1 / 12

Why is Commercial Software So Vulnerable

Why is Commercial Software So Vulnerable. (and How Can We Fix It)?. State of Things Today. Many vulnerabilities in commercial software Typical vendors release dozens of fixes annually No indication this is improving. Kinds of Vulnerabilities. Design Flaws Implementation Flaws.

lee-snider
Download Presentation

Why is Commercial Software So Vulnerable

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Why is Commercial Software So Vulnerable (and How Can We Fix It)?

  2. State of Things Today • Many vulnerabilities in commercial software • Typical vendors release dozens of fixes annually • No indication this is improving

  3. Kinds of Vulnerabilities • Design Flaws • Implementation Flaws

  4. Design Flaws • Occur when software is planned and specified without proper consideration of security requirements and principles • Examples: • Cleartext passwords • Weak or proprietary cryptography

  5. Design Flaws • Why do Design Flaws happen? • Rushed engineers • Ignorance of security requirements or principles • Fortunately, software designs are improving!

  6. Design Flaws • As Design Flaws are found, they are fixed in future releases • But . . . • These can be deeply ingrained, architectural issues • Industry is moving in the right direction • Design Flaws are a minority of the security bugs we see

  7. Implementation Flaws • Occur when software developers make a mistake when coding software • (Just like other bugs, but some have serious security implications!) • Implementation Flaws are independent of design

  8. Implementation Flaws • Examples: • Buffer overflows • Integer over/underflows • SQL Injection • Format string

  9. Implementation Flaws • Why do Implementation Flaws happen? • Human error • We cannot eliminate human error, but we can do more to minimize it • Most serious security bugs are due to these careless mistakes

  10. How Can We Improve? • Education • Not every developer can be a security expert • Every developer must understand security fundamentals • At Oracle, we have had success with a web-based, on-demand secure coding training class

  11. How Can We Improve? • Individual accountability • Education makes people accountable! • Hold developers accountable for writing quality code. • Automated tools • Power of the consumer

  12. The End • Any questions?

More Related