Security - Why Bother? Your projects in this class are not likely to be used for some critical infrastructure or real-world sensitive data. Why should.

Slides:



Advertisements
Similar presentations
Verification and Validation
Advertisements

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Tutorial 8: Developing an Excel Application
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Software Engineering Lecture 11 Software Testing.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Is There a Security Problem in Computing? Network Security / G. Steffen1.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Nov 10, Fall 2006IAT 8001 Debugging. Nov 10, Fall 2006IAT 8002 How do I know my program is broken?  Compiler Errors –easy to fix!  Runtime Exceptions.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Introducing Computer and Network Security
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
Lecture 11 Reliability and Security in IT infrastructure.
1CMSC 345, Version 4/04 Verification and Validation Reference: Software Engineering, Ian Sommerville, 6th edition, Chapter 19.
Chapter 24 - Quality Management Lecture 1 1Chapter 24 Quality management.
TEST CASE DESIGN Prepared by: Fatih Kızkun. OUTLINE Introduction –Importance of Test –Essential Test Case Development A Variety of Test Methods –Risk.
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
CSCI 5801: Software Engineering
Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Verification and Validation.
CS 501: Software Engineering Fall 1999 Lecture 16 Verification and Validation.
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.
Jun 16, 2014IAT 2651 Debugging. Dialectical Materialism  Dialectical materialism is a strand of Marxism, synthesizing Hegel's dialectics, which proposes.
1 Debugging and Testing Overview Defensive Programming The goal is to prevent failures Debugging The goal is to find cause of failures and fix it Testing.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 22 Slide 1 Verification and Validation Slightly adapted by Anders Børjesson.
ICAPRG301A Week 4Buggy Programming ICAPRG301A Apply introductory programming techniques Program Bugs US Navy Admiral Grace Hopper is often credited with.
General Programming Introduction to Computing Science and Programming I.
1 Lecture 19 Configuration Management Software Engineering.
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
Security Mark A. Magumba. Definitions Security implies the minimization of threats and vulnerabilities A security threat is a harmful event or object.
07 Coding Conventions. 2 Demonstrate Developing Local Variables Describe Separating Public and Private Members during Declaration Explore Using System.exit.
DEBUGGING. BUG A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected.
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent.
Information Security What is Information Security?
Software Testing and Maintenance 1 Code Review  Introduction  How to Conduct Code Review  Practical Tips  Tool Support  Summary.
CHAPTER 9: VERIFICATION AND VALIDATION 1. Objectives  To introduce software verification and validation and to discuss the distinction between them 
Software Development Problem Analysis and Specification Design Implementation (Coding) Testing, Execution and Debugging Maintenance.
Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.
ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
How to execute Program structure Variables name, keywords, binding, scope, lifetime Data types – type system – primitives, strings, arrays, hashes – pointers/references.
CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.
Computer Security By Duncan Hall.
Karlstad University Computer Science Design Contracts and Error Management External and internal errors and their contracts.
Refactoring Agile Development Project. Lecture roadmap Refactoring Some issues to address when coding.
Programming & Debugging. Key Programming Issues Modularity Modifiability Ease of Use Fail-safe programming Style Debugging.
Computer threats, Attacks and Assets upasana pandit T.E comp.
©Ian Sommerville 2000Dependability Slide 1 Chapter 16 Dependability.
Exceptions Lecture 11 COMP 401, Fall /25/2014.
References & User group Reference: Software Testing and Analysis Mauro Pezze Software Engineering Ian Sommerville Eight Edition (2007) User group:
By the end of this lesson you will be able to: 1. Determine the preventive support measures that are in place at your school.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Welcome to the ICT Department Unit 3_5 Security Policies.
SE-1021 Software Engineering II
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Verification and Validation
Answer the questions to reveal the blocks and guess the picture.
Verification and Validation
Verification and Validation
Verification and Validation Unit Testing
Topic 5: Communication and the Internet
Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.
Presentation transcript:

Security - Why Bother? Your projects in this class are not likely to be used for some critical infrastructure or real-world sensitive data. Why should you be concerned about security?

Security - Why Bother? Most secure coding practices stem from the following principle: –For an attacker to develop an exploit against your project, some bug in your code must form the basis for that attack. –Bugs => exploits –Bugs => programmer headaches –No bugs => fewer exploits and fewer headaches

Security - Why Bother? The headaches associated with debugging grow along with the project size and complexity. –Very small errors can become buried in a large project, and can be difficult to find later. –Secure programming practices make bugs easier to find and less likely to occur.

Security – Why Bother? People just like you write software that is used in the real world and it gets hacked all the time. Don’t be that guy!

Common Security Terms Exposure –Possible loss or harm in a computing system Vulnerability –A weakness in a computer-based system that may be exploited to cause loss or harm Attack –An exploitation of a system vulnerability Threats –Circumstances that have potential to cause loss or harm Control –A protective measure that reduces a system vulnerability

Types of damage from External Attack Denial of Service –Normal usage of the system by authorized users has been denied Corruption of programs or data –Program or data contents can be modified, producing undesirable results Disclosure of confidential information –Including things like passwords or SSN

To Ensure Security of a System 1.Vulnerability Avoidance –i.e. don’t connect a computer to the network if it doesn’t need to communicate with others 2.Attack Detection & Neutralization –i.e. using a virus checker to protect the computer from further exploitation 3.Exposure Limitation –i.e. regular back ups and constant security patch application protect a system from long term exposure

Dependable Software Fault Avoidance –Design and implement the system in such a way as to minimize human error Fault Tolerance –Design and implement the system such that even if faults do occur, they do not negatively impact the system

Documentation Comments are important for security –People who run your code should know what to expect Document preconditions, postconditions, error handling, semantics of usage. –People who examine and debug your code should know exactly how it works Document your actual code so that others can follow it.

Documentation Readability is key, both for comments and code. –Whitespace –Indentation Always keep in mind the idea that someone else might have to maintain your code after you. Think golden rule!

Checking Input and Bounds Many errors stem from not validating user input, or not checking array bounds –These problems lead to classic exploit types, such as the stack smashing attacks –Some languages, like Java, will perform some bounds-checking automatically, but it is still a good idea to handle it yourself. Write your own checks Handle exceptions generated by the language

Checking Input and Bounds DTA (Don’t Trust Anyone) –Users are not the only source of bad input Open-source programs Project components written by other group members Project components written by you –If your code validates input and results from all external sources, errors will be less prevalent Also, the source of an error will be much easier to track down. –Don’t go overboard with validation.

Network Aware Code Cautions Always be suspect of software designed to communicate over a network –More opportunities for outsiders to abuse your program –An error/bug in your code could negatively affect the network resources and other host computers

Pointers and Access Control Access control is a great feature of Object- Oriented Programming –Can lock down private data members Security support from language Excellent from a debugging standpoint –Pointers can violate this scheme What happens if a client program gets a pointer to some private data of a class instance? –Security problem –Debugging nightmare

Pointers and Access Control Be careful with pointers –This is usually easy in C/C++ Pointers have special characters like *, &, and -> associated with them (most of the time) –Not necessarily so easy in Java In Java, there are no pointers. Non-primitive variables are really pointers, but there is no obvious distinction in your code.

Secure Programming Practices In short - try to expect all possible exceptional cases your code could encounter. –Handle them appropriately –Printing debugging information can be useful, but in your final revision, too much information can help adversaries work against you –Granting root-level access is not an appropriate exception handling policy.

Good Testing Reduces Dangers Requirements inspection & management –Continually review your requirements to make sure that you are developing your code to spec Code inspections –Have your peers review your code looking for common problems and ask why you designed certain things in certain ways Static analysis –Run a tool like lint or ITS4 against your code to search for common programming errors –See for more information and other toolshttp:// Good Test planning & management –Ensures that you cover all the bases and ensures that system requirements match up well with the final product

Static Analysis Software tool which scans the source text of a program and detects possible faults or anomalies Frequently used during code inspections Can be integrated into your development environment –ITS4 can be melded with emacs –/GS is the new part of MS Visual C++

Static Analysis Checks For… Control flow analysis –Highlights loops with multiple entry & exit points and unreachable code Data use analysis –Checks variable usage for things like Variables that are declared but never used Variables that are written twice without an intervening assignment

Static Analysis Checks For… Interface Analysis –Performs additional type checking to ensure proper use Information Flow Analysis –Identifies dependencies between input and output variables Path Analysis –Unravels your program to show all the possible paths

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.