Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.

Slides:



Advertisements
Similar presentations
Engineering Secure Software. Uses of Risk Thus Far  Start with the functionality Use cases  abuse/misuse cases p(exploit), p(vulnerability)  Start.
Advertisements

Is There a Security Problem in Computing? Network Security / G. Steffen1.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
CSCE 522 Building Secure Software. CSCE Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.
Bruce Schneier Lanette Dowell November 25, Introduction  “It is insufficient to protect ourselves with laws; we need to protect ourselves with.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Web server security Dr Jim Briggs WEBP security1.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Engineering Secure Software. Why do we study risk?  Many outcomes are possible, not all are probable  Enumeration  Prioritization  Discussion.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
SEC835 Database and Web application security Information Security Architecture.
CSCE 548 Secure Software Development Risk-Based Security Testing.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
Defining Computer Security cybertechnology security can be thought of in terms of various counter measures: (i) unauthorized access to systems (ii) alteration.
Presented by: Dr. Munam Ali Shah
Computer & Network Security
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin Business Plug-In B6 Information Security.
1.2 Security. Computer security is a branch of technology known as information security, it is applied to computers and networks. It is used to protect.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
Watching Software Run Brian ChessNov 18, Success is foreseeing failure. – Henry Petroski.
Managing Information System Security: Principles GP Dhillon Associate Professor Virginia Commonwealth University.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
1 Class 15 System Security. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized data access,
CSCE 522 Secure Software Development Best Practices.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Information Security What is Information Security?
1 ITGD 2202 Supervision:- Assistant Professor Dr. Sana’a Wafa Al-Sayegh Dr. Sana’a Wafa Al-SayeghStudent: Anwaar Ahmed Abu-AlQumboz.
CSCE 548 Building Secure Software. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,
Topic 5: Basic Security.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Definition s a set of actions taken to prevent or minimize adverse consequences to assets an entity of importance a weakness in the security system to.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
Visual 1. 1 Lesson 1 Overview and and Risk Management Terminology.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
Computer Security By Duncan Hall.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Virus Assignment JESS D. How viruses affect people and businesses  What is a virus? A computer virus is a code or a program that is loaded onto your.
Matt Broman Kodiac Gamble Devin Nichol SECTION 4.2 INFORMATION SECURITY.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
Engineering Secure Software. Does Security Even Matter?  Find two other people near you Introduce yourself What is your favorite software development.
Exploitation Development and Implementation PRESENTER: BRADLEY GREEN.
Definition s a set of actions taken to prevent or minimize adverse consequences to assets an entity of importance a weakness in the security system to.
Computer Security Keeping you and your computer safe in the digital world.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
CSCE 548 Secure Software Development Risk-Based Security Testing
Engineering Secure Software
Systems Security Keywords Protecting Systems
Choosing Technologies
Network security threats
Operating system Security
I have many checklists: how do I get started with cyber security?
Engineering Secure Software
Engineering Secure Software
Engineering Secure Software
Engineering Secure Software
Engineering Secure Software
White Box testing & Inspections
Engineering Secure Software
Presentation transcript:

Engineering Secure Software

Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software development technology? (language, tool, library, etc.) Have you ever written software where security mattered? ○ Did you do anything about it then?

Discussion  Increased airport security measures Think: TSA agents, full-body scanners, taking off your shoes, etc. Are we safer because of these measures? If so, is it worthwhile?  Are we safer after the death of Osama bin Laden? © Andrew Meneely

Discussion Takeaways  Security is not black-and-white  Security “Theater” Feeling safer vs. Being safer People act on their perception of reality, not necessarily on reality  Protection can be costly E.g. personal liberty and privacy  Eliminating a Threat vs. Protection  Vulnerability vs. Exploit vs. Threat

More Discussion  In SE we teach you how to build software …but not as much breaking software  How do you know that you have built a system that cannot be broken into? What evidence do you look for? How do you know you’re done?

Vulnerability  Informally, a bug with security consequences  A design flaw or poor coding that may allow an attacker to exploit software for a malicious purpose Non-software equivalent to “lack of shoe-examining at the airport” E.g. allowing easily-guessed passwords (poor coding) E.g. complete lack of passwords when needed (design flaw) McGraw: 50% are coding mistakes, 50% are design flaws  Alternative definition: “an instance of a fault that violates an [implicit or explicit] security policy”

Exploit and Threat  Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in an effort to cause unintended or unanticipated behavior i.e. maliciously using a vulnerability Can manual or automated Viruses are merely automated exploits Many different ways to exploit just one vulnerability  Threat – two usages of the word (a) An actor or agent that is a source of danger, capable of violating confidentiality, availability, or integrity of information assets and security policy ○ e.g. black-hat hackers (b) A class of exploits ○ e.g. spoofing

[Exploit|Threat|Vulnerability] Protection  Protect against exploits? Anti-virus, intrusion detection, firewalls, etc.  Protect against threats? Use forensics to find & eliminate Mitigate by punishment, if possible  Protect against vulnerabilities? Engineer secure software!

Software Security is…  NOT an arcane black art  Much of it seems arcane Finding a severe vulnerability w/o source code Crafting the exploit Endless clever ways to break software  But, you have much more knowledge than the attackers do  Don’t just leave it to the experts, take responsibility for knowing security

Software Security is…  NOT a myth but a reality  PlayStation Network, Windows, Browsers… just read the news

Software Security is…  NOT a dire apocalyptic future  Fear-mongering will not be tolerated here  Risk management dictates that we deal in the probable more than the possible

Software Security is…  NOT a set of features  Secure software > Security software  Although tools and experts are helpful, You can’t just deploy a magical tool and expect all vulnerabilities to disappear You can’t outsource all of your security knowledge  Even if you are using a security library, know how to use it properly

Software Security is…  NOT a problem for just mathematicians  Cryptography Is important and needed Cannot solve all of your security problems Pick-proof lock vs. open window  Proofs, access control rules, and verification are helpful, but inherently incomplete

Software Security is…  NOT a problem for just networking and operating systems  Software had security problems long before we had the internet  If you left a window open in your house, would you try to fix the roads?

Software Security is…  A reality that everyone must face Not just developers, all stakeholders  A learnable mindset for software engineers  The ability to prevent unintended functionality At all layers of the stack In all parts of your system

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.