
Software Security Course


misha




Presentation Transcript


  1. Software Security Course Course Outline 2-27-09

  2. Course Overview • Introduction to Software Security • Common Attacks and Vulnerabilities • Overview of Security Engineering • How To - Secure Design • How To - Secure Implementation • How To - Security Testing • How To - Secure Deployment • Compliance and Regulatory Standards • Special Topics • Additional Resources

  3. Introduction to Software Security

  4. Introduction to Software Security • Definition and Context • Why Security Matters • Myths and Urban Legends • Threats and Examples • Case Studies • Concepts and Definitions

  5. Definition and Context • Software security as part of the larger problem of developing robust, reliable code • Describe the relationship between software security and: • Corporate information security policies • Corporate risk strategies • Explain the differences between software and network security • Areas of overlap • Areas of divergence • Pros and cons of each area of investment

  6. Definition and Context • CIA (confidentiality, integrity, availability) as a way to think about security • STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) as a way to assess impact of a threat • DREAD (damage, reproducibility, exploitability, affected users, discoverability) as a way to categorize the severity of a threat

  7. Why Security Matters • Customers care – now more than ever • Patching is expensive • Regulatory compliance • Security failures == business risk • Competitive advantage • Critical part of TCO • The threat environment is bad and getting worse • Attackers have the advantage

  8. Myths and Urban Legends
  • Myth: Security is only required in the OS – 15% are OS vulns
  • Myth: I only need a good patch strategy – Mean time to attack: 330 days -> 2 weeks
  • Myth: I have a firewall, AV and IDS – 92% of vulns are software, not network
  • Myth: Functional testing finds security defects – Good practices from design->deploy are required
  • Myth: I use Java (or .NET) – Only helps with some classes of problem
  • Myth: I use cryptography – Helps with some threats, but just one tool in the toolbox

  9. Threats and Examples

  10. Threats and Examples

  11. Case Studies • Show real world impact, examine past mistakes • Love Virus • Sapphire Worm • TJX • Heartland

  12. Concepts and Definitions • Asset • Attack • Control • Countermeasure or mitigation • Guideline • Information Security • Insider Threat • Policy • Privacy • Risk • Risk Analysis • Risk Assessment • Security Engineering • Security Requirement • Threat • Vulnerability

  13. Common Attacks and Vulnerabilities

  14. Common Attacks and Vulnerabilities • Types of Attackers • Attacker Motivation • Attacker Origin • Anatomy of an Attack • Attacker Tools • OWASP Top 10 • CWE/SANS Top 25

  15. Types of Attackers • Script Kiddies • Amateur Experts • Crack Experts • Professionals

  16. Attacker Motivation • White Hat • Black Hat • Grey Hat

  17. Attacker Origin • Internal attackers – the insider threat • External attackers

  18. Anatomy of an Attack • Targeting • Probing • Attempting penetration • Securing hold • Cleanup and propagation

  19. Attacker Tools • Whitebox • Greybox • Blackbox

  20. OWASP Top 10 • Cross Site Scripting • Injection Flaws • Malicious File Execution • Insecure Direct Object Reference • Cross Site Request Forgery • Information Leakage and Improper Error Handling • Broken Authentication and Session Management • Insecure Cryptographic Storage • Insecure Communications • Failure to restrict URL access

  21. CWE/SANS 25 Most Dangerous • CWE and SANS put together a list of the 25 most dangerous coding errors • Insecure interaction between components • Risky resource management • Porous defenses • http://www.sans.org/top25errors/

  22. Overview of Security Engineering

  23. Overview of Security Engineering • How it Fits • Key Activities

  24. How it Fits

  25. Key Activities • Threat Modeling • Security Design Best Practices • Security Design Review • Security Coding Best Practices • Security Code Review • Penetration Test • Security Deployment Review

  26. How To - Secure Design

  27. How To – Secure Design • Design Principles • Design Patterns

  28. Design Principles • Simplify the design • Least privilege • Defense in depth • Fail secure • Secure by default • Compartmentalize • Attack Surface Reduction • …

  29. Design Patterns • Trusted Subsystem • Brokered Authentication • …

  30. How To - Secure Implementation

  31. How To – Secure Implementation • Coding Principles • OS Fundamentals • Common Errors • Common Web Errors

  32. Coding Principles • Validate all user input • Auditing and logging • Limit resource consumption • …

  33. OS Fundamentals • Access controls • .NET code access security • Java sandbox • Cryptography • …

  34. Common Errors • Integer overflows • Failure to validate input • Failure to protect sensitive data • Failure to understand and protect across trust boundaries • Insecure error messages • Buffer overflows and other errors that occur only in compiled languages such as C/C++ • …

  35. Common Web Errors • Trusting client-side validation • Failure to validate input and encode output • Failure to protect the session • Failure to protect against zero and one-click attacks • Disclosing too much information • …

  36. How To - Security Testing

  37. How To – Security Testing • Security Testing is Different • Think Like an Attacker • Categories of Attack • How to Test the Top 10

  38. Security Testing is Different [Diagram: Intended Behavior vs. Actual Behavior, with regions labeled "Most Security Bugs" and "Traditional Bugs"]

  39. Think Like an Attacker • Security bugs: • Are much harder to spot…they often have no visible (to the human eye) behavior…we need better tools • Require us to think about side effects and what sensitive data might be exposed • Require us to “think backwards”…that is, instead of thinking what should happen, we need to think about what shouldn’t happen

  40. Categories of Attack • External dependencies • Unanticipated user input • Vulnerable design • Vulnerable implementation

  41. How to Test the Top 10 • Cross Site Scripting • Injection Flaws • Malicious File Execution • Insecure Direct Object Reference • Cross Site Request Forgery • Information Leakage and Improper Error Handling • Broken Authentication and Session Management • Insecure Cryptographic Storage • Insecure Communications • Failure to restrict URL access

  42. How To - Secure Deployment

  43. How To – Secure Deployment • Deployment Principles • Deployment Patterns

  44. Deployment Principles • The importance of configuration • How physical deployment impacts security • How software design can make it easier to manage security and detect attacks post-deployment

  45. Deployment Patterns • Understand the common application types: • Mobile Client • Rich Client • Rich Internet Application • Service Interfaces (SaaS, S+S) • Web Application • Understand the common deployment patterns: • Single server, non-distributed • Multiple server, distributed • Understand the impact: • Impersonation and delegation • Layer interfaces • Trust boundaries

  46. Compliance and Regulatory Standards

  47. Regulatory Standards • Overview of the regulation: • PCI • HIPAA • Cover what these mean from a developer point of view • http://msdn.microsoft.com/en-us/library/aa480484.aspx

  48. Special Topics

  49. Additional Topics to Consider • Privacy Issues • Digital Rights Management (DRM) • Social Engineering Attacks

  50. Additional Resources
