Cairo University, Faculty of Computers and Information. SE611 – 2018/2019 2nd Term. Secure Software Development. Lecture 1: Welcome and Introduction. By Dr. Mohamed El-Ramly http://www.acadox.com/class/56820
I am …… • Mohammad El-Ramly • Assistant Professor of Computer Sciences • Specialization: Software Engineering • Mastermind behind JMSE • B.Sc. of Computer Engineering, Ain Shams University, Cairo. • M.Sc. of Operations Research, Cairo Uni. • Ph.D. of Computer Science, University of Alberta, Canada.
Lecture Outline • Introduction • Required background • Tell me about your background • Introduction to Secure Software Development • Course Objectives and Content • Course Administration • Course Resources • Assignment 1
Renew Your Intention • Whoever follows a path in search of knowledge, God makes easy for him a path to Paradise. • Knowledge raises a house that has no pillars, and ignorance demolishes the house of honor and nobility. • Knowledge is a light that illuminates backward minds and a lantern that opens dark paths. • The story of the plague of London • Do not wait for change, make it: your success is your responsibility. • The story of the horse farm owner
An American Pause • An Hour of Code • Code.org • CodeCombat.com • TouchDevelop.com
US UK
High Demand for Qualified Developers & Software Engineers • Competition for software engineers continues to accelerate, with salaries being an area employers compete aggressively on to win talent.
Mohamed Gamal (2012) Google, Zurich, Switzerland Mohamed Magdi (2011) Booking.com Ahmed Abdo (2009) Google Canada Mohamed Ahmed (2015) Orange Labs, Cairo Omar Elmohandes (2011) Amazon London Ahmed Abdelhay (2011) Game Developer, Holland Ahmed Badr & Marwan Alnaggar (2012) FB, USA Ahmed Aly (2009), Google USA, A2OJ Ahmed Abulkhair AUC, Amazon London Ahmed Mamdouh Qatar Computing Research Institute Amr Samir (2011) Google, Zurich, Switzerland Mostafa Saad (2008) PhD, Canada Mohamed Abdelwahab (2001) PhD Student, Australia, ACM Most Famous Coach Abdelkareem Mamdouh Huessin Hesham (2008) Valeo, Egypt Yasser Yahia (2008) Amazon, Seattle, USA
Jason Gorman (SE Recruiter) • I help clients to recruit software developers, and I know that for every role that involves programming, you may get hundreds of applicants. • Of those hundreds of applicants, perhaps a dozen will be worth interviewing. Of those dozen, perhaps just one or two will actually be what enlightened employers consider to be good enough to let loose on their critical business systems and software products. • While there may not be a shortage of programmers, there's most definitely a chronic shortage of good software developers. That's something that didn't seem to cross anyone's mind - that there's much more to it than just programming, for a start, and that it takes years to develop the skills and knowledge needed to build good, valuable, reliable, maintainable, secure, scalable software. • http://codemanship.co.uk/parlezuml/blog/?postid=1208
Software Is Everywhere • Daily Life – social media, communications, medicine, education, mobile, weather, traffic, etc. • Industry – robots, embedded systems, computerized machines, etc. • Vehicles – cars, trains, airplanes, self-driving cars, drones, spaceships, etc. • IoT – pacemakers, wearables, shoes, clothes, coffee makers, etc.
Attacks on Infrastructure [Figure labels: Malicious Machine, Legitimate Machine, Compromised DNS Server]
Attacks on Software [Figure labels: Input Injection, Overflow, Weak Authentication; 70%]
Attacks on People [Figure labels: Input Injection, Weak Authentication, Overflow, Social Engineering]
Ex1: Millennium Denial of Service Attack • The week of Feb 6, 2000, hackers delivered over 1-Billion transactions concurrently to each one of these sites. • Yahoo • eBay • Buy.com • Amazon • eTrade • What do you expect to have happened? • IoT + DoS = ?
Ex2: Target Attack – Social Eng. • In Dec. 2013 over 40 million credit cards were stolen from ~2000 Target stores by accessing data on point of sale (POS) systems. • Spear Phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. • Network segmentation / segregation is enforcing rules to control communications between specific hosts and services to restrict access to sensitive information, hosts and services.
Ex3: Equifax Attack • In July 2017, Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that maintained documents used to resolve consumer disputes. • Attackers accessed personal information of at least 145.5 million individuals.
Ex4: QNB Attack – SQL Injection • Hackers hit Qatar National Bank (QNB) in April 2016 and the UAE InvestBank in May 2016. • "Bozkurt Hackers" claimed responsibility for the data breach. • Hackers leaked 1.4GB of data, which included customers' financial records, credit card numbers and PIN codes as well as banking details pertaining to the Al-Thani Qatar Royal Family and Al Jazeera journalists. • try.cybersecurity.ieee.org/trycybsi/explore/sqlinjection
Ex4: QNB Attack – SQL Injection • SQL Injection. Through carefully crafted input, hackers were able to inject SQL queries through unchecked or unsanitized input, which allowed them to get into the DBMS of the bank. • Not just QNB: • BMO (Bank of Montreal) and Simplii Financial by CIBC (Canadian Imperial Bank of Commerce) • After releasing the data of 2 clients, attackers threatened to release the data of 100,000 customers if not paid $1 million in the cryptocurrency Ripple by 28/5/2018. • Data obtained are names, account info, passwords, security questions, occupation, SIN and balances.
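The injection described above, as an added example that is not part of the lecture: a PIN-checked account lookup built by string concatenation next to its parameterized form, run against an in-memory SQLite database. The table, column names, function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample accounts (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, pin TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "1111", 500), ("bob", "2222", 900), ("carol", "3333", 70)],
    )
    return db

def lookup_vulnerable(db, owner, pin):
    # Vulnerable: input is pasted into the SQL text, so a quote character in
    # the input ends the string literal and the rest is parsed as SQL.
    query = (
        "SELECT owner, balance FROM accounts "
        "WHERE owner = '" + owner + "' AND pin = '" + pin + "'"
    )
    return db.execute(query).fetchall()

def lookup_safe(db, owner, pin):
    # Hardened: placeholders keep the input as data; it is never parsed as SQL.
    query = "SELECT owner, balance FROM accounts WHERE owner = ? AND pin = ?"
    return db.execute(query, (owner, pin)).fetchall()

# Constructed input: closes the pin literal and appends an always-true condition.
CRAFTED_PIN = "x' OR '1'='1"

def demo():
    db = make_db()
    results = {
        "vulnerable_legit": lookup_vulnerable(db, "alice", "1111"),
        "vulnerable_crafted": lookup_vulnerable(db, "alice", CRAFTED_PIN),
        "safe_legit": lookup_safe(db, "alice", "1111"),
        "safe_crafted": lookup_safe(db, "alice", CRAFTED_PIN),
    }
    try:
        # A legitimate name with an apostrophe breaks the concatenated query.
        lookup_vulnerable(db, "o'brien", "0000")
        results["apostrophe_name"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_name"] = "syntax error"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the crafted PIN the concatenated query returns every account, while the parameterized query returns none; the apostrophe case shows the same defect surfacing as a plain correctness bug.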
Ex5: eBay Attack - XSS • In 2017, a vulnerability in the item description section on eBay was exploited by criminals. The attack goes as follows: • A cross-site scripting vulnerability was identified in handling the description of the item sold. • Compromised accounts were used to enter descriptions that contain malicious scripts. • The script directed users to a fake login page. • A fake login page was used to steal user credentials. • Stolen credentials were used to sell fake items, collect the money and never deliver the item.
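The description-field flaw above, as an added example that is not part of the lecture and not eBay's code: a listing page rendered with and without output encoding, plus a small checker that reports script-capable markup in the rendered page. The page template, the function and class names and the sample description are hypothetical and constructed for illustration.

```python
import html
from html.parser import HTMLParser

PAGE = '<h1>{title}</h1>\n<div class="description">{description}</div>'

# Constructed seller input: a script that sends the visitor to another page.
SAMPLE_DESCRIPTION = (
    "Great phone, barely used."
    "<script>location='https://login.example.invalid/'</script>"
)

def render_vulnerable(title, description):
    # Vulnerable: seller-supplied text is placed into the page as markup.
    return PAGE.format(title=title, description=description)

def render_safe(title, description):
    # Hardened: HTML metacharacters are encoded, so the text is shown, not run.
    return PAGE.format(title=html.escape(title),
                       description=html.escape(description))

class ActiveContentFinder(HTMLParser):
    """Collects elements and attributes that can run script in a rendered page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            target = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and target.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def scan(page):
    """Return the list of script-capable constructs found in an HTML page."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    print(scan(render_vulnerable("Phone", SAMPLE_DESCRIPTION)))
    print(scan(render_safe("Phone", SAMPLE_DESCRIPTION)))
```

The checker is a review aid for rendered output; the fix itself is the encoding step in `render_safe`.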
2. Required Background • To do well on this course you need to … • Have good programming experience • The equivalent to 3 courses on programming • One of them on C / C++ • Have basic experience in web develop. • Some HTML, CSS, JS, PHP …. • Self-learner
Did you hear about … • Vulnerability • XSS • Session Hijacking • DoS • SQL Injection • Abuse Cases • Secure Code Practices • SSDL • GDPR • DDoS • Penetration Testing • Threat Modeling • OWASP
Introduce yourself • ………. Fill the survey form …..
3. The Goal of Software Engineering Is Producing Quality Software
• Can be quite different based on your viewpoint:
• Customer:
- Solves problems correctly at acceptable cost (time and resource).
- Secures data and resources
• User:
- Easy to learn / Usable
- Efficient to use
- Get work done
- Reliable / Robust
• Developer:
- Easy to design and maintain
- Successfully used and deployed
• Developer Manager:
- Sells more and pleases customers
- Costing less to develop and maintain
External Quality Characteristic ● Correctness. • The degree to which a system is free from faults in its specification, design, and implementation. ● Usability. • The ease with which users can learn and use a system. ● Efficiency. • Minimal use of system resources, including memory and execution time.
External Quality Characteristic ● Reliability • The ability of a system to perform its required functions under stated conditions whenever required—having a long mean time between failures. ● Robustness • The degree to which a system continues to function in the presence of invalid inputs or stressful environmental conditions.
External Quality Characteristic ● Security • The degree to which a system prevents unauthorized or improper access to its programs and data. ● Adaptability • The extent to which a system can be used, without modification, in applications or environments other than those for which it was specifically designed.
3. Introduction to Secure SWD • Correctness is the main quality attribute, which means that the system does what it is supposed to do and meets its SRS. • Security is a quality attribute which means that a system does not do what it should not do and meets its security requirements. • It prevents undesirable behaviors under wide ranging circumstances, even when subjected to intentional attacks.
Security Properties • Three main security properties: • Confidentiality • Integrity • Availability
Security Properties • Confidentiality is protecting the privacy of the data and the system. • Integrity is protecting the data and system resources from getting corrupted or modified / used in unauthorized ways. • Tampering with system logs or DBMS • Installing spyware • Availability is ensuring that the system and data are available to legitimate users.
Security Vulnerabilities • A defect is a problem in the design or implementation such that the system fails to meet its requirements. • A flaw is a defect in the design • A bug is a defect in the implementation. • A vulnerability is a defect that an adversary can exploit to get the system to behave insecurely. It is a defect in security.
Ex6: Adobe Attack • The RSA 2011 breach exploited a vulnerability in the implementation of Adobe Flash Player. • Flash Player should reject malformed input files; the defect instead allowed the attacker to provide a carefully crafted input file that could manipulate the program to run the attacker’s code. • This input file could be embedded in a Microsoft Excel spreadsheet so that Flash Player was automatically invoked when the spreadsheet was opened.
Ex6: Adobe Attack • In the actual attack, • A spreadsheet was sent to an executive at the company as if from a colleague. (What is the name of this social engineering method?) • When opened, the sheet installed malware on the executive’s machine. • This led to stealing source code and customer information.
Software Security • Software security is a branch of computer security that focuses on the design and implementation of secure software. • Secure software is software free of vulnerabilities and flaws that hackers can exploit to attack the system. • Secure software development is the set of software engineering practices that aim to produce secure software.
Software Security • It is a white box approach whose focus is producing secure code, resilient to adversary attacks, as opposed to black box approaches that tend to build defenses around the system. • Some studies suggest that 70% of attacks happen due to software vulnerabilities.
Black Box Security Measures • Firewalls block connections and packets from entering the network. • E.g., a firewall may block all connections to a server except via TCP port 80, the port used by web servers. • An Intrusion Detection System scans the contents of network packets, looking for suspicious patterns, e.g. possible exploits. • Anti-virus examines emails, files, etc. to look for malicious code.