
Software Security

Page 1: Software Security
Page 2: Software Security

Software Security

Software security is the idea of engineering software so that it continues to function correctly under malicious attack.

Need for software security

Most successful attacks target and exploit known, non-patched software vulnerabilities and insecure software configurations. Most vulnerabilities are introduced during design and coding.

Page 3: Software Security

Properties of a secure software

Dependability: Executes predictably and operates correctly under all conditions.

Trustworthiness: Contains few vulnerabilities or weaknesses that can be intentionally exploited to sabotage the software’s dependability.

Survivability: Should continue operating dependably in spite of attacks and recover as quickly as possible, and with as little damage as possible.

Page 4: Software Security

When can a software’s security be threatened?

During its development: A developer may corrupt the software, intentionally or unintentionally.

During its deployment (distribution and installation): If proper tamper proofing is not done before distribution, or if the software is transmitted over communications channels that can be intercepted easily, it is open to vulnerabilities.

Page 5: Software Security

CONT…

During its operation: Once software has gone operational, vulnerabilities may be discovered and publicized.

During its sustainment: If patches or updates are not issued in a timely manner, or if the root causes of the vulnerabilities are not sought out and eliminated.

Page 6: Software Security

Why Software Security and not Application Security?

Application security means the protection of software after it’s already built.

Software security, by contrast, is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects, and users about how to build secure things.

Page 7: Software Security

CONT..

We need to focus on software security because it’s easier to protect something that is defect-free than something riddled with vulnerabilities.

It is also more cost-effective than developing and releasing frequent security patches for deployed software.

Page 8: Software Security

Types of Software security

Page 9: Software Security

Types

Malware protection software

Software to remove adware and spyware

Information security

Network security

Computer security

Internet security

Email security

Page 10: Software Security

Malware protection software

Antivirus software prevents and removes known computer viruses.

Stops incoming malware before it infects your computer.

Examples of malware: viruses, worms, trojan horses, rootkits, spyware, adware, and other malicious and unwanted software.

Page 11: Software Security

Adware and spyware removal

Advertisements (pop-ups or download ads)

Used to generate revenue for its author.

Harmless

May be integrated with spyware

Page 12: Software Security

Information security

Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Information security is concerned with the confidentiality of data regardless of the form the data may take: electronic, print, or other forms.

Page 13: Software Security

Computer security

Correct operation of a computer system without concern for the information stored or processed by the computer.

Protection of property from theft and corruption while allowing information and property to remain accessible and productive to its intended users.

Page 14: Software Security

Network security

Providing protection at the boundaries of an organization by keeping out intruders (hackers)

One factor authentication

Two factor authentication

Three factor authentication

Page 15: Software Security

Internet security

Branch of computer security specifically related to the Internet.

Its objective is to establish rules and measures to use against attacks over the Internet.

The Internet represents an insecure channel for exchanging information, leading to a high risk of intrusion or fraud, such as phishing.

Page 16: Software Security

Email security

3 step process: compose, deliver and store

PGP

Signing an email message to ensure its integrity and confirm the identity of its sender.

Encrypting the body of an email message to ensure its confidentiality.

Encrypting the communications between mail servers to protect the confidentiality of both the message body and message header.

Page 17: Software Security

SOFTWARE SECURITY: A PRACTICAL PERSPECTIVE

Page 18: Software Security

1. Input data validation

Page 19: Software Security

2. Session management

Page 20: Software Security

3. PASSWORD SECURITY

Combination of numbers and alphabets

Combination of upper case and lower case

A lower and upper limit on the number of characters

Some sites even have compulsory clause for changing passwords periodically to prevent account lock out

Page 21: Software Security

4. Admin information security

To take care of “/admin” security attack which can lead to crucial data loss

To take care of direct entry through links

Page 22: Software Security

5. Handling of cookies

Page 23: Software Security

6. Give the users only what they need

Disabling of certain buttons due to security reasons

Back

Forward

Double clicks

Right clicks

These are especially common in bank websites

Page 24: Software Security
Page 25: Software Security

7. Avoiding unhealthy coding practices

Passing secure data through a query string via the URL

Passing sensitive information via hidden HTML form fields

Poor exception handling and error handling
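
An added example, not part of the original slides, of why values carried in hidden form fields or query strings cannot be trusted, and two healthier alternatives: look the value up server-side, or sign it so tampering is detected. The catalogue, key and field names are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample data: authoritative server-side catalogue and a demo key.
CATALOGUE = {"sku-100": 4999}              # price in cents
SECRET_KEY = b"demo-only-key-do-not-reuse"  # assumption: kept on the server


def total_trusting_hidden_field(form):
    """Unhealthy: the price comes back from a hidden field the client can edit."""
    return int(form["price"]) * int(form["qty"])


def total_from_server_state(form):
    """Healthier: the client only names the item; the price is looked up here."""
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def sign_field(value):
    """Attach an HMAC tag when a value must round-trip through the browser."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_field(signed):
    """Return the original value, or raise if the field was altered."""
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hidden field was modified")
    return value
```

Signing gives integrity only: the value is still readable by the user, so sensitive information belongs in server-side session state rather than in the page or the URL.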

Page 26: Software Security

Common modes of software security breach

Buffer overflows

Integer overflows

SQL injection attacks

Cross site scripting

These attacks can be easily prevented by simple coding.
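
An added example, not part of the original slides, of the kind of simple coding change that prevents SQL injection: the same login query built by string concatenation and with bound parameters, plus an allow-list input check. The table, accounts and input formats are constructed for the illustration.

```python
import re
import sqlite3

NAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # assumed allow-list for user names
PIN_RE = re.compile(r"[0-9]{4,8}")        # assumed PIN format


def make_db():
    """Build an in-memory database with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pin TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "1234"), ("bob", "9876")])
    return db


def login_concatenated(db, name, pin):
    """Vulnerable: input is pasted into the SQL text and can change the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pin = '{pin}'"
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, name, pin):
    """Fixed: placeholders keep input as data, never as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND pin = ?"
    return [row[0] for row in db.execute(sql, (name, pin))]


def is_valid_login_input(name, pin):
    """Input data validation: reject anything outside the expected format."""
    return bool(NAME_RE.fullmatch(name) and PIN_RE.fullmatch(pin))


def login_checked(db, name, pin):
    """Validate first, then run the parameterized query."""
    if not is_valid_login_input(name, pin):
        return []
    return login_parameterized(db, name, pin)
```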

Page 27: Software Security

Summary

1. Input data validation

2. Session management

3. PASSWORD SECURITY

4. Admin information security

5. Handling of cookies

6. Give the users only what they need

Page 28: Software Security

Building security into the software development life cycle

Page 29: Software Security

Reasons for poor software security

Unrealistic development schedules

Insufficient capture of security requirements

Defective design

Lack of knowledge to develop secure software

Undisciplined coding practices

Page 30: Software Security

Analysts/Researchers Opinions

“75% of security breaches happen at the application layer” - Gartner

“If only 50 percent of software vulnerabilities were removed prior to production … costs would be reduced by 75 percent” - Gartner

“Correction of security flaws at the requirement level is up to 100 times less the cost of correction of security flaws in fielded software” - Fortify

Page 31: Software Security

Defect Management/Costs Measurements

Process Metrics

Is code validated against security coding standards?

Is design of developers trained, using organizational security best practice technology, architecture and processes

Management Metrics

% of applications rated “business-critical” that have been security tested

% of projects that were developed with the SDL

% of security issues identified by lifecycle phase

% of issues whose risk has been accepted

% of security issues being fixed

Average time to correct vulnerabilities

Business impact of critical security incidents.

Most of my vulnerabilities are coding and design issues

But are mostly found during pen test in UAT

The cost of fixing them in UAT is 10 X during coding (unit tests)

Page 32: Software Security

Which Vulnerabilities Are Exploited? (WHID)

SOURCE: Breach Security The WHID 2009, August 2009

Page 33: Software Security

Security touch points

Page 34: Software Security

Threat analysis

S - Spoofing

T - Tampering

R - Repudiation

I - Information disclosure

D - Denial of service

E - Elevation of privilege

Page 35: Software Security

Threat rating

D - Damage potential

R - Reproducibility

E - Exploitability

A - Affected users

D - Discoverability

Page 36: Software Security

Summary

Reasons for poor software security

Detecting security flaws in the requirements stage is far cheaper than detecting them at a later stage

Building security into the software development life cycle

STRIDE and DREAD to document threats

Page 37: Software Security

Lessons From the Court Room

170 million card and ATM numbers

used SQL injection and packet sniffers

Page 38: Software Security

Conclusion

Every new technology creates as many problems as it solves.

“Be it the real world or the virtual world, risk is a part of it and we have to accept it”

Page 39: Software Security

Thank you