Why is Commercial Software So Vulnerable (and How Can We Fix It)?
Adam L. Jacobs, CISSP, Principal Program Manager, Oracle
15/16 November 2005

Presentation transcript:

State of Things Today
Many vulnerabilities in commercial software
Typical vendors release dozens of fixes annually
No indication this is improving

Kinds of Vulnerabilities
Design Flaws
Implementation Flaws

Design Flaws
Occur when software is planned and specified without proper consideration of security requirements and principles
Examples:
–Cleartext passwords
–Weak or proprietary cryptography

Design Flaws
Why do Design Flaws happen?
–Rushed engineers
–Ignorance of security requirements or principles
Fortunately, software designs are improving!

Design Flaws
As Design Flaws are found, they are fixed in future releases
But... these can be deeply ingrained, architectural issues
Industry is moving in the right direction
Design Flaws are a minority of the security bugs we see

Implementation Flaws
Occur when software developers make a mistake when coding software
(Just like other bugs, but some have serious security implications!)
Implementation Flaws are independent of design

Implementation Flaws
Examples:
–Buffer overflows
–Integer over/underflows
–SQL Injection
–Format string
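The SQL injection item above is a good illustration of why these are implementation rather than design flaws: the design (look a user up by name) is sound, and the bug lives entirely in how one line of code builds the query. The following added example (not from the talk, not Oracle code) uses Python's built-in sqlite3 module with a constructed in-memory table; `find_user_vulnerable` splices untrusted input into the SQL text, while `find_user_safe` passes it as a bound parameter so the database never interprets it as SQL. The table, rows and function names are this example's own assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The implementation flaw: the caller's string becomes part of the SQL program.

    For name = "' OR '1'='1" the text sent to the engine is
        SELECT name, role FROM users WHERE name = '' OR '1'='1'
    whose WHERE clause is true for every row.
    """
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """The fix: the SQL text is constant and the value is bound separately.

    The driver hands the string to the engine as data, so quotes, OR and
    comment markers in it are matched literally against the name column.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups against a benign and a hostile input; returns the row counts."""
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        "benign_vulnerable": len(find_user_vulnerable(conn, "bob")),
        "benign_safe": len(find_user_safe(conn, "bob")),
        "hostile_vulnerable": len(find_user_vulnerable(conn, hostile)),
        "hostile_safe": len(find_user_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value} row(s)")
```

Both functions behave identically on ordinary names, which is why this class of bug survives functional testing; only the hostile input separates them, and a code review or static analyzer that flags string concatenation into `execute()` catches it before any tester tries a quote character.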

Implementation Flaws
Why do Implementation Flaws happen?
Human error
We cannot eliminate human error, but we can do more to minimize it
Most serious security bugs are due to these careless mistakes

How Can We Improve?
Education
–Not every developer can be a security expert
–Every developer must understand security fundamentals
At Oracle, we have had success with a web-based, on-demand secure coding training class

How Can We Improve?
Individual accountability
–Education makes people accountable!
–Hold developers accountable for writing quality code.
Automated tools
Power of the consumer

The End
Any questions?