Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.

Slides:



Advertisements
Similar presentations
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Advertisements

Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
VM: Chapter 5 Guiding Principles for Software Security.
Secure Design Principles  secure the weakest link  reduce the attack surface  practice defense in depth  minimize privilege  compartmentalize  fail.
Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
1 An Overview of Computer Security computer security.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Stephen S. Yau CSE , Fall Security Strategies.
Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
SEC835 Database and Web application security Information Security Architecture.
Thomas Levy. Agenda 1.Aims: CIAN 2.Common Business Attacks 3.Information Security & Risk Management 4.Access Control 5.Cryptography 6.Physical Security.
Information Systems Security Computer System Life Cycle Security.
Cryptography and Network Security
CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.
 Protect customers with more secure software  Reduce the number of vulnerabilities  Reduce the severity of vulnerabilities  Address compliance requirements.
Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
12 Steps to Cloud Security A guide to securing your Cloud Deployment Vishnu Vettrivel Principal Engineering Lead,
What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent.
. 1. Computer Security Concepts 2. The OSI Security Architecture 3. Security Attacks 4. Security Services 5. Security Mechanisms 6. A Model for Network.
Information Security What is Information Security?
SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Security Development Life Cycle Baking Security into Development September 2010.
Scott Charney Cybercrime and Risk Management PwC.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Quality of Information System (IS) reflecting local correctness and reliability of the operating system; the logical completeness of the hardware and software.
Csci5233 computer security & integrity 1 An Overview of Computer Security.
Security Vulnerabilities in A Virtual Environment
Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?
Ingredients of Security
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Security and Web Programming/Design. cell phones bio-facilities Sodas, junk food, and coffee Welcome to the No Smoking State.
Slide 1 Security Engineering. Slide 2 Objectives l To introduce issues that must be considered in the specification and design of secure software l To.
Computer Security By Duncan Hall.
Engineering Secure Software. Does Security Even Matter?  Find two other people near you Introduce yourself What is your favorite software development.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 10 Network Security Management.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
Software Security Q: What does it mean to say that a program is secure? A: There is a sufficient amount of trust that the program maintains _____________,
Security Architecture and Design Chapter 4 Part 4 Pages 377 to 416.
CS457 Introduction to Information Security Systems
SE-1021 Software Engineering II
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Design for Security Pepper.
Chapter 1: Introduction
Software Security Testing
Controlling Computer-Based Information Systems, Part II
Security Engineering.
Understanding Security Layers
development lifecycle & Principles
Engineering Secure Software
6. Application Software Security
Presentation transcript:

Engineering Secure Software

A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow for privacy violations e.g. secretary can view everyone’s patient records  Introducing a design flaw, e.g. giving plug-ins total access  Introducing a code-level vulnerability, e.g. buffer overflow  Missing a vulnerability in code inspections & testing  Introducing a vulnerability by regression in maintenance  Not facilitating a secure deployment, e.g. installation defaults © Andrew Meneely

Security at Every Step Requirements & Planning Abuse cases Risk Assessment Threat Modeling Design Architectural risk Secure design patterns Formalism Implementation Vulnerability Taxonomy Input/Output Handling Auditability Testing Penetration Testing Exploratory Testing Automated Testing Deployment Networking & Cryptography DefaultsPermissions Maintenance PatchingRegressionAssessment

Core Security Properties  Software security breaks into these categories Confidentiality Integrity Availability  Very broad, multi-dimensional categories  Some people add in “auditability”, but we consider that part of “integrity”

Confidentiality  The system must not disclose any information intended to be hidden E.g. your credit card information on a website  Note: open source software can still be confidential

Integrity  The system must not allow assets to be subverted by unauthorized users E.g. changing a prisoner’s release date  We must be able trust what is in the system The data being stored The functionality being executed

Availability  The system must be able to be available and operational to users E.g. bringing down Amazon.com  These are extremely hard to protect against Any system performance degradation that can be triggered by a user can be used for denial of service attacks Concurrency issues, infinite loop, or resource exhaustion

Misc. Philosophies & Proverbs  Defense in depth If they break into this, they can’t get any farther Think Middle-Age castles Original meaning of “firewall”, not today’s firewall  Least privilege Every user or module is given the least amount of privilege it needs Evil: sudo chmod –R a+rw /

More Misc. Philosophies & Proverbs  Fail securely Exceptions put the system into weird states Error message information leak Take care of those exceptions properly!  Security by obscurity You can’t rely upon being obscure to be secure ○ Crowds are good at guessing ○ Insiders are corruptible Some notable exceptions: passwords, encryption keys

Even More Misc. Philosophies & Proverbs  Detect and record Even if you can’t always sift through that data ahead of time Post-mortem analysis  Don’t trust [input | environment | dependencies | *] Know what to trust Know how to trust

Even Even More Misc. Philosophies & Proverbs  Secure by default Don’t rely on your users to use it correctly Convention over configuration  Keep it simple YAGNI Speculative generality can be risky Minimize the attack surface

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.