CSCE 548 Secure Software Development Final Exam – Review.

Project – Final Report
– Electronic submission: April 25, 5:00 pm
– Hard copy: April 25, :30 pm
CSCE Farkas

Final Project Format
Title
Author
Abstract: what you did in this paper
1. Introduction
2. Related work
3. Background information
4. Current research/development
5. Conclusions and Future Work
6. Group members’ contributions
References

FINAL EXAM

Reading
McGraw: Software Security: Chapters 1 – 9
Deadly Sins:
1. Chapter 1: Buffer overruns
2. Chapter 2: Format string problems
3. Chapter 3: Integer overflows
4. Chapter 4: SQL injection
5. Chapter 6: Failure to handle errors
6. Chapter 7: Cross-site scripting
7. Chapter 13: Information leakage
8. Chapter 14: Improper file access

Non-Textbook Reading
NEW:
– Secure Design Patterns, Software Engineering Institute, Carnegie Mellon
OLD:
– Lodderstedt et al., SecureUML: A UML-Based Modeling Language for Model-Driven Security, http://kisogawa.inf.ethz.ch/WebBIB/publications-softech/papers/2002/0_secuml_uml2002.pdf
– B. Littlewood, P. Popov, L. Strigini, "Modelling software design diversity - a review", ACM Computing Surveys, Vol. 33, No. 2, June 2001
– I. Alexander, Misuse Cases: Use Cases with Hostile Intent, IEEE Software, vol. 20, no. 1, Jan./Feb.
– B. Schneier on Security
– P. Meunier, Classes of Vulnerabilities and Attacks, Wiley Handbook of Science and Technology for Homeland Security

Final Exam
April 25, 2012, 5:30 pm – 7:30 pm
Room: 2A 15
Closed book – 1 page cheat sheet

19 Deadly Sins
– Overview of the sin -- at the level of the presentations, focusing on the textbook
– Affected languages
– How to detect?
– Best practices

Sample Questions – 19 Deadly Sins
– Explain why casting operations may lead to integer overflows.
– Why is it dangerous to use “gets” to read input in C/C++ code? Recommend an alternative.
– What is the difference between attack patterns and a taxonomy of programming errors?
– Indirect information flow may be created by inferences. Give an example of an unauthorized inference that cannot be controlled using traditional access control.
– Show example code for SQL injection. Explain the security problem.
– Why does a failed Windows impersonation create a security problem if not handled properly?
– Show the binary representations of the decimal numbers +70 and +80. Show their addition using an 8-bit register.
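As an added worked example for the integer questions above (not part of the original slides), this C program adds +70 and +80 in an 8-bit register, prints the binary patterns, flags the signed overflow, and contrasts a length check performed after a narrowing cast with the same check performed before it. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the 8-bit binary representation of v into out (needs 9 bytes). */
void to_bin8(uint8_t v, char out[9]) {
    for (int i = 0; i < 8; i++)
        out[i] = (v & (0x80u >> i)) ? '1' : '0';
    out[8] = '\0';
}

/* Interpret an 8-bit pattern as two's complement without relying on
 * implementation-defined conversion of out-of-range values to int8_t. */
int as_signed8(uint8_t v) { return v >= 128 ? (int)v - 256 : (int)v; }

/* Add a and b in an 8-bit register: the sum wraps modulo 256, and
 * *signed_overflow is set when both operands share a sign but the
 * result carries the opposite sign (the classic signed-overflow test). */
uint8_t add8(int8_t a, int8_t b, int *signed_overflow) {
    uint8_t sum = (uint8_t)((uint8_t)a + (uint8_t)b);   /* wraps: 150 stays 150, 362 -> 106 */
    int r = as_signed8(sum);
    *signed_overflow = ((a >= 0) == (b >= 0)) && ((r >= 0) != (a >= 0));
    return sum;
}

/* Casting pitfall (hypothetical helper): a length is validated only after
 * being narrowed, so 256 truncates to 0 and passes a check it should fail. */
int check_after_narrowing(unsigned int len, unsigned char limit) {
    unsigned char narrow = (unsigned char)len;   /* 256 -> 0 */
    return narrow <= limit;
}

/* Safe order: validate in the wide type, narrow only afterwards. */
int check_before_narrowing(unsigned int len, unsigned char limit) {
    return len <= limit;
}

int main(void) {
    char a[9], b[9], s[9];
    int ovf;
    uint8_t sum = add8(70, 80, &ovf);
    to_bin8(70, a); to_bin8(80, b); to_bin8(sum, s);
    printf("  %s (+70)\n+ %s (+80)\n= %s -> unsigned %u, signed %d, overflow=%d\n",
           a, b, s, sum, as_signed8(sum), ovf);
    printf("len 256 vs limit 200: after cast %d, before cast %d\n",
           check_after_narrowing(256, 200), check_before_narrowing(256, 200));
    return 0;
}
```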

Sample Questions
– Explain one way buffer overruns occur. Which languages are the most vulnerable?
– Define covert and overt communication channels.
– Explain the 2 stages of the buffer overrun attack.
– Why can binary arithmetic operations yield results on a computer that differ from the results on paper? Give an example.
– What type of access control does Windows support? Give a common access control mistake in a Windows environment.
– Should stored data be protected by operating system security or by database management system security?