CSCE 548 Building Secure Software

CSCE 548 Building Secure Software. CSCE 727 - Farkas. Reading for this lecture: McGraw, Chapter 1. Recommended: CyberInsecurity: The Cost of Monopoly.


Page 1

CSCE 548 Building Secure Software

Page 2

CSCE 727 - Farkas 2

Reading

This lecture:
– McGraw: Chapter 1
– Recommended: CyberInsecurity: The Cost of Monopoly, http://cryptome.org/cyberinsecurity.htm

Next lecture:
– McGraw: Chapter 2

Page 3

Why do we need software security?

Software is essential in almost every aspect of our lives. Current news (recommended):

– Kelly Jackson Higgins, Dark Reading, SQL Injection Hack Infects 1 Million Web Pages, InformationWeek, January 5, 2012, http://www.informationweek.com/news/security/attacks/232301355

– Gregg Keizer, Adobe plugs 6 critical holes in Reader, Computerworld, January 11, 2012, http://www.computerworld.com/s/article/9223344/Adobe_plugs_6_critical_holes_in_Reader

– Gregg Keizer, Microsoft patches critical Windows drive-by bug, Computerworld, January 10, 2012, http://www.computerworld.com/s/article/9223326/Microsoft_patches_critical_Windows_drive_by_bug

Page 4

How to address software security?

Do not address it at all
Ad-hoc evaluation
Add security features after the fact
Identify security vulnerabilities
Test the security level
Incorporate security throughout the SDLC

Page 5

This Course

Not a software engineering course
Understand basic security concepts and their impact
Introduce systematic security design and development alongside project management
Best practices

Page 6

Security Objectives

Confidentiality: prevent/detect/deter improper disclosure of information

Integrity: prevent/detect/deter improper modification of information

Availability: prevent/detect/deter improper denial of access to services

Which of these objectives does software security address?

Page 7

Software Security

NOT security software!
Engineering software so that it continues to function correctly under malicious attack
– Functional requirements
– Non-functional requirements (e.g., security)

Page 8

Why Software?

Increased complexity of software products
Increased connectivity
Increased extensibility

Increased risk of security violations!

Page 9

Security Problems

Defects: implementation and design vulnerabilities

Bug: implementation-level vulnerabilities (low-level or mid-level)
– Found with static analysis tools

Flaw: subtle, design-level problems that are not easy to detect
– Manual analysis
– Automated tools (for some, but not for design-level problems)

Risk: probability x impact
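As an added example that is not part of the slides, the bug/flaw distinction worked in Python: an implementation-level bug (the SQL-injection class of defect behind the news item on slide 3) beside its fix, and a toy static check that flags the bug from source. The checker is a constructed illustration of what a static analysis tool looks for, not a real product; `find_formatted_queries`, `SAMPLE_SOURCE` and the `users` table are assumptions made for this demonstration.

```python
import ast
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn


def lookup_role_buggy(conn, name):
    # BUG (implementation level): untrusted input is pasted into the SQL text,
    # so a quote character inside the name changes the statement's structure.
    rows = conn.execute("SELECT role FROM users WHERE name = '%s'" % name)
    return [r[0] for r in rows]


def lookup_role_fixed(conn, name):
    # FIX: the SQL text is constant and the value travels as a bound parameter,
    # so the database never parses user input as part of the statement.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def buggy_breaks_on_name(conn, name):
    """True if the buggy lookup fails on this name (the bug surfacing)."""
    try:
        lookup_role_buggy(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def find_formatted_queries(source):
    """Toy static check (constructed, not a real tool): report the line of every
    .execute() call whose first argument is built by % formatting, .format(),
    an f-string, or + concatenation instead of being a constant."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args):
            continue
        arg = node.args[0]
        formatted = (
            isinstance(arg, ast.JoinedStr)
            or (isinstance(arg, ast.BinOp)
                and isinstance(arg.op, (ast.Mod, ast.Add)))
            or (isinstance(arg, ast.Call)
                and isinstance(arg.func, ast.Attribute)
                and arg.func.attr == "format"))
        if formatted:
            findings.append(node.lineno)
    return sorted(findings)


# Constructed source under review: q1 and q3 carry the bug, q2 is the fixed form.
SAMPLE_SOURCE = '''
def q1(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = '%s'" % name)
def q2(conn, name):
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,))
def q3(conn, name):
    return conn.execute(f"SELECT role FROM users WHERE name = '{name}'")
'''
# What such a checker cannot see is a FLAW: for instance a design in which
# nothing ever checks that the caller is allowed to read roles at all. That
# needs manual, architecture-level analysis, as the slide says.
```

Running `find_formatted_queries(SAMPLE_SOURCE)` reports lines 3 and 7; the fixed form on line 5 passes. The name `o'brien` makes the buggy lookup raise a syntax error while the fixed lookup returns the row, which is the same defect class that an attacker would exploit, seen from the defender's side as a correctness failure.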

Page 10

Application vs. Software Security

Application security usually refers to security after the software is built
– Adding more code does not make faulty software correct
– Sandboxing
– Network-centric approach

Application security testing: badness-ometer (figure: a scale running from "Deep Trouble" to "Who Knows")

Page 11

Three Pillars of Software Security

Risk Management
Software Security Touchpoints
Knowledge

Page 12

Risk Management

How much effort to invest in security
Consequences of security breaches
Acceptable level of security
Tracking and mitigating risk throughout the full SDLC
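As an added example that is not part of the slides, a minimal risk register in Python that applies the earlier definition, risk = probability x impact, to the questions on this slide: how much effort to invest, what counts as an acceptable level, and which residual risks are tracked rather than fixed. The `Risk` class, the `effort` field, the `plan` function and all numbers in `SAMPLE_RISKS` are constructed assumptions for the demonstration, not McGraw's method.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood the threat materialises, 0.0 to 1.0
    impact: int         # consequence of a breach, 1 (minor) to 10 (severe)
    effort: int         # estimated cost to mitigate, person-days (constructed)

    @property
    def score(self):
        # The lecture's definition: risk = probability x impact.
        return self.probability * self.impact


def rank_risks(risks):
    """Highest score first, so the most serious items get attention first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def plan(risks, acceptable, budget):
    """Decide where to spend security effort.

    Risks at or below `acceptable` are accepted as residual risk.
    Risks above it are mitigated in score order while the effort budget lasts;
    whatever cannot be funded is carried as tracked, unfunded risk so it is
    revisited later in the SDLC rather than forgotten."""
    mitigate, accept, unfunded = [], [], []
    remaining = budget
    for r in rank_risks(risks):
        if r.score <= acceptable:
            accept.append(r.name)
        elif r.effort <= remaining:
            mitigate.append(r.name)
            remaining -= r.effort
        else:
            unfunded.append(r.name)
    return {"mitigate": mitigate, "accept": accept,
            "unfunded": unfunded, "effort_left": remaining}


# Constructed sample register; names and numbers are illustrative only.
SAMPLE_RISKS = [
    Risk("SQL injection in login form", 0.6, 9, 5),
    Risk("Verbose error pages leak stack traces", 0.8, 2, 1),
    Risk("Unpatched PDF reader on build server", 0.3, 7, 3),
    Risk("Weak password policy", 0.5, 5, 4),
]
```

With an acceptable level of 2.0 and a budget of 8 person-days, `plan(SAMPLE_RISKS, 2.0, 8)` mitigates the SQL injection and the unpatched reader, accepts the verbose error pages, and leaves the password policy unfunded: the second-ranked risk is skipped because its mitigation no longer fits the remaining budget, which is exactly the kind of decision a risk register has to make visible.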

Page 13

Touchpoints

System-wide activity: from design to testing and feedback
Focus on security from the ground up
Touchpoints:
1. Code review
2. Architectural risk analysis
3. Penetration testing
4. Risk-based security testing
5. Abuse cases
6. Security requirements
7. Security operations

Page 14

Knowledge

Gathering, encapsulating, and sharing security knowledge

Knowledge catalogs: principles, guidelines, rules, vulnerabilities, exploits, attack patterns, historical risks

Knowledge categories:
– Prescriptive knowledge
– Diagnostic knowledge
– Historical knowledge

Applied along the SDLC

Page 15

Security Engineering

Reduce the need for reactive technologies (e.g., intrusion detection) by building safer products
Understand software

Needed by:
– Software developers
– Operations people
– Administrators
– Users
– Executives

Page 16

Start with Software Developers!

Page 17

Next Class

Risk Management