Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Vulnerability Assessment Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona

Published byVirginia Waters Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Vulnerability Assessment Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona"— Presentation transcript:

1 1 Vulnerability Assessment Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona Elisa.Heymann@uab.es

2 2 Key Issues for Security ›Need independent assessment ›Need an assessment process that is NOT based solely on known vulnerabilities –Such approaches will not find new types and variations of attacks

3 3 Key Issues for Security ›Automated Analysis Tools have Serious Limitations –While they help find some local errors, they MISS significant vulnerabilities (false negatives) Produce voluminous reports (false positives) ›Programmers must be security-aware –Designing for security and the use of secure practices and standards does not guarantee security

4 4 Addressing these Issues ›First Principles Vulnerability Assessment (FPVA) –A strategy that focuses on critical resources –A strategy that is not based solely on known vulnerabilities –Understand a software system to focus search for security problems –Find vulnerabilities –Make the software more secur e

5 5 First Principles Vulnerability Assessment Step 1: Architectural Analysis Step 2: Resource Identification Step 3: Trust & Privilege Analysis Step 4: Component Evaluation Step 5: Dissemination of Results

6 6 Our Experience Condor, University of Wisconsin Batch queuing workload management system SRB, SDSC Storage Resource Broker - data grid MyProxy, NCSA Credential Management System glExec, Nikhef Identity mapping service CrossBroker, Universitat Autònoma de Barcelona Resource Manager for Parallel and Interactive Applications Gratia Condor Probe, NCSA Feeds Condor Usage into Gratia Accounting System Condor Quill, University of Wisconsin

7 7 Our Experience Wireshark (in progress) Network Protocol Analyzer Condor Privilege Separation, University of Wisconsin (in progress) Restricted Identity Switching Module VOMS Admin, Instituto Nazionale di Fisica Nucleare (in progress) Virtual Organization Management Service

8 8 Vulnerability Assessment@EMI Apply FPVA to relevant EMI Middleware –Determine which pieces of SW to assess (we need input) –Assess the SW –Generate vulnerability reports A vulnerability is considered only when we produce an exploit for it.

9 9 Categories of Vulnerabilities ›Design Flaws –Problems inherent in the design –Hard to automate discovery ›Implementation Bugs –Improper use of the programming language, or of a library API –Localized in the code ›Operational vulnerabilities –Configuration or environment ›Social Engineering –Valid users tricked into attacking Occur about equally

10 10 Vulnerability Report ›One report per vulnerability ›Provide enough information for developers to reproduce and suggest mitigations ›Written so that a few sections can be removed and the abstracted report is still useful to users without revealing too much information to easily create an attack.

Download ppt "1 Vulnerability Assessment Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona"

Similar presentations

Test process essentials Riitta Viitamäki, 14.4.2004

Test process essentials Riitta Viitamäki,
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.

Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
Module 2 Segregation of Duties Case Study Individual Assignment

Module 2 Segregation of Duties Case Study Individual Assignment
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
June 21, 20031 PROOF - Parallel ROOT Facility Maarten Ballintijn, Rene Brun, Fons Rademakers, Gunter Roland Bring the KB to the PB.

June 21, PROOF - Parallel ROOT Facility Maarten Ballintijn, Rene Brun, Fons Rademakers, Gunter Roland Bring the KB to the PB.
1 Security Risks in Clouds and Grids Condor Week May 5, 2011 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin

1 Security Risks in Clouds and Grids Condor Week May 5, 2011 Barton P. Miller James A. Kupsch Computer Sciences Department University of Wisconsin
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Implementation. We we came from… Planning Analysis Design Implementation Identify Problem/Value. Feasibility Analysis. Project Management. Understand.

Implementation. We we came from… Planning Analysis Design Implementation Identify Problem/Value. Feasibility Analysis. Project Management. Understand.
 QUALITY ASSURANCE:  QA is defined as a procedure or set of procedures intended to ensure that a product or service under development (before work is.

 QUALITY ASSURANCE:  QA is defined as a procedure or set of procedures intended to ensure that a product or service under development (before work is.
Instrumentation and Measurement CSci 599 Class Presentation Shreyans Mehta.

Instrumentation and Measurement CSci 599 Class Presentation Shreyans Mehta.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.

1 Update on the Vulnerability Assessment Effort Elisa Heymann Computer Architecture and Operating Systems Department Universitat Autònoma de Barcelona.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

Similar presentations

Ads by Google