Software Assurance Session 15 INFM 603. Bug hunting vs. vulnerability spotting Bugs are your code not behaving as you designed it. Many can be found by.

Slides:

Advertisements

Similar presentations

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

Advertisements

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

1 Telstra in Confidence Managing Security for our Mobile Technology.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Introducing Computer and Network Security

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Summary of Lecture 1 Security attack types: either by function or by the property being compromised Security mechanism – prevention, detection and reaction.

1 Secure Your Business PATCH MANAGEMENT STRATEGY.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Introduction to Network Defense

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Computer Security Fundamentals Chuck Easttom Chapter 1 Introduction to to Computer Security.

Who Should be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments Terrence August Rady School of Management,

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Information Security Rabie A. Ramadan GUC, Cairo Room C Lecture 2.

Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.

By Hafez Barghouthi. Agenda Today Attack. Security policy. Measuring Security. Standard. Assest. Vulnerability. Threat. Risk and Risk Mitigation.

Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.

Operating System Security. OS manages and controls access to hardware components Older OSs focused on ensuring data confidentiality Modern operating systems.

Microsoft Security Development Lifecycle

Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Basic Security Networking for Home and Small Businesses – Chapter 8.

OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.

1 ISO 9001:2000 ISO 9001 is the creation of the International Organisation for Standardisation (ISO), a Swiss-based federation of national standards bodies.ISO.

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

Copyright © 2013 Pearson Education, Inc. Publishing as Prentice Hall

Software Assurance Session 13 INFM 603. Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security.

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

Security (Keep your site secure at extension level) Sergey Gorstka Fastw3b.

Microsoft Security Response Center Presented by Fan Chiang, Chun-Wei( 范姜竣韋 ) 2015/11/14 1 NTUIM.

Risk Assessment Richard Newman. Six Phases of Security Process 1. Identify assets 2. Analyze risk of attack 3. Establish security policy 4. Implement.

Small Business Security Keith Slagle April 24, 2007.

Chapter 1 COMPUTER AND NETWORK SECURITY PRINCIPLES.

Security Development Life Cycle Baking Security into Development September 2010.

1 Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise your system.

Chap1: Is there a Security Problem in Computing?.

CSCE 548 Secure Software Development Security Operations.

CSCE 201 Secure Software Development Best Practices.

Security fundamentals Topic 1 Addressing security threats and vulnerabilities.

The Digital Crime Scene: A Software Perspective Written By: David Aucsmith Presented By: Maria Baron.

CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.

Understand Malware LESSON Security Fundamentals.

Copyright © EWA IIT, Inc. June 17, 2002 © 2002  IIT, Inc. EWA Information & Infrastructure Technologies, Inc. 3 FOR OFFICIAL USE ONLY June 17, 2002 ©

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.

Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.

CompTIA Security+ Study Guide (SY0-401) Chapter 9: Malware, Vulnerabilities, and Threats.

HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,

Information Systems Security

CSCE 548 Secure Software Development Security Operations

Operating System Security

Critical Security Controls

Security Testing Methods

Compliance with hardening standards

INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.

Cyber Protections: First Step, Risk Assessment

Cybersecurity EXERCISE (CE) ATD Scenario intro

Microsoft’s Security Strategy

Risk Assessment Richard Newman

Cyber defense management

Home Internet Vulnerabilities

Cybersecurity ATD Scenario conclusion

Networking for Home and Small Businesses – Chapter 8

Networking for Home and Small Businesses – Chapter 8

Networking for Home and Small Businesses – Chapter 8

Operating System Concepts

Albeado - Enabling Smart Energy

Presentation transcript:

Software Assurance Session 15 INFM 603

Bug hunting vs. vulnerability spotting Bugs are your code not behaving as you designed it. Many can be found by testing for expected behaviour Users report, workaround bugs Maximum damage is normally loss of functionality Security vulnerabilities are someone smart making your system doing something unanticipated Difficult to test for in routine way Valuable knowledge to others; may not be reported! Maximum damage: ???

Strategic Thinking Decide what to protect Analyze vulnerabilities Adopt layered defenses

Risks Denial of service Malicious code Trojan horse Virus Spyware Botnet Impersonation Interception Man-in-the-middle attack Physical compromise Insider threat

Risk Assessment Likelihood Preconditions Event Severity Direct Costs Reputation Compliance

Scenarios Your bank account VA laptop Zero-day exploit

Mitigation Develop knowledge of possible types of security vulnerability (buffer overflow, SQL injection, etc.) Brainstorm possible vulnerabilities Act as or employ white-hat hacker (“red team”) Monitor security updates for packages you use Reduce attack surface area Learn from the mistakes of others!

Models for software quality assurance Models and standards developed for software assurance, after pattern of other quality assurance standards (e.g. ISO 9000) Models don't tell you how to write good software … and they don't tell you what process to use to build good software They provide a yardstick for measuring the quality of your process management They measure whether you can measure your process

CMMI Maturity Levels CMMI has five levels of process maturity (with process areas to verify at each level): 1.Initial 2.Managed (e.g. Measurement and Analysis) 3.Defined (e.g. Organizational Process Focus) 4.Quantitatively Managed (e.g. Quantitative Project Management) 5.Optimizing (e.g. Causal Analysis and Resolution)

ISO ISO has six capability levels (each practice develops through these levels): 1. Not performed 2. Performed informally 3. Planned and tracked 4. Well-defined 5. Quantitatively controlled 6. Continuously improved

Qualitative, Quantitative, Improved Both CMMI and ISO embed the same sequence: 1.Qualitative management (e.g. process for code reviews, testing, etc.) 2.Quantitative management (metrics of performance) 3.Improvement (change process, check with metrics that improvement in quality results)

Example: MS SDL process Process: Security Development Lifecycle (SDL) Metric: Bug count (critical and serious, within year of release), on product versions before and after adoption of SDL. Result: ProductPre-SDLPost-SDL Windows 2000/ SQL Server Exchange Server