Software Assurance Session 13 INFM 603. Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security.

Slides:



Advertisements
Similar presentations
Configuration Management
Advertisements

Test process essentials Riitta Viitamäki,
Extreme Programming Alexander Kanavin Lappeenranta University of Technology.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION DEBUGGING Autumn 2011 Bug-Date: Sept 9, 1947.
Testing and Quality Assurance
Why Use Test Driven Development (TDD)?.  Why the need to change to TDD.  Talk about what TDD is.  Talk about the expectations of TDD.
Chapter 4 Quality Assurance in Context
Software Engineering Session 14 INFM 603. Software Software represents an aspect of reality –Input and output represent the state of the world –Software.
The Joel Test: 12 Steps to Better Code By Tim Denton.
Developer Testing and Debugging. Resources Code Complete by Steve McConnell Code Complete by Steve McConnell Safari Books Online Safari Books Online Google.
Architecture Support for Security Peter Chapman Michael Maass.
Debugging CPSC 315 – Programming Studio Fall 2008.
RIT Software Engineering
SE 450 Software Processes & Product Metrics 1 Defect Removal.
CS350/550 Software Engineering Lecture 1. Class Work The main part of the class is a practical software engineering project, in teams of 3-5 people There.
CSC 395 – Software Engineering Lecture 9: Testing -or- How I Stopped Worrying and Learned to Love the Bug.
1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level.
Implementation. We we came from… Planning Analysis Design Implementation Identify Problem/Value. Feasibility Analysis. Project Management. Understand.
Maintaining and Updating Windows Server 2008
CODING Research Data Management. Research Data Management Coding When writing software or analytical code it is important that others and your future.
Chapter 13: Defect Prevention & Process Improvement
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
Estimation Wrap-up CSE 403, Spring 2008, Alverson Spolsky.
Software Engineering Week 12 INFM 603. The System Life Cycle Systems analysis –How do we know what kind of system to build? User-centered design –How.
Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
Abstraction IS 101Y/CMSC 101 Computational Thinking and Design Tuesday, September 17, 2013 Carolyn Seaman University of Maryland, Baltimore County.
Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.
@benday #vslive Automated Build, Test & Deploy with TFS, ASP.NET, and SQL Server Benjamin
Software Assurance Session 15 INFM 603. Bug hunting vs. vulnerability spotting Bugs are your code not behaving as you designed it. Many can be found by.
Designing For Testability. Incorporate design features that facilitate testing Include features to: –Support test automation at all levels (unit, integration,
Chapter 8 – Software Testing Lecture 1 1Chapter 8 Software testing The bearing of a child takes nine months, no matter how many women are assigned. Many.
ICAPRG301A Week 4Buggy Programming ICAPRG301A Apply introductory programming techniques Program Bugs US Navy Admiral Grace Hopper is often credited with.
Integrating Security Design Into The Software Development Process For E-Commerce Systems By: M.T. Chan, L.F. Kwok (City University of Hong Kong)
SOFTWARE REUSE 28 March 2013 William W. McMillan.
Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
1 SEG4912 University of Ottawa by Jason Kealey Software Engineering Capstone Project Tools and Technologies.
Abstraction IS 101Y/CMSC 101 Computational Thinking and Design Tuesday, September 17, 2013 Marie desJardins University of Maryland, Baltimore County.
1 3. Computing System Fundamentals 3.1 Language Translators.
Dr. Tom WayCSC Testing and Test-Driven Development CSC 4700 Software Engineering Based on Sommerville slides.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
System Implementation System Implementation - Mr. Ahmad Al-Ghoul System Analysis and Design.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
1 Ch. 1: Software Development (Read) 5 Phases of Software Life Cycle: Problem Analysis and Specification Design Implementation (Coding) Testing, Execution.
Software Defects.
Chapter 8 Lecture 1 Software Testing. Program testing Testing is intended to show that a program does what it is intended to do and to discover program.
Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Unix Security Assessing vulnerabilities. Classifying vulnerability types Several models have been proposed to classify vulnerabilities in UNIX-type Oses.
Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.
Making knowledge work harder Process Improvement.
CS 5150 Software Engineering Lecture 22 Reliability 3.
Northwest Arkansas.Net User Group Jay Smith Tyson Foods, Inc. Unit Testing nUnit, nUnitAsp, nUnitForms.
How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
Software Development. The Software Life Cycle Encompasses all activities from initial analysis until obsolescence Analysis of problem or request Analysis.
Secure Programming Dr. X
Configuration Management
Types for Programs and Proofs
Secure Programming Dr. X
CS4311 Spring 2011 Process Improvement Dr
Some Important Techniques For Regression Testing That You Must Know.
DevOps CSCI 577b.
CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet
CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet
Applied Software Project Management
Case Study 1 By : Shweta Agarwal Nikhil Walecha Amit Goyal
Overview Activities from additional UP disciplines are needed to bring a system into being Implementation Testing Deployment Configuration and change management.
Albeado - Enabling Smart Energy
Presentation transcript:

Software Assurance Session 13 INFM 603

Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security Bad (buggy, insecure software) comes not from discrete, unpredictable, uncontrollable human errors, but from bad processes. We can't control human fallibility, but we can control processes

Today: from hands-on to meta- process Today's session: Hands-on vulnerability detection and correction (bug- hunting) Methods and processes for preventing, correcting, and managing bugs and vulnerabilities Models for measuring and improving processes

Bug-hunting in a simple web-app Webapp allows users to log in and record their SSN (see separate code, running site) Written (directly) in PHP, backed by MySQL database Find the vulnerabilities! (switch to browser)

Testing Manual vs. automated testing What are their pros and cons? How can you design to facilitate automation? Unit, integration, and system testing Test: components separately; integrated subsystems; then full system for implementation of requirements How to design for this model of testing? Regression testing, and test-driven development Keep bugs fixed; keep non-bugs absent; test, then code (jump to example)

Coding practice Coding standards Layout: readable code easier to debug Practice: avoid common pitfalls, build code in expected manner Code review Computers don't criticize; other coders do! Formalized in pair programming Code less Bugs per 100 lines surprisingly invariant Maximise re-use of code, yours and others

Design, proof, etc. Care in design of product Bad design leads t o messy workarounds; messy workarounds lead to bugs and vulnerabilities Formal and semi-formal proofs of correctness and code checkers Use appropriate libraries, levels of abstraction Catch mistakes early! The later in the development process you find bugs, the more difficult and expensive they are to fix.

Debugging is harder than coding! “Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it” – Brian W. Kernighan and P. J. Plauger, The Elements of Programming

Bug hunting and vulnerability spotting Bugs are your code not behaving as you designed it. Many can be found by testing for expected behaviour Users report, workaround bugs Maximum damage is normally loss of functionality Security vulnerabilities are someone smart making your system doing something unanticipated Difficult to test for in routine way Valuable knowledge to others; may not be reported! Maximum damage: ???

Security requires experience Develop knowledge of possible types of security vulnerability (buffer overflow, SQL injection, etc.) Brainstorm possible vulnerabilities Act as or employ white-hat hacker Monitor security updates for packages you use Reduce attack surface area Learn from the mistakes of others! (switch to CERT)

Managing bugs and vulnerabilities Even with good processes, (alleged) bugs will still turn up in system-level products, both in development and in deployment Tools for managing, tracking, performing statistics on such bugs and vulnerabilities essential, particularly on large projects. A core tool is the bug tracker (jump to Bugzilla)

Developing and measuring process Heroic age of software development: small teams of programming demigods wrestle with many-limbed chaos to bring project to success, or die in the attempt. Kind of fun for programmers... … not so fun for project stakeholders Current age of managed development:design controllable, measurable, repeatable processes for managing software development.

Models for software quality assurance Models and standards developed for software assurance, after pattern of other quality assurance standards (e.g. ISO 9000) Models don't tell you how to write good software … and they don't tell you what process to use to build good software They provide a yardstick for measuring the quality of your process management They measure whether you can measure your process

CMMI Maturity Levels CMMI has five levels of process maturity (with process areas to verify at each level): 1.Initial 2.Managed (e.g. Measurement and Analysis) 3.Defined (e.g. Organizational Process Focus) 4.Quantitatively Managed (e.g. Quantitative Project Management) 5.Optimizing (e.g. Causal Analysis and Resolution)

ISO ISO has six capability levels (each practice develops through these levels): 1. Not performed 2. Performed informally 3. Planned and tracked 4. Well-defined 5. Quantitatively controlled 6. Continuously improved

Qualitative, Quantitative, Improved Both CMMI and ISO embed the same sequence: 1.Qualitative management (e.g. process for code reviews, testing, etc.) 2.Quantitative management (metrics of performance) 3.Improvement (change process, check with metrics that improvement in quality results)

Example: MS SDL process Process: Security Development Lifecycle (SDL) Metric: Bug count (critical and serious, within year of release), on product versions before and after adoption of SDL. Result: ProductPre-SDLPost-SDL Windows 2000/ SQL Server Exchange Server

Applying Bug Count (jump to Bugzilla) How good a metric of software quality is “number of oustanding bugs”? Are there other reasons you (as a manager) might want to introduce it as a metric? What would you expect to be the most immediate effect if you introduced it as a metric (and tied programmer appraisal to it)?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.