Software Security ITGD 2202 Supervision:- Assistant Professor

Presentation transcript:

Software Security ITGD 2202 Supervision:- Assistant Professor Dr. Sana’a Wafa Al-Sayegh Student: Anwaar Ahmed Abu-AlQumboz

Contents
- Definition
- The Objective of "Software Security"
- The Qualities of "Secure Software"
- Security in the Software Lifecycle
- Deploying Software Security Practices
- Software Security Practices
- Summary
- Reference

Definition
Software: The programs, routines, and symbolic languages that control the functioning of the hardware and direct its operation.
Software security is the idea of engineering software so that it continues to function correctly under malicious attack.

The Objective of "Software Security":
The objective of software security is to design, implement, configure, and support software systems in ways that enable them to:
- continue operating correctly in the presence of most attacks by either resisting the exploitation of faults or other weaknesses in the software by the attackers or tolerating the errors and failure that result from such exploits.
- isolate, contain, and limit the damage resulting from any failures caused by attack-triggered faults that the software was unable to resist or tolerate and recover as quickly as possible from those failures.

The Qualities of "Secure Software":
The vulnerabilities in executing software originate in the process used to create that software: the decisions made by its developers, the flaws they inadvertently or intentionally include in its specification and design, and the faults and other defects they inadvertently or intentionally include in its implemented code.

In addition to trustworthiness, predictable execution, and conformance, secure software must be attack-resistant or attack-tolerant, and at the whole system level it must be attack-resilient.

To achieve attack-resistance or attack-tolerance, both software components and whole software systems should be able to recognize attack patterns in the input data or signals they receive from external entities (humans or processes). They should be able to either resist attack-patterned input or tolerate the failures that result from a successful attack or intentional external fault.

To achieve attack-resilience (often referred to as survivability), software systems must be able to recover from any failures that result from successful attacks on the software by resuming operation at or above some predefined minimum acceptable level of service in the short term. The system must eventually recover full service at the specified level of performance.

Security in the Software Lifecycle:-
- Protection against intentional subversion or forced failure.
- Preservation of the three subordinate properties that make up security: availability, integrity, and confidentiality.
- Security manifests as the ability of the system to protect itself from external faults that may be accidental or deliberate (attacks).
- According to Bruce Schneier in Beyond Fear: "Security is about preventing adverse consequences from the intentional and unwarranted actions of others."

Deploying Software Security Practices
The main goals of deploying software security practices include the following:
- Exploitable faults and other weaknesses are avoided by well-intentioned developers.
- The likelihood is greatly reduced or eliminated that malicious developers can intentionally implant exploitable faults and weaknesses or malicious logic into the software.
- The software is attack-resistant, attack-tolerant, and attack-resilient.

Software Security Practices:-
- Code reviews
- Architectural risk analysis
- Penetration testing
- Security testing
- Abuse cases
- Security operations

Software Security Practices:- Code Reviews:-
- Fix implementation bugs, not design flaws.
- Benefits of code reviews:
  1. Find defects sooner in the lifecycle.
  2. Find defects with less effort than testing.
  3. Find different defects than testing.
  4. Educate developers about security flaws.

Static Analysis Tools:-
- Automated assistance for code reviews.
- Speed: review code faster than humans can.
- Accuracy: 100s of secure coding rules.

False Positives:-
- Tool reports bugs in code that aren't there.
- Complex control or data flow can confuse tools.

False Negatives:-
- Tool fails to discover bugs that are there.
- Code complexity or lack of rules to check.
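The following added example (not part of the original slides) shows one deliberately simple static-analysis rule producing a true positive, a false positive and a false negative on the same file. The rule, the sample source and all function names are constructed for illustration; the sample is only parsed, never executed.

```python
import ast

# Constructed sample source for the checker to review (parsed, never run).
SAMPLE = '''
import os
from os import system as run

def ping(host):
    os.system("ping -c 1 " + host)   # real bug: caller-controlled host

def uptime():
    cmd = "uptime"
    os.system(cmd)                   # safe: cmd is always a constant

def lookup(host):
    run("nslookup " + host)          # real bug, hidden behind an alias
'''

def naive_rule(source):
    """Flag every os.system(...) call whose argument is not a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        is_os_system = (isinstance(f, ast.Attribute) and f.attr == "system"
                        and isinstance(f.value, ast.Name) and f.value.id == "os")
        if is_os_system and node.args and not isinstance(node.args[0], ast.Constant):
            findings.append(node.lineno)
    return sorted(findings)

def classify(findings, true_bug_lines):
    """Compare tool output with the manually confirmed bug lines."""
    found, truth = set(findings), set(true_bug_lines)
    return {"true_positives": sorted(found & truth),
            "false_positives": sorted(found - truth),   # no data-flow tracking
            "false_negatives": sorted(truth - found)}   # no rule for the alias

if __name__ == "__main__":
    # Lines 6 and 13 of SAMPLE are the confirmed bugs.
    print(classify(naive_rule(SAMPLE), [6, 13]))
```

The false positive on line 10 comes from the rule not following data flow, and the false negative on line 13 from the lack of a rule for the aliased import, which are the two causes the slide names.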

Software Security Practices:- Architectural Risk Analysis:-
- Fix design flaws, not implementation bugs.

Risk analysis steps:-
1. Develop an architecture model.
2. Identify threats and possible vulnerabilities.
3. Develop attack scenarios.
4. Rank risks based on probability and impact.
5. Develop mitigation strategy.
6. Report findings.

Risk Analysis:-
- Attack Analysis: Historical attacks and vulnerabilities.
- Attack patterns:
  - Command Delimiters
  - Multiple Parsers and Double Escapes
- Attack trees.
- Ambiguity Analysis: Compare understandings of architects.
- External Weakness Analysis

Software Security Practices:- Penetration Testing:-
- Test software in deployed environment.
- Allocate time at end of development to test:
  - Often time-boxed: test for n days.
  - Schedule slips often reduce testing time.
  - Fixing flaws is expensive late in lifecycle.

Penetration Testing Tools:-
- Test common vulnerability types against inputs.
- Fuzzing: send random data to inputs.
- Don't understand application structure or purpose.
- WebScarab
- Paros Proxy
- Burp Suite
- Vulnerability Scanners:
  - Nikto
  - Nessus
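As an added illustration (not from the original slides) of why tools that "don't understand application structure" find only part of what is there, the sketch below fuzzes a toy record parser with random bytes and compares the result with one test written from knowledge of the format. The parser, its two defects and all names are constructed for this example.

```python
import random

def parse_record(data: bytes) -> dict:
    """Toy parser (constructed): [type][length][payload...]."""
    rtype, length = data[0], data[1]           # shallow bug: no size check
    payload = data[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")  # documented rejection
    if rtype == 0x7F and payload.startswith(b"ADMIN"):
        handlers = {}
        return handlers["admin"](payload)      # deep bug: unhandled KeyError
    return {"type": rtype, "payload": payload}

def fuzz(target, trials=2000, max_len=16, seed=1234):
    """Blind fuzzing: random bytes, no knowledge of the record format."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(trials):
        size = rng.randrange(max_len + 1)
        data = bytes(rng.randrange(256) for _ in range(size))
        try:
            target(data)
        except ValueError:
            pass                               # expected rejection, not a defect
        except Exception as exc:               # anything else is a finding
            crashes.setdefault(type(exc).__name__, data)
    return crashes

def structured_case():
    """A test built from the format specification reaches the deep path."""
    try:
        parse_record(bytes([0x7F, 5]) + b"ADMIN")
    except KeyError:
        return "KeyError"
    return None

if __name__ == "__main__":
    print("blind fuzzing found:", sorted(fuzz(parse_record)))
    print("structure-aware test found:", structured_case())
```

Random input reaches the missing size check almost immediately, while the second defect needs a specific type byte and payload prefix that blind fuzzing will not produce in any realistic number of trials.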

Software Security Practices:- Security Testing:-
Two types of testing:-
- Functional: verify security mechanisms.
- Adversarial: verify resistance to attacks generated during risk analysis.

Different from traditional penetration testing:-
- White box.
- Use risk analysis to build tests.
- Measure security against risk model.

Software Security Practices:- Abuse Cases:-
- Anti-requirements.
- Think explicitly about what software should not do.
- A use case from an adversary's point of view:
  - Obtain Another User's CC Data.
  - Alter Item Price.
  - Deny Service to Application.
- Developing abuse cases: informed brainstorming (attack patterns, risks).

Security Operations:-
- User security notes:
  - Software should be secure by default.
  - Enabling certain features/configs may have risks.
  - User needs to be informed of security risks.
- Incident response:
  - What happens when a vulnerability is reported?
  - How do you communicate with users?
  - How do you send updates to users?
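The added example below (not part of the original slides) turns two of the abuse cases listed above, "Alter Item Price" and "Obtain Another User's CC Data", into adversarial security tests of the kind the Security Testing slide describes. The shop functions, catalogue and card records are hypothetical and constructed for illustration.

```python
# Constructed in-memory data standing in for a shop backend (hypothetical).
CATALOGUE = {"book": 1500, "pen": 200}            # prices in cents
CARDS = {"alice": "CARD-ALICE-0001", "bob": "CARD-BOB-0002"}

class Forbidden(Exception):
    pass

def checkout(session_user, order):
    """Total an order; any client-supplied 'price' field is ignored."""
    total = 0
    for line in order:
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in CATALOGUE or type(qty) is not int or not 1 <= qty <= 100:
            raise ValueError("invalid order line")
        total += CATALOGUE[sku] * qty             # server-side price only
    return {"user": session_user, "total": total}

def get_card(session_user, requested_user):
    """Return stored card data only to its owner."""
    if session_user != requested_user:
        raise Forbidden("card data belongs to another user")
    return CARDS[requested_user]

def run_abuse_cases():
    """Each abuse case becomes a test the software must refuse."""
    results = {}
    # Abuse case: Alter Item Price (client sends its own price).
    tampered = [{"sku": "book", "qty": 1, "price": 1}]
    results["alter_price_ignored"] = checkout("alice", tampered)["total"] == 1500
    # Same abuse case, second variant: negative quantity to lower the total.
    try:
        checkout("alice", [{"sku": "book", "qty": -3}])
        results["negative_qty_rejected"] = False
    except ValueError:
        results["negative_qty_rejected"] = True
    # Abuse case: Obtain Another User's CC Data.
    try:
        get_card("alice", "bob")
        results["other_card_refused"] = False
    except Forbidden:
        results["other_card_refused"] = True
    return results

if __name__ == "__main__":
    print(run_abuse_cases())
```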

Summary
- The information needs to be secure because of what it is and how it is acted upon by other entities.
- Software needs to be secure because of what it does, including how it acts upon other entities.
- The main objective of information security and the systems that store and transmit information is to protect information from unauthorized disclosure, modification, or deletion.
- The main objective of software security is to produce software that will not be vulnerable to unauthorized modification or denial of service during its execution.

Reference
- https://buildsecurityin.us-cert.gov/daisy/bsi/547-BSI.html
- http://www.nku.edu/~waldenj1/talks/XPCincinnati2006/SwSec.ppt

Thanks a lot. IT Student: Anwaar Abu-AlQumboz