A Scientific Approach to Software Security
Dennis Fisher, The Kaspersky Lab Security News Service
May 15, 2012

Presentation transcript:

Slide 2: Software security pre-history

Slide 3 (Software security pre-history): In the beginning, things were OK
- Defenders had the advantage
  - Computers were rare, code was impenetrable
  - Few people understood how to break software
- Computers were isolated
  - Not accessible to outside attackers
  - Physically secured
- Software was written by professionals
  - Purpose-built applications
  - No Web to worry about

Slide 4: [image slide, no text]

Slide 5: [image slide; source: Wikipedia]

Slide 6 (Software security pre-history): Bugs were kind of cute
- Seen as problems to be solved
  - Bugs were studied as oddities, artifacts of the development process
  - Defects rather than vulnerabilities
  - Developers learned actual lessons from mistakes
  - Information was shared
- Mostly unreachable by attackers
  - Exploiting a bug needed local access and intimate knowledge of the software
  - Writing exploits was really hard

Slide 7: And then this happened

Slide 8 (The game changed completely): Microsoft ruled the world
- Windows was ubiquitous
  - A software monoculture that gave attackers an advantage
  - Write once, hit many
- Vulnerabilities abounded
  - Buffer overflows
  - Memory corruption
- Security was an afterthought at best

Slide 9: [image slide, no text]

Slide 10 (Pain begets change): The Trustworthy Computing era
- Focus on security over features
- Development of the Security Development Lifecycle (SDL) process
- Becomes a model for the industry and for financial services companies

Slide 11: Microsoft's SDL [process diagram; source: Microsoft]

Slide 12 (Software security matures): The emergence of BSIMM
- Building Security In Maturity Model: a comprehensive maturity model for software security programs
- Developed through study of dozens of organizations' programs
- Describes 109 discrete activities across four domains

Slide 13: Intel + eleven unnamed firms

Slide 14: A framework for success [diagram; source: BSIMM]

Slide 15: Case study: Adobe

Slide 16 (Starting from zero (day)): Adobe was the new Microsoft
- Huge installed base of vulnerable users
- Old development practices with no rigorous approach to threat modeling or code quality
- Common set of vulnerabilities and weaknesses across applications

Slide 17: Pain begets change
[Figure: Adobe Reader exploits by month in 2008, indexed to the monthly average for 2H08 (July through December 2008)]

Slide 18 (Reader 9 vs. Reader X): The importance of the SDL
- Reader 9 was developed without the current SDL and without security as a priority
- Reader 9 was the target of a high volume of malware
- That experience helped spur a company-wide change in practices and priorities

Slide 19 (Reader 9 vs. Reader X): The importance of the SDL
- Adobe implemented a rigorous software security program beginning in early 2009
- It included training, threat modeling, and lessons learned from Microsoft's SDL experience
- Reader X was developed with the SDL in place, and shipped with a sandbox (Protected Mode) and anti-exploit technologies

Slide 20 (Reader 9 vs. Reader X): Results
- Reader 9 had nine publicly disclosed zero-day vulnerabilities
- Reader X has had NO zero-days to date (as of this talk, May 2012)
- Attackers have largely moved on to other products as their main targets

Slide 21 (Conclusions): Better software through science
- Software security is gradually becoming a priority
- Mature, formalized programs are having a measurable effect on defects and attacks
- In-house development organizations can watch and learn from the successes of these vendors

Slide 22: Questions? dennis@threatpost.com
