Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Why is Commercial Software So Vulnerable (and How Can We Fix It)?

Published byPercival Potter Modified over 8 years ago

Similar presentations

Presentation on theme: "Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Why is Commercial Software So Vulnerable (and How Can We Fix It)?"— Presentation transcript:

1 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Why is Commercial Software So Vulnerable (and How Can We Fix It)?

2 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 State of Things Today Many vulnerabilities in commercial software Typical vendors release dozens of fixes annually No indication this is improving

3 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Kinds of Vulnerabilities Design Flaws Implementation Flaws

4 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Design Flaws Occur when software is planned and specified without proper consideration of security requirements and principles Examples: –Cleartext passwords –Weak or proprietary cryptography

5 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Design Flaws Why do Design Flaws happen? –Rushed engineers –Ignorance of security requirements or principles Fortunately, software designs are improving!

6 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Design Flaws As Design Flaws are found, they are fixed in future releases But... These can be deeply ingrained, architectural issues Industry is moving in the right direction Design Flaws are a minority of the security bugs we see

7 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Implementation Flaws Occur when software developers make a mistake when coding software (Just like other bugs, but some have serious security implications!) Implementation Flaws are independent of design

8 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Implementation Flaws Examples: –Buffer overflows –Integer over/underflows –SQL Injection –Format string

9 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Implementation Flaws Why do Implementation Flaws happen? Human error We cannot eliminate human error, but we can do more to minimize it Most serious security bugs are due to these careless mistakes

10 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 How Can We Improve? Education –Not every developer can be a security expert –Every developer must understand security fundamentals At Oracle, we have had success with a web- based, on-demand secure coding training class

11 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 How Can We Improve? Individual accountability –Education makes people accountable! –Hold developers accountable for writing quality code. Automated tools Power of the consumer

12 Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 The End Any questions?

Download ppt "Adam L. Jacobs, CISSP Principal Program Manager, Oracle 15/16 November 2005 Why is Commercial Software So Vulnerable (and How Can We Fix It)?"

Similar presentations

Program Transformations to Remove Integer-Handling Vulnerabilities in C Programs Zack Coker, Munawar Hafiz

Program Transformations to Remove Integer-Handling Vulnerabilities in C Programs Zack Coker, Munawar Hafiz
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.

Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Concrete Vulnerability Demonstrations for Software Engineering Undergraduates Andy Meneely and Samuel Lucidi Department of Software Engineering Rochester.

Concrete Vulnerability Demonstrations for Software Engineering Undergraduates Andy Meneely and Samuel Lucidi Department of Software Engineering Rochester.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Review of EIA Quality A formal step in the EIA process Purpose is to establish if the information in the EIA report is sufficient for decision –making.

Review of EIA Quality A formal step in the EIA process Purpose is to establish if the information in the EIA report is sufficient for decision –making.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
Model Driven Architecture (MDA) Partha Kuchana. Agenda What is MDA Modeling Approaches MDA in a NutShell MDA Models SDLC MDA Models (an Example) MDA -

Model Driven Architecture (MDA) Partha Kuchana. Agenda What is MDA Modeling Approaches MDA in a NutShell MDA Models SDLC MDA Models (an Example) MDA -
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,

Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
Software Engineering for Secure Systems Individual Research Project Hiram Garcia.

Software Engineering for Secure Systems Individual Research Project Hiram Garcia.
© 2007 Carnegie Mellon University Secure Coding Initiative Jason A. Rafail Monday, May 14 th, 2007.

© 2007 Carnegie Mellon University Secure Coding Initiative Jason A. Rafail Monday, May 14 th, 2007.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
A Scientific Approach to Software Security Dennis Fisher May 15, 2012 The Kaspersky Lab Security News Service.

A Scientific Approach to Software Security Dennis Fisher May 15, 2012 The Kaspersky Lab Security News Service.
AOIT Introduction to Programming Unit 4, Lesson 11 Documenting Bugs and Fixes Copyright © 2009–2012 National Academy Foundation. All rights reserved.

AOIT Introduction to Programming Unit 4, Lesson 11 Documenting Bugs and Fixes Copyright © 2009–2012 National Academy Foundation. All rights reserved.

Similar presentations

Ads by Google