Uploaded bygealehegn
PPT, PDF28 views

csce201 - software - sec Basic Security.ppt

This document discusses best practices for secure software development. It outlines three pillars of software security: risk management, software security touchpoints throughout the development lifecycle, and building knowledge. It describes how to incorporate security through activities like risk analysis, code reviews, testing, and addressing abuse cases. The goal is to develop software that can withstand malicious attacks by anticipating vulnerabilities and non-normative behavior.

Embed presentation

Download to read offline
CSCE 201 Secure Software Development Best Practices
2 Reading  This lecture:  G. McGraw, Software [In]security: Software Security Zombies, 07/2011, http://www.cigital.com/resources/papers/
3 How to address software security?  Do not address at all  Ad-hoc evaluation  Add security features after the fact  Identify security vulnerabilities  Test security level  Incorporate security throughout of SDLC
4 Checking for Known Vulnerabilities  Need tool  Possible attacks and attack types  How the software behaves if something goes WRONG  What motivates an attacker?
5 Three Pillars of Software Security  Risk Management – Business case  Software Security Touchpoints – Best practices  Knowledge – Tools
6 Risk Management  How much effort to invest in security  Consequences of security breaches  Acceptable-level of security  Tracking and mitigating risk throughout the full SDLC
7 Knowledge  Gathering, encapsulating, and sharing security knowledge  Knowledge categories: – Prescriptive knowledge – Diagnostic knowledge – Historical knowledge  Applied along the SDLC
8 Touchpoints  System-wide activity: from design to testing and feedback  Touchpoints: 1. Code review 2. Architectural risk analysis 3. Penetration testing 4. Risk-based security testing 5. Abuse cases 6. Security requirements 7. Security operations
9 Application of Touchpoints Requirement and Use cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field 5. Abuse cases 6. Security Requirements 2. Risk Analysis External Review 4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations
10 Misuse Cases  Software development: making software do something – Describe features and functions – Everything goes right  Need: security, performance, reliability – Service level agreement – legal binding  How to model non-normative behavior in use cases? – Think like a bad guy
11 Misuse Cases  Analyze system design and requirements – Assumptions – Failure of assumptions – Attack patterns  Software that is used also going to be attacked  What can a bad guy do and how to react to malicious use
12 Misuse Case Development  Team work – software developers and security experts  Identifying and documenting threats  Creating anti-requirements: how the system can be abused  Creating attack model – Select attack pattern relevant to the system – Include anyone who can gain access to the system
13 Application of Touchpoints Requirement and Use cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field 5. Abuse cases 6. Security Requirements 2. Risk Analysis External Review 4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations
14 Software Testing  Application fulfills functional requirements  Dynamic, functional tests late in the SDLC  Contextual information
15 Security Testing  Test: finding flaws in software can be exploited by attackers  Quality, reliability and security are tightly coupled  Software behavior testing – Need: risk-based approach using system architecture information and attacker’s model
16 Security Testing  Look for unexpected but intentional misuse of the system  Must test for all potential misuse types using – Architectural risk analysis results – Abuse cases  Verify that – All intended security features work (white hat) – Intentional attacks cannot compromise the system (black hat)
17 Penetration Testing  Testing for negative – what must not exist in the system  Difficult – how to prove “non-existence”  If penetration testing does not find errors than – Can conclude that under the given circumstances no security faults occurred – Little assurance that application is immune to attacks  Feel-good exercise
18 Success of Penetration Testing  Depends on skill, knowledge, and experience of the tester  Important! Result interpretation  Disadvantages of penetration testing: – Often used as an excuse to declare victory and go home – Everyone looks good after negative testing results
19 Behavior in the Presence of Malicious Attack  What happens when the software fails? – Safety critical systems  Track risk over time  Security relative to – Information and services protected – Skills and resources of adversaries – Cost of protection  System vulnerabilities
20 Malicious Input  Software: takes input  Trust input? – Malformed or malicious input may lead to security compromise – What is the input?  Data vs. control  Attacker toolkit
21 Traditional Software Development  No information security consideration  Highly distributed among business units  Lack of understanding of technical security risks
22 Don’t stand so close to me  Best Practices – Manageable number of simple activities – Should be applied throughout the software development process  Problem: – Software developers: lack of security domain knowledge  limited to functional security – Information security professionals: lack of understanding software  limited to reactive security techniques
23 Vulnerability Monitoring  Identify security weaknesses  Methods: – Automated tools – Human walk-through – Surveillance – Audit – Background checks
24 Red Team  Organized group of people attempting to penetrate the security safeguards of the system.  Assess the security of the system  future improvement  Requested or permitted by the owner to perform the assessment  Wide coverage: computer systems, physical resources, programming languages, operational practices, etc.
25 Next Class  Midterm exam

More Related Content

PPT
Software security engineering
byAHM Pervej Kabir
 
PPT
Software Security Engineering
byMarco Morana
 
PPT
Software Security in the Real World
byMark Curphey
 
PPT
Software security engineering
byAHM Pervej Kabir
 
PPTX
Reduce Third Party Developer Risks
byKevo Meehan
 
PDF
An Introduction to Secure Application Development
byChristopher Frenz
 
PPT
Software Security Testing
byankitmehta21
 
PDF
Secure Software Development: Best practice and strategies.pdf
byNexflare Dynamics
 
Software security engineering
byAHM Pervej Kabir
 
Software Security Engineering
byMarco Morana
 
Software Security in the Real World
byMark Curphey
 
Software security engineering
byAHM Pervej Kabir
 
Reduce Third Party Developer Risks
byKevo Meehan
 
An Introduction to Secure Application Development
byChristopher Frenz
 
Software Security Testing
byankitmehta21
 
Secure Software Development: Best practice and strategies.pdf
byNexflare Dynamics
 

Similar to csce201 - software - sec Basic Security.ppt

PPTX
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
PDF
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
PPT
Software Security Initiatives
byMarco Morana
 
PPTX
Information-security and best pracrices tools for the enhanced security of s...
bySamyaGufoor
 
PPTX
Information security software security presentation.pptx
bysalutiontechnology
 
PDF
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
PDF
Software security: Security a Software Issue
byDr Sarika Jadhav
 
PPT
software-security-intro-220901084730-8ed673b9.ppt
byAssadLeo1
 
KEY
Application Security Done Right
bypvanwoud
 
PPTX
chap-1 : Vulnerabilities in Information Systems
byKashfUlHuda1
 
PDF
Secure software design
byAshis Kumar Chanda
 
PPTX
Software security testing
bynehabsairam
 
PPTX
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
PPT
software-security.ppt
byPRALHAD MAGADUM
 
PDF
The 5 Layers of Security Testing by Alan Koch
byQA or the Highway
 
PDF
The 5 Layers of Security Testing by Alan Koch
byQA or the Highway
 
PDF
ACS-security-2821-001 Lecture Note 13.pdf
byMostafa Taghizade
 
PDF
Beyond security testing
byCu Nguyen
 
PPT
Web Application Security Testing
byMarco Morana
 
PDF
Matteo Meucci - Security Summit 12th March 2019
byMinded Security
 
5 Ways to Reduce 3rd Party Developer Risk
bySecurity Innovation
 
Arved sandstrom - the rotwithin - atlseccon2011
byAtlantic Security Conference
 
Software Security Initiatives
byMarco Morana
 
Information-security and best pracrices tools for the enhanced security of s...
bySamyaGufoor
 
Information security software security presentation.pptx
bysalutiontechnology
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
bySecurity Ninja
 
Software security: Security a Software Issue
byDr Sarika Jadhav
 
software-security-intro-220901084730-8ed673b9.ppt
byAssadLeo1
 
Application Security Done Right
bypvanwoud
 
chap-1 : Vulnerabilities in Information Systems
byKashfUlHuda1
 
Secure software design
byAshis Kumar Chanda
 
Software security testing
bynehabsairam
 
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
software-security.ppt
byPRALHAD MAGADUM
 
The 5 Layers of Security Testing by Alan Koch
byQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
byQA or the Highway
 
ACS-security-2821-001 Lecture Note 13.pdf
byMostafa Taghizade
 
Beyond security testing
byCu Nguyen
 
Web Application Security Testing
byMarco Morana
 
Matteo Meucci - Security Summit 12th March 2019
byMinded Security
 

More from gealehegn

PDF
CISSP Domain 05 Identity and Access Management (IAM).pdf
bygealehegn
 
PDF
CISSP Domain 06 Security Assessment and Testing.pdf
bygealehegn
 
PDF
CISSP Domain 08 Software Development Security.pdf
bygealehegn
 
PDF
isc2 CISSP Domain 07 Security Operations.pdf
bygealehegn
 
PPTX
CISSP Domain 03 Security Architecture and Engineering.pptx
bygealehegn
 
PPTX
CISSP Domain 02 Asset Securitycissp.pptx
bygealehegn
 
PPT
MIC_3e_Ch3Add more information to your upload.ppt
bygealehegn
 
PPT
How to Create an Effective PowerPoint.ppt
bygealehegn
 
PPT
hel29999999999999999999999999999999999999999999.ppt
bygealehegn
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
bygealehegn
 
PPT
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
bygealehegn
 
PPT
PCI_Security_Awareness12345678904321.ppt
bygealehegn
 
PPT
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
bygealehegn
 
PPT
pci-comp pci requirements and controls.ppt
bygealehegn
 
PPTX
SecurityDevelopmentLifecycle 202512.pptx
bygealehegn
 
PPTX
Educause+PCI+briefing+4-19-20162345.pptx
bygealehegn
 
PDF
PCI DSS Training compliance training for companies
bygealehegn
 
CISSP Domain 05 Identity and Access Management (IAM).pdf
bygealehegn
 
CISSP Domain 06 Security Assessment and Testing.pdf
bygealehegn
 
CISSP Domain 08 Software Development Security.pdf
bygealehegn
 
isc2 CISSP Domain 07 Security Operations.pdf
bygealehegn
 
CISSP Domain 03 Security Architecture and Engineering.pptx
bygealehegn
 
CISSP Domain 02 Asset Securitycissp.pptx
bygealehegn
 
MIC_3e_Ch3Add more information to your upload.ppt
bygealehegn
 
How to Create an Effective PowerPoint.ppt
bygealehegn
 
hel29999999999999999999999999999999999999999999.ppt
bygealehegn
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
bygealehegn
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
bygealehegn
 
PCI_Security_Awareness12345678904321.ppt
bygealehegn
 
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
bygealehegn
 
pci-comp pci requirements and controls.ppt
bygealehegn
 
SecurityDevelopmentLifecycle 202512.pptx
bygealehegn
 
Educause+PCI+briefing+4-19-20162345.pptx
bygealehegn
 
PCI DSS Training compliance training for companies
bygealehegn
 

Recently uploaded

PDF
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
PDF
ASRB NET 2025 Paper GENETICS AND PLANT BREEDING ARS, SMS & STODiscussion | Co...
bySatyam Sharma
 
PDF
AI and ICT for Teaching and Learning, Induction-cum-Training Programme, 5th 8...
byProf. Vinod Kumar Kanvaria
 
PPTX
Plant Breeding: Its History and Contribution
bySatyam Sharma
 
PPTX
Time Series Analysis - Meaning, Definition, Components and Application
bySundar B N
 
PPTX
Physical education notes class ncert 12th
byjatinrg2009
 
PPTX
Finals - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
PDF
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
PPTX
SEMESTER 5 UNIT- 1 Difference of Children and adults.pptx
bysachin7989
 
PDF
Risk Management and Regulatory Compliance - by Ms. Oceana Wong
byagenticroom
 
PPTX
ATTENTION - PART 1.pptx cognitive processes -For B.Sc I Sem By Mrs.Shilpa Hot...
bySHILPA HOTAKAR
 
PDF
*Unit-II A (Elements of Communication & Communication Style Matrix)
bySayyadTarannum
 
PDF
Comparative Research Report of Legal Frameworks for General Asylum and the Pr...
byScalabrini Institute for Human Mobility in Africa
 
PDF
45 ĐỀ LUYỆN THI IOE LỚP 8 THEO CHƯƠNG TRÌNH MỚI - NĂM HỌC 2024-2025 (CÓ LINK ...
byNguyen Thanh Tu Collection
 
PPTX
LYMPHATIC SYSTEM.pptx it includes lymph, lymph nodes, bone marrow, spleen
byReena Yadav
 
PDF
Agentic AI and AI Agents 20251121.pdf - by Ms. Oceana Wong
byagenticroom
 
PDF
Multimodal and Multimedia AI - by Ms. Oceana Wong
byagenticroom
 
PPTX
General Wellness & Restorative Tonic: Draksharishta
byDr. Paindla Jyothirmai
 
PPTX
A Presentation of PMES 2025-2028 with Salient features.pptx
byRoyPintor2
 
PPTX
Time Series Analysis - Least Square Method Fitting a Linear Trend Equation
bySundar B N
 
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
ASRB NET 2025 Paper GENETICS AND PLANT BREEDING ARS, SMS & STODiscussion | Co...
bySatyam Sharma
 
AI and ICT for Teaching and Learning, Induction-cum-Training Programme, 5th 8...
byProf. Vinod Kumar Kanvaria
 
Plant Breeding: Its History and Contribution
bySatyam Sharma
 
Time Series Analysis - Meaning, Definition, Components and Application
bySundar B N
 
Physical education notes class ncert 12th
byjatinrg2009
 
Finals - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
SEMESTER 5 UNIT- 1 Difference of Children and adults.pptx
bysachin7989
 
Risk Management and Regulatory Compliance - by Ms. Oceana Wong
byagenticroom
 
ATTENTION - PART 1.pptx cognitive processes -For B.Sc I Sem By Mrs.Shilpa Hot...
bySHILPA HOTAKAR
 
*Unit-II A (Elements of Communication & Communication Style Matrix)
bySayyadTarannum
 
Comparative Research Report of Legal Frameworks for General Asylum and the Pr...
byScalabrini Institute for Human Mobility in Africa
 
45 ĐỀ LUYỆN THI IOE LỚP 8 THEO CHƯƠNG TRÌNH MỚI - NĂM HỌC 2024-2025 (CÓ LINK ...
byNguyen Thanh Tu Collection
 
LYMPHATIC SYSTEM.pptx it includes lymph, lymph nodes, bone marrow, spleen
byReena Yadav
 
Agentic AI and AI Agents 20251121.pdf - by Ms. Oceana Wong
byagenticroom
 
Multimodal and Multimedia AI - by Ms. Oceana Wong
byagenticroom
 
General Wellness & Restorative Tonic: Draksharishta
byDr. Paindla Jyothirmai
 
A Presentation of PMES 2025-2028 with Salient features.pptx
byRoyPintor2
 
Time Series Analysis - Least Square Method Fitting a Linear Trend Equation
bySundar B N
 

csce201 - software - sec Basic Security.ppt

  • 1.
    CSCE 201 Secure SoftwareDevelopment Best Practices
  • 2.
    2 Reading  This lecture: G. McGraw, Software [In]security: Software Security Zombies, 07/2011, http://www.cigital.com/resources/papers/
  • 3.
    3 How to addresssoftware security?  Do not address at all  Ad-hoc evaluation  Add security features after the fact  Identify security vulnerabilities  Test security level  Incorporate security throughout of SDLC
  • 4.
    4 Checking for Known Vulnerabilities Need tool  Possible attacks and attack types  How the software behaves if something goes WRONG  What motivates an attacker?
  • 5.
    5 Three Pillars ofSoftware Security  Risk Management – Business case  Software Security Touchpoints – Best practices  Knowledge – Tools
  • 6.
    6 Risk Management  Howmuch effort to invest in security  Consequences of security breaches  Acceptable-level of security  Tracking and mitigating risk throughout the full SDLC
  • 7.
    7 Knowledge  Gathering, encapsulating,and sharing security knowledge  Knowledge categories: – Prescriptive knowledge – Diagnostic knowledge – Historical knowledge  Applied along the SDLC
  • 8.
    8 Touchpoints  System-wide activity:from design to testing and feedback  Touchpoints: 1. Code review 2. Architectural risk analysis 3. Penetration testing 4. Risk-based security testing 5. Abuse cases 6. Security requirements 7. Security operations
  • 9.
    9 Application of Touchpoints Requirementand Use cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field 5. Abuse cases 6. Security Requirements 2. Risk Analysis External Review 4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations
  • 10.
    10 Misuse Cases  Softwaredevelopment: making software do something – Describe features and functions – Everything goes right  Need: security, performance, reliability – Service level agreement – legal binding  How to model non-normative behavior in use cases? – Think like a bad guy
  • 11.
    11 Misuse Cases  Analyzesystem design and requirements – Assumptions – Failure of assumptions – Attack patterns  Software that is used also going to be attacked  What can a bad guy do and how to react to malicious use
  • 12.
    12 Misuse Case Development Team work – software developers and security experts  Identifying and documenting threats  Creating anti-requirements: how the system can be abused  Creating attack model – Select attack pattern relevant to the system – Include anyone who can gain access to the system
  • 13.
    13 Application of Touchpoints Requirementand Use cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field 5. Abuse cases 6. Security Requirements 2. Risk Analysis External Review 4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations
  • 14.
    14 Software Testing  Applicationfulfills functional requirements  Dynamic, functional tests late in the SDLC  Contextual information
  • 15.
    15 Security Testing  Test:finding flaws in software can be exploited by attackers  Quality, reliability and security are tightly coupled  Software behavior testing – Need: risk-based approach using system architecture information and attacker’s model
  • 16.
    16 Security Testing  Lookfor unexpected but intentional misuse of the system  Must test for all potential misuse types using – Architectural risk analysis results – Abuse cases  Verify that – All intended security features work (white hat) – Intentional attacks cannot compromise the system (black hat)
  • 17.
    17 Penetration Testing  Testingfor negative – what must not exist in the system  Difficult – how to prove “non-existence”  If penetration testing does not find errors than – Can conclude that under the given circumstances no security faults occurred – Little assurance that application is immune to attacks  Feel-good exercise
  • 18.
    18 Success of PenetrationTesting  Depends on skill, knowledge, and experience of the tester  Important! Result interpretation  Disadvantages of penetration testing: – Often used as an excuse to declare victory and go home – Everyone looks good after negative testing results
  • 19.
    19 Behavior in thePresence of Malicious Attack  What happens when the software fails? – Safety critical systems  Track risk over time  Security relative to – Information and services protected – Skills and resources of adversaries – Cost of protection  System vulnerabilities
  • 20.
    20 Malicious Input  Software:takes input  Trust input? – Malformed or malicious input may lead to security compromise – What is the input?  Data vs. control  Attacker toolkit
  • 21.
    21 Traditional Software Development  Noinformation security consideration  Highly distributed among business units  Lack of understanding of technical security risks
  • 22.
    22 Don’t stand soclose to me  Best Practices – Manageable number of simple activities – Should be applied throughout the software development process  Problem: – Software developers: lack of security domain knowledge  limited to functional security – Information security professionals: lack of understanding software  limited to reactive security techniques
  • 23.
    23 Vulnerability Monitoring  Identifysecurity weaknesses  Methods: – Automated tools – Human walk-through – Surveillance – Audit – Background checks
  • 24.
    24 Red Team  Organizedgroup of people attempting to penetrate the security safeguards of the system.  Assess the security of the system  future improvement  Requested or permitted by the owner to perform the assessment  Wide coverage: computer systems, physical resources, programming languages, operational practices, etc.
  • 25.