Software Security - Intro

Software Engineering

Created 3 years ago

Duration 0:04:50
Slide Content
  1. Software Security: Intro
    • Emerson Murphy-Hill
    • Open Web Application Security Project (OWASP)
    • http://www.cgisecurity.com/owasp/html/
    • The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software.
  2. Vulnerabilities/Attacks
    • Vulnerability - An instance of a [fault] in the specification, development, or configuration of software such that its execution can violate an [implicit or explicit] security policy.
    • Attack - A deliberate attempt to exploit such a fault so that the system cannot perform its functions without violating an [implicit or explicit] security policy.
    • Krsul, I., "Software Vulnerability Analysis," PhD thesis in Computer Science, Purdue University, West Lafayette, 1998.
  3. Software Security
    • The idea of engineering software so that it continues to function correctly under malicious attack (Gary McGraw's definition)
    • Not hiding vulnerabilities behind a firewall
    • Not reacting after the fact through “penetrate and patch”
    • Security problems in most software split roughly evenly between design flaws (50-60%) and implementation bugs (40-50%); the flaws are the expensive half because they survive code-level fixes
    • Need to understand and manage software-induced security risks throughout the lifecycle, not only at release
  4. Cost of Change Curve
    • http://swc.scipy.org/lec/img/dev01/boehm_curve.png
    • Boehm's curve: the cost of fixing a defect grows steeply the later in the lifecycle it is found
    • “penetrate and patch” sits at the expensive end of that curve: the defect is found in deployed software, by an attacker
    • Functionality first, security at some later point, means paying the highest price for every security fix
  5. Security Testing:  Testing for What It’s NOT supposed to do
    • Thompson, Herbert, *, IEEE Security and Privacy, July/Aug 2003, pp. 83-86.
  6. Trends in Software Security
    • http://www-958.ibm.com/software/data/cognos/manyeyes/visualizations/vulerabilities-per-year
  7. Input Validation Vulnerabilities
    • Input validation vulnerabilities (IVVs) are vulnerabilities caused by insufficient validation of input before it is used.
    • According to the National Vulnerability Database (NVD) [2], the number of reported input validation vulnerabilities increased from 25 (2%) in 2004 to 498 (10%) in 2013.
    • “Using unvalidated input as part of a directive or command to a subsystem can introduce vulnerability.” [1]
    • SQL Injection: input becomes part of a command sent to the database
    • Cross Site Scripting: input becomes part of a page that another user's browser executes
    • Buffer Overflow: input is longer than the memory set aside to hold it
    • [1] “Build Security In,” https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/guidelines/342.html
    • [2] CVE and CCE Statistics Query: http://web.nvd.nist.gov/view/vuln/statistics
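The following is an added example, not code from the lecture, showing the quoted principle on two of the three classes the slide lists: unvalidated input spliced into a command to a subsystem (SQL injection against a database) and into a page another user's browser renders (cross site scripting), each beside its corrected form. It also shows the Slide 5 idea of testing for what the code is NOT supposed to do: the checks feed a hostile input and assert that the safe version refuses it. The in-memory SQLite table, the user names and passwords, and the attack strings are constructed here for illustration; buffer overflow is a native-code problem and is not shown.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_unvalidated(conn, name, password):
    # Unvalidated input is spliced straight into the directive sent to the
    # database subsystem, so the input can change the command's structure.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, password):
    # The command is fixed; data travels separately and is never parsed
    # as SQL, whatever characters it contains.
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


def render_greeting_unescaped(name):
    # Input becomes part of an HTML page another user's browser will run.
    return "<p>Hello, %s</p>" % name


def render_greeting_escaped(name):
    # Same output, but markup characters in the input are neutralised.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def negative_tests():
    # Security tests in the Slide 5 sense: feed input the code must NOT
    # act on, and record what each version does with it.
    conn = make_db()
    results = {}

    # Classic tautology payload: the password field closes the quote and
    # appends OR '1'='1', which AND/OR precedence makes true for every row.
    sqli = "' OR '1'='1"
    results["sqli_unvalidated"] = login_unvalidated(conn, "alice", sqli)
    results["sqli_parameterized"] = login_parameterized(conn, "alice", sqli)

    # Script tag that should never reach the browser as live markup.
    xss = "<script>alert(1)</script>"
    results["xss_unescaped"] = "<script>" in render_greeting_unescaped(xss)
    results["xss_escaped"] = "<script>" in render_greeting_escaped(xss)

    # Positive check: the safe version still lets a real user in.
    results["legit"] = login_parameterized(conn, "alice", "s3cret")
    return results


if __name__ == "__main__":
    for check, outcome in negative_tests().items():
        print("%-20s %r" % (check, outcome))
```

In the results, `sqli_unvalidated` comes back as `"alice"` (login granted with no valid password) while `sqli_parameterized` is `None`; `xss_unescaped` is `True` and `xss_escaped` is `False`. Parameterized queries and output escaping are the subsystem-specific forms of the same rule: never let untrusted input become part of the command or document you hand to another interpreter.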