
Slide 1: Build It Right; Build It Secure
Tom Neff, USAF Software Engineer & Process Improvement Specialist
CERT Conference ‘99

Slide 2: The Perfect Solution...

Slide 3: ...How Secure Is It?...

Slide 4: ...Absolutely Impenetrable!!!...

Slide 5: ...The Problem...
We need to communicate with the world to do our jobs.

Slide 6: ...The Solution...

Slide 7: ...The BIGGER Problem...

Slide 8: ...The REAL Solution.

Slide 9: Let’s Cover...
– A quick review of a typical product development lifecycle
– Where are folks CURRENTLY implementing security procedures?
– Where SHOULD you implement security?
– What can you do to decrease your cost for IT security?
– How can you make your IT security program more effective?

Slide 10: Typical Product Development
– Explore a concept
– Determine what the requirements are
– Turn the requirements into a valid design
– Convert the design into a viable product
– Put the product to daily use
– Perform maintenance as needed

Slide 11: Where does security get implemented?
– Concept Exploration?
– Requirements?
– Design?
– Development?
– Operations?
– Maintenance?

Slide 12: Maintenance
– Where currently MOST security is executed.
– Closing the door after the cows left.
– Many COTS products.
– Cost: 100x

Slide 13: Operations (1/2)
– Where currently most security problems are identified.
– Found by... trial and error, intrusion, corrupt data problems

Slide 14: Operations (2/2)
– Where currently most security problems are identified.
– Attacks occur here.
– Problems trigger search for resolution.
– Some attempt to be proactive.
– Help from CERT/CC.
– Cost: 90x

Slide 15: Development
– A good start.
– Product inspections: invite security folks.
– Consider Ada; advantages…
– Cost: 50x

Slide 16: Design
– A better start.
– Design security INTO the product.
– Have security folks assist with design.
– Keep it flexible.
– Cost: 10x

Slide 17: Requirements
– An even BETTER start.
– Include security features in the requirements.
– Defer any feature that may cause security problems.
– Cost: 2x

Slide 18: Concept Exploration
– Best place to start looking at security!!!
– Think security from the very beginning.
– Involve security in the whole process.
– Cheapest cost to implement security: 1x

Slide 19: *PC Computing’s Helpful Hints
Operations:
– Hack your own site.
– Use a port scanner to see what doors are open.
– Download Rhino9’s Ogre 0.9b at www.hackers.com/files/portscanners/ogre.zip
*PC Computing magazine, Sep 99 issue.

Slide 20: *PC Computing’s Helpful Hints
Development:
– Encrypt everything that leaves your control.
– If using Windows, you will need a 3rd-party product. PC Computing recommends Network Associates’ McAfee PGP Personal Privacy 6.5.1. Others include WinMagic’s SecureDoc and RSA Data Security’s SecurPC.
Courtesy PC Computing magazine, Sep 99 issue (www.pccomputing.com).

Slide 21: *PC Computing’s Helpful Hints
Design: “You need to get up to speed on... security issues now.”
Useful sites:
– www.microsoft.com/security
– www.ntbugtraq.com
– www.ntsecurity.net
– www.cert.org
– www.hackers.com
– www.icsa.net

Slide 22: +Software Development’s Helpful Hints
Requirements: Be aware of all vulnerabilities of your hardware, software, and comm.
Useful tools:
– Smart cards: www.smartcardforum.org
– E-commerce: www.visualcommerce.com
– Linux: www.unify.com
– Mobile code: www.security7.com
– Dynamic passwords: www.cryptocard.com
– Black box: www.bardon.com
– Net scanner: www.iss.net
– SW dongle: www.softlocx.com
+Software Development Magazine, Aug 99 issue.

Slide 23: Tom Neff’s Helpful Hints
Concept Exploration: Attend CERT Conf ‘00
– www.omaha.com/cert
– www.omaha.org/spin
– cert@omaha.com
– www.sdmagazine.com
– www.pccomputing.com/getnow

Slide 24: Tom Neff’s Helpful Hints
Process is EVERYTHING!
– Climb the process improvement ladder.
– Form a CERT & Red Team.
– Register with CERT/CC.
– Info Cons.
– Remember superchicken.

Slide 25: Tom Neff’s Helpful Hints
You can’t control what you can’t control.
Outsourcing is a double-edged sword:
– Gives you flexibility and possible savings.
– Gives others intimate access to your system (Gartner Group: Y2K).

Slide 26: tomneff@cyberdude.com
Final thoughts:
– READ (you can get a free subscription to almost any magazine).
– Use the web.
– Think like a hacker, act like a CEO.

