May 2, 2007St. Cloud State University Software Security.

Slides:



Advertisements
Similar presentations
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Advertisements

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
OWASP Mobile Top 10 Why They Matter and What We Can Do
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Software Security.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
PHP Security.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
CSCE 548 Secure Software Development Risk-Based Security Testing.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University
Penetration Testing James Walden Northern Kentucky University.
A Security Review Process for Existing Software Applications
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Web 2.0 Security James Walden Northern Kentucky University.
August 1, The Software Security Problem August 1, 2006.
Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw.
OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.
Cross-Site Attacks James Walden Northern Kentucky University.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.
CSCE 522 Secure Software Development Best Practices.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
1 ITGD 2202 Supervision:- Assistant Professor Dr. Sana’a Wafa Al-Sayegh Dr. Sana’a Wafa Al-SayeghStudent: Anwaar Ahmed Abu-AlQumboz.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
CSCE 548 Secure Software Development Taxonomy of Coding Errors.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Marking Scheme for Semantic- aware Web Application Security HPC.
Web Applications Testing By Jamie Rougvie Supported by.
Security (Keep your site secure at extension level) Sergey Gorstka Fastw3b.
Web Security Group 5 Adam Swett Brian Marco. Why Web Security? Web sites and web applications constantly growing Complex business applications are now.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Module: Software Engineering of Web Applications
CSCE 548 Secure Software Development Risk-Based Security Testing
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
World Wide Web policy.
Software Security Testing
Software Security ITGD 2202 Supervision:- Assistant Professor
A Security Review Process for Existing Software Applications
Cross Sight scripting: Type-2
James Walden Northern Kentucky University
CS5123 Software Validation and Quality Assurance
Presentation transcript:

May 2, 2007St. Cloud State University Software Security

May 2, 2007St. Cloud State University Traditional Security is Reactive Perimeter defense (firewalls) Intrusion detection Over-reliance on cryptography Penetrate and patch Penetration testing

May 2, 2007St. Cloud State University The Problem is Software “75 percent of hacks happen at the application.” Theresa Lanowitz, Gartner Inc.

May 2, 2007St. Cloud State University Hackers “Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.” John Viega & Gary McGraw

May 2, 2007St. Cloud State University Developers Aren’t Ready “64% of developers are not confident in their ability to write secure applications” Bill Gates, RSA 2005

May 2, 2007St. Cloud State University Penetrate and Patch Discover flaws after deployment. Often by attackers. Users may not deploy patches. Patches may have security flaws (15%?) Patches are maps to vulnerabilities. Attackers reverse engineer to create attacks.

May 2, 2007St. Cloud State University A Growing Problem

May 2, 2007St. Cloud State University CVE Top 5 Vulnerabilities 1.Cross-site Scripting 2.SQL Injection 3.PHP Includes 4.Buffer Overflows 5.Path Traversal

May 2, 2007St. Cloud State University CVE #1: Cross-site Scripting Attacker causes a legitimate web server to send user executable content (Javascript, ActionScript) of attacker’s choosing. Typical Goal: obtain user auth cookies for –Bank site (transfer money to attacker) –Shopping site (buy goods for attacker)

May 2, 2007St. Cloud State University Anatomy of an XSS Attack 1. Login 2. Cookie Web Server 3. XSS Attack Attacker User 4. User clicks on XSS link. 5. XSS URL 7. Browser runs injected code. Evil Site saves cookie. 8. Attacker uses stolen cookie to hijack user session. 6. Page with injected code.

May 2, 2007St. Cloud State University CVE #2: SQL Injection 1.App sends form to user. 2.Attacker submits form with SQL exploit data. 3.Application builds string with exploit data. 4.Application sends SQL query to DB. 5.DB executes query, including exploit, sends data back to application. 6.Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--

May 2, 2007St. Cloud State University CVE #3: PHP Includes A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script. <?php // index.php include('config.php'); include('include.php'); // Script body ?> <?php //config.php $server_root = '/my/path'; ?> <?php //include.php include($server_root. '/someotherfile.php'); ?> GET /include.php?server_root=

May 2, 2007St. Cloud State University CVE #4: Buffer Overflows A program accepts too much input and stores it in a fixed length buffer that’s too small. char A[8]; short B; AAAAAAAABB AAAAAAAABB overflows0 gets(A);

May 2, 2007St. Cloud State University CVE #5: Directory Traversal The software, when constructing file or directory names from input, does not properly cleanse special character sequences that resolve to a file or directory name that is outside of a restricted directory. $filename = “/usr/local/www/template/$usertemp”; open TEMP, $filename; while ( ) { print; } GET /vulnerable?usertemp=../../../../etc/passwd

May 2, 2007St. Cloud State University Essential Facts Software Security ≠ Security Features –Cryptography will not make you secure. –Application firewalls will not make you secure. 50/50 Architecture/Implementation Problems. An Emergent Property of Software –Like Usability or Reliability –Not a Feature

May 2, 2007St. Cloud State University Security Problems SECURITY BUGS 50% Buffer overflow Command injection Cross-site scripting Integer overflow Race condition ARCHITECTURAL FLAWS 50% Cryptography misuse Lack of compartmentalization More privilege than necessary Relying on secret algorithms Usability problems

May 2, 2007St. Cloud State University Security as Risk Management Helps communicate security need to customer. –Cost of security vs. amount of potential losses. No system is 100% secure. –Some risks aren’t cost effective to mitigate. –Humans make mistakes. –New types of vulnerabilities are discovered.

May 2, 2007St. Cloud State University Risk Management 1.What assets are you trying to protect? 2.What are the risks to those assets? 3.Which risks do we need to mitigate? 4.What security measures would mitigate those risks? 5.Which of those measures is most effective, when considering cost, side effects, etc.?

May 2, 2007St. Cloud State University Software Security Practices 1.Code Reviews 2.Risk Analysis 3.Penetration Testing Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing 4.Security Testing 5.Abuse Cases 6.Security Operations

May 2, 2007St. Cloud State University Code Reviews 1.Find defects sooner in development lifecycle. (IBM finds 82% of defects before testing.) 2.Find defects with less effort than testing. (IBM—review: 3.5 hrs/bug, testing: hrs/bug.) 3.Find different defects than testing. (Can identify some design problems too.) 4.Educate developers about security bugs. (Developers frequently make the same mistakes.)

May 2, 2007St. Cloud State University Static Analysis Tools Automated assistance for code reviews Speed: review code faster than humans can Accuracy: 100s of secure coding rules False Positives Tool reports bugs in code that aren’t there. Complex control or data flow can confuse tools. False Negatives Tool fails to discover bugs that are there. Code complexity or lack of rules to check.

May 2, 2007St. Cloud State University Architectural Risk Analysis Fix design flaws, not implementation bugs. Risk analysis steps 1.Develop an architecture model. 2.Identify threats and possible vulnerabilities. 3.Develop attack scenarios. 4.Rank risks based on probability and impact. 5.Develop mitigation strategy. 6.Report findings

May 2, 2007St. Cloud State University Architecture Model Background materials –Use scenarios (use cases, user stories) –External dependencies (web server, db, libs, OS) –Security assumptions (external auth security, &c) –User security notes Determine system boundaries / trust levels –Boundaries between components. –Trust level of each component. –Sensitivity of data flows between components.

May 2, 2007St. Cloud State University Level 0 Data Flow Diagram

May 2, 2007St. Cloud State University Penetration Testing Test software in deployed environment. Allocate time at end of development to test. –Often time-boxed: test for n days. –Schedule slips often reduce testing time. –Fixing flaws is expensive late in lifecycle. Penetration testing tools –Test common vulnerability types against inputs. –Fuzzing: send random data to inputs. –Don’t understand application structure or purpose.

May 2, 2007St. Cloud State University Security Testing Intendended Functionality Actual Functionality Functional testing will find missing functionality. Injection flaws, buffer overflows, XSS, etc.

May 2, 2007St. Cloud State University Security Testing Two types of testing Functional: verify security mechanisms. Adversarial: verify resistance to attacks generated during risk analysis. Different from traditional penetration testing White box. Use risk analysis to build tests. Measure security against risk model.

May 2, 2007St. Cloud State University Abuse Cases Anti-requirements Think explicitly about what software should not do. A use case from an adversary’s point of view. Obtain Another User’s CC Data. Alter Item Price. Deny Service to Application. Developing abuse cases Informed brainstorming: attack patterns, risks.

May 2, 2007St. Cloud State University Security Operations User security notes –Software should be secure by default. –Enabling certain features/configs may have risks. –User needs to be informed of security risks. Incident response –What happens when a vulnerability is reported? –How do you communicate with users? –How do you send updates to users?

May 2, 2007St. Cloud State University Going Further Reading 1.Gary McGraw, Software Security, Addison-Wesley, Greg Hoglund and Gary McGraw, Exploiting Software, Addison- Wesley, Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, Web Sites 1.Build Security In 2.Fortify’s Vulnerability Catalog 3.Secure Programming for Linux and Unix HOWTO

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.