girish-sampath
Software Security
Software security is the idea of engineering software so that it continues to function correctly under malicious attack.
Need for software Security
Most successful attacks target and exploit known, unpatched software vulnerabilities and insecure software configurations. Most vulnerabilities are introduced during design and coding.
Properties of a secure software
Dependability: Executes predictably and operates correctly under all conditions.
Trustworthiness: Contains few vulnerabilities or weaknesses that can be intentionally exploited to sabotage the software’s dependability.
Survivability: Should continue operating dependably in spite of attacks and recover as quickly as possible, and with as little damage as possible.
When can a software’s security be threatened?
During its development: A developer may corrupt the software—intentionally or unintentionally
During its deployment (distribution and installation): If the software is not properly tamper-proofed before distribution, or if it is transmitted over communication channels that can easily be intercepted, it is open to vulnerabilities
During its operation: Once software has gone operational, vulnerabilities may be discovered and publicized
During its sustainment: If patches or updates are not issued in a timely manner, or if the root causes of the vulnerabilities are not sought out and eliminated
Why Software Security and not Application Security?
Application security means the protection of software after it’s already built.
Software security, by contrast, is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects, and users about how to build secure things.
We need to focus on Software Security because it’s easier to protect something that is defect-free than something riddled with vulnerabilities.
It is also more cost-effective than developing and releasing frequent security patches for deployed software.
Types of Software security
Types
Malware protection software
Software to remove adware and spyware
Information security
Network security
Computer security
Internet security
Email security
Malware protection software
Antivirus software prevents and removes known computer viruses.
Stops incoming malware before it infects your computer.
Examples of malware: viruses, worms, trojan horses, rootkits, spyware, adware, and other malicious and unwanted software
Adware and spyware removal
Advertisements (pop-ups or download ads)
Used to generate revenue for its author.
Harmless
May be integrated with spyware
Information security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Information security is concerned with the confidentiality of data regardless of the form the data may take: electronic, print, or other forms.
Computer security
Correct operation of a computer system without concern for the information stored or processed by the computer.
Protection of property from theft and corruption while allowing information and property to remain accessible and productive to its intended users
Network security
Providing protection at the boundaries of an organization by keeping out intruders (hackers)
One-factor authentication
Two-factor authentication
Three-factor authentication
Internet security
Branch of computer security specifically related to the Internet.
Its objective is to establish rules and measures to use against attacks over the Internet.
The Internet represents an insecure channel for exchanging information leading to a high risk of intrusion or fraud, such as phishing.
Email security
3-step process: compose, deliver and store
PGP
Signing an email message to ensure its integrity and confirm the identity of its sender.
Encrypting the body of an email message to ensure its confidentiality.
Encrypting the communications between mail servers to protect the confidentiality of both the message body and message header.
SOFTWARE SECURITY: A PRACTICAL PERSPECTIVE
1. Input data validation
2. Session management
3. PASSWORD SECURITY
Combination of numbers and letters
Combination of upper case and lower case
A lower and upper limit on the number of characters
Some sites even have a compulsory clause for changing passwords periodically to prevent account lock out
4. Admin information security
To take care of “/admin” security attack which can lead to crucial data loss
To take care of direct entry through links
5. Handling of cookies
6. Give the users only what they need
Disabling of certain buttons due to security reasons
Back
Forward
Double clicks
Right clicks
These are especially common in bank websites
7. Avoiding unhealthy coding practices
Passing secure data through a query string via the URL
Passing sensitive information via hidden HTML form fields
Poor exception handling and error handling
Common modes of software security breach
Buffer overflows
Integer overflows
SQL injection attacks
Cross site scripting
These attacks can be easily prevented by simple coding.
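For SQL injection, the "simple coding" amounts to input validation plus bound query parameters. The following is an added example, not part of the original slides; the table, the account values and the function names are constructed for illustration.

```python
import re
import sqlite3

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
PIN_RE = re.compile(r"[0-9]{4,8}")

def make_db():
    # Constructed sample data. Plaintext PINs keep the demo short;
    # a real system stores salted password hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pin TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "4821"), ("bob", "1379")])
    return db

def lookup_concat(db, name, pin):
    # Unhealthy practice: input is pasted into the SQL text, so a quote
    # character in the input changes the structure of the query.
    sql = "SELECT name FROM users WHERE name = '%s' AND pin = '%s'" % (name, pin)
    return sorted(row[0] for row in db.execute(sql))

def lookup_bound(db, name, pin):
    # Parameterized query: values are bound as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pin = ?"
    return sorted(row[0] for row in db.execute(sql, (name, pin)))

def lookup_validated(db, name, pin):
    # Input data validation first, then the bound query.
    if not NAME_RE.fullmatch(name) or not PIN_RE.fullmatch(pin):
        raise ValueError("malformed credentials")
    return lookup_bound(db, name, pin)

def demo():
    db = make_db()
    crafted = "' OR '1'='1"   # constructed test input containing quotes
    results = {
        "concat": lookup_concat(db, "alice", crafted),
        "bound": lookup_bound(db, "alice", crafted),
        "valid": lookup_validated(db, "alice", "4821"),
    }
    try:
        lookup_validated(db, "alice", crafted)
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The concatenated query returns every account for the crafted input, while the bound query returns none and the validated lookup rejects the input before it reaches the database.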
Summary
1. Input data validation
2. Session management
3. PASSWORD SECURITY
4. Admin information security
5. Handling of cookies
6. Give the users only what they need
Building security into the software development life cycle
Reasons for poor software security
Unrealistic development schedules
Insufficient capture of security requirements
Defective design
Lack of knowledge to develop secure software
Undisciplined coding practices
Analysts/Researchers Opinions
“75% of security breaches happen at the application layer” - Gartner
“If only 50 percent of software vulnerabilities were removed prior to production … costs would be reduced by 75 percent” - Gartner
“Correction of security flaws at the requirement level is up to 100 times less the cost of correction of security flaws in fielded software” - Fortify
Defect Management/Costs Measurements
Process Metrics
Is code validated against security coding standards?
Is design of developers trained, using organizational security best practice technology, architecture and processes
Management Metrics
% of applications rated “business-critical” that have been security tested
% of projects that were developed with the SDL
% of security issues identified by lifecycle phase
% of issues whose risk has been accepted
% of security issues being fixed
Average time to correct vulnerabilities
Business impact of critical security incidents.
Most of my vulnerabilities are coding and design issues
But are mostly found during pen test in UAT
The cost of fixing them in UAT is 10 X during coding (unit tests)
Which Vulnerabilities Are Exploited? (WHID)
SOURCE: Breach Security The WHID 2009, August 2009
Security touch points
Threat analysis
S - Spoofing
T - Tampering
R - Repudiation
I - Information disclosure
D - Denial of service
E - Elevation of privilege
Threat rating
D - Damage potential
R - Reproducibility
E - Exploitability
A - Affected users
D - Discoverability
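A small threat register that classifies each threat with STRIDE letters and rates it with DREAD, as an added example that is not part of the original slides. The 1 to 10 scale, the use of the mean as the overall rating, and the sample threats and scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")

@dataclass
class Threat:
    title: str
    stride: str            # one or more STRIDE letters, e.g. "TI"
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject entries that cannot be compared with the rest of the register.
        if not self.stride or set(self.stride) - set(STRIDE):
            raise ValueError(f"bad STRIDE code {self.stride!r}")
        for field in DREAD_FIELDS:
            if not 1 <= getattr(self, field) <= 10:
                raise ValueError(f"{field} must be between 1 and 10")

    @property
    def rating(self):
        # Assumed convention: overall rating is the mean of the five scores.
        return sum(getattr(self, f) for f in DREAD_FIELDS) / len(DREAD_FIELDS)

    def categories(self):
        return [STRIDE[letter] for letter in self.stride]

def ranked(threats):
    # Highest rating first, so the list doubles as a fix order.
    return sorted(threats, key=lambda t: t.rating, reverse=True)

# Constructed register based on practices named earlier in the deck.
REGISTER = [
    Threat("Session token passed in URL query string", "I", 6, 9, 7, 5, 8),
    Threat("SQL injection in login form", "TIE", 9, 9, 8, 10, 8),
    Threat("Direct entry to /admin by link", "E", 8, 10, 6, 4, 5),
]

if __name__ == "__main__":
    for t in ranked(REGISTER):
        print(f"{t.rating:4.1f}  {t.title}  [{', '.join(t.categories())}]")
```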
Summary
Reasons for poor software security
Cost of detecting security flaws in the requirements stage is way cheaper than when it is detected at a later stage
Building security into the software development life cycle
STRIDE and DREAD to document threats
Lessons From the Court Room
170 million card and ATM numbers
Used SQL injection and packet sniffers
Conclusion
Every new technology creates as many problems as it solves.
“Be it the real world or the virtual world risk is a part of it and we have to accept it”
Thank you