Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software

Published byManuela Rosa Castanho Modified over 5 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software"— Presentation transcript:

1 Engineering Secure Software
What is secure?

2 Does Security Even Matter?
Find two other people near you Introduce yourself What is your favorite software development technology? (language, tool, library, etc.) Have you ever written software where security mattered? Did you do anything about it then?

3 Discussion Increased airport security measures
Think: TSA agents, full-body scanners, taking off your shoes, etc. Are we safer because of these measures? If so, is it worthwhile? © Andrew Meneely

4 Discussion Takeaways Security is not black-and-white
Security “Theater” Feeling safer vs. Being safer People act on their perception of reality, not necessarily on reality Protection can be costly E.g. personal liberty and privacy Eliminating a Threat vs. Protection Vulnerability vs. Exploit vs. Threat

5 An Engineer’s Concern In SE we teach you how to build software
…but not as much breaking software How do you know that you have built a system that cannot be broken into? What evidence do you look for? How do you know you’re done?

6 Vulnerability Informally, a bug with security consequences
A design flaw or poor coding that may allow an attacker to exploit software for a malicious purpose Non-software equivalent to “lack of shoe-examining at the airport” E.g. allowing easily-guessed passwords (poor coding) E.g. complete lack of passwords when needed (design flaw) McGraw: 50% are coding mistakes, 50% are design flaws Alternative definition: “an instance of a fault that violates an [implicit or explicit] security policy”

7 Exploit and Threat Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in an effort to cause unintended or unanticipated behavior i.e. maliciously using a vulnerability Can manual or automated Viruses are merely automated exploits Many different ways to exploit just one vulnerability Threat – two usages of the word (a) An actor or agent that is a source of danger, capable of violating confidentiality, availability, or integrity of information assets and security policy e.g. black-hat hackers (b) A class of exploits e.g. spoofing

8 [Exploit|Threat|Vulnerability] Protection
Protect against exploits? Anti-virus, intrusion detection, firewalls, etc. Protect against threats? Use forensics to find & eliminate Mitigate by punishment, if possible Protect against vulnerabilities? Engineer secure software!

9 Software Security is… NOT a myth but a reality
Insecure software causes immeasurable harm Sony, NSA, Android, Browsers… just read the news

10 The number of vulnerabilities is…
Increasing, decreasing, or stabilizing? Source:

11 Why is there a growing trend?
Connectivity Cloud computing, Internet of Things Extensibility Mobile code, dynamically loadable drivers and devices, plugin architectures, Complexity

12 Code Complexity Source:

13 Code complexity, vulnerabilities, and security incidents
Source: Gary McGraw (After Dan Geer)

14 Software Security is… NOT an arcane black art Much of it seems arcane
Finding a severe vulnerability w/o source code Crafting the exploit Endless clever ways to break software But, you have much more knowledge than the attackers do Don’t just leave it to the experts, take responsibility for knowing security

15 Software Security is… NOT a dire apocalyptic future
Fear-mongering will not be tolerated here Risk management dictates that we deal in the probable more than the possible

16 Software Security is… NOT a set of features
Secure software > Security software Although tools and experts are helpful, You can’t just deploy a magical tool and expect all vulnerabilities to disappear You can’t outsource all of your security knowledge Even if you are using a security library, know how to use it properly

17 Software Security is… NOT a problem for just mathematicians
Cryptography Is important and needed Cannot solve all of your security problems Pick-proof lock vs. open window Proofs, access control rules, and verification are helpful, but inherently incomplete

18 Software Security is… NOT a problem for just networking and operating systems Software had security problems long before we had the internet If you left a window open in your house, would you try to fix the roads?

19 Software Security is… A reality that everyone must face
Not just developers, all stakeholders A learnable mindset for software engineers The ability to prevent unintended functionality At all layers of the stack In all parts of your system

20 Student Security Maturity
Denial I don’t have to think about this. Let me just code. Leave it to the experts. I could never understand this anyway. Irrational fear, superstition EVERYTHING IS POSSIBLE NOW!!! EVERY MITIGATION IS NECESSARY!!! ENCRYPT EVERYTHING!!! Bag of Tricks Let’s just try these tricks that worked in the past We’ve done these 10 things. That’s a lot. Close enough, right? Reasoned, Balanced, Defensive Mindset If we do X, we mitigate Y, which is worthwhile because of Z.

Download ppt "Engineering Secure Software"

Similar presentations

Security Presented by: Mark Davis & Shahein Moussavi.

Security Presented by: Mark Davis & Shahein Moussavi.
Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.

Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.

1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.

A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.
Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.

Some general principles in computer security Tomasz Bilski Chair of Control, Robotics and Computer Science Poznań University.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.

Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) =.00625 * 5,349.44 = $33.434 What happens to the.004?.004+.004+.004=.012.004.

Security. If I get 7.5% interest on $5,349.44, how much do I get in a month? (.075/12) = * 5, = $ What happens to the.004? =
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.

Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
1.2 Security. Computer security is a branch of technology known as information security, it is applied to computers and networks. It is used to protect.

1.2 Security. Computer security is a branch of technology known as information security, it is applied to computers and networks. It is used to protect.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.

Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
CSCE 522 Secure Software Development Best Practices.

CSCE 522 Secure Software Development Best Practices.
Information Security What is Information Security?

Information Security What is Information Security?
CSCE 548 Building Secure Software. CSCE 727 - Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,

CSCE 548 Building Secure Software. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Definition s a set of actions taken to prevent or minimize adverse consequences to assets an entity of importance a weakness in the security system to.

Definition s a set of actions taken to prevent or minimize adverse consequences to assets an entity of importance a weakness in the security system to.

Similar presentations

Ads by Google