James Walden Northern Kentucky University.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.

August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.
Threat Modeling for Hostile Client Systems Avni Rambhia.

Threat Modeling for Hostile Client Systems Avni Rambhia.
SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.

SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
A Scanner Sparkly Web Application Proxy Editors and Scanners.

A Scanner Sparkly Web Application Proxy Editors and Scanners.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
1 ISEC0511 Programming for Information System Security Lecture Notes #4 Security in Software Systems (cont)

1 ISEC0511 Programming for Information System Security Lecture Notes #4 Security in Software Systems (cont)
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Similar presentations

Ads by Google