Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Presentation transcript:

Software Security Course Course Outline

Course Overview
- Introduction to Software Security
- Common Attacks and Vulnerabilities
- Overview of Security Engineering
- How To - Secure Design
- How To - Secure Implementation
- How To - Security Testing
- How To - Secure Deployment
- Compliance and Regulatory Standards
- Special Topics
- Additional Resources

Introduction to Software Security

- Definition and Context
- Why Security Matters
- Myths and Urban Legends
- Threats and Examples
- Case Studies
- Concepts and Definitions

Definition and Context
- Software security as part of the larger problem of developing robust, reliable code
- Describe the relationship between software security and:
  – Corporate information security policies
  – Corporate risk strategies
- Explain the differences between software and network security
  – Areas of overlap
  – Areas of divergence
  – Pros and cons of each area of investment

Definition and Context
- CIA as a way to think about security
- STRIDE as a way to assess impact of a threat
- DREAD as a way to categorize the severity of a threat

Why Security Matters
- Customers care – now more than ever
- Patching is expensive
- Regulatory compliance
- Security failures == business risk
- Competitive advantage
- Critical part of TCO
- The threat environment is bad and getting worse
- Attackers have the advantage

Myths and Urban Legends
- Security is only required in the OS
  – 15% are OS vulns
- I only need a good patch strategy
  – Mean time to attack: 330 days -> 2 weeks
- I have a firewall, AV and IDS
  – 92% of vulns are software, not network
- Functional testing finds security defects
  – Good practices from design->deploy are required
- I use Java (or .NET)
  – Only helps with some classes of problem
- I use cryptography
  – Helps with some threats, but just one tool in the toolbox

Threats and Examples

Case Studies
- Show real world impact, examine past mistakes
  – Love Virus
  – Sapphire Worm
  – TJX
  – Heartland

Concepts and Definitions
- Asset
- Attack
- Control
- Countermeasure or mitigation
- Guideline
- Information Security
- Insider Threat
- Policy
- Privacy
- Risk
- Risk Analysis
- Risk Assessment
- Security Engineering
- Security Requirement
- Threat
- Vulnerability

Common Attacks and Vulnerabilities

- Types of Attackers
- Attacker Motivation
- Attacker Origin
- Anatomy of an Attack
- Attacker Tools
- OWASP Top 10
- CWE/SANS Top 25

Types of Attackers Script Kiddies Amateur Experts Crack Experts Professionals

Attacker Motivation
- White Hat
- Black Hat
- Grey Hat

Attacker Origin
- Internal attackers – the insider threat
- External attackers

Anatomy of an Attack
- Targeting
- Probing
- Attempting penetration
- Securing hold
- Cleanup and propagation

Attacker Tools
- Whitebox
- Greybox
- Blackbox

OWASP Top 10
- Cross Site Scripting
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to restrict URL access

CWE/SANS 25 Most Dangerous
- CWE and SANS put together a list of the 25 most dangerous coding errors
  – Insecure interaction between components
  – Risky resource management
  – Porous defenses

Overview of Security Engineering

Overview of Security Engineering
- How it Fits
- Key Activities

How it Fits

Key Activities
- Threat Modeling
- Security Design Best Practices
- Security Design Review
- Security Coding Best Practices
- Security Code Review
- Penetration Test
- Security Deployment Review

How To - Secure Design

How To – Secure Design
- Design Principles
- Design Patterns

Design Principles
- Simplify the design
- Least privilege
- Defense in depth
- Fail secure
- Secure by default
- Compartmentalize
- Attack Surface Reduction
- …

Design Patterns
- Trusted Subsystem
- Brokered Authentication
- …

How To - Secure Implementation

How To – Secure Implementation
- Coding Principles
- OS Fundamentals
- Common Errors
- Common Web Errors

Coding Principles
- Validate all user input
- Auditing and logging
- Limit resource consumption
- …

OS Fundamentals
- Access controls
- .NET code access security
- Java sandbox
- Cryptography
- …

Common Errors
- Integer overflows
- Failure to validate input
- Failure to protect sensitive data
- Failure to understand and protect across trust boundaries
- Insecure error messages
- Buffer overflows and other errors that occur only in compiled languages such as C/C++
- …

Common Web Errors
- Trusting client-side validation
- Failure to validate input and encode output
- Failure to protect the session
- Failure to protect against zero and one-click attacks
- Disclosing too much information
- …

How To - Security Testing

How To – Security Testing
- Security Testing is Different
- Think Like an Attacker
- Categories of Attack
- How to Test the Top 10

Security Testing is Different
- Intended Behavior
- Actual Behavior
- Traditional Bugs
- Most Security Bugs

Think Like an Attacker
- Security bugs:
  – Are much harder to spot…they often have no visible (to the human eye) behavior…we need better tools
  – Require us to think about side effects and what sensitive data might be exposed
  – Require us to “think backwards”…that is, instead of thinking what should happen, we need to think about what shouldn’t happen

Categories of Attack
- External dependencies
- Unanticipated user input
- Vulnerable design
- Vulnerable implementation

How to Test the Top 10
- Cross Site Scripting
- Injection Flaws
- Malicious File Execution
- Insecure Direct Object Reference
- Cross Site Request Forgery
- Information Leakage and Improper Error Handling
- Broken Authentication and Session Management
- Insecure Cryptographic Storage
- Insecure Communications
- Failure to restrict URL access

How To - Secure Deployment

How To – Secure Deployment
- Deployment Principles
- Deployment Patterns

Deployment Principles
- The importance of configuration
- How physical deployment impacts security
- How software design can make it easier to manage security and detect attacks post-deployment

Deployment Patterns
- Understand the common application types:
  – Mobile Client
  – Rich Client
  – Rich Internet Application
  – Service Interfaces (SAAS, S+S)
  – Web Application
- Understand the common deployment patterns:
  – Single server, non-distributed
  – Multiple server, distributed
- Understand the impact:
  – Impersonation and delegation
  – Layer interfaces
  – Trust boundaries

Compliance and Regulatory Standards

Regulatory Standards
- Overview of the regulation:
  – PCI
  – HIPAA
- Cover what these mean from a developer point of view
  – us/library/aa aspx

Special Topics

Additional Topics to Consider
- Privacy Issues
- Digital Rights Management (DRM)
- Social Engineering Attacks

Additional Resources

Resource List
- On the Web:
  – OWASP
  – CWE
  – SANS
  – SDL
  – BugTraq, NTBugTraq
  – patterns & practices security guides
- Books:
  – Writing Secure Code
  – Hacking Exposed Series
  – How to Break Software Security
  – The Security Development Lifecycle
  – Hunting Security Bugs