Security at the Source.

Presentation on theme: "Security at the Source."— Presentation transcript:

1 Security at the Source

5 Fundamental Security Issues
- Poor Design
- Poor Configuration
- Software Coding Errors
- Human Error

6 Software Vulnerabilities
- Cross Site Scripting
- SQL Injection
- Buffer Overflow
- Unintentional / Intentional Functionality
- Complexity

7 Advisories
- Dec 15, 2004 (MS04-043) Buffer Over In HyperTerminal
- Nov 23, 2004 Winamp IN_CDDA Buffer Overflow
- Nov 23, 2004 SecureCRT - Remote Command Execution
- Oct 14, 2004 (MS04-033) Buffer Over In Microsoft Excel
- Oct 14, 2004 (MS04-032) SetWindowLong() Shatter Attacks
- Jul 14, 2004 (MS04-022) CHM File Heap Overflow
- Jul 14, 2004 (MS ) Utility Manager Loads Winhlp32 As SYSTEM
- Nov 11, 2003 (MS03-051) FrontPage Extensions Remote Command Execution
- Oct 15, 2003 (MS03-045) Listbox and ComboBox Overflow Advisory
- Jul 16, 2003 (MS03-028) ISA Server XSS Advisory
- Jun 25, 2003 (MS03-022) Windows Media Services Overflow #2 Advisory
- May 30, 2003 (MS03-019) Windows Media Services Overflow #1 Advisory

8 The Cost and Impact
Software bugs cost the U.S. economy an estimated $59.5 billion annually. More than a third of those costs, $22.2 billion, could be eliminated with improved testing and earlier identification of errors.
“Software vendors need automated tools that look for bugs in their code, but it may be a decade before many of those tools are mature and widely used.” (Amit Yoran, former director of cybersecurity for the U.S. Department of Homeland Security)

9 Some Issues
- Coding Securely
- Education
- Copying Code
- Open Source
- Bespoke Development

10 Current Protections
- Application Attack and Penetration
- Automated Attack Tools
- Configuration Analysis
- Vulnerability Analysis and Management
- Code Reviews
- Inspections
- Architecture Reviews
- Peer Reviews

11 What’s the need?
- Developers: include security testing in the development life cycle
- Auditors: improved quality and reduced time of source code analysis and inspection
- Quality Assurance: measure quality of code from development or outsourcers
- Change Control: retest code in every release rather than on first development

12 Security at the Source ™
- Design Security In
- Keep up to date with security weaknesses
- Automate / Reduce the Cost of the Process
- Build Better Systems

13 CodeScan
Testing Internet application source code for security weaknesses.
Approach:
- Start with the most widely used languages (Microsoft ASP / VBScript, PHP)
- Start with common coding problems
- Evolve the product over time to meet ongoing customer requirements

14 Features
- Client-based automation of web source code inspection
- Automated variable tracking
- Rating of vulnerabilities
- General and language-specific testing
- Includes ers
  - Cross Site Scripting
  - SQL Injection
  - User Input Filtering
- Extensive reporting and “fix” information
- Code “Healing”
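The CodeScan and Features slides describe the core technique without showing it: track variables that carry user input through ASP or PHP source, and report where they reach an output or query sink without passing through a filter, rating the result and attaching fix information. The following Python scanner is an added illustration of that "automated variable tracking" idea and is not CodeScan's code. It is a deliberately small model: it assumes one statement per line, that a sanitiser call anywhere in an expression wraps the whole value, and it only knows the sources, sinks and filters listed at the top. The PHP fragment it scans is constructed for the example; mysql_query and mysql_real_escape_string are the legacy PHP functions of the era the slides describe.

```python
"""Minimal taint tracker for PHP-style source (added example, not CodeScan's code).

Models the idea on the Features slide: follow user input through assignments and
report sinks it reaches without a filter for that weakness class.
Assumptions: one statement per line; a sanitiser call anywhere in an expression
wraps the whole value; only the sources/sinks/filters below are modelled.
"""
import re

# Where user-controlled data enters the program
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

# Where tainted data becomes dangerous, and which weakness class applies
SINKS = {
    "echo": "Cross Site Scripting",
    "print": "Cross Site Scripting",
    "mysql_query": "SQL Injection",
}

# Filters that neutralise taint for a given weakness class
SANITISERS = {
    "Cross Site Scripting": ("htmlspecialchars", "htmlentities", "intval"),
    "SQL Injection": ("mysql_real_escape_string", "intval"),
}

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
SINK_RE = re.compile(r"^\s*(echo|print|mysql_query)\b\s*(.+?);\s*$")
VAR_RE = re.compile(r"\$\w+")


def taint_of_expr(expr, env):
    """Return the weakness classes the value of `expr` is still dangerous for,
    given `env` (variable name -> taint set)."""
    taint = set()
    if any(src in expr for src in SOURCES):
        # raw user input is dangerous for every modelled class
        taint |= set(SANITISERS)
    for var in VAR_RE.findall(expr):
        # taint propagates through concatenation and "...$var..." interpolation
        taint |= env.get(var, set())
    for cls, funcs in SANITISERS.items():
        # simplification: a sanitiser call is assumed to wrap the whole value
        if any(re.search(rf"\b{f}\s*\(", expr) for f in funcs):
            taint.discard(cls)
    return taint


def scan(source):
    """Scan PHP-style source line by line; return (line, class, fix hint)
    for each sink reached by data still tainted for that sink's class."""
    env = {}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = taint_of_expr(m.group(2), env)
            continue
        m = SINK_RE.match(line)
        if m:
            cls = SINKS[m.group(1)]
            if cls in taint_of_expr(m.group(2), env):
                hint = "filter with " + " or ".join(SANITISERS[cls])
                findings.append((lineno, cls, hint))
    return findings


# Constructed sample input (not from the slides): lines 5, 10 and 12 are the
# expected findings; lines 6, 8 and 11 show correctly filtered input.
SAMPLE_PHP = """<?php
$name = $_GET['name'];
$id = intval($_GET['id']);
$safe_name = htmlspecialchars($name);
echo "Hello " . $name;
echo "Hello " . $safe_name;
$sql = "SELECT * FROM users WHERE id = " . $id;
mysql_query($sql);
$sql2 = "SELECT * FROM users WHERE name = '$name'";
mysql_query($sql2);
mysql_query("SELECT name FROM users WHERE name = '" . mysql_real_escape_string($name) . "'");
echo $safe_name . $name;
"""

if __name__ == "__main__":
    for lineno, cls, hint in scan(SAMPLE_PHP):
        print(f"line {lineno}: {cls} ({hint})")
```

The taint set is per weakness class rather than a single yes/no flag, which is what lets the scanner accept `$safe_name` at an `echo` but still flag it in a query: `htmlspecialchars` removes the Cross Site Scripting class only. Line 12 shows why per-operand tracking matters: concatenating one filtered and one unfiltered value is still unfiltered output. A production tool would replace the line regexes with a real parser and track calls and control flow, which is the gap the slide's "evolve the product over time" bullet points at.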

15 Outcomes
- Demonstrable duty of care
- Reduced development costs
- Security within the project lifecycle
- Improved security in end products
- Third party code inspections at affordable prices

16 Product Direction
- Developer Versions (ASP, PHP)
- Language Directions
  - Microsoft .NET
  - JSP / Java
  - Higher Level Languages
- Versions
  - Developer (Mass Market)
  - Consultant (Pay Per Application)
  - Enterprise (Client / Server)
- Comparative Analysis
- Enhanced Reporting
- Web Sales and Support

17 Demonstration
