Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 548 Building Secure Software. CSCE 727 - Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,

Published bySharlene Burns Modified over 9 years ago

Similar presentations

Presentation on theme: "CSCE 548 Building Secure Software. CSCE 727 - Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,"— Presentation transcript:

1 CSCE 548 Building Secure Software

2 CSCE 727 - Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly, http://cryptome.org/cyberinsecurity.htm http://cryptome.org/cyberinsecurity.htm Next lecture: – McGraw: Chapter 2

3 CSCE 727 - Farkas3 Why do we need software security? Software is essential in most every aspect of our life Current news (recommended): – Kelly Jackson Higgins, Dark Reading, SQL Injection Hack Infects 1 Million Web Pages, InformationWeek, January 5, 2012, http://www.informationweek.com/news/security/attacks/232301355 http://www.informationweek.com/news/security/attacks/232301355 – Gregg Keizer, Adobe plugs 6 critical holes in Reader, Computerworld, January 11, 2012, http://www.computerworld.com/s/article/9223344/Adobe_plugs_6_critical_holes_i n_Reader http://www.computerworld.com/s/article/9223344/Adobe_plugs_6_critical_holes_i n_Reader – Gregg Keizer, Microsoft patches critical Windows drive-by bug, Computerworld, January 10, 2012, http://www.computerworld.com/s/article/9223326/Microsoft_patches_critical_Win dows_drive_by_bug http://www.computerworld.com/s/article/9223326/Microsoft_patches_critical_Win dows_drive_by_bug

4 CSCE 727 - Farkas4 How to address software security? Do not address at all Ad-hoc evaluation Add security features after the fact Identify security vulnerabilities Test security level Incorporate security throughout of SDLC

5 CSCE 727 - Farkas5 This Course Not a software engineering course Understand basic security concepts and their impact Introduce systematic security design and development along project management Best practices

6 CSCE 727 - Farkas6 Security Objectives Confidentiality: prevent/detect/deter improper disclosure of information Integrity: prevent/detect/deter improper modification of information Availability: prevent/detect/deter improper denial of access to services Which objective SW security addresses?

7 CSCE 727 - Farkas7 Software Security NOT security software! Engineering software so that it continues to function correctly under malicious attack – Functional requirements – Non-functional requirements (e.g., security)

8 CSCE 727 - Farkas8 Why Software? Increased complexity of software product Increased connectivity Increased extensibility Increased risk of security violations!

9 CSCE 727 - Farkas9 Security Problems Defects: implementation and design vulnerabilities Bug: implementation-level vulnerabilities (Low- level or mid-level) – Static analysis tool Flaw: subtle, not so easy to detect problems – Manual analysis – Automated tools (for some but not design level) Risk: probability x impact

10 CSCE 727 - Farkas10 Application vs. Software Security Usually refers to security after the software is built – Adding more code does not make a faulty software correct – Sandboxing – Network-centric approach Application security testing: badness-ometer Deep Trouble Who Knows

11 CSCE 727 - Farkas11 Three Pillars of Software Security Risk Management Software Security Touchpoints Knowledge

12 CSCE 727 - Farkas12 Risk Management How much effort to invest in security Consequences of security breaches Acceptable-level of security Tracking and mitigating risk throughout the full SDLC

13 CSCE 727 - Farkas13 Touchpoints System-wide activity: from design to testing and feedback Focus on security from ground up Touchpoints: 1. Code review 2. Architectural risk analysis 3. Penetration testing 4. Risk-based security testing 5. Abuse cases 6. Security requiremetns 7. Security operations

14 CSCE 727 - Farkas14 Knowledge Gathering, encapsulating, and sharing security knowledge Knowledge catalogs: principles, guidelines, rules, vulnerabilities, exploits, attack patterns, historical risks Knowledge categories: – Prescriptive knowledge – Diagnostic knowledge – Historical knowledge Applied along the SDLC

15 CSCE 727 - Farkas15 Security Engineering Reduce the need for reactive technologies (e.g., intrusion detection) by safer products  Understand software Need for: – Software developers – Operations people – Administrators – Users – Executives

16 Start with Software Developers! CSCE 727 - Farkas16

17 CSCE 727 - Farkas17 Next Class Risk Management

Download ppt "CSCE 548 Building Secure Software. CSCE 727 - Farkas2 Reading This lecture: – McGraw: Chapter 1 – Recommended: CyberInsecurity: The Cost of Monopoly,"

Similar presentations

Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.

Engineering Secure Software. Does Security Even Matter?  At your table, introduce yourselves: Your name, degree, & app domain What is your favorite software.
CSCE 522 Building Secure Software. CSCE 548 - Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,

CSCE 522 Building Secure Software. CSCE Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
Copyright Justin C. Klein Keane InfoSec Training Introduction to Information Security Concepts.

Copyright Justin C. Klein Keane InfoSec Training Introduction to Information Security Concepts.
SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.

SOFTWARE SECURITY TESTING IS IMPORTANT, DIFFERENT AND DIFFICULT Review by Rayna Burgess 4/21/2011.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
TEST CASE DESIGN Prepared by: Fatih Kızkun. OUTLINE Introduction –Importance of Test –Essential Test Case Development A Variety of Test Methods –Risk.

TEST CASE DESIGN Prepared by: Fatih Kızkun. OUTLINE Introduction –Importance of Test –Essential Test Case Development A Variety of Test Methods –Risk.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.

Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
CSCE 548 Secure Software Development Risk-Based Security Testing.

CSCE 548 Secure Software Development Risk-Based Security Testing.
Software Quality Assurance Lecture #8 By: Faraz Ahmed.

Software Quality Assurance Lecture #8 By: Faraz Ahmed.
Computer Science and Engineering 1 Csilla Farkas Associate Professor Center for Information Assurance Engineering Dept. of Computer Science and Engineering.

Computer Science and Engineering 1 Csilla Farkas Associate Professor Center for Information Assurance Engineering Dept. of Computer Science and Engineering.
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.

CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.
A Security Review Process for Existing Software Applications

A Security Review Process for Existing Software Applications

Similar presentations

Ads by Google