
Software Security Problem: Common Pitfalls and Effective Approaches

This course aims to raise awareness about common security pitfalls in software development and provide insights into effective approaches, including static analysis, defensive programming, security features, and improving software quality. Learn how to detect vulnerable code and classify different types of vulnerabilities. Uncover the 2009 CWE/SANS Top 25 and understand the risks associated with insecure component interaction, improper input validation, SQL injection, cross-site scripting, and more.

sain

Presentation Transcript


  1. The Software Security Problem Chapter 1

  2. Goals of this course
     • Become aware of common pitfalls.
     • Static Analysis and tools

  3. Some common approaches to security
     • Defensive Programming
     • Security Features (vs secure features)
     • Improving Software Quality

  4. Some common approaches to security
     • Defensive Programming
     • Security Features (vs secure features)
     • Improving Software Quality
     (none of these approaches work!)

  5. So, what works?

  6. Usual Software building cycle:
     • Requirements and Specifications
     • Design
     • Code
     • Test and debug
     • Integration test
     • Deliver

  7. Best way to detect vulnerable code
     • Through a Static Analysis Tool.
     • However, hand/hard work is still necessary!

  8. Vulnerability Classification
     • Generic vs context-specific defects
     • Visible in the code vs visible only in the design
     • Seven pernicious kingdoms:
        • Input validation and representation
        • API abuse
        • Security Features
        • Time and State
        • Error Handling
        • Code Quality
        • Encapsulation
        • Environment

  9. 2009 CWE/SANS Top 25
     • Insecure Component Interaction
        • Improper Input Validation
        • Improper Encoding or escaping of output
        • SQL injection
        • Cross-site scripting
        • OS Command Injection
        • Cleartext transmission of sensitive information
        • Cross-Site Request forgery
        • Race Condition
        • Error Message Information leak
     • Risky Resource Management
        • Buffer overflow
        • External control of state data
        • External control of filename or path
        • Untrusted search path
        • Code injection
        • Code download without integrity check
        • Improper resource shutdown or release
        • Improper Initialization
        • Incorrect Calculation

  10. 2009 CWE/SANS Top 25 (cont)
     • Porous Defenses
        • Improper Access control
        • Broken or risky cryptography
        • Hard-coded password
        • Insecure Permission assignment for critical resource
        • Use of insufficiently random values
        • Execution with unnecessary privileges
        • Client-side enforcement of server-side security
