180 likes | 391 Views
Agenda. Security Lessons Learned in NCTU a dozen years agoWhat is Security?Top Security IssuesSecurity in Software Development LifecyclePartner Integration SecuritySecurity Issue Tracking and ResolutionPhysical SecuritySocial EngineeringSecurity of Personal ComputerAbuse IssuesHuman Facto
E N D
1. Lessons Learned in Web Security Shimin Yeh
12/25/2007
2. Agenda Security Lessons Learned in NCTU a dozen years ago
What is Security?
Top Security Issues
Security in Software Development Lifecycle
Partner Integration Security
Security Issue Tracking and Resolution
Physical Security
Social Engineering
Security of Personal Computer
Abuse Issues
Human Factor
3. Security Lessons Learned in NCTU a Dozen Years Ago Charles Pfleeger, Security in Computing, 2nd ed.
Bruce Schneier, Applied Cryptography, 1st ed.
Evi Nemeth et. al, UNIX System Administration Hankbook, 2nd ed.
Gene Spafford et. Al., UNIX and Internet Security 2nd ed.
4. Lessons Learned in my Early Years in Software Industry Netscape web server
Checkpoint firewall
panacea of securiy?
On-line stock trading system project in ‘98
Hardening
server software patch - not everyone knows this.
Security features and CIA
Confidentiality – SSL for channel integration
Integrity (and non-repudiation) – digital signature
Authentication – password for login plus public key signature for authentication
Minimal peer reviews
Competition with JPC – non-security factors prevail.
SSL = security is easier to sell.
5. What’s Security? Behaves as it supposed to do. Nothing more and nothing less.
6. Case Study Victoria’s Secret
Prozac
AOL
MySpace – Samy is my hero
Qualcomm CEO’s laptop
Defacement cases in zone-h
XSS cases in xssed.com
Eletronic voting systems in California
7. What does that mean? Brand damage: Trust is hard to gain but easy to lose.
Intenet companies live or die by their reputation.
8. Top Security Issues Input Validation Issue Buffer overflow SQL injection XSS Misconfiguration Third Party Software