CSC 593: Secure Software Engineering Seminar

Slides:



Advertisements
Similar presentations
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Advertisements

Risk Analysis James Walden Northern Kentucky University.
Risk Analysis James Walden Northern Kentucky University.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Threat Modeling for Hostile Client Systems Avni Rambhia.
Introducing Computer and Network Security
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Secure Software Development Chris Herrick 01/29/2007.
SEC835 Database and Web application security Information Security Architecture.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Secure Design Principles CSC 482/582: Computer SecuritySlide #1.
CSCD 303 Essential Computer Security Winter 2014 Lecture 16 Creating Secure Programs.
Architecting secure software systems
Information Systems Security Computer System Life Cycle Security.
Security Security is a measure of the system’s ability to protect data and information from unauthorized access while still providing access to people.
Information Security Rabie A. Ramadan GUC, Cairo Room C Lecture 2.
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.
May 2, 2007St. Cloud State University Software Security.
Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
Risk Analysis James Walden Northern Kentucky University.
Guide to Linux Installation and Administration, 2e1 Chapter 2 Planning Your System.
CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Threat Modeling.
CSCD 303 Essential Computer Security Spring 2013 Lecture 18 Creating Secure Programs.
Security - Why Bother? Your projects in this class are not likely to be used for some critical infrastructure or real-world sensitive data. Why should.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
1 ITGD 2202 Supervision:- Assistant Professor Dr. Sana’a Wafa Al-Sayegh Dr. Sana’a Wafa Al-SayeghStudent: Anwaar Ahmed Abu-AlQumboz.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Module 6: Designing Security for Network Hosts
Ingredients of Information Security. - Who has access the asset? - Is the asset correct? - Is the asset accessible? …uncorrupted? …authentic?
Code Reviews James Walden Northern Kentucky University.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Topic 5: Basic Security.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Practical Threat Modeling for Software Architects & System Developers
CSCE 548 Secure Software Development Security Operations.
Chapter 1: Fundamental of Testing Systems Testing & Evaluation (MNN1063)
1 Lecture 1: Introduction Outline course’s focus intruder’s capabilities motivation for security worms, viruses, etc. legal and patent issues.
Ingredients of Security
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling  OCTAVE Risk/Threat.
Computer threats, Attacks and Assets upasana pandit T.E comp.
CSCE 201 Identification and Authentication Fall 2015.
Module 7: Designing Security for Accounts and Services.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
CS457 Introduction to Information Security Systems
Securing Network Servers
Network Security Presented by: JAISURYA BANERJEA MBA, 2ND Semester.
Threat Modeling - An Overview All Your Data is Mine
Secure Software Confidentiality Integrity Data Security Authentication
Evaluating Existing Systems
Controlling Computer-Based Information Systems, Part II
Evaluating Existing Systems
Security Engineering.
CSCD 303 Essential Computer Security Fall 2017
Operating System Security
Security.
Copyright Gupta Consulting, LLC.
Crisis and Aftermath Morris worm.
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

CSC 593: Secure Software Engineering Seminar James Walden and Charles Frank Secure Development Lifecycle CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Topics Common Approaches. Categories of Security Flaws. Security first and last. The Lifecycle. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Common Approaches Penetrate and Patch Let someone else find flaws, then we’ll fix it. Penetration Testing We’ll test it until we find all the flaws. Secure Coding Follow this checklist, and everything is fine. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Penetrate and Patch Discover flaws after deployment. Often by attackers. Users may not deploy patches. Patches may have security flaws (15%?) Patches are map to vulnerabilities. Attackers reverse engineer to create attacks. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Penetration Testing Allocate time at end of development to test. Often time-boxed: test for n days. Schedule slips often reduce testing time. Problem: fixing flaws is expensive late in lifecycle. Regular testing Demonstrate that features work as desired. Security testing Demonstrate that application has no extra capabilities. How can you prove a negative? CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Secure Coding Secure coding Coding methods training. Checklist-based approach. Problem: relies on flawless developers. Not all problems are implementation based. Requirements may be wrong. Design may not allow for security. CSC 593: Secure Software Engineering Seminar

Categories of Security Flaws Architectural/design-level flaws: security issues that original design did not consider or solve correctly. Implementation flaws: errors made in coding the design. Operational flaws: problems arising from how software is installed or configured. CSC 593: Secure Software Engineering Seminar

Architecture/Design Flaws Race Condition Application checks access control, then accesses a file as two separate steps, permitting an attacker to race program and substitute the accessible file for one that’s not allowed. Replay Attack If an attacker can record a transaction between a client and server at one time, then replay part of the conversation without the application detecting it, a replay attack is possible. Sniffing Since only authorized users could directly access network in original Internet, protocols like telnet send passwords in the clear. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Implementation Flaws Buffer overflow Application with fixed-size buffer accepts unlimited length input, writing data into memory beyond buffer in languages w/o bounds checking like C/C++. Input validation Application doesn’t check that input has valid format, such as not checking for “../” sequences in pathnames, allowing attackers to traverse up the directory tree to access any file. Back door Programmer writes special code to bypass access control system, often for debugging or maintenance purposes. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Operational Flaws Denial of service System does not have enough resources or ability to monitor resources to sustain availability under large number of requests. Default accounts Default username/password pairs allow access to anyone who knows default configuration. Password cracking Poor passwords can be guessed by software using dictionaries and permutation algorithms. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Why security first? Adding security later is wrapping security around existing features, not designing features with security in mind. Adding security later is expensive. Adding security may change how you implement application features. Adding security may change user interface. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar SDLC Artifacts CSC 593: Secure Software Engineering Seminar

Trustworthy Computing SDLC CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar SD3+C Secure by Design protect application and its data. Secure by Default designers should assume that security flaws exist. principles: least privilege and fail-safe defaults Secure in Deployment documentation and tools for users and administrators. easy to install security updates. Communications communicate openly and responsibly with end users and/or administrators to help them take protective action. CSC 593: Secure Software Engineering Seminar

What is Threat Modeling? Assessing security risks of a software system from an adversary’s perspective. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Requirements Management support Security advisor / officer Security Features Authentication, access control, cryptography. Misuse Cases How might application features be abused? Threat Modeling What assets are you protecting? What threats to those assets exist? CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Design Design Principles Least Privilege Compartmentalize Design Patterns Threat Modeling Identify assets. Identify entry points. Design security mechanisms. CSC 593: Secure Software Engineering Seminar

Goals of Threat Modeling Understand threats to guard against during requirements analysis. Provide basis for which security mechanisms to include during design. Verify security of system design. Provide basis for prescribing secure implementation practices. Provide basis for testing system security after implementation. CSC 593: Secure Software Engineering Seminar

Threat Modeling Process Understand adversary’s view of system. Characterize security of system. Evaluate threats. CSC 593: Secure Software Engineering Seminar

Understanding the Adversary’s View Identify System Assets. System resources that an adversary might attempt to access, modify, or steal. Ex: credit cards, network bandwidth, user access. Identify Entry Points. Any location where data or control transfers between the system being modeled and another system. Ex: network sockets, RPCs, web forms, files Determine Trust Levels. Privileges external entities have to legitimately use system resources. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Entry Points Any method for system to accept input Example: http://at204m02/ctrl.psp?pg=login Web server: at204m02 All network protocols that can access host Web server specific attacks ctrl.psp Your controller application pg=login The login subsystem invoked by controller CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Data Flow Diagrams Visual model of how system processes data. Hierarchical Level 0: Models whole system. Level 1: Models subsystems, … 1. System Client Report System Database CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Evaluate Threats Identify Threats For each entry point, determine how an adversary may attempt to affect an asset. Based on asset, predict what adversary would try to do and what his goals would be. Analyze Threats. Decompose threats into individual, testable conditions using techniques like attack trees. Evaluate risk of threat with DREAD categories. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Identify Threats Can an unauthorized network user view confidential information such as addresses or passwords? Can an unauthorized user modify data like payments or purchases in the database? Could someone deny authorized users access to the application? Could an authorized user exploit a feature to raise their privileges to administrator level? CSC 593: Secure Software Engineering Seminar

STRIDE Threat Categorization Spoofing ex: Replaying authentication transaction. Tampering ex: Modifying authentication files to add new user. Repudiation ex: Denying that you purchased items you actually did. Information disclosure ex: Obtaining a list of customer credit card numbers. Denial of service ex: Consuming CPU time via hash algorithm weakness. Elevation of privilege ex: Subverting a privileged program to run your cmds. See also CERT’s OCTAVE assessment technique at www.cert.org/octave CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Analyze Threats Decompose threats into individual, testable conditions using attack trees. Attack Trees Hierarchical decomposition of a threat. Root of tree is adversary’s goal in the attack. Each level below root decomposes the attack into finer approaches. Child nodes are ORed together by default. Special notes may indicate to AND them. CSC 593: Secure Software Engineering Seminar

Attack Trees—Graph Notation Goal: Read file from password-protected PC. Graph represents decision-making process of attacker. Root node represents goal; leaves represent methods of achieving goals. Leaves become more specific lower in tree. Most child nodes represent logical ORs, but some represent ANDs (get encrypted key file AND password used to encrypt it.) Assign values to nodes, representing perceived risk, i.e. how feasible is the attack. CSC 593: Secure Software Engineering Seminar

Attack Trees—Text Notation Goal: Read message sent from one PC to another. 1. Convince sender to reveal message. 1.1 Blackmail. 1.2 Bribe. 2. Read message when entered on sender’s PC. 1.1 Visually monitor PC screen. 1.2 Monitor EM radiation from screen. 3. Read message when stored on receiver’s PC. 1.1 Get physical access to hard drive. 1.2 Infect user with spyware. 4. Read message in transit. 1.1 Sniff network. 1.2 Usurp control of mail server. CSC 593: Secure Software Engineering Seminar

Evaluate Risk with DREAD Damage Potential Extent of damage if vulnerability exploited. Reproducibility How often attempt at exploitation works. Exploitability Amount of effort required to exploit vulnerability. Affected Users. Ration of installed instances of system that would be affected if exploit became widely available. Discoverability Likelihood that vulnerability will be discovered. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Quantifying Threats Calculate risk value for nodes in attack tree Start at bottom of tree. Assign a number 1-10 to each DREAD item. Assign average of numbers to node. Propagate risk values to parent nodes. Sum risk values if child nodes are ANDed together. Use highest risk value of all children if nodes are ORed together. Alternate technique: monetary evaluation Estimate monetary value to carry out attacks. Propagate values to parent nodes as above. Note: smaller values are higher risks in this method. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Implementation Coding standards Acceptable libraries and functions. Checklists. Static analysis tools Identifies common errors. Code reviews More effective than testing in many reports. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Verification Fuzz Testing Automatic testing with random data. Unit Tests Test security features. Penetration Testing Driven by application risks. Threat model identifies most important assets and entry points. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar Maintenance Prepare before release time. Receiving vulnerability reports. Releasing security advisories. Developing, testing, and distributing patches. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar SDLC at Microsoft Management support Bill Gates letter about 2002 security push. Mandatory education For managers and engineers. Annual updates. Metrics Education coverage. Vulnerabilities discovered. Central Security Team Ensures someone is responsible. Keeps process and education updated. CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar SDLC Results CSC 593: Secure Software Engineering Seminar

CSC 593: Secure Software Engineering Seminar References Brad Arkin, “Software Penetration Testing,” IEEE Security & Privacy, 3(1):84-87, 2005. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. Graff, Mark and van Wyk, Kenneth, Secure Coding: Principles & Practices, O’Reilly, 2003. Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison-Wesley, 2004. Howard, Michael and LeBlanc, David, Writing Secure Code, 2nd edition, Micorosft Press, 2003. Steve Lipner and Michael Howard, “The Trustworthy Computing Secure Development Lifecycle,” http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp, 2005. Frank Swiderski and Window Snyder, Threat Modeling, Microsoft Press, 2004. John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002. CSC 593: Secure Software Engineering Seminar

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.