Software Security - Intro
Tags: Software Engineering
Slide 1 - Software Security: Intro
- Emerson Murphy-Hill
- Open Web Application Security Project (OWASP)
- The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
Slide 2 - Vulnerabilities/Attacks
- Vulnerability - An instance of a fault in the specification, development, or configuration of software such that its execution can violate an implicit or explicit security policy.
- Attack - A deliberate attempt to exploit a vulnerability so that the system violates an implicit or explicit security policy; a successful attack leaves the system unable to perform its functions without violating that policy.
- Krsul, I., "Software Vulnerability Analysis," PhD thesis, Department of Computer Sciences, Purdue University, West Lafayette, IN, 1998.
Slide 3 - Software Security
- The idea of engineering software so that it continues to function correctly while under malicious attack
- Not "firewalling" vulnerabilities away at the network perimeter: the software itself is the target
- Not reacting through "penetrate and patch" after release
- Security problems split roughly evenly between design flaws (50-60%) and implementation bugs (40-50%), so both the architecture and the code have to be addressed
- Need to understand and manage software-induced security risks throughout development
Slide 4 - Cost of Change Curve
- "Penetrate and patch": vulnerabilities are found and fixed only after the software has shipped, at the expensive end of the curve
- "Functionality first; security at some other point" has the same effect: the cost of fixing a defect rises the later it is found, so security retrofitted late costs more than security designed in
Slide 5 - Security Testing: Testing for What It’s NOT supposed to do
- Thompson, Herbert, *, IEEE Security and Privacy, July/Aug 2003, pp. 83-86.
Slide 6 - Trends in Software Security
Slide 7 - Input Validation Vulnerabilities
- Input validation vulnerabilities (IVVs) are vulnerabilities caused by using input without sufficiently checking it before it is used.
- According to the National Vulnerability Database (NVD) [2], the number of reported input validation vulnerabilities increased from 25 (2% of all reports) in 2004 to 498 (10%) in 2013.
- "Using unvalidated input as part of a directive or command to a subsystem can introduce vulnerability." [1]
- SQL Injection: input becomes part of a database command
- Cross Site Scripting: input becomes part of an HTML page or script delivered to another user's browser
- Buffer Overflow: input longer than the buffer it is copied into overwrites adjacent memory
- [1] "Build Security In," https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/guidelines/342.html
- [2] CVE and CCE Statistics Query: http://web.nvd.nist.gov/view/vuln/statistics
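The following is an added example, not code from the slides or from OWASP, showing two of the three IVV classes listed above (SQL injection and cross-site scripting) as a vulnerable function beside its hardened form, plus the kind of "negative" test Slide 5 calls for: a test that asserts what the code must NOT do. Buffer overflow is omitted because Python is memory-safe. The users table, the names and the two payloads are constructed for the example; the only library calls are the standard `sqlite3` and `html` modules.

```python
import html
import sqlite3

SQLI_PAYLOAD = "' OR '1'='1"                 # constructed: tautology injected into a WHERE clause
XSS_PAYLOAD = "<script>alert(1)</script>"    # constructed: script reflected into an HTML page


def make_db():
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """IVV: unvalidated input is spliced into the SQL command text itself."""
    query = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as data and never reaches the SQL parser."""
    return conn.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(name):
    """IVV: input is reflected into HTML without encoding (cross-site scripting)."""
    return f"<p>Hello, {name}</p>"


def render_safe(name):
    """Output encoding turns markup characters into entities the browser shows as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def negative_tests():
    """Security tests in Thompson's sense: check what the code must NOT do.

    Returns a dict so the outcomes can be asserted on rather than just printed.
    """
    conn = make_db()
    results = {}

    # The vulnerable lookup turns "WHERE name = '' OR '1'='1'" into a tautology and dumps every row.
    results["sqli_vulnerable_rows"] = len(lookup_vulnerable(conn, SQLI_PAYLOAD))
    # The safe lookup compares the whole payload literally to the name column and matches nothing.
    results["sqli_safe_rows"] = len(lookup_safe(conn, SQLI_PAYLOAD))

    # The same flaw is also a functional bug: a legitimate apostrophe breaks the query.
    try:
        lookup_vulnerable(conn, "O'Brien")
        results["apostrophe_vulnerable_raises"] = False
    except sqlite3.OperationalError:
        results["apostrophe_vulnerable_raises"] = True
    results["apostrophe_safe_rows"] = len(lookup_safe(conn, "O'Brien"))

    # Reflected script survives unencoded output and is neutralised by encoded output.
    results["xss_vulnerable_has_script"] = "<script>" in render_vulnerable(XSS_PAYLOAD)
    results["xss_safe_has_script"] = "<script>" in render_safe(XSS_PAYLOAD)
    return results


if __name__ == "__main__":
    for key, value in negative_tests().items():
        print(f"{key}: {value}")
```

The two fixes share one principle: keep untrusted input out of the command channel. Parameter binding does that for SQL; output encoding does it for HTML. Validation of the input's shape (length, character set) is still worthwhile, but on its own it is not a substitute for either.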