Lecture topics
• Computer security
• Ethics in SE
• SE as a profession
Privacy and security
• Two kinds of security
  • Security within a software organization
  • Security standards that must be met by software products produced by the organization
• Security is a fundamentally human issue
  • Keep things secret, trust the insiders
  • Keep the system open but rely on technical means of ensuring security
• The field is increasingly aware of the need for security
  • E.g. Java has a built-in security model
• Privacy: the right to be left alone
  • Confidentiality: the existence of a communication between two parties must not be known to a third party
  • Anonymity: an individual’s right to conceal their identity
  • Data protection: restricting the use of personal data
Security --- that’s where the money is these days, right?
• Spending on security technology grew by 28% in 2001 (compared to 2000) [UBS Warburg]
  • $6bln in 2001
  • Projected $13bln in 2005
• 24% of firms had increased their technology budget in 2002, but 73% increased spending on security [Meta Group]
• Most companies spend 3% of their technology budgets on security; technology budgets are typically 3% of revenues [Meta Group]
• The number of unfilled [computer] security jobs in the US is 75,000 [Symantec]
Viruses
• The costs of computer viruses worldwide are $13.2bln [Computer Economics, a consultancy firm]
  • The figure is probably too high
  • Hard to quantify the cost of detection and clean-up
• Following Code Red and Nimda, sales of anti-virus products at Symantec were 53% higher than the previous year
Intrusion
• Reliable figures are hard to come by
  • Many attacks go unnoticed or unreported
• Survey by CSI/FBI:
  • 503 large companies and government agencies surveyed
  • 40% detected system intrusions in 2001
    • 70% of these reported website vandalism
    • 20% reported theft of proprietary information
  • 85% reported virus problems
  • 90% have anti-virus software installed
  • 89% have firewalls installed
  • 63% have intrusion detection software installed
Intrusion detection systems
• Based on monitoring patterns of network behavior and reporting deviations
  • Monitoring network traffic
  • Monitoring access to individual machines and software components
• The rate of false positives is high
• What should the response to an attack be?
  • Repair the damage as soon as possible
    • The attacker may be alerted
  • Trace the attacker
    • The attacker has more time to do damage
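The slide describes detection as "monitoring patterns and reporting deviations" and warns that false positives are common. The following is an added example (not part of the lecture) of the simplest such detector: a rate rule over login failures. The events, addresses, window and threshold are all constructed for the example; a real sensor would read them from logs.

```c
/* Added example (not from the lecture): a minimal rate-based detector of the
 * "report deviations from a pattern" kind. All data below is constructed. */
#include <stdio.h>
#include <string.h>

#define WINDOW    60   /* seconds of history examined per source */
#define THRESHOLD 5    /* more failures than this within WINDOW is "deviant" */

struct event { int t; const char *src; int failed; };

/* Constructed login events, ordered by time. 10.0.0.5 is a user who
 * mistypes a password six times and then gets in; 203.0.113.9 fails eight
 * times in a row; 10.0.0.7 fails twice, more than a minute apart. */
static const struct event events[] = {
    {  0, "10.0.0.5", 1 }, {  1, "10.0.0.5", 1 }, {  2, "10.0.0.5", 1 },
    {  3, "10.0.0.5", 1 }, {  4, "10.0.0.5", 1 }, {  5, "10.0.0.5", 1 },
    {  6, "10.0.0.5", 0 },
    { 10, "203.0.113.9", 1 }, { 11, "203.0.113.9", 1 }, { 12, "203.0.113.9", 1 },
    { 13, "203.0.113.9", 1 }, { 14, "203.0.113.9", 1 }, { 15, "203.0.113.9", 1 },
    { 16, "203.0.113.9", 1 }, { 17, "203.0.113.9", 1 },
    { 30, "10.0.0.7", 1 }, { 95, "10.0.0.7", 1 },
};
#define NEVENTS (sizeof events / sizeof events[0])

/* Number of failed attempts from 'src' with timestamps in [start, start+window). */
int failures_in_window(const char *src, int start, int window)
{
    int count = 0;
    for (size_t i = 0; i < NEVENTS; i++)
        if (events[i].failed && strcmp(events[i].src, src) == 0 &&
            events[i].t >= start && events[i].t < start + window)
            count++;
    return count;
}

static int already_flagged(const char *flagged[], int n, const char *src)
{
    for (int i = 0; i < n; i++)
        if (strcmp(flagged[i], src) == 0)
            return 1;
    return 0;
}

/* Scan every failed event and flag its source if the window starting there
 * holds more than THRESHOLD failures. Writes up to 'max' distinct sources
 * into flagged[] and returns how many were written. */
int detect_bursts(const char *flagged[], int max)
{
    int n = 0;
    for (size_t i = 0; i < NEVENTS && n < max; i++) {
        const struct event *e = &events[i];
        if (!e->failed || already_flagged(flagged, n, e->src))
            continue;
        if (failures_in_window(e->src, e->t, WINDOW) > THRESHOLD)
            flagged[n++] = e->src;
    }
    return n;
}

int main(void)
{
    const char *flagged[8];
    int n = detect_bursts(flagged, 8);
    for (int i = 0; i < n; i++)
        printf("flagged: %s\n", flagged[i]);   /* 10.0.0.5 is the false positive */
    return 0;
}
```

Both the forgetful user and the source that hammers the login form trip the same rule, which is the false-positive problem the slide points at: the rule sees only counts, not context (the first burst ended in a successful login from an internal address). Tightening the threshold trades false positives for missed slow attacks; adding context to the rule is the usual way out.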
But what is the root cause?
• Intrusion into computer systems from the outside is not supposed to be possible, so how does it become possible?
• Short answer: bugs in applications
  • Code Red exploited a coding error in the way Microsoft web server software handles non-Roman characters
  • Most security holes exploit buffer overflows
    • Programs get “confused” into executing code supplied by the attacker
• In this light, the security-related hype put out by companies is laughable
  • Sun: “We make the net secure”
  • Oracle: “Unbreakable database software”
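The buffer overflow the slide names is worth seeing in code. Below is an added example (not from the lecture) showing the defect in its most common form, an unbounded copy into a fixed-size stack buffer, next to a hardened version that refuses input which does not fit. The function names and the 16-byte size are this example's own choices.

```c
/* Added example (not from the lecture): unbounded vs bounded copy into a
 * fixed-size buffer. Names and sizes are assumptions of this example. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Vulnerable form: strcpy stops at the NUL byte of 'input', not at the end
 * of 'name', so any input of NAME_MAX or more bytes writes past the buffer.
 * The lecture's "executing code supplied by the attacker" is what happens
 * when the bytes that spill out overwrite control data stored next to it. */
void copy_name_unchecked(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* overrun if strlen(input) >= NAME_MAX */
    printf("hello, %s\n", name);
}

/* Hardened form: check that the terminator lies within the destination size
 * before copying anything. Returns 1 on success, 0 when the input is refused,
 * so the caller learns about the refusal instead of getting silent truncation. */
int copy_name_checked(const char *input, char *out, size_t out_len)
{
    const char *nul;
    if (out_len == 0)
        return 0;
    nul = memchr(input, '\0', out_len);   /* terminator within out_len bytes? */
    if (nul == NULL)
        return 0;                          /* strlen(input) >= out_len: refuse */
    memcpy(out, input, (size_t)(nul - input) + 1);   /* copies the NUL too */
    return 1;
}

int main(void)
{
    char name[NAME_MAX];
    const char *short_input = "alice";                          /* constructed */
    const char *long_input  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; /* 32 bytes, constructed */

    copy_name_unchecked(short_input);   /* safe only because this input is short */
    printf("checked short: %d\n", copy_name_checked(short_input, name, sizeof name));
    printf("checked long:  %d\n", copy_name_checked(long_input, name, sizeof name));
    return 0;
}
```

The point of the checked version is that the length decision is made once, explicitly, against the real destination size; compiler hardening and stack protection help after the fact, but the bug is the missing check.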
Human factors
• Consumers are not educated about security and privacy
  • Consumers demand features
  • “Given the choice between dancing pigs and security, users will pick dancing pigs every time” (Ed Felten)
• Developers’ attitude
  • “Not my job --- I’m designing this thing to run as fast as possible!”
  • Fixation on security from the network standpoint
    • “If we encrypt all traffic, we have nothing to worry about, right?”
  • Fixation on technology
• Companies have started to re-evaluate the trade-off between security and functionality
  • Microsoft’s web server software has most features turned off by default
    • Customers have to configure them in a site-specific way
    • Some customers asked for a button “to turn everything on”
What is the best way to make people aware of security holes?
• Open Source advocates: security vulnerabilities should be published on the Web
  • True, potential attackers get their hands on this information
  • But this should force companies to react quickly and post patches
• In the real world, this may pose problems
  • Big websites get attacked ~40 minutes after the publication of a new vulnerability
  • The patch may not be available for some time
  • Patches are usually rushed out
    • They often introduce new problems
    • Patches often fix symptoms, not underlying problems
  • The majority of customers don’t apply patches
[Figure: number of intrusions for a security hole over time. Y-axis: intrusions; X-axis: time, with the points “Disclosure”, “Patch released” and “Scripting” marked.]
Types of attacks on the security of a system
Generally, a flaw in the design or implementation of a system is exploited by these attacks:
• Eavesdropping
  • Encrypting transmissions may fail to defeat attacks
• Tampering with data
  • Malicious modification of transmissions
• Spoofing
  • Generating phony transmissions
• Hijacking
  • Replacing a legitimate transmission with a malicious one
• Capture/replay
  • Capture a transmission and later replay it
Security goals from the system development standpoint
No real-world system is 100% secure.
• Prevention
  • An ounce of prevention is better than a pound of punishment
• Traceability and auditing
  • Forensic evidence
• Monitoring
  • Real-time auditing
• Privacy and confidentiality
• Multi-level security
  • Different levels of protection for different levels of information
• Anonymity
• Authentication
• Integrity
  • Primarily integrity of data
The role of security personnel on the development team
• Developers often see security concerns as secondary to system functionality
• Often, a security team is set up to address security concerns during system development
• Members of this team have to be trained in both development and security
• Different security concerns arise at different stages of development
Guiding principles for software security (Viega, McGraw)
• Secure the weakest link
  • The whole system is only as secure as its weakest part
• Practice defense in depth
  • Have a series of defenses
• Fail securely
• Follow the principle of least privilege
• Compartmentalize
  • If one part of the system is compromised, the others won’t be
• Keep it simple
  • A simple design makes security problems less likely
• Promote privacy
• Remember that hiding secrets is hard
• Be reluctant to trust
  • Especially be reluctant to trust your employees (and employers)
• Use your community resources
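"Fail securely" is the principle on this list that is most often violated by accident, because the failure path is the one nobody tests. The following added example (not from Viega and McGraw's text or the lecture) contrasts an access check that fails open with one that fails closed; the access-control list, user names and the simulated outage are constructed for the example.

```c
/* Added example (not from the lecture): an authorization check written in
 * fail-open and fail-closed form. ACL contents and names are constructed. */
#include <stdio.h>
#include <string.h>

struct ace { const char *user; const char *action; };

/* Constructed access-control list: who may do what. */
static const struct ace acl[] = {
    { "alice", "read"  },
    { "alice", "write" },
    { "bob",   "read"  },
};

enum lookup_result { LOOKUP_DENY = 0, LOOKUP_ALLOW = 1, LOOKUP_ERROR = -1 };

/* Simulated policy lookup. The policy store being unreachable is modelled by
 * a NULL argument, which yields LOOKUP_ERROR: that is the case the principle
 * is about, a result that is neither a clear allow nor a clear deny. */
static int lookup_policy(const char *user, const char *action)
{
    if (user == NULL || action == NULL)
        return LOOKUP_ERROR;
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++)
        if (strcmp(acl[i].user, user) == 0 && strcmp(acl[i].action, action) == 0)
            return LOOKUP_ALLOW;
    return LOOKUP_DENY;
}

/* Fails open: everything that is not an explicit deny is treated as allowed,
 * so an outage of the policy store grants every request. */
int is_allowed_fail_open(const char *user, const char *action)
{
    return lookup_policy(user, action) != LOOKUP_DENY;
}

/* Fails securely: only an explicit allow grants access; errors deny.
 * Availability suffers during an outage, but no unauthorized action goes through. */
int is_allowed_fail_closed(const char *user, const char *action)
{
    return lookup_policy(user, action) == LOOKUP_ALLOW;
}

int main(void)
{
    printf("bob write, fail-open:   %d\n", is_allowed_fail_open("bob", "write"));
    printf("outage,   fail-open:    %d\n", is_allowed_fail_open(NULL, "write"));
    printf("outage,   fail-closed:  %d\n", is_allowed_fail_closed(NULL, "write"));
    printf("alice write, fail-closed: %d\n", is_allowed_fail_closed("alice", "write"));
    return 0;
}
```

The two functions differ by one comparison, which is why the defect is easy to introduce: comparing against "not denied" instead of "allowed" looks equivalent until the lookup returns a third value. The same shape applies to least privilege, where a missing entry should mean no permission rather than a default one.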
The weakest link of computer security
• PentaSafe Security Technologies survey of a number of companies (2002):
  • 86% reported abuse of Internet access by insiders
  • 66% reported laptop theft
  • 50% reported unauthorized access by insiders
  • 40% reported unauthorized access by outsiders
• 2/3 of commuters in Victoria Station (London) revealed their computer password in return for a ballpoint pen
• Almost half of British office workers used their own name or the name of a family member or a pet as their password
• Meta Group: the most common way to gain access to a system is to call internal tech support and pose as an employee who forgot their password
• CSI/FBI survey (using a small sample size):
  • Average external attack cost $57,000
  • Average attack by an insider cost $2.7m
Security is not an absolute measure
• In practice, providing very high levels of security is very costly
• A security risk is just like any other business or software development risk
  • Predicted, managed, mitigated
• Credit card companies could provide much tighter security to combat fraud
  • Consumers would be unhappy
  • Too expensive; it’s easier to absorb the cost of fraud
• Companies can buy “security insurance” that pays damages if their systems are breached
  • In future, this could mean that security companies impose restrictions on what equipment and business/development processes the company can use
Is “electronic Pearl Harbor” a real danger?
• Lamar Smith, congressman, in a report to a judiciary committee, Feb 2002: “Until we secure our cyber-infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives… A mouse can be just as dangerous as a bullet or a bomb!”
• US Naval War College / Gartner Group simulations, August 2002:
  • An “electronic Pearl Harbor” attack on the US would cause serious disruption, but
    • Would need five years of preparation
    • Would need $200m in funding
Issues in people management relevant to software development: memory
• Developers need to remember a lot of things about the project
• Memory organization
  • Short-term memory
    • Limited capacity, fast access (you just “know” it)
    • Receives input from sensors
    • Similar to registers
    • Miller (1957) found that short-term memory can store about 7 informational items
  • A larger-capacity working-area memory
    • Information is obtained from the short-term memory
    • Similar to RAM
  • Long-term memory
    • Slow access time
    • Unreliable retrieval mechanisms
    • Similar to disk memory
Issues in people management relevant to software development: types of knowledge
• Semantic knowledge
  • Knowledge of concepts
    • E.g. how a binary search algorithm operates
  • Acquired through experience and learning
  • Retained in a representation-independent fashion
• Syntactic knowledge
  • Detailed representation knowledge
    • E.g. how to write an object description in UML
  • The knowledge is retained in an unprocessed form
  • The knowledge is acquired by memorization
• The difference between these two types of knowledge is evident in how an experienced programmer learns a new language
Issues in people management relevant to software development: motivation
• What motivates people (Maslow 1954)
  • Physiological needs
  • Safety needs
  • Social needs
  • Esteem needs
  • Self-realization needs
• Three types of professionals (Bass and Dunteman 1963)
  • Task-oriented
    • Motivated by the intellectual challenge of their work
  • Self-oriented
    • Motivated by personal success and recognition
  • Interaction-oriented
    • Motivated by the presence and actions of co-workers
Social, ethical, and professional issues: the ACM code of ethics and professional conduct
• General moral imperatives
  • Contribute to society and human well-being
  • …
  • Honor confidentiality
• Specific professional responsibilities
  • Strive to achieve the highest quality, effectiveness, and dignity in both the process and products of professional work
  • …
  • Access computing and communication resources only when authorized to do so
Social, ethical, and professional issues: the ACM code of ethics and professional conduct (continued)
• Organizational leadership imperatives
  • Articulate the social responsibilities of members of an organizational unit and encourage full acceptance of these responsibilities
  • …
  • Create opportunities for members of the organization to learn the principles and limitations of computer systems
Real life: specific examples of ethical choices
• You are contracted to build a software system. To save money, the customer opted for a level of built-in security that you think is not sufficient to prevent the system from being compromised in the future. Do you build the system anyway or refuse to do it?
• Your customer is an employment agency that needs a software system that matches job applicants to job descriptions. When an agency official describes the system requirements to you, he mentions that if several people match the same position, all male applicants should be listed before all female applicants. What do you do?
• You are the CEO of a start-up that has just produced the initial version of a new generation of tax preparation software. The first company to market this kind of software stands to reap huge profits. However, you are aware that the software has a number of bugs that can result in incorrectly prepared tax documents. Is it OK to market the system anyway, including a disclaimer of responsibility for errors?
• China offers you a contract to build software for Internet censorship. Do you take it?
  • Amnesty International recently accused Microsoft, Sun, Nortel, and Cisco of helping China implement its Internet censorship
Scary stories: the Ariane-5 crash
• On June 4, 1996, 50 seconds into the maiden flight of the Ariane 5 launcher, it self-destructed
• An independent inquiry board carried out an investigation
• Technical cause
  • An operand overflow as a result of data conversion from a 64-bit floating point value to a 16-bit signed integer value in the Inertial Reference System
• Main reason for the technical error
  • Reuse of code from Ariane 4, which had different trajectory and acceleration parameters
• Methodological cause
  • Insufficient quality assurance measures
    • No comprehensive system integration test
    • No external review
Scary stories: the Therac-25 disaster
• Between June 1985 and January 1987, the radiation therapy machine Therac-25 massively overdosed six people
• Cause of failures
  • A data race condition occurring during data entry
    • If data is entered very fast, calibration does not happen correctly
  • Overflow condition for a byte-long unsigned counter variable
    • When the value is 0, no beam repositioning
• Methodological problems
  • Code reuse from Therac-20, which had hardware safety overrides
  • Horrible documentation
  • Unfriendly user interface
  • Tardy response to bug reports
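The second cause on the slide, a byte-wide unsigned counter whose zero value is taken to mean "no repositioning needed", deserves a concrete illustration. The added example below (not the Therac-25 code and not from the lecture) simulates a control loop with such a counter and counts how often the safety step is skipped, then shows the same loop with a flag that is assigned rather than incremented. The loop structure and function names are this example's own assumptions.

```c
/* Added example (not from the lecture): an 8-bit counter used as a
 * "check needed" flag wraps to 0 every 256 increments. Constructed simulation. */
#include <stdint.h>
#include <stdio.h>

/* Each pass through the loop increments a byte-wide counter; the beam
 * repositioning check runs only while the counter is nonzero. Returns how
 * many of 'passes' iterations skipped the check. */
unsigned skipped_checks_u8(unsigned passes)
{
    uint8_t counter = 0;
    unsigned skipped = 0;
    for (unsigned i = 0; i < passes; i++) {
        counter++;                 /* 255 + 1 wraps to 0 for uint8_t */
        if (counter == 0)
            skipped++;             /* 0 is read as "nothing to reposition" */
    }
    return skipped;
}

/* Same loop with a boolean flag that is set, never incremented. A value that
 * is only ever assigned 0 or 1 cannot wrap, so the check is never skipped. */
unsigned skipped_checks_flag(unsigned passes)
{
    uint8_t needs_check = 0;
    unsigned skipped = 0;
    for (unsigned i = 0; i < passes; i++) {
        needs_check = 1;           /* assignment, not arithmetic */
        if (!needs_check)
            skipped++;
    }
    return skipped;
}

int main(void)
{
    unsigned passes = 1000;        /* constructed run length */
    printf("incremented byte counter: %u of %u checks skipped\n",
           skipped_checks_u8(passes), passes);
    printf("assigned flag:            %u of %u checks skipped\n",
           skipped_checks_flag(passes), passes);
    return 0;
}
```

Every 256th pass is silent in the first version, which is exactly the kind of rare, timing-dependent failure that escapes testing and is then hard to reproduce from a bug report. Encoding a yes/no condition as a number that keeps growing is the root defect; the width of the counter only sets how often it shows.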
Should software engineers be licensed?
• Is software engineering a profession?
  • IEEE-ACM joint committee for the establishment of software engineering as a profession
• Professionals tend to be licensed
  • Certifies sufficient knowledge to practice the profession
  • Indicates agreement to comply with the ethics, rules, and regulations of the profession
  • Some states that license engineers restrict the use of the term “engineer”
• Already started
  • UK
  • Texas
Should software engineers be licensed? (continued)
• Concerns
  • Is software engineering an engineering discipline?
  • Can software be developed reliably?
  • Can software be certified?
  • What application domains are relevant?
  • What educational/professional experience is necessary?
Do we need better SE practices or a better application of the existing practices?
• Probably both
• The problem is the lack of empirical information about new (and some old) techniques
• The state of software practice is likely to improve even if only the existing techniques are used rigorously