Failure to protect stored data


Failure to protect stored data
Austin Woodruff, CSCE 548

Learning Objectives
- Technical overview of the problem
- Examples
- Detection methods and error mitigation
- Conclusion

Technical Overview
This sin comes from the tendency of software designers to worry more about protecting data while it is in transit than while it sits on disk. In reality, data spends far more of its life on disk than in transit. For stored data, the two big aspects to consider are weak or missing access control mechanisms, and weak or missing encryption.

Access Control on Stored Data
- Windows: Access Control Lists (ACLs)
- UNIX: permission model
- Bad practice
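To make the UNIX permission-model point concrete, here is an added example (not part of the original slides) that writes a secret file the lazy way, relying on the process umask, and the careful way, with an explicit owner-only mode set at creation time, and then audits a directory tree for files that leak access to group or others. The file names, the umask value 022 and the "s3cret" payload are constructed for the demonstration, and the mode results assume a POSIX system.

```python
import os
import stat
import tempfile


def write_secret_loosely(path: str, data: bytes) -> int:
    """Bad practice: rely on the process umask. With the common default
    of 022 the file ends up 0644, readable by every local user."""
    with open(path, "wb") as fh:          # created as 0666 & ~umask
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_secret_strictly(path: str, data: bytes) -> int:
    """Good practice: create the file owner-only (0600) in one step and
    refuse to reuse an existing path (O_EXCL), so the permissions are
    right from the first byte written rather than fixed up afterwards."""
    old_umask = os.umask(0o077)           # belt and braces for this call
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_exposed(mode: int) -> bool:
    """True when group or others hold any access bit."""
    return bool(mode & 0o077)


def audit_tree(root: str) -> list:
    """Detection aid: list files under root whose mode grants any access
    to group or others (the 'readable by low-privileged users' case)."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_exposed(stat.S_IMODE(os.lstat(p).st_mode)):
                exposed.append(p)
    return sorted(exposed)


def demo() -> tuple:
    """Writes one file each way in a temporary directory and returns
    (loose_mode, strict_mode, file_names_flagged_by_audit)."""
    saved = os.umask(0o022)               # simulate a typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            loose = write_secret_loosely(os.path.join(d, "loose.key"), b"s3cret")
            strict = write_secret_strictly(os.path.join(d, "strict.key"), b"s3cret")
            flagged = [os.path.basename(p) for p in audit_tree(d)]
    finally:
        os.umask(saved)
    return loose, strict, flagged


if __name__ == "__main__":
    loose, strict, flagged = demo()
    print(f"loose={loose:04o} strict={strict:04o} flagged={flagged}")
```

The strict writer does the two things that matter: it chooses the mode at creation instead of calling chmod afterwards (which leaves a window where the file is world-readable), and it uses O_EXCL so an attacker-planted file or symlink at that path is rejected rather than silently reused. The Windows equivalent is passing an explicit SECURITY_ATTRIBUTES with a restrictive DACL rather than NULL.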

Encryption of Stored Data
- Don't be lazy, do it!
- Don't do it lousy!

Related Topics to Help Understanding
- Information leakage
- Race conditions
- Use of weak password-based systems
- Poor random numbers used to generate encryption keys
- Using the wrong cryptography
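The "don't do it lousy" warning on the encryption slide and the related-topics bullets on weak password-based systems and poor random numbers describe the same failure: the key protecting stored data is itself weak. The following added example (not from the original slides) shows the two anti-patterns beside the standard-library way to do it: keys from the OS CSPRNG, and password-derived keys via salted PBKDF2-HMAC-SHA256 stored as a verifier record. The iteration count, key length and the "hunter2" sample password are assumptions chosen for the example.

```python
import hashlib
import hmac
import random
import secrets

# Parameters assumed for this example; 600,000 iterations follows current
# OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
KEY_LEN = 32


def weak_key_from_password(password: str) -> bytes:
    """The 'weak password-based system' anti-pattern: one unsalted hash.
    Identical passwords give identical keys, so precomputed tables apply."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def weak_random_key(seed: int) -> bytes:
    """The 'poor random numbers' anti-pattern: a non-cryptographic PRNG
    seeded from something guessable such as a timestamp. Anyone who can
    reproduce the seed reproduces the key byte for byte."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def new_random_key() -> bytes:
    """Keys for encrypting stored data come from the OS CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def derive_key(password: str, salt: bytes,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Password -> key with a per-item salt and a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_verifier(password: str) -> dict:
    """What to write to disk for a later password check: salt, KDF
    parameters and the derived value. Never the password itself and never
    an unsalted hash of it."""
    salt = secrets.token_bytes(16)
    return {
        "kdf": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": derive_key(password, salt).hex(),
    }


def check_password(verifier: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt = bytes.fromhex(verifier["salt"])
    derived = derive_key(candidate, salt, verifier["iterations"])
    return hmac.compare_digest(derived, bytes.fromhex(verifier["hash"]))


if __name__ == "__main__":
    # Two users with the same password get different verifiers.
    a, b = make_verifier("hunter2"), make_verifier("hunter2")
    print("salted hashes differ:", a["hash"] != b["hash"])
    print("unsalted hashes equal:",
          weak_key_from_password("hunter2") == weak_key_from_password("hunter2"))
    print("seeded PRNG key reproducible:",
          weak_random_key(1234) == weak_random_key(1234))
```

Encrypting the file contents themselves needs an authenticated cipher (for example AES-GCM from a library such as `cryptography`), which the standard library does not provide; the part shown here, how the key is generated or derived and what gets persisted, is where the "lousy" implementations the slide warns about usually go wrong.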

Examples
- SMS remote control program
- Cybration's ICUII
- Mozilla installer software

Detection
Look for code that...
- Sets access controls
- Creates an object without setting access controls
- Writes configuration information into a shared area
- Writes sensitive information into an area readable by low-privileged users
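The four "look for code that..." bullets translate naturally into grep-style review rules. The following added example (not part of the original slides) turns them into a small line scanner: a loose mode literal passed to open/chmod/mkdir, umask(0), a NULL security-attributes argument to CreateFile or to a kernel object creator, and paths under world-shared directories. The rules and the seven sample source lines are constructed for the demonstration and are heuristics to seed a code review, not a replacement for it.

```python
import re

# Heuristic rules, one per review bullet. Constructed for this example;
# tune the patterns to the code base under review.
RULES = [
    ("mode literal grants access to others",
     re.compile(r"(?:open|chmod|mkdir|mkfifo)\w*\s*\([^)]*\b0o?[0-7]{2}[1-7]\b")),
    ("umask(0) disables default protection",
     re.compile(r"\bumask\s*\(\s*0o?0*\s*\)")),
    ("CreateFile with NULL security attributes (4th argument)",
     re.compile(r"\bCreateFile[AW]?\s*\((?:[^,]*,){3}\s*NULL\b")),
    ("kernel object created with NULL security attributes (1st argument)",
     re.compile(r"\bCreate(?:Mutex|Event|Semaphore)(?:Ex)?[AW]?\s*\(\s*NULL\b")),
    ("path under a world-shared directory",
     re.compile(r"(?:/tmp/|/var/tmp/|ProgramData|Users\\\\Public)", re.IGNORECASE)),
]


def scan(source: str, rules=RULES) -> list:
    """Return (line_number, rule_label, line_text) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in rules:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


# Constructed sample: six risky lines and one that does it right.
SAMPLE_SOURCE = "\n".join([
    'fd = os.open("/etc/app/secret.key", os.O_CREAT | os.O_WRONLY, 0o666)',
    'os.chmod(cache_path, 0o777)',
    'os.umask(0)',
    r'HANDLE h = CreateFileA("C:\\ProgramData\\app\\tokens.db", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);',
    r'HANDLE m = CreateMutexA(NULL, FALSE, "Global\\AppLock");',
    'log_path = "/tmp/app-debug.log"',
    'fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o600)',
])


if __name__ == "__main__":
    for lineno, label, text in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {label}\n    {text}")
```

Line 4 of the sample trips two rules at once (a NULL DACL and a location every local user can reach), which is exactly the combination behind the "writes sensitive information into an area readable by low-privileged users" bullet; the final line, with an explicit 0600 mode and O_EXCL, produces no finding.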

Detection in code review

Mitigation
- Don't be lousy in protection!
- Take it step by step
- Encrypt! Encrypt! Encrypt!

Conclusion
- ACLs and permissions
- Encrypt!
- Integrate your defense!
- Apply
- Analyze
- Test and retest for weaknesses

Works Cited
"Common Weakness Enumeration." CWE - CWE-217: DEPRECATED: Failure to Protect Stored Data from Modification (2.9). N.p., n.d. Web. 26 July 2016.
Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, 2010. Print.
"Common Vulnerabilities and Exposures." CVE - CVE-2000-0100. N.p., n.d. Web. 26 July 2016.
"Common Vulnerabilities and Exposures." CVE - CVE-2005-1411. N.p., n.d. Web. 26 July 2016.
"Common Vulnerabilities and Exposures." CVE - CVE-2004-0907. N.p., n.d. Web. 26 July 2016.