engineering secure software
play

Engineering Secure Software The Basics of Software Security - PowerPoint PPT Presentation

Mar 19, 2023 •719 likes •1.54k views

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

  1. Engineering Secure Software

  2. The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to the software Attack : an attempt to damage or gain access to the system Exploit : a successful attack Trust Boundary : where the level of trust changes for data or code 2

  3. The Basics of Software Security The Superbowl Example • You are preparing for the Superbowl • Who is your opponent? App Security Football − The Over-the-Hill Gang − Script Kiddies − The Walking Wounded − Hacktivists − Last Year's Team − The Criminal Element − Next Year's Team − A Disgruntled Employee − The Best Thing Ever − Corporate Spy − Black Hat Warrior 3

  4. The Basics of Software Security Attackers • Attackers can be anywhere • And they may or may not know they are attackers salon.com • The number one cause of data breaches is "employee error" • But the malicious or criminally motivated elite hacker is still the focus • AKA: A Threat Agent So what is the percentage? 4

  5. The Basics of Software Security The Superbowl Example • What are the threats to your team? Football App Security − The Long Bomb − Spoofing − Three Yards and a Cloud of Dust − Tampering − Run and Gun − Repudiation − T-Option − Information Disclosure − The Nickel Defense − Denial of Service − Elevation of Privilege 5

  6. The Basics of Software Security STRIDE Model • The STRIDE Model defines 6 general threat types – Spoofing – Tampering – Repudiation – Information Disclosure – Denial of Service – Elevation of Privilege Give an example of each? 6

  7. The Basics of Software Security Threats • Threats represent a potential danger to the security of one or more assets or components – Threats could be malicious, accidental, due to a natural event, an insider, an outsider, … – A single software choice can result in many threats. – Threats exist even if there are no vulnerabilities • No relaxing • Threats change with system changes How can a change in software result in either or fewer threats? 7

  8. The Basics of Software Security Types of Threats • Social threats: people are the primary attack vector • Operational threats: failures of policy and procedure • Technological threats: technical issues with the system • Environmental threats: from natural or physical facility factors • The threats themselves are the same, but this is a different view – Threats have certain sources (Social, Operational, Technical, Environments) Which of these is likely to have – And certain security impacts (STRIDE) the biggest impact on your development? Most likely to result in vulnerabilities? Hardest to contain? 8

  9. The Basics of Software Security Social Threats • Intentional or accidental (carelessness or ignorance) • Failure to restrict information and systems to the minimal set of people • Failure to have adequate staff for security services • Failure to adequately vet personnel with sensitive positions • Malicious behavior Would anyone like to offer an example? 9

  10. The Basics of Software Security Operational Threats • Inadequate or improper policies, procedures or internal controls • Inadequate change management or application monitoring • Inadequate business continuity plans • Failure to comply with legal or regulatory requirements or contractual agreements Why is it a threat to not meet compliance requirements? Why is this stuff in a secure coding course ? 10

  11. The Basics of Software Security Technology Threats • Implementation failures • Design failures • Interoperability issues • Hardware and software compatibility • Deployment failures 11

  12. The Basics of Software Security Environmental Threats • Backups, data recovery and disaster recovery must be given sufficient attention • The physical location of the systems and data must be secured • Access to physical spaces must be limited and monitored 12

  13. The Basics of Software Security The Superbowl Example • What are your vulnerabilities? Football App Security − Sore-armed quarterback − Injection weakness − Injured secondary − Security Misconfiguration − Poor pass defense − Insecure logs − Inaccurate kicker − Weak Access Control − Open Redirect 13

  14. The Basics of Software Security Vulnerability • A defect in software or the surrounding processes that could result in the compromise of system assets • Vulnerabilities can be classified as: – Design vulnerability – Implementation vulnerability – Testing vulnerability – Deployment vulnerability – Patch and update vulnerability – Maintenance vulnerability – Environmental vulnerability 14

  15. The Basics of Software Security The Superbowl Example • What type of attacks can you expect? Football App Security − Sideline buttonhook route − SQL injection − Crossing route − Phishing against customer − Fullback off-tackle − Forceful browsing − Bootleg right − Parameter Tampering − Safety blitz − Facility break-in − Seven-man front − SYN Flood − Missed field goals 15

  16. The Basics of Software Security Attacks • Attacks – An attempt by someone, known as the attacker, to realize a threat against a system – The attacker can determine the various threats that exist for a system • And select different attacks and attack vectors to try – Successful attackers are generally clever and knowledgeable – There are many ways to implement attacks – An Attack Vector is a specific method of implementing an attack • Modifying data in a form field to issue an SQL Injection attack • Tampering with data in a POST request to issue a Cross-site Scripting attack How does an attacker • Entering a very long input to see what happens know the Attack Surface? 16

  17. The Basics of Software Security Some Common Attack Vectors • Malware: malicious software introduced into the system • Denial of Service: hindering the proper functioning of the system • Injection: forcing attacker code into the execution stream of the application • Buffer Overflow: overwriting memory areas to create unexpected conditions • Forceful Browsing: accessing areas of the code that should not be exposed to the user • Parameter Tampering: modifying data during communication 17

  18. The Basics of Software Security The Attack Surface • All of the threats impinging on a system are called the Attack Surface. • As an architect or developer, you seek to minimize the Attack Surface by developing securely Default Passwords Injection 18

  19. The Basics of Software Security Exploits • When the attacker succeeds in an attack and can harm your system • The exploit is a series of steps that attackers can use to do damage and in some cases, cover their tracks • Once known, easily communicated through the Internet • Zero-day attack exploit – An exploit against a previous unknown vulnerability that cannot be addressed quickly enough to prevent damage • Breach: an exploit, especially one that involves the exposure of data 19

  20. The Basics of Software Security Risk • The potential cost of a threat • Risk = Prob(Exploit) x Expected Cost • Direct and indirect damages, reputation loss, etc. • The exploit causes some or all of those costs to be realized, but the potential cost is there because of the threat • You don’t have to wait for the exploit to know what the cost might be, and you shouldn't What would be the reputation damage to your company from an exploit that results in the exposure of data? 20

  21. The Basics of Software Security DREAD Model 𝑆𝑗𝑡𝑙 = (D + R + E + A + D)/5 • Where each of the following are evaluated 1 (low) - 5 – D = Damage Potential – R = Reproducibility – E = Exploitability – A = Affected Users – D = Discoverability 21

  22. The Basics of Software Security The Superbowl Example • Evaluate the risk of each attack Football App Security − Sideline buttonhook route (3.5) − SQL injection (3.5) − Crossing route (3.2) − Phishing against customer (2.2) − Fullback off-tackle (2.1) − Forceful browsing (2.0) − Bootleg right (4.1) − Parameter Tampering (3.6) − Safety blitz (4.4) − Facility break-in (0.6) − Seven-man front (1.6) − SYN Flood (1.1) − Missed field goals (4.8) 22

  23. The Basics of Software Security Apply Countermeasures • Do Nothing; accept the risk • Outsource the risk; transfer it to someone else • Eliminate the asset • Reduce the risk – Mitigate the vulnerability – Remove the threat 23

  24. The Basics of Software Security The Superbowl Example • Reduce the attack surface Football App Security − Activate a new kicker − Use Secure Design methods − Go with the no-huddle offense − Penetration Testing − Use a 3-4 defense − Use Code Reviews − Quick kick on third down − Centralized input processing − Fake field goal − Use secure communication 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

Course Overview Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S. Meyers 1 In-Person Procedures When you enter/leave the classroom: Grab a towel and wipe down your work station

299 views • 10 slides
Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering

Usability Engineering Secure Software Last Revised: October 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Quote: Taher El-Gamal, Inventor of SSL Security professionals always struggle with the general public because

753 views • 30 slides
Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recap Symmetric keys Benefit: fastest, mathematically the strongest Drawback:

425 views • 23 slides
Insider Threat Engineering Secure Software Last Revised: November 11, 2020 SWEN-331: Engineering

Insider Threat Engineering Secure Software Last Revised: November 11, 2020 SWEN-331: Engineering

Insider Threat Engineering Secure Software Last Revised: November 11, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Lottery Story At a lottery agency, a manager was able to turn losing tickets into winners He would buy

309 views • 19 slides
Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020

Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020

Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Networks, Cryptography, and You Most application developers Dont implement networking

333 views • 30 slides
VOTD: XSS & CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS & CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331:

VOTD: XSS & CSRF Engineering Secure Software Last Revised: September 8, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is XSS? XSS: Cross Site Scripting Injecting malicious scripts into a web page CWE-79

772 views • 12 slides
Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020

Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020

Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Last Time... Always code defensively Validating input Principles

476 views • 19 slides
Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020

Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020

Deployment & Distribution Engineering Secure Software Last Revised: November 6, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 SE Doesnt End at Release Deployment counts too Despite our best efforts to produce

487 views • 20 slides
Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331:

Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331:

Man in the Middle Attacks Engineering Secure Software Last Revised: September 1, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 High Level View Allows the hacker to sit in between all communication between client and

398 views • 15 slides
VOTD: SQL Injection Engineering Secure Software Last Revised: September 3, 2020 SWEN-331:

VOTD: SQL Injection Engineering Secure Software Last Revised: September 3, 2020 SWEN-331:

VOTD: SQL Injection Engineering Secure Software Last Revised: September 3, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is SQL Injection? Manipulating query strings to execute code Injecting SQL commands into

379 views • 9 slides
Networking & Network Attacks Engineering Secure Software Last Revised: August 28, 2020

Networking & Network Attacks Engineering Secure Software Last Revised: August 28, 2020

Networking & Network Attacks Engineering Secure Software Last Revised: August 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Why Do We Study Networks? Networks scans are the most prevalent method of understanding

1.3k views • 44 slides
Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Review: Principle of Least Privilege Every user, thread, process, module needs permissions to run

459 views • 29 slides
VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020

VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020

VOTD: OS Command Injection Engineering Secure Software Last Revised: September 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is OS Command Injection Executing arbitrary commands on the host OS via a vulnerable

272 views • 8 slides
Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 How Bad is Bad? Weve seen many vulnerabilities Many of them can do catastrophic

541 views • 35 slides
White Box Testing & Code Inspections Engineering Secure Software Last Revised: September 28,

White Box Testing & Code Inspections Engineering Secure Software Last Revised: September 28,

White Box Testing & Code Inspections Engineering Secure Software Last Revised: September 28, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 The Power of Source Code White box testing Testers have intimate knowledge

382 views • 15 slides
Civil Li'ga'on Ethics: From Deposi'ons to Trial and Beyond

Civil Li'ga'on Ethics: From Deposi'ons to Trial and Beyond

Civil Li'ga'on Ethics: From Deposi'ons to Trial and Beyond To participate in today s live polls please: Text PLANATL to 22333 to join. Once joined simply text A,B,C, or D to submit your

707 views • 49 slides
COLORADO EDUCATION ISSUES SURVEY April 22 nd May 9 th , 2019 2 Colorado Education Issues

COLORADO EDUCATION ISSUES SURVEY April 22 nd May 9 th , 2019 2 Colorado Education Issues

1 COLORADO EDUCATION ISSUES SURVEY April 22 nd May 9 th , 2019 2 Colorado Education Issues Survey, 731n, +/-3.54 MoE, May 2019 Methodology Magellan Strategies is pleased to present the results of a 731n of live telephone and online

906 views • 90 slides
1 Cont ntent nts Contents Section 1 Defining Financial Crime 4 Section 2 Global

1 Cont ntent nts Contents Section 1 Defining Financial Crime 4 Section 2 Global

1 Cont ntent nts Contents Section 1 Defining Financial Crime 4 Section 2 Global Financial Crime Trends 9 1 Section 3 Anti Fraud Framework 3 16 Section 4 Gaps in Anti Fraud Framework 19 Section 6 Standard to Address

709 views • 26 slides
This appeal by the assessee is directed against the order of the Commissioner of Income Tax

This appeal by the assessee is directed against the order of the Commissioner of Income Tax

IN THE INCOME TAX APPELLATE TRIBUNAL D BENCH, MUMBAI BEFORE SHRI SHAMIM YAHYA, AM AND SHRI SAKTIJIT DEY, JM I.T.A. No. 3195/Mum/2018 (Assessment Year: 2014-15) M/s. Robust Transportation Private DCIT-3(3)(1), Limited Mumbai Vs. 608,

582 views • 18 slides
Company Overview September 9. 2019 ILS Overview Services 4.8 million member lives across 30+

Company Overview September 9. 2019 ILS Overview Services 4.8 million member lives across 30+

Company Overview September 9. 2019 ILS Overview Services 4.8 million member lives across 30+ customers ILS is a technology-enabled management services In 2019, ILS expects to generate $306mm of revenue and company that optimizes the

175 views • 5 slides
DSTT State of Good Repair Program Brief November 7, 2019 Why We Are Here The Downtown

DSTT State of Good Repair Program Brief November 7, 2019 Why We Are Here The Downtown

DSTT State of Good Repair Program Brief November 7, 2019 Why We Are Here The Downtown Seattle Transit Tunnel (DSTT) is anticipated to transfer from KCM to ST in 2020 The DSTT Program will oversee a portfolio of projects that will

279 views • 7 slides
PIL BARA INF RAST RUCT URE A NE W L ANDSCAPE PIL BARA INF RAST RUCT URE A NE

PIL BARA INF RAST RUCT URE A NE W L ANDSCAPE PIL BARA INF RAST RUCT URE A NE

PIL BARA INF RAST RUCT URE A NE W L ANDSCAPE PIL BARA INF RAST RUCT URE A NE W L ANDSCAPE Inve stor Pre se nta tion Nove mbe r 2013 AJM Globa l Iron Ore & Ste e l F ore c a st Confe re nc e 11&12 Ma rc h 2014

405 views • 36 slides
Intervention 1: Removal of 20 th C. stud partition (non load-bearing). Intervention 2:

Intervention 1: Removal of 20 th C. stud partition (non load-bearing). Intervention 2:

The Mansion House Proposed Interventions to the former Caretakers Apartment for use as a Formal Guest Apartment Intervention 1: Removal of 20 th C. stud partition (non load-bearing). Intervention 2: Installation of new En Suite bathroom.

226 views • 7 slides

More recommend