Published by Marcus Craig. Modified over 9 years ago.
Slide 1: Software Security Course
Course Outline 2-27-09
Slide 2: Course Overview
Introduction to Software Security
Common Attacks and Vulnerabilities
Overview of Security Engineering
How To - Secure Design
How To - Secure Implementation
How To - Security Testing
How To - Secure Deployment
Compliance and Regulatory Standards
Special Topics
Additional Resources
Slide 3: Introduction to Software Security
Slide 4
Definition and Context
Why Security Matters
Myths and Urban Legends
Threats and Examples
Case Studies
Concepts and Definitions
Slide 5: Definition and Context
Software security as part of the larger problem of developing robust, reliable code
Describe the relationship between software security and:
  – Corporate information security policies
  – Corporate risk strategies
Explain the differences between software and network security:
  – Areas of overlap
  – Areas of divergence
  – Pros and cons of each area of investment
Slide 6: Definition and Context
CIA (confidentiality, integrity, availability) as a way to think about security
STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) as a way to assess the impact of a threat
DREAD (damage, reproducibility, exploitability, affected users, discoverability) as a way to categorize the severity of a threat
Slide 7: Why Security Matters
Customers care – now more than ever
Patching is expensive
Regulatory compliance
Security failures == business risk
Competitive advantage
Critical part of TCO
The threat environment is bad and getting worse
Attackers have the advantage
Slide 8: Myths and Urban Legends
Security is only required in the OS
  – 15% are OS vulns
I only need a good patch strategy
  – Mean time to attack: 330 days -> 2 weeks
I have a firewall, AV and IDS
  – 92% of vulns are software, not network
Functional testing finds security defects
  – Good practices from design to deployment are required
I use Java (or .NET)
  – Only helps with some classes of problem
I use cryptography
  – Helps with some threats, but is just one tool in the toolbox
Slide 9: Threats and Examples
Slide 11: Case Studies
Show real-world impact, examine past mistakes:
  – Love Virus
  – Sapphire Worm
  – TJX
  – Heartland
Slide 12: Concepts and Definitions
Asset
Attack
Control
Countermeasure or mitigation
Guideline
Information Security
Insider Threat
Policy
Privacy
Risk
Risk Analysis
Risk Assessment
Security Engineering
Security Requirement
Threat
Vulnerability
Slide 13: Common Attacks and Vulnerabilities
Slide 14
Types of Attackers
Attacker Motivation
Attacker Origin
Anatomy of an Attack
Attacker Tools
OWASP Top 10
CWE/SANS Top 25
Slide 15: Types of Attackers
Script Kiddies
Amateur Experts
Crack Experts
Professionals
Slide 16: Attacker Motivation
White Hat
Black Hat
Grey Hat
Slide 17: Attacker Origin
Internal attackers – the insider threat
External attackers
Slide 18: Anatomy of an Attack
Targeting
Probing
Attempting penetration
Securing hold
Cleanup and propagation
Slide 19: Attacker Tools
Whitebox
Greybox
Blackbox
Slide 20: OWASP Top 10
Cross Site Scripting
Injection Flaws
Malicious File Execution
Insecure Direct Object Reference
Cross Site Request Forgery
Information Leakage and Improper Error Handling
Broken Authentication and Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access
Slide 21: CWE/SANS 25 Most Dangerous
CWE and SANS put together a list of the 25 most dangerous coding errors:
  – Insecure interaction between components
  – Risky resource management
  – Porous defenses
http://www.sans.org/top25errors/
Slide 22: Overview of Security Engineering
Slide 23: Overview of Security Engineering
How it Fits
Key Activities
Slide 24: How it Fits
Slide 25: Key Activities
Threat Modeling
Security Design Best Practices
Security Design Review
Security Coding Best Practices
Security Code Review
Penetration Test
Security Deployment Review
Slide 26: How To - Secure Design
Slide 27: How To – Secure Design
Design Principles
Design Patterns
Slide 28: Design Principles
Simplify the design
Least privilege
Defense in depth
Fail secure
Secure by default
Compartmentalize
Attack Surface Reduction
…
Slide 29: Design Patterns
Trusted Subsystem
Brokered Authentication
…
Slide 30: How To - Secure Implementation
Slide 31: How To – Secure Implementation
Coding Principles
OS Fundamentals
Common Errors
Common Web Errors
Slide 32: Coding Principles
Validate all user input
Auditing and logging
Limit resource consumption
…
Slide 33: OS Fundamentals
Access controls
.NET code access security
Java sandbox
Cryptography
…
Slide 34: Common Errors
Integer overflows
Failure to validate input
Failure to protect sensitive data
Failure to understand and protect across trust boundaries
Insecure error messages
Buffer overflows and other errors that occur only in compiled languages such as C/C++
…
Slide 35: Common Web Errors
Trusting client-side validation
Failure to validate input and encode output
Failure to protect the session
Failure to protect against zero- and one-click attacks
Disclosing too much information
…
Slide 36: How To - Security Testing
Slide 37: How To – Security Testing
Security Testing is Different
Think Like an Attacker
Categories of Attack
How to Test the Top 10
Slide 38: Security Testing is Different
Diagram of two overlapping sets, Intended Behavior and Actual Behavior: Traditional Bugs lie in the intended behavior the software fails to exhibit; Most Security Bugs lie in the actual behavior that was never intended.
Slide 39: Think Like an Attacker
Security bugs:
  – Are much harder to spot: they often have no behavior visible to the human eye, so we need better tools
  – Require us to think about side effects and what sensitive data might be exposed
  – Require us to "think backwards": instead of thinking about what should happen, we need to think about what shouldn't happen
Slide 40: Categories of Attack
External dependencies
Unanticipated user input
Vulnerable design
Vulnerable implementation
Slide 41: How to Test the Top 10
Cross Site Scripting
Injection Flaws
Malicious File Execution
Insecure Direct Object Reference
Cross Site Request Forgery
Information Leakage and Improper Error Handling
Broken Authentication and Session Management
Insecure Cryptographic Storage
Insecure Communications
Failure to Restrict URL Access
Slide 42: How To - Secure Deployment
Slide 43: How To – Secure Deployment
Deployment Principles
Deployment Patterns
Slide 44: Deployment Principles
The importance of configuration
How physical deployment impacts security
How software design can make it easier to manage security and detect attacks post-deployment
Slide 45: Deployment Patterns
Understand the common application types:
  – Mobile Client
  – Rich Client
  – Rich Internet Application
  – Service Interfaces (SAAS, S+S)
  – Web Application
Understand the common deployment patterns:
  – Single server, non-distributed
  – Multiple server, distributed
Understand the impact:
  – Impersonation and delegation
  – Layer interfaces
  – Trust boundaries
Slide 46: Compliance and Regulatory Standards
Slide 47: Regulatory Standards
Overview of the regulation:
  – PCI
  – HIPAA
Cover what these mean from a developer point of view
  – http://msdn.microsoft.com/en-us/library/aa480484.aspx
Slide 48: Special Topics
Slide 49: Additional Topics to Consider
Privacy Issues
Digital Rights Management (DRM)
Social Engineering Attacks
Slide 50: Additional Resources
Slide 51: Resource List
On the Web:
  – OWASP
  – CWE
  – SANS
  – SDL
  – BugTraq, NTBugTraq
  – patterns & practices security guides
Books:
  – Writing Secure Code
  – Hacking Exposed Series
  – How to Break Software Security
  – The Security Development Lifecycle
  – Hunting Security Bugs