
Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.


1 Introduction to Software Security
Information Networking Security and Assurance Lab, National Chung Cheng University
Jared, 2004/03/17

2 Introduction to Software Security
- Computer security is an important topic:
  - e-commerce is blossoming
  - the Internet works its way into every nook
- Underneath all of it lies a common enemy: bad software

3 It's All about the Software
- Software no longer just supports offices and home entertainment
- The biggest problem in computer security is the software itself
- You may have the world's best firewall, but…
- Malicious hackers do not create security holes; they exploit them

4 Hackers, Crackers, and Attackers
- Hacker
  - Originally a positive term
  - Sprang from MIT during the late 1960s
  - People who solve tricky problems through programming: the software engineer as MacGyver
  - Most people now use the word to mean a criminal. Are locksmiths burglars?

5 Hackers, Crackers, and Attackers
- Cracker
  - In the mid 1980s, hackers coined the term "cracker"
  - A cracker is someone who breaks software for nefarious ends

6 Hackers, Crackers, and Attackers
- Attacker
  - "Hacker" carries mixed, fuzzy connotations
  - So these slides say malicious hacker, attacker, or bad guy instead

7 Who is the Bad Guy?
- What hackers do: if they break into software, they should notify its author
- Bad guy
  - Little or no programming ability
  - Downloads, builds and runs attack programs written by others
  - Hackers call such a person a script kiddie
- Who wrote those programs? Hackers: some with malicious intent, some in the name of full disclosure

8 Dealing with Widespread Security Failures
- Popular sources for vulnerability information:
  - Bugtraq
  - CERT advisories
  - RISKS Digest

9 Dealing with Widespread Security Failures
- Bugtraq
  - Administered by securityfocus.com
  - An e-mail discussion list
  - The signal-to-noise ratio on Bugtraq is low
  - Practises full disclosure, which encourages vendors to fix problems more quickly

10 (no text on this slide)

11 Dealing with Widespread Security Failures
- CERT Advisories
  - CERT is a federally funded research and development center
  - Studies Internet security vulnerabilities
  - Provides incident response services
  - Publishes a variety of security alerts
  - Does not publicize an attack until a patch is available
  - Releases advisories only for significant problems

12 Dealing with Widespread Security Failures
- RISKS Digest
  - A mailing list, also carried as the newsgroup comp.risks
  - Most Java security attacks first appeared here

13 Technical Trends Affecting Software Security
- Computer networks are becoming ubiquitous
  - More systems to attack, more attacks, and greater risk from poor software security practice
- The size and complexity of information systems, and of the programs behind them, keep growing
  - C and C++ do not protect against buffer overflows
  - Improper configuration
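The slide's point that C and C++ do nothing to stop a buffer overflow is easiest to see on a fixed-size field with something sensitive stored right behind it. The following is an added example, not code from the slides or from the book they summarise; the `struct user` layout, `NAME_MAX` and the function names are assumptions chosen for the illustration. It places the classic unchecked `strcpy()` beside a version that measures first and refuses input that would not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* room for 15 characters plus the terminating NUL */

/* Assumed record layout: a fixed-size field with a privilege flag right
 * behind it, so an overflow of the field has something to land on. */
struct user {
    char name[NAME_MAX];
    int  admin;
};

/* UNSAFE. strcpy() stops only at the NUL byte of the source, so an input
 * of NAME_MAX bytes or more runs off the end of u->name and overwrites
 * whatever lies beyond it (here u->admin). C performs no bounds check;
 * the standard calls this undefined behaviour, and in practice it is how
 * most classic overflows start. Kept only for comparison. */
void set_name_unsafe(struct user *u, const char *input)
{
    strcpy(u->name, input);            /* no bound, no check */
}

/* Length of s, never reading more than max bytes (a portable stand-in for
 * POSIX strnlen, so untrusted input without a NUL cannot make us overread). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* SAFE. Measure first, refuse anything that would not fit together with
 * its NUL, and only then copy. Returns 0 on success and -1 on rejection.
 * Rejecting beats silently truncating with strncpy(): truncation changes
 * the meaning of the data, and strncpy() does not guarantee a terminator. */
int set_name_safe(struct user *u, const char *input)
{
    size_t len = bounded_len(input, NAME_MAX);
    if (len >= NAME_MAX)
        return -1;                      /* would overflow: refuse it */
    memcpy(u->name, input, len + 1);    /* len + 1 copies the NUL as well */
    return 0;
}

/* Runs set_name_safe on a zeroed record and reports the outcome:
 *  -1  input rejected, record left untouched
 *   0  input accepted, name stored intact, admin still 0
 *   1  accepted but the record was corrupted (must never happen) */
int safe_set_outcome(const char *input)
{
    struct user u;
    memset(&u, 0, sizeof u);
    if (set_name_safe(&u, input) != 0)
        return -1;
    return (strcmp(u.name, input) == 0 && u.admin == 0) ? 0 : 1;
}

int main(void)
{
    const char *ok = "alice";
    /* 19 characters: 16 fill name, "XYZ" and the NUL land in admin. */
    const char *too_long = "0123456789abcdefXYZ";
    struct user u;

    memset(&u, 0, sizeof u);
    set_name_unsafe(&u, too_long);
    /* Undefined behaviour; on the usual layout admin is now non-zero. */
    printf("unsafe: admin flag after overflow = %d\n", u.admin);

    printf("safe:   \"%s\" -> %d\n", ok, safe_set_outcome(ok));             /* 0 */
    printf("safe:   \"%s\" -> %d\n", too_long, safe_set_outcome(too_long)); /* -1 */
    return 0;
}
```

The boundary case is the one that catches people: a 15-character name is the longest that fits, because the sixteenth byte must be the NUL. Checking `len >= NAME_MAX` rather than `len > NAME_MAX` is what keeps the terminator inside the buffer.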

14 Technical Trends Affecting Software Security
- Systems are becoming extensible
  - Hard to prevent malicious code from slipping in
  - The plug-in architecture of Web browsers
  - Word processors, e-mail clients, spreadsheets

15 The 'ilities
- What is security?
  - Enforcing a policy that describes the rules for accessing resources
  - Requires a well-defined policy

16 The 'ilities
- Isn't that just reliability?
  - Comparing reliability with security
  - Reliability problems can be considered DoS problems: a crash an attacker can trigger at will is a security problem

17 Penetrate and Patch Is Bad
- Vendors have paid little attention to security
- Problems with the penetrate-and-patch approach:
  - Developers can only patch problems that they know about. Attackers may find problems that they never report to developers.
  - Patches are rushed out as a result of market pressures on vendors, and often introduce new problems of their own to a system.
  - Patches often only fix the symptom of a problem, and do nothing to address the underlying cause.
  - Patches often go unapplied, as system administrators tend to be overworked, and often do not wish to make changes to a system that "works". As we discussed above, system administrators are generally not security professionals.

18 Penetrate and Patch Is Bad (no further text on this slide)

19 On Art and Engineering
- Software engineering goes through the "Internet time" phenomenon
  - These days, Internet years rival dog years in shortness of duration
- Specifications are poorly written
  - Is a given flaw an implementation problem or a specification problem?

20 Security Goals
- Prevention
- Traceability and auditing
- Monitoring
- Privacy and confidentiality
- Multilevel security
- Anonymity
- Authentication
- Integrity

21 Security Goals
- Prevention
  - An ounce of prevention is worth a pound of punishment
  - Internet time is the enemy of software security
    - It speeds up the propagation of attacks
    - Zero day
  - Prevention is more important than ever

22 Zero day (no further text on this slide)

23 Security Goals
- Traceability and auditing
  - There is no 100% security
  - Audit trails are the key to recovering
  - For forensics: detect, dissect, and demonstrate an attack
- Monitoring
  - Real-time auditing
  - Intrusion detection systems (IDS)
  - Tripwires

24 Security Goals
- Privacy and confidentiality
  - They are deeply intertwined
  - Three groups care: individuals, business, and government
  - Lots of reasons for software to keep secrets and to ensure privacy
  - Whoever controls the machine a program is running on can pry out any secret the software may be trying to hide

25 Security Goals
- Multilevel security
  - Classification levels from Unclassified up to Top Secret
  - Applies equally to employees, business partners, and others
- Anonymity
  - A double-edged sword
  - Cookies


27 Security Goals
- Authentication
  - One of the big three security goals
  - Who, when, and how
  - Nowadays physical presence is not enough
  - Authentication on the Web
  - SSL: to whom are you actually connected?
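The closing question on this slide (to whom are you actually connected?) is what a TLS client has to settle by comparing the name it meant to reach against the names in the server's certificate. The following is an added example, not from the slides or from any TLS library: a conservative matcher for one certificate dNSName against the intended hostname, following the usual RFC 6125 rules (case-insensitive, a wildcard only as the whole left-most label, matching exactly one label, and never as `*.com`). It assumes the caller has already extracted the name from the certificate and validated the certificate chain; both steps are required and neither is done here. The function name `hostname_matches` is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated DNS names. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if 'host' (the name the client intended to reach) is matched
 * by 'pattern' (one dNSName taken from the peer certificate), else 0.
 * Rules implemented:
 *  - comparison is case-insensitive;
 *  - a wildcard is accepted only as the entire left-most label ("*.example.com"),
 *    never partial ("w*.example.com") and never in a later label;
 *  - the wildcard matches exactly one label, so it covers neither the bare
 *    domain ("example.com") nor a deeper name ("a.b.example.com");
 *  - the wildcard needs at least two labels to its right (no "*.com").
 * Anything the rules do not explicitly allow is refused. */
int hostname_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;

    /* No wildcard: the names must be identical (ignoring case). */
    if (strchr(pattern, '*') == NULL)
        return ieq(pattern, host);

    /* Wildcard form must be exactly "*." followed by the rest of the name. */
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;
    const char *suffix = pattern + 1;            /* ".example.com" */
    if (strchr(suffix, '*') != NULL)
        return 0;                                /* only one wildcard allowed */

    /* The suffix must contain at least two labels ("example" and "com"). */
    int dots = 0;
    for (const char *p = suffix + 1; *p; p++)
        if (*p == '.')
            dots++;
    if (dots < 1)
        return 0;                                /* refuses "*.com", "*." */

    /* The host must have exactly one non-empty label before the suffix. */
    const char *host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)
        return 0;
    return ieq(host_dot, suffix);
}
```

Name matching alone is not authentication: a certificate for `www.example.com` issued by nobody in particular matches just as well. The chain check answers "who vouches for this name", the hostname check answers "is it the name I asked for", and a client that skips either has not learned to whom it is connected.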

28 Security Goals
- Integrity
  - Staying the same? Not quite: data should change only in authorized ways
  - Stock prices as an example
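Slide 23 lists tripwires as a monitoring tool and slide 28 uses stock prices as its integrity example. The following added example (not from the slides, and not the Tripwire product's code) shows the mechanism both rely on: hash every record while it is known to be good, keep those hashes apart from the data, and later recompute and compare to find what changed. The quote feed is constructed for the example, and FNV-1a is a dependency-free stand-in for the collision-resistant hash (SHA-256 or better) a real monitor would use; the function names are assumptions.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a, 64-bit. Fast and non-cryptographic: fine for spotting accidental
 * change, but an attacker who can rewrite data can also forge an FNV
 * collision. A production monitor must use a cryptographic hash and store
 * the baseline where the attacker cannot update it alongside the data. */
uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;       /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;                /* FNV prime */
    }
    return h;
}

/* Constructed sample: a quote feed as it looked when the baseline was taken. */
static const char *const ORIGINAL_FEED[] = {
    "ACME,2004-03-17,42.10",
    "EXMP,2004-03-17,17.25",
    "TEST,2004-03-17,99.00",
};

/* The same feed after someone rewrote the price in the second record. */
static const char *const TAMPERED_FEED[] = {
    "ACME,2004-03-17,42.10",
    "EXMP,2004-03-17,71.25",
    "TEST,2004-03-17,99.00",
};

#define FEED_LEN (sizeof ORIGINAL_FEED / sizeof ORIGINAL_FEED[0])

/* Hash each known-good record into out[]; this is the baseline. */
void build_baseline(const char *const *records, size_t n, uint64_t *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = fnv1a64(records[i], strlen(records[i]));
}

/* Recompute and compare. Returns the index of the first record whose hash
 * differs from the baseline, or -1 if every record is unchanged. */
int first_mismatch(const char *const *records, size_t n, const uint64_t *baseline)
{
    for (size_t i = 0; i < n; i++)
        if (fnv1a64(records[i], strlen(records[i])) != baseline[i])
            return (int)i;
    return -1;
}

/* Audit 'current' against a baseline built from ORIGINAL_FEED. */
int audit_feed(const char *const *current)
{
    uint64_t baseline[FEED_LEN];
    build_baseline(ORIGINAL_FEED, FEED_LEN, baseline);
    return first_mismatch(current, FEED_LEN, baseline);
}

int main(void)
{
    uint64_t baseline[FEED_LEN];
    build_baseline(ORIGINAL_FEED, FEED_LEN, baseline);
    for (size_t i = 0; i < FEED_LEN; i++)
        printf("%016" PRIx64 "  %s\n", baseline[i], ORIGINAL_FEED[i]);

    printf("unchanged feed: first mismatch = %d\n", audit_feed(ORIGINAL_FEED)); /* -1 */
    printf("tampered feed:  first mismatch = %d\n", audit_feed(TAMPERED_FEED)); /* 1 */
    return 0;
}
```

The check detects that the second record changed and points at it, which is the "detect and dissect" half of the slide's forensics goal; it says nothing about who changed it or when, which is what the audit trail on the same slide is for.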

29 Software Project Goals
- Functionality: to solve a problem
- Usability: affects reliability
- Efficiency: security comes with significant overhead
- Time-to-market: Internet time happens
- Simplicity: good for both software and security

30 Conclusion
- Computer security is a vast topic
- The root of most security problems is software

