Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Engineering for Secure Systems Individual Research Project Hiram Garcia.

Published byKerrie Copeland Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Engineering for Secure Systems Individual Research Project Hiram Garcia."— Presentation transcript:

1 Software Engineering for Secure Systems Individual Research Project Hiram Garcia

2 Security Engineering “Security engineering is about building systems that are and can remain dependable in the face of malice, error or mischance. As a discipline, security engineering focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.”

3 Requirements Engineering* A cooperative, iterative and incremental process which aims at ensuring that: 1.All relevant requirements are explicitly known and understood at the required level of detail 2.A sufficient agreement about the system requirements is achieved between the stakeholders involved 3.All requirements are documented and specified in compliance with the defined documentation/specification formats and rules *Requirements Engineering: Fundamentals, Principles & Techniques – Klaus Pohl 3

4 Why Is RE SE Important? Flawed requirements a major cause of project failure – one of top ten failures in Standish CHAOS Reports Fixing an error in later phases 10x more expensive Incorrect requirements  Incorrect system leads to wasted costs System maybe unreliable for practical use disrupting normal day-to-day operations The primary vehicle for going from “vision” to “realization” 4

5 Main Kinds of Requirements 5 Product Requirements – Capability Requirements local to system, specific system functionality – Level of Service Requirements local to system, may affect many system requirements System Interface Requirements – varies, affects groups system requirements Project Requirements – global to project, affects overall system requirements Evolutionary Requirements – varies, effects design and implementation

6 Examples of Levels of Service Dependability – Reliability – Availability Usability – Ease of learning – Ease of use Performance Maintainability Portability Inter-operability (or binary portability) Reusability Security 6

7 Top 25 Most Dangerous Software Errors in 2011 1.SQL-injection 7.Used of Hard-coded credentials 8.Missing encryption of sensitive data 9.Unrestricted upload of file with dangerous type 11.Execution with unnecessary privileges Non errors: Phishing attacks, malware

8 SQL Injection 1.Figure out how the application handles bad inputs Insert something like hacker@programmerinterview.com‘ into an email address form field then there are basically 2 possibilities: 1 - The application will first “sanitize” the input, then, the application may run the sanitized input in the database query 2 - The application will not sanitize the input first - This is what the hacker is hoping would happen 2.Run the actual SQL injection attack

9 Phishing Attack Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. - Wikipedia

10 Phishing Attack - Amazon

11 Associated Press Twitter DOW Jones Index immediately following attach. http://abcnews.go.com/GMA/video/press-twitter-hacked-white-house-explosion-obama- injury-19029118

12 Types of Defenses AttackDefense SQL-injectionParameterized Queries or Stored Procedures Used of Hard-coded credentialsAvoid hard coding Missing encryption of sensitive dataEncrypt any sensitive data Unrestricted upload of file with dangerous type Restrict dangerous file type uploads Execution with unnecessary privilegesExecute with elevated privileges only when required Phishing Challenge–response Secret questions Multi-factor authentication Malware Keep Antivirus up to date Perform scheduled scans

13 Multi Factor Authentication Requires the presentation of two or more of the three authentication factors: 1.a knowledge factor ("something the user knows“) like password or pin, 2.a possession factor ("something the user has“) like phone call, text message or email, and 3.an inherence factor ("something the user is") like a finger print or retina scan.

14 Keywords & References 14 Keywords Secure Systems, Security, Software, Cloud computing References 1.“Software Engineering for Security: a Roadmap”, Premkumar T. Devanbu, Stuart Stubblebine 2.“SECURITY IN SOFTWARE ARCHITECTURE: A CASE STUDY”, Adam Sachitano, Richard O. Chapman, Ph.D., Member, IEEE and John A. Hamilton, Jr.,Ph.D., Senior Member, IEEE 3.“Secure Software Systems Engineering: The Secure Tropos Approach”, Haralambos Mouratidis 4.“Requirements Engineering”, Nupul Kukreja, Barry Boehm 5.Evernote hack shows that passwords aren't good enough by Tony Bradley http://www.pcworld.com/article/2030052/evernote-hack-shows-that-passwords-arent-good-enough.html http://www.pcworld.com/article/2030052/evernote-hack-shows-that-passwords-arent-good-enough.html 6.Twitter 2-Factor Authentication: What It Is and Why It Would Help National Security http://abcnews.go.com/Technology/ap-twitter-hack-cited-proof-factor-authentication- desperately/story?id=19031526#.UXv727XbPHR http://abcnews.go.com/Technology/ap-twitter-hack-cited-proof-factor-authentication- desperately/story?id=19031526#.UXv727XbPHR 7.Common Weakness Enumeration http://cwe.mitre.org/top25/#Listing http://cwe.mitre.org/top25/#Listing 8.Provide an example of SQL Injection http://www.programmerinterview.com/index.php/database-sql/sql-injection-example/ http://www.programmerinterview.com/index.php/database-sql/sql-injection-example/

Download ppt "Software Engineering for Secure Systems Individual Research Project Hiram Garcia."

Similar presentations

Software Quality Seung Yang CS 525 Software Engineering II Dr. Sheldon X. Liang.

Software Quality Seung Yang CS 525 Software Engineering II Dr. Sheldon X. Liang.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
  Cyberbullying can be as simple as continuing to send e- mail or text harassing someone who has said they want no further contact with the sender.

  Cyberbullying can be as simple as continuing to send e- mail or text harassing someone who has said they want no further contact with the sender.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.
Evaluating Architectures Quality control: rarely fun, but always necessary

Evaluating Architectures Quality control: rarely fun, but always necessary
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Threats to I.T Internet security By Cameron Mundy.

Threats to I.T Internet security By Cameron Mundy.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
Confidential Crisis Management Innovations, LLC. CMI CrisisPad TM Product Overview Copyright © 2011, Crisis Management Innovations, LLC. All Rights Reserved.

Confidential Crisis Management Innovations, LLC. CMI CrisisPad TM Product Overview Copyright © 2011, Crisis Management Innovations, LLC. All Rights Reserved.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Requirements Engineering

Requirements Engineering
Information Security Phishing Update CTC

Information Security Phishing Update CTC
Cyber Crime & Security Raghunath M D BSNL Mobile Services,

Cyber Crime & Security Raghunath M D BSNL Mobile Services,
ISEC0511 Programming for Information System Security

ISEC0511 Programming for Information System Security
What is Software Engineering? the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software”

What is Software Engineering? the application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software”

Similar presentations

Ads by Google