Presentation is loading. Please wait.

Presentation is loading. Please wait.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

Published byAusten Burns Modified over 8 years ago

Similar presentations

Presentation on theme: "What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting."— Presentation transcript:

1 What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting from interactions with other systems   production deadlines   cost limitations _________   lack of basic security awareness   not aware of threats inherent to underlying technologies   unfamiliar with best mitigation practices

2 Software Assurance Responsibilities of the software engineer   minimize functional flaws   minimize development time and cost   maximize performance   maximize maintainability   maximize usability   maximize testability, portability, reusability   minimize security vulnerabilities

3 Software Engineering Where are the security breaches? Note that functional requirements define what the software is suppose to do.

4 How to be responsible (as a software engineer) Know your language! Know your environment! Follow sound software engineering habitually Follow sound security engineering habitually Test, test, test!   test for correctness (what it’s ___________)   test for security (what it’s ________________) Keep current with relevant attack methods

5 Software Engineering Crash Course What do we know about software engineering? There are many well defined lifecycle models. All lifecycle models have activities and processes in common. In general all of these models largely ignore security. What has been done to “build security in”? SSE-CMM Microsoft Trustworthy Computing Incremental Approach

6 SSE-CMM (ISO/IEC 21827 2008 std) Systems Security Engineering Capability Maturity Model SSE-CMM (ISO/IEC 21827 2008 std) Systems Security Engineering Capability Maturity Model buildsecurityin.us-cert.gov/bsi/articles/knowledge/sdlc/326-BSI.html Project and Organization ProcessSecurity Engineering Process  ensure quality  manage configuration  manage project risk  monitor & control technical effort  plan technical effort  define systems engineering process  manage product line evolution  manage support environment  provide ongoing knowledge  coordinate with suppliers Engineering Process  specify security needs  provide security input  monitor security posture  administer security control  coordinate security Assurance Process  verify and validate security  build assurance arguments Risk Process  assess threat  assess vulnerability  assess impact  assess risk

7 Microsoft Lifecycle Design PhaseDevelopment Phase Test Phase Maintenance Phase design complete test plans complete code complete ship ongoing activity security develop security tests security  raise awareness  find & fix vulnerabilities  eliminate bad habits security

8 Use a separate security team perform _____________ establish secure coding ________ ask security-related ________ Additional Thoughts (about the process) …and make them responsible. Secure Analysis observe secure design _________ Secure Design awareness of known attacks Secure Implementation no _____________ Secure Testing _____________tests reviews for secure design and coding principles track security bugs

Download ppt "What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting."

Similar presentations

Homework 3 Solution Lecture Packet 16 © John W. Brackett.

Homework 3 Solution Lecture Packet 16 © John W. Brackett.
ITIL: Service Transition

ITIL: Service Transition
Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.

Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
The Systems Security Engineering Capability Maturity Model (ISO 21827)

The Systems Security Engineering Capability Maturity Model (ISO 21827)
R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.

R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.
1 IS371 WEEK 8 Last and Final Assignment Application Development Alternatives to Application Development Instructor Online Evaluations.

1 IS371 WEEK 8 Last and Final Assignment Application Development Alternatives to Application Development Instructor Online Evaluations.
Software Engineering For Beginners. General Information Lecturer, Patricia O’Byrne, office K115A. –

Software Engineering For Beginners. General Information Lecturer, Patricia O’Byrne, office K115A. –
1 SOFTWARE QUALITY ASSURANCE Basic Principles. 2 Requirements System Design Detailed Design Implementation Installation & Testing Maintenance SW Quality:

1 SOFTWARE QUALITY ASSURANCE Basic Principles. 2 Requirements System Design Detailed Design Implementation Installation & Testing Maintenance SW Quality:
Software Engineering For Beginners. General Information Lecturer, Patricia O’Byrne. – Times: –See noticeboard outside.

Software Engineering For Beginners. General Information Lecturer, Patricia O’Byrne. – Times: –See noticeboard outside.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Software Process and Product Metrics

Software Process and Product Metrics
Introduction to Software Testing

Introduction to Software Testing
Instituting Controls in Systems Development Gurpreet Dhillon Virginia Commonwealth University.

Instituting Controls in Systems Development Gurpreet Dhillon Virginia Commonwealth University.
IS 2620: Developing Secure Systems Jan 13, 2009 Secure Software Development Models/Methods Week 2: Lecture 1.

IS 2620: Developing Secure Systems Jan 13, 2009 Secure Software Development Models/Methods Week 2: Lecture 1.
EOSC Generic Application Security Framework

EOSC Generic Application Security Framework
What is Software Engineering? the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software”

What is Software Engineering? the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software”
 The software systems must do what they are supposed to do. “do the right things”  They must perform these specific tasks correctly or satisfactorily.

 The software systems must do what they are supposed to do. “do the right things”  They must perform these specific tasks correctly or satisfactorily.

Similar presentations

Ads by Google