Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Security Initiative James Walden Northern Kentucky University.

Published byAldous Rogers Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Security Initiative James Walden Northern Kentucky University."— Presentation transcript:

1 Software Security Initiative James Walden Northern Kentucky University

2 CSC 666: Secure Software Engineering Topics 1.Security Operations 2.Web Application Firewalls 3.Build Security In Maturity Model

3 CSC 666: Secure Software Engineering Software Security Practices 1.Code Reviews 2.Risk Analysis 3.Penetration Testing Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing 4.Security Testing 5.Abuse Cases 6.Security Operations

4 CSC 666: Secure Software Engineering Security Operations User security notes Software should be secure by default. Enabling certain features/configs may have risks. User needs to be informed of security risks. Incident response What happens when a vulnerability is reported? How do you communicate with users? How do you send updates to users?

5 CSC 666: Secure Software Engineering Code Deployment Manage deployment process  Change management process.  Scrub debug/test code from software.  Use automated tools for deployment. Maintain three sets of servers  Development  Staging  Production

6 CSC 666: Secure Software Engineering Web Application Firewalls Analyze + filter HTTP traffic  Intrusion Detection  Intrusion Prevent Open Source WAFs  AQTronix WebKnight  Breach ModSecurity Commercial WAFs  Armorlogic Profense  Breach WebDefend  Citrix Application Firewall  Fortify Defender

7 CSC 666: Secure Software Engineering Modes of Operation  Bridge: transparent bridging firewall.  Router: install at single point of entry.  Reverse Proxy: traffic redirected to flow through WAF by DNS or routing.  Embedded: server plugin; no need to configure network but only works with some web servers.

8 CSC 666: Secure Software Engineering Modes of Operation Bridge or Router Embedded Reverse Proxy

9 CSC 666: Secure Software Engineering SSL  Terminates SSL: Reconfigure network to move SSL operations to WAF itself. WAF to server communication can be plaintext or SSL encrypted.  Passively decrypts SSL: WAF decrypts SSL traffic using copy of server’s SSL private key. Data travels untouched to web server.  Occurs after SSL: Embedded WAFs can be posititioned to analyze traffic after server decrypts SSL data.

10 CSC 666: Secure Software Engineering Traffic Blocking  Connection Intermediation: Traffic intercepted by WAF. Attacks blocked by not forwarding packets to destination.  Connection Reset: Traffic inspected by WAF, which blocks attacks by resetting TCP connections.  3 rd Party Blocking: Traffic inspected by WAF, which notifies other devices to block.

11 CSC 666: Secure Software Engineering Traffic Blocking WAFs can block  IP addresses  TCP connections  HTTP requests  Application sessions  Application users  Too many new requests/sessions WAFs can rewrite parts of HTTP request  Request headers  Response headers  Cookies  URLs  HTTP message bodies

12 CSC 666: Secure Software Engineering Canonicalization WAFs convert data to standard form  URL-decoding  Paths (.,.., \)  Mixed case  Whitespace condensation  HTML entity decoding  Escaped cahracter decoding  Unicode standardization

13 CSC 666: Secure Software Engineering Signatures and Rules Signatures  Text strings  Regular expressions Rules  Signatures +  Operators (length, field)  Logical expressions  Control flow  Session management

14 CSC 666: Secure Software Engineering BSI Maturity Model Guide for building and improving a SSI. Based on survey of top software security programs:  Adobe  Depository Trust and Clearing Corporation  EMC  Google  Microsoft  QUALCOMM  Wells Fargo Software Security Initiative Statistics  2-10 years old (average 4)  12-100 people (average 41)  Approximate 100:1 developer:security person ratio.

15 CSC 666: Secure Software Engineering Using the Maturity Model Executive leadership  Accountability and empowerment.  Difficultieis: Grassroots and network security. Identify organization security goals.  Identify which practices fit best with organizational culture. Use all 12 practices.  Better to put some level 1 activities in each practice in place than go to level 3 in one.  Not necessary to do all practices in level 1 before moving to level 2.

16 CSC 666: Secure Software Engineering Software Security Framework Governance: Practices that help manage and measure a software security program. Intelligence: Practices producing collection sof corporate knowledge used in swsec. SSDL Touchpoints: Practices associated with analysis and assurance of particular software development artifacts & processes. Deployment: Practices interfacing with network security and software configuration abd maintenance organizations.

17 CSC 666: Secure Software Engineering Software Security Framework

18 CSC 666: Secure Software Engineering Practices and Business Goals

19 CSC 666: Secure Software Engineering Strategy and Metrics

20 CSC 666: Secure Software Engineering Compliance and Policy

21 CSC 666: Secure Software Engineering Training

22 CSC 666: Secure Software Engineering Attack Models

23 CSC 666: Secure Software Engineering Security Features and Design

24 CSC 666: Secure Software Engineering Standards and Requirements

25 CSC 666: Secure Software Engineering Architecture Analysis

26 CSC 666: Secure Software Engineering Code Review

27 CSC 666: Secure Software Engineering Security Testing

28 CSC 666: Secure Software Engineering Penetration Testing

29 CSC 666: Secure Software Engineering Software Environment

30 CSC 666: Secure Software Engineering Configuration Management

31 CSC 666: Secure Software Engineering Ten Core Activities Everyone Does

32 CSC 666: Secure Software Engineering References 1.Brian Chess, Gary McGraw, Sammy Migues, Building Security In—Maturity Model, http://www.bsi-mm.com/ 2.CLASP, OWASP CLASP Project, http://www.owasp.org/index.php/Category:OWASP_CLASP_Project, 2008. http://www.owasp.org/index.php/Category:OWASP_CLASP_Project 3.Noopur Davis et. al., Processes for Producing Secure Software. IEEE Security & Privacy, May 2004. 4.Karen Goertzel, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.Enhancing the Development Life Cycle to Produce Secure Software 5.Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006. 6.Gary McGraw, Software Security, Addison-Wesley, 2006. 7.Ivan Ristic, Apache Security, O’Reilly, 2005. 8.Ofer Shezaf, ModSecurity “The Core Rule Set”: Generation detection of application layer attacksModSecurity "The Core Rule Set": Generic detection of application layer attacks, 6th OWASP AppSec Conference, 2007. 9.Web Application Security Consortium, “WAFEC, or how to choose WAF technology,” http://www.webappsec.org/projects/wafec/, 2006.http://www.webappsec.org/projects/wafec/

Download ppt "Software Security Initiative James Walden Northern Kentucky University."

Similar presentations

 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.

 The Citrix Application Firewall prevents security breaches, data loss, and possible unauthorized modifications to Web sites that access sensitive business.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewall Configuration Strategies

Firewall Configuration Strategies
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Chapter 12 Network Security.

Chapter 12 Network Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.

What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

Similar presentations

Ads by Google