What is Secure? Engineering Secure Software

SLIDE 1

SWEN-331: Engineering Secure Software Benjamin S Meyers

What is Secure?

Engineering Secure Software

Last Revised: August 19, 2020

SLIDE 2

Recent Security Incidents

  • Garmin
      ○ Ransomware -- $10 million
      ○ Sync servers down for many days
  • Jack Daniels
      ○ 1TB of data stolen
      ○ Unauthorized access detected and blocked before data could be encrypted
  • Intel
      ○ 20GB of Intellectual Property (IP) and internal documents leaked

SLIDE 3

Software Security and You

  • Find 2 other people near you
      ○ Introduce yourself
      ○ What is your favorite software development technology? (language, tool, library, etc.)
      ○ Have you ever written software where security mattered? How did you address security then?

SLIDE 4

Discussion

  • Increased airport security measures
      ○ TSA agents, full-body scanners, removing shoes, etc.
      ○ Are we safer because of these measures?
      ○ If so, is it worthwhile?

SLIDE 5

Discussion Takeaways

  • Security is not black-and-white
  • Security is “until proven insecure”
  • Security “Theater”
      ○ Feeling safer vs. being safer
      ○ People act on their perception of reality, not necessarily on reality
  • Protection can be costly
  • Eliminating a Threat vs. Protection
  • Vulnerability vs. Exploit vs. Threat

SLIDE 6

An Engineer’s Concern

  • In SE we teach you how to build software… but not as much about breaking software
  • How do you know that you have built a system that cannot be broken into?
      ○ What evidence do you look for?
      ○ How do you know you’re done?
      ○ How do you prioritize security against everything else that’s taking up your time?
  • SE is a zero-sum game
      ○ “If I need to focus more energy on security, what should we take away?”

SLIDE 7

What is a Vulnerability?

  • Informally: a bug with security consequences
  • A design flaw or poor coding that may allow an attacker to exploit software for a malicious purpose
      ○ Non-software equivalent to “lack of shoe-examining at the airport”
      ○ e.g. allowing easily-guessed passwords (poor coding)
      ○ e.g. complete lack of passwords when needed (design flaw)
      ○ McGraw: 50% are coding mistakes, 50% are design flaws
  • Alternative definition: “an instance of a fault that violates an [implicit or explicit] security policy”
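
Added example (not part of the original slides): the alternative definition made concrete, using the slide's two password cases. The policy values, the common-password list, the function names and the sample inputs are all assumptions constructed for this illustration; each "fault" reported is an input an implementation accepts although the explicit policy forbids it.

```python
# Added illustration: policy values, denylist and sample inputs are constructed.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "changeme"}


def policy_violations(username, candidate):
    """Explicit security policy: list every rule the candidate password breaks."""
    if not candidate:
        return ["a password is required"]
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


def accept_no_password_needed(username, candidate):
    """Design flaw: the design never asks for a password at all."""
    return True


def accept_any_nonempty(username, candidate):
    """Coding mistake: a password is required, but easily guessed ones pass."""
    return bool(candidate)


def accept_per_policy(username, candidate):
    """Hardened form: accept only candidates that break no policy rule."""
    return not policy_violations(username, candidate)


def find_faults(accept, cases):
    """Return every case the implementation accepts although the policy forbids it."""
    return [(u, c) for u, c in cases if accept(u, c) and policy_violations(u, c)]


# Constructed test inputs: (username, candidate password)
CASES = [
    ("alice", ""),
    ("alice", "123456"),
    ("alice", "alice-2020-summer"),
    ("alice", "correct horse battery staple"),
]

if __name__ == "__main__":
    for impl in (accept_no_password_needed, accept_any_nonempty, accept_per_policy):
        print(impl.__name__, find_faults(impl, CASES))
```

The design-flaw version fails on three of the four inputs, the coding-mistake version on two, and the policy-enforcing version on none.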

SLIDE 8

What are Exploits and Threats?

  • Exploit: a piece of software, chunk of data, or sequence of commands that takes advantage of a vulnerability in an effort to cause unintended or unanticipated behavior
      ○ i.e. maliciously using a vulnerability
      ○ Can be manual or automated
      ○ Viruses are just automated exploits
      ○ Many different ways to exploit just one vulnerability
  • Threat -- two usages
      ○ An actor or agent that is a source of danger, capable of violating confidentiality, availability, or integrity of information assets and security policy -- e.g. black-hat hackers
      ○ A class of exploits -- e.g. spoofing (phishing, hijacking, etc.)

SLIDE 9

Exploit/Threat/Vulnerability Protection

  • Protection against exploits?
      ○ Anti-virus software, intrusion detection systems, firewalls, etc.
  • Protection against threats?
      ○ Use forensics to find and eliminate
      ○ Policy, incentives, deterrents, etc.
  • Protection against vulnerabilities?
      ○ Engineer secure software!

SLIDE 10

Software Security is...

  • NOT a myth, but a reality
  • Insecure software causes immeasurable harm
  • Examples: Sony, NSA, Equifax, Anthem/Premera, Android, Browsers, Mueller Report -- just read the news

SLIDE 11

In the News

  • 2019-02-22: Critical Vulnerabilities Uncovered in Password Managers
  • 2019-02-25: b0r0nt0k Ransomware Infects Linux Servers
  • 2019-02-26: New Browser Attack Lets Hackers Run Bad Code After User Leaves a Web Page
  • 2019-03-12: Study Shows Programmers Will Take the Easy Way Out and Not Implement Proper Password Security
  • 2019-03-23: Norsk Hydro Will Not Pay Ransom Demand and Will Restore from Backups
  • 2019-03-22: Facebook Left Hundreds of Millions of User Passwords Unencrypted
  • 2019-04-20: Active Windows Zero-Day Exploits
  • 2019-04-29: Security Flaw Lets Attackers Recover Private Keys from Qualcomm Chips
  • 2019-04-30: The Key Lessons of the Triton Malware Cyberattack You Need to Learn
  • 2019-05: Stolen NSA Tool Wreaks Havoc
  • 2019-07: Microsoft Confirms Windows Great Duke of Hell Malware Attack
  • 2019-08-20: Hackers Planted Backdoor in Webmin Utility for Linux Servers
  • 2019-09-10: Weakness in Intel Chips Lets Researchers Steal Encrypted SSH Keystrokes
  • 2019-10-14: Teamviewer Hack Might Have Accessed Billions of Devices
  • 2020-02-25: Exchange Stores User Credentials in Plain Text, No Hashing
  • 2020-06-08: Vulnerabilities in Popular Open Source Projects Doubled in 2019

SLIDE 12

Number of Vulnerabilities by Year

SLIDE 13

Software Security is...

  • NOT an arcane black art
  • Much of it seems arcane
      ○ Finding a severe vulnerability without access to the source code
      ○ Crafting an exploit
      ○ Endless clever ways to break software
  • But you have much more knowledge than the attackers do
      ○ You wrote your code
  • Don’t just leave it to the experts, take responsibility for knowing security

SLIDE 14

Code Complexity in the Linux Kernel

Source: https://www.linuxcounter.net/statistics/kernel

SLIDE 15

Complexity, Vulnerabilities, and Incidents

Source: Gary McGraw (after Dan Geer)

SLIDE 16

Software Security is...

  • NOT a dire, apocalyptic future
  • Fear-mongering will not be tolerated here
  • Risk management dictates that we deal in the probable more than the possible

SLIDE 17

Software Security is...

  • NOT a set of features
  • Secure software > Security software
  • Tools and experts are helpful, but:
      ○ You can’t just deploy a magical tool and expect all vulnerabilities to disappear
      ○ You can’t outsource all of your security knowledge
  • Even if you are using a security library, you need to know how to use it properly

SLIDE 18

Software Security is...

  • NOT a problem for mathematicians
  • Cryptography
      ○ Is important and necessary
      ○ Cannot solve all of your security problems
      ○ e.g. pick-proof lock vs. open window
  • Proofs, access control rules, and verification are helpful, but inherently incomplete

SLIDE 19

Software Security is...

  • NOT a problem for just networking and operating systems
  • Software had security problems long before we had the internet, but the internet accelerates their spread
  • Holistic - if you are defending your castle, you don’t just stop at locking the windows (drawbridge, moat, turrets, etc.)

SLIDE 20

Software Security is...

  • A reality that everyone must face
      ○ Not just developers, all stakeholders
  • A learnable mindset for software engineers
  • The ability to prevent unintended functionality
      ○ At all layers of the stack
      ○ In all parts of your system

SLIDE 21

Student Security Maturity

1. Denial:
  • I don’t have to think about this, just let me code
  • Leave it to the experts
  • I could never understand this anyway

2. Irrational fear, superstition:
  • EVERYTHING IS POSSIBLE NOW!!!
  • EVERY MITIGATION IS NECESSARY!!!
  • ENCRYPT EVERYTHING!!!

3. Bag of tricks:
  • Let’s just try these tricks that worked in the past
  • We’ve done these 10 things… that’s a lot… close enough, right?

4. Reasoned, balanced, defensive mindset:
  • If we do X, we mitigate Y, which is worthwhile because of Z