Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools.

Published byBritton McKinney Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools."— Presentation transcript:

1 Chapter 1 The Software Security Problem

2 Goals of this course Become aware of common pitfalls. Static Analysis and tools

3 Some common approaches to security Defensive Programming Security Features (vs secure features)‏ Improving Software Quality

4 Some common approaches to security Defensive Programming Security Features (vs secure features)‏ Improving Software Quality (none of these approaches work!)‏

5 So, what works?

6 Usual Software building cycle: Requirements and Specifications Design Code Test and debug Integration test Deliver

7 Best way to detect vulnerable code Through a Static Analysis Tool. However, hand/hard work is still necesary!

8 Vulnerability Classification Generic vs context-specific defects Visible in the code vs visible only in the design Seven pernicious kingdoms:  Input validation and representation  API abuse  Security Features  Time and State  Error Handling  Code Quality  Encapsulation  Environment

9

10 2009 CWE/SANS Top 25 Insecure Component Interaction  Faiulre to preserve page structure (Cross-site scripting)  Improper sanitation of SQL commands (SQL injection)  Cross-site request forgery  Unrestricted upload of file with dangerous type  Improper sanitation of OS command elements (OS command injetion)  Error Message Information leak  URL redirect to untrusted site (open redirect)  Race Condition Risky Resource Management  Buffer overflow  Improper limitation of a pathname in a restricted directory  Buffer access woth incorrect length value  Improper check for unusual or exceptional conditions Improper control of filename for include/require PHP statement  Improper validation of array index.  Integer overflow/wraparound  Incorrect buffer size calculation  Code download without integrity check.  Unlimited resource allocation

11 2009 CWE/SANS Top 25 (cont)‏ Porous Defenses  Improper Access control  Reliance on untrusted inputs in a security decision  Broken or risky cryptography  Hard-coded credentials/passwords  Missing authentication for critical function  Incorrect Permission Assignment for critical Resource  Use of broken or risky cryptography.

Download ppt "Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools."

Similar presentations

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.
Static code check – Klocwork

Static code check – Klocwork
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
CWE/Sans Top 25 Most Dangerous Programming Errors

CWE/Sans Top 25 Most Dangerous Programming Errors
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.

Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.
SSW 540 Foundations of Software Engineering Week 9 Risk Management and Software Assurance.

SSW 540 Foundations of Software Engineering Week 9 Risk Management and Software Assurance.
Security Management prepared by Dean Hipwell, CISSP

Security Management prepared by Dean Hipwell, CISSP
A Framework for Automated Web Application Security Evaluation

A Framework for Automated Web Application Security Evaluation

Similar presentations

Ads by Google