Chapter 1 The Software Security Problem. Goals of this course Become aware of common pitfalls. Static Analysis and tools.

Chapter 1 The Software Security Problem

Goals of this course: Become aware of common pitfalls. Static Analysis and tools.

Some common approaches to security: Defensive Programming; Security Features (vs secure features); Improving Software Quality (none of these approaches work!)

So, what works?

Usual Software building cycle: Requirements and Specifications, Design, Code, Test and debug, Integration test, Deliver

Best way to detect vulnerable code: through a Static Analysis Tool. However, hand/hard work is still necessary!

Vulnerability Classification
Generic vs context-specific defects
Visible in the code vs visible only in the design
Seven pernicious kingdoms:
- Input validation and representation
- API abuse
- Security Features
- Time and State
- Error Handling
- Code Quality
- Encapsulation
- Environment

2009 CWE/SANS Top 25
Insecure Component Interaction
- Failure to preserve page structure (Cross-site scripting)
- Improper sanitization of SQL commands (SQL injection)
- Cross-site request forgery
- Unrestricted upload of file with dangerous type
- Improper sanitization of OS command elements (OS command injection)
- Error Message Information leak
- URL redirect to untrusted site (open redirect)
- Race Condition
Risky Resource Management
- Buffer overflow
- Improper limitation of a pathname in a restricted directory
- Buffer access with incorrect length value
- Improper check for unusual or exceptional conditions
- Improper control of filename for include/require PHP statement
- Improper validation of array index
- Integer overflow/wraparound
- Incorrect buffer size calculation
- Code download without integrity check
- Unlimited resource allocation

2009 CWE/SANS Top 25 (cont)
Porous Defenses
- Improper Access control
- Reliance on untrusted inputs in a security decision
- Broken or risky cryptography
- Hard-coded credentials/passwords
- Missing authentication for critical function
- Incorrect Permission Assignment for critical Resource
- Use of broken or risky cryptography
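Three of the Risky Resource Management entries on the Top 25 slide (integer overflow/wraparound, incorrect buffer size calculation, buffer access with incorrect length value) share one root cause: a size is computed or trusted without checking it against what the buffer can hold. The C below is an added example, not code from the slides or from the book they summarize; the function names and the test inputs are constructed for the demonstration. Each weak pattern sits next to a checked version that refuses rather than writes out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the slides: three "Risky Resource Management"
 * entries from the Top 25, each shown as the weak pattern the category
 * names next to a checked version. All values are constructed. */

/* WEAK: "Integer overflow/wraparound" feeding "Incorrect buffer size
 * calculation". size_t arithmetic silently wraps, so a huge count can
 * yield a tiny (or zero) byte count and an undersized allocation. */
size_t naive_array_bytes(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* CHECKED: refuse the multiplication before it can wrap.
 * Returns 1 and stores the byte count in *out, or 0 if it would overflow. */
int checked_array_bytes(size_t count, size_t elem_size, size_t *out) {
    if (count == 0 || elem_size == 0) {
        *out = 0;
        return 1;
    }
    if (count > SIZE_MAX / elem_size) {
        return 0; /* count * elem_size does not fit in size_t */
    }
    *out = count * elem_size;
    return 1;
}

/* CHECKED allocation built on the guarded size: NULL instead of an
 * undersized buffer. */
void *checked_alloc_array(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_array_bytes(count, elem_size, &bytes) || bytes == 0) {
        return NULL;
    }
    return malloc(bytes);
}

/* WEAK: "Buffer access with incorrect length value". The length handed to
 * memcpy comes from the source, not from the destination's capacity. */
void naive_copy(char *dst, const char *src, size_t src_len) {
    memcpy(dst, src, src_len);
}

/* CHECKED: the destination size governs the copy. Returns the number of
 * bytes copied, or -1 when src (plus its NUL) does not fit. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        return -1; /* refuse instead of writing past dst */
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Worked case for the wraparound check: (SIZE_MAX/2 + 1) * 4 equals
 * 2^(bits+1), which wraps to 0 in size_t on any width. Returns 1 when the
 * naive computation wrapped and the checked one refused. */
int demo_wraparound_caught(void) {
    size_t count = SIZE_MAX / 2 + 1;  /* constructed hostile element count */
    size_t bytes = 42;
    size_t wrapped = naive_array_bytes(count, 4);
    int ok = checked_array_bytes(count, 4, &bytes);
    return wrapped == 0 && ok == 0;
}

/* Worked case for the bounded copy against a 16-byte destination.
 * Returns bounded_copy's result for the given constructed source. */
int demo_bounded_copy(const char *src) {
    char dst[16];
    return bounded_copy(dst, sizeof dst, src);
}

int main(void) {
    printf("wraparound caught: %d\n", demo_wraparound_caught());
    printf("copy short string: %d\n", demo_bounded_copy("user=alice"));
    printf("copy long string: %d\n", demo_bounded_copy("user=alice;role=admin;x=1"));
    void *p = checked_alloc_array(SIZE_MAX / 2 + 1, 4);
    printf("oversized allocation refused: %s\n", p == NULL ? "yes" : "no");
    free(p);
    return 0;
}
```

The point a static analysis tool would flag in the weak versions is not the arithmetic or the memcpy itself but the missing relationship between the length used and the buffer it is applied to; the checked versions make that relationship explicit so the check is visible in the code rather than only in the design.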