CSCE 201 Secure Software Development Best Practices.

Slides:



Advertisements
Similar presentations
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Advertisements

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
CSCE 522 Building Secure Software. CSCE Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Copyright Justin C. Klein Keane InfoSec Training Introduction to Information Security Concepts.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Secure Software Development Security Operations Chapter 9 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.
1 Software Testing and Quality Assurance Lecture 14 - Planning for Testing (Chapter 3, A Practical Guide to Testing Object- Oriented Software)
Vulnerability Assessments
Static Code Analysis and Governance Effectively Using Source Code Scanners.
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
SEC835 Database and Web application security Information Security Architecture.
Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
CSCE 548 Secure Software Development Risk-Based Security Testing.
Software Quality Assurance Lecture #8 By: Faraz Ahmed.
Information Systems Security Computer System Life Cycle Security.
A Framework for Automated Web Application Security Evaluation
CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.
Discussing “Risk Analysis in Software Design” 1 FEB Joe Combs.
Risk Analysis vs Security Controls. Security Controls Risk assessment is a flawed safeguard selection method. There is a tendency to confuse security.
A Security Review Process for Existing Software Applications
Software Assurance Session 15 INFM 603. Bug hunting vs. vulnerability spotting Bugs are your code not behaving as you designed it. Many can be found by.
CSCE 548 Secure Software Development Test 1 Review.
CSCE 548 Code Review. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,
Risk Management for Technology Projects Geography 463 : GIS Workshop May
Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
CSCE 522 Secure Software Development Best Practices.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
1 ITGD 2202 Supervision:- Assistant Professor Dr. Sana’a Wafa Al-Sayegh Dr. Sana’a Wafa Al-SayeghStudent: Anwaar Ahmed Abu-AlQumboz.
CSCE 548 Building Secure Software. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,
CSCE 522 Secure Software Development Best Practices.
Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
CSCE 548 Architectural Risk Analysis. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 5 Next lecture: – Secure Software Construction Jan Jürjens,
CSCE 548 Secure Software Development Security Operations.
Chapter 1: Fundamental of Testing Systems Testing & Evaluation (MNN1063)
SecSDLC Chapter 2.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Session 1.31 RISK BASED AUDITING AN OVERVIEW BY R T I JAIPUR.
Secure Software Development Abuse Cases Chapter 8 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
Thomas L. Gilchrist Testing Basics Set 3: Testing Strategies By Tom Gilchrist Jan 2009.
Software Quality Assurance and Testing Fazal Rehman Shamil.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Secure Software Development Security Operations Chapter 9 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
What is a software? Computer Software, or just Software, is the collection of computer programs and related data that provide the instructions telling.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
CSCE 548 Secure Software Development Penetration Testing.
Information Warfare Summary. Information Security Information Assurance Information Warfare Information Dominance.
Security Development Lifecycle (SDL) Overview
CSCE 548 Secure Software Development Security Operations
SOFTWARE TESTING Date: 29-Dec-2016 By: Ram Karthick.
CSCE 548 Secure Software Development Risk-Based Security Testing
Security Testing Methods
Software Security Testing
CSCE 548 Secure Software Development Use Cases Misuse Cases
Software Security ITGD 2202 Supervision:- Assistant Professor
Lecture 17 ATAM Team Expertise
Software Engineering B.Tech Ii csE Sem-II
Operating system Security
A Security Review Process for Existing Software Applications
CSCE 548 Secure Software Development Test 1 Review
Chapter 27 Security Engineering
Introducing ISTQB Agile Foundation Extending the ISTQB Program’s Support Further Presented by Rex Black, CTAL Copyright © 2014 ASTQB 1.
White Box testing & Inspections
Presentation transcript:

CSCE 201 Secure Software Development Best Practices

2 Reading This lecture: G. McGraw, Software [In]security: Software Security Zombies, 07/2011,

3 How to address software security? Do not address at all Ad-hoc evaluation Add security features after the fact Identify security vulnerabilities Test security level Incorporate security throughout of SDLC

4 Checking for Known Vulnerabilities Need tool Possible attacks and attack types How the software behaves if something goes WRONG What motivates an attacker?

5 Three Pillars of Software Security Risk Management – Business case Software Security Touchpoints – Best practices Knowledge – Tools

6 Risk Management How much effort to invest in security Consequences of security breaches Acceptable-level of security Tracking and mitigating risk throughout the full SDLC

7 Knowledge Gathering, encapsulating, and sharing security knowledge Knowledge categories: – Prescriptive knowledge – Diagnostic knowledge – Historical knowledge Applied along the SDLC

8 Touchpoints System-wide activity: from design to testing and feedback Touchpoints: 1. Code review 2. Architectural risk analysis 3. Penetration testing 4. Risk-based security testing 5. Abuse cases 6. Security requirements 7. Security operations

9 Application of Touchpoints Requirement and Use cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field 5. Abuse cases 6. Security Requirements 2. Risk Analysis External Review 4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations

10 Misuse Cases Software development: making software do something – Describe features and functions – Everything goes right Need: security, performance, reliability – Service level agreement – legal binding How to model non-normative behavior in use cases? – Think like a bad guy

11 Misuse Cases Analyze system design and requirements – Assumptions – Failure of assumptions – Attack patterns Software that is used also going to be attacked What can a bad guy do and how to react to malicious use

12 Misuse Case Development Team work – software developers and security experts Identifying and documenting threats Creating anti-requirements: how the system can be abused Creating attack model – Select attack pattern relevant to the system – Include anyone who can gain access to the system

13 Application of Touchpoints Requirement and Use cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field 5. Abuse cases 6. Security Requirements 2. Risk Analysis External Review 4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations

14 Software Testing Application fulfills functional requirements Dynamic, functional tests late in the SDLC Contextual information

15 Security Testing Test: finding flaws in software can be exploited by attackers Quality, reliability and security are tightly coupled Software behavior testing – Need: risk-based approach using system architecture information and attacker’s model

16 Security Testing Look for unexpected but intentional misuse of the system Must test for all potential misuse types using – Architectural risk analysis results – Abuse cases Verify that – All intended security features work (white hat) – Intentional attacks cannot compromise the system (black hat)

17 Penetration Testing Testing for negative – what must not exist in the system Difficult – how to prove “non-existence” If penetration testing does not find errors than – Can conclude that under the given circumstances no security faults occurred – Little assurance that application is immune to attacks Feel-good exercise

18 Success of Penetration Testing Depends on skill, knowledge, and experience of the tester Important! Result interpretation Disadvantages of penetration testing: – Often used as an excuse to declare victory and go home – Everyone looks good after negative testing results

19 Behavior in the Presence of Malicious Attack What happens when the software fails? – Safety critical systems Track risk over time Security relative to – Information and services protected – Skills and resources of adversaries – Cost of protection System vulnerabilities

20 Malicious Input Software: takes input Trust input? – Malformed or malicious input may lead to security compromise – What is the input? Data vs. control Attacker toolkit

21 Traditional Software Development No information security consideration Highly distributed among business units Lack of understanding of technical security risks

22 Don’t stand so close to me Best Practices – Manageable number of simple activities – Should be applied throughout the software development process Problem: – Software developers: lack of security domain knowledge  limited to functional security – Information security professionals: lack of understanding software  limited to reactive security techniques

23 Vulnerability Monitoring Identify security weaknesses Methods: – Automated tools – Human walk-through – Surveillance – Audit – Background checks

24 Red Team Organized group of people attempting to penetrate the security safeguards of the system. Assess the security of the system  future improvement Requested or permitted by the owner to perform the assessment Wide coverage: computer systems, physical resources, programming languages, operational practices, etc.

25 Next Class Midterm exam

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.