Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,"— Presentation transcript:

1 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu Software Engineering Lifecycle Authors: Jan G. Hogle, Susan Gerhart This Document was Funded by the National Science Foundation Federal Cyber Service Scholarship For Service Program: Grant No. 0113627 Distributed July 2002 Embry-Riddle Aeronautical University Prescott, Arizona USA

2 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu Software Engineering Lifecycle Click on the diagram sections to view a slide

3 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu Academia produces students who: Aren't tuned into the dangers of buffer overflows Can't recognize a buffer overflow vulnerability when they see it, so they make the mistake in coding Are careless in their coding as well as inspection and testing tasks Are not made aware of buffer overflows by instructors or textbooks

4 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu Managers, Developers and QA specialists iterate through cycles of detailed design and coding but... Employ poor coding and quality skills learned in school Are often forced to use low-level languages like C Use established programming techniques that are highly error-prone Fail to incorporate inspection and design techniques known to prevent and discover buffer overflow Run levels of code they can't control but which are riddled with buffer overflows

5 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu Buffer Overflow Vulnerabilities not detected during development and QA get into products Vulnerable code slips through tests and inspection New products expose buffer overflows in old code from libraries and other vendors Proper use of products to avoid buffer overflows isn't known or documented

6 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu An End User may find a Buffer Overflow unintentionally or may search for it An ordinary user may observe unusual activity or symptoms of buffer overflow Security shops like Eeye and university groups search for vulnerabilities by playing the role of attackers on new and old products

7 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu An Attacker finds a way to force a buffer overflow to meet their purposes Attackers know common vulnerabilities of vendors and their products Attackers learn from the web and from each other how to make buffer overflows occur Attackers acquire ways to make buffer overflows lead to hijacking a system or planting seeds for future attacks

8 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu When product users find a buffer overflow and alert authorities, a flurry of patching occurs: An alert goes to the vendor and official sites like cert.org A confirmation, analysis, and explanation goes out to vendors and users as an advisory

9 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu The developer reaction team, security shop, and authorities issue a patch: Users of the product must install the patch to protect themselves and others Vendors issue multiple patches, often daily

10 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu The development organization responds to the buffer overflow vulnerability by: Fixing the underlying code problem in its later versions Replacing patches with corrected code Improving develpment processes and tools to avoid similar buffer overflows

11 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu There is no feedback to academia. If there were, it could: Make the pipeline of students more sensitive to buffer overflows Improve education and training materials - books, exercises, tools Encourage authors and instructors to raise the visibility of the buffer overflow problem Incorporate economic lessons of publicity and cost analyses from journalists and industry analysts

12 Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. http://sfsecurity.pr.erau.edu About this Project This presentation is part of a larger package of materials on buffer overflow vulnerabilities, defenses, and software practices. For more information, go to: http://nsfsecurity.pr.erau.eduhttp://nsfsecurity.pr.erau.edu Also available are: –Demonstrations of how buffer overflows occur (Java applets) –PowerPoint lecture-style presentations on an introduction to buffer overflows, preventing buffer overflows (for C programmers), and a case study of Code Red –Checklists and Points to Remember for C Programmers –An interactive module and quiz set with alternative paths for journalists/analysts and IT managers as well as programmers and testers –A scavenger hunt on implications of the buffer overflow vulnerability Please complete a feedback form at http://nsfsecurity.pr.erau.edu/feedback.html to tell us how you used this material and to offer suggestions for improvements.http://nsfsecurity.pr.erau.edu/feedback.html

Download ppt "Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,"

Similar presentations

Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Preventing Buffer Overflows (for C programmers)

Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Preventing Buffer Overflows (for C programmers)
Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.

Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.
1 SOFTWARE TESTING Przygotował: Marcin Lubawski. 2 Testing Process AnalyseDesignMaintainBuildTestInstal Software testing strategies Verification Validation.

1 SOFTWARE TESTING Przygotował: Marcin Lubawski. 2 Testing Process AnalyseDesignMaintainBuildTestInstal Software testing strategies Verification Validation.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
System Construction and Implementation Objectives:

System Construction and Implementation Objectives:
Chapter 5: Common Support Problems

Chapter 5: Common Support Problems
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
Chapter 10 Systems Operation, Support, and Security

Chapter 10 Systems Operation, Support, and Security
Discovering Computers Fundamentals, 2011 Edition Living in a Digital World.

Discovering Computers Fundamentals, 2011 Edition Living in a Digital World.
Web Usability by Scott Grissom1 Web Usability Scott Grissom Computer Science & Information Systems.

Web Usability by Scott Grissom1 Web Usability Scott Grissom Computer Science & Information Systems.
Why Security Testing Is Hard by Herbert H. Thompson presented by Carlos Hernandez.

Why Security Testing Is Hard by Herbert H. Thompson presented by Carlos Hernandez.
 QUALITY ASSURANCE:  QA is defined as a procedure or set of procedures intended to ensure that a product or service under development (before work is.

 QUALITY ASSURANCE:  QA is defined as a procedure or set of procedures intended to ensure that a product or service under development (before work is.
C Programmer Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: For C Programmers Author: Jedidiah.

C Programmer Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: For C Programmers Author: Jedidiah.
Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.

Applied Software Project Management Andrew Stellman & Jennifer Greene Applied Software Project Management Applied Software.
Systems Analysis and Design: The Big Picture

Systems Analysis and Design: The Big Picture
System Implementation. System Implementation and Seven major activities Coding Testing Installation Documentation Training Support Purpose To convert.

System Implementation. System Implementation and Seven major activities Coding Testing Installation Documentation Training Support Purpose To convert.
Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:

Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
Software Testing Life Cycle

Software Testing Life Cycle
By Anthony W. Hill & Course Technology1 Common End User Problems.

By Anthony W. Hill & Course Technology1 Common End User Problems.

Similar presentations

Ads by Google