Engineering Secure Software

Slides:



Advertisements
Similar presentations
Security Presented by: Mark Davis & Shahein Moussavi.
Advertisements

Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.
Is There a Security Problem in Computing? Network Security / G. Steffen1.
CSCE 522 Building Secure Software. CSCE Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,
A Covenant University Presentation By Favour Femi-Oyewole, BSc, MSc (Computer Science), MSc (Information Security) Certified COBIT 5 Assessor /Certified.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
OWASP Mobile Top 10 Why They Matter and What We Can Do
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
CSCE 548 Secure Software Development Risk-Based Security Testing.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
1.2 Security. Computer security is a branch of technology known as information security, it is applied to computers and networks. It is used to protect.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
What does secure mean? You have been assigned a task of finding a cloud provider who can provide a secure environment for the launch of a new web application.
CSCE 522 Secure Software Development Best Practices.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Information Security What is Information Security?
CSCE 548 Building Secure Software. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Visual 1. 1 Lesson 1 Overview and and Risk Management Terminology.
Computer Security By Duncan Hall.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
LESSON 5-2 Protecting Your Computer Lesson Contents Protecting Your Computer Best Practices for Securing Online and Network Transactions Measures for Securing.
Engineering Secure Software. Does Security Even Matter?  Find two other people near you Introduce yourself What is your favorite software development.
Exploitation Development and Implementation PRESENTER: BRADLEY GREEN.
Definition s a set of actions taken to prevent or minimize adverse consequences to assets an entity of importance a weakness in the security system to.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
Understanding and breaking the cyber kill chain
Chapter 40 Internet Security.
Seminar On Ethical Hacking Submitted To: Submitted By:
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
CSCE 548 Secure Software Development Risk-Based Security Testing
Design for Security Pepper.
Engineering Secure Software
Software Security Testing
Managing Secure Network Systems
Systems Security Keywords Protecting Systems
Software Security ITGD 2202 Supervision:- Assistant Professor
Evaluating Existing Systems
Choosing Technologies
Network security threats
Evaluating Existing Systems
Operating system Security
INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.
The Security Problem Security must consider external environment of the system, and protect it from: unauthorized access. malicious modification or destruction.
Answer the questions to reveal the blocks and guess the picture.
Tool Server Workstation Router Universal
Teaching Computing to GCSE
Security in Networking
Done BY: Zainab Sulaiman AL-Mandhari Under Supervisor: Dr.Tarek
Call AVG Antivirus Support | Fix Your PC
Unit 1.6 Systems security Lesson 3
I have many checklists: how do I get started with cyber security?
Advanced Services Cyber Security 101 © ABB February, | Slide 1.
Intrusion Detection & Prevention
Unit 1.6 Systems security Lesson 4
Engineering Secure Software
Faculty of Science IT Department By Raz Dara MA.
Networking for Home and Small Businesses – Chapter 8
Network Security Ola Flygt Växjö University
Engineering Secure Software
Engineering Secure Software
Engineering Secure Software
Networking for Home and Small Businesses – Chapter 8
Networking for Home and Small Businesses – Chapter 8
CSE 542: Operating Systems
Test 3 review FTP & Cybersecurity
White Box testing & Inspections
Engineering Secure Software
Presentation transcript:

Engineering Secure Software What is secure?

Software Security And You. Find two other people near you Introduce yourself What is your favorite software development technology? (language, tool, library, etc.) Have you ever written software where security mattered? Did you do anything about it then?

How do you know? With those two people, discuss this: How do you know that you have delivered secure software? Try to think of examples What are your indicators? How will you convince others that your software is secure?

Discussion Takeaways Security is not black-and-white Security is “until proven insecure” Security “Theater” Feeling safer vs. Being safer People act on their perception of reality, not necessarily on reality Protection can be costly E.g. personal liberty and privacy Eliminating a Threat vs. Protection Vulnerability vs. Exploit vs. Threat

An Engineer’s Concern In SE we teach you how to build software …but not as much breaking software How do you know that you have built a system that cannot be broken into? What evidence do you look for? How do you know you’re done? How do you prioritize security against everything else drawing upon your time? SE is a zero-sum game “If I need to focus more energy on security, what should we take away?”

Vulnerability Informally, a bug with security consequences A design flaw or poor coding that may allow an attacker to exploit software for a malicious purpose Non-software equivalent to “lack of shoe-examining at the airport” E.g. allowing easily-guessed passwords (poor coding) E.g. complete lack of passwords when needed (design flaw) McGraw: 50% are coding mistakes, 50% are design flaws Alternative definition: “an instance of a fault that violates an [implicit or explicit] security policy”

Exploit and Threat Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in an effort to cause unintended or unanticipated behavior i.e. maliciously using a vulnerability Can manual or automated Viruses are merely automated exploits Many different ways to exploit just one vulnerability Threat – two usages of the word (a) An actor or agent that is a source of danger, capable of violating confidentiality, availability, or integrity of information assets and security policy e.g. black-hat hackers (b) A class of exploits e.g. spoofing

[Exploit|Threat|Vulnerability] Protection Protect against exploits? Anti-virus, intrusion detection, firewalls, etc. Protect against threats? Use forensics to find & eliminate Policy, incentives, deterrents, etc. Protect against vulnerabilities? Engineer secure software!

Software Security is… NOT a myth but a reality Insecure software causes immeasurable harm Sony, NSA, Android, Browsers… just read the news

Software Security is… NOT an arcane black art Much of it seems arcane Finding a severe vulnerability w/o source code Crafting the exploit Endless clever ways to break software But, you have much more knowledge than the attackers do Don’t just leave it to the experts, take responsibility for knowing security

Software Security is… NOT a dire apocalyptic future Fear-mongering will not be tolerated here Risk management dictates that we deal in the probable more than the possible

Software Security is… NOT a set of features Secure software > Security software Although tools and experts are helpful, You can’t just deploy a magical tool and expect all vulnerabilities to disappear You can’t outsource all of your security knowledge Even if you are using a security library, know how to use it properly

Software Security is… NOT a problem for just mathematicians Cryptography Is important and needed Cannot solve all of your security problems Pick-proof lock vs. open window Proofs, access control rules, and verification are helpful, but inherently incomplete

Software Security is… NOT a problem for just networking and operating systems Software had security problems long before we had the internet If you left a window open in your house, would you try to fix the roads?

Software Security is… A reality that everyone must face Not just developers, all stakeholders A learnable mindset for software engineers The ability to prevent unintended functionality At all layers of the stack In all parts of your system

Student Security Maturity Denial I don’t have to think about this. Let me just code. Leave it to the experts. I could never understand this anyway. Irrational fear, superstition EVERYTHING IS POSSIBLE NOW!!! EVERY MITIGATION IS NECESSARY!!! ENCRYPT EVERYTHING!!! Bag of Tricks Let’s just try these tricks that worked in the past We’ve done these 10 things. That’s a lot. Close enough, right? Reasoned, Balanced, Defensive Mindset If we do X, we mitigate Y, which is worthwhile because of Z.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.