CSCE 548 Building Secure Software - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CSCE 548 Building Secure Software
2
Class Info
  • Instructor: Csilla Farkas
  • Office: Swearingen 3A43
  • Office Hours: Tuesday, Thursday 2:00-3:30 pm or
    electronically any time or by appointment
  • Telephone: 576-5762
  • E-mail: farkas_at_cse.sc.edu
  • Class homepage: http://www.cse.sc.edu/farkas/csce548-2008/csce548.htm

3
Text Books
  • Software Security: Building Security In, by Gary
    McGraw, Publisher: Addison-Wesley Professional,
    February 2, 2006, ISBN-10: 0321356705, ISBN-13:
    978-0321356703
  • 19 Deadly Sins of Software Security, by Michael
    Howard, David LeBlanc, John Viega, Publisher:
    McGraw-Hill Osborne Media, July 26, 2005,
    ISBN-10: 0072260858, ISBN-13: 978-0072260854

4
Assignments
  • Research project: one research project related to
    software security.
  • Homework: There will be 4-5 homework assignments
    during the semester.
  • Exams: two closed book tests (given approximately
    at 1/3 and 2/3 of the semester) will cover the
    course material. No final exam.

5
Grading
  • Test 1: 25, Test 2: 25, Homework: 15, Research
    project: 35
  • Total score that can be achieved: 100
  • Final grade: 90 < A, 87 < B < 90, 80 < B < 87,
    76 < C < 80, 66 < C < 76, 61 < D < 66, 45 < D < 61

6
Reading
  • This lecture:
      • McGraw: Chapter 1
  • Recommended:
      • CyberInsecurity: The Cost of Monopoly,
        http://cryptome.org/cyberinsecurity.htm
  • Next lecture:
      • McGraw: Chapter 2

7
Why do we need software security?
  • Software is essential in almost every aspect of
    our lives

8
How to address software security?
  • Do not address at all
  • Ad-hoc evaluation
  • Add security features after the fact
  • Identify security vulnerabilities
  • Test security level
  • Incorporate security throughout the SDLC

9
This Course
  • Not a software engineering course
  • Understand basic security concepts and their
    impact
  • Introduce systematic security design and
    development alongside project management
  • Best practices

10
Security Objectives
  • Confidentiality: prevent/detect/deter improper
    disclosure of information
  • Integrity: prevent/detect/deter improper
    modification of information
  • Availability: prevent/detect/deter improper
    denial of access to services

11
Software Security
  • NOT security software!
  • Engineering software so that it continues to
    function correctly under malicious attack
  • Functional requirements
  • Non-functional requirements (e.g., security)

12
Why Software?
  • Increased complexity of software product
  • Increased connectivity
  • Increased extensibility
  • Increased risk of security violations!

13
Security Problems
  • Defects: implementation and design
    vulnerabilities
  • Bug: implementation-level vulnerabilities
    (low-level or mid-level)
      • Static analysis tool
  • Flaw: subtle, not so easy to detect problems
      • Manual analysis
      • Automated tools (for some but not design level)
  • Risk: probability × impact

14
Application vs. Software Security
  • Usually refers to security after the software is
    built
  • Adding more code does not make a faulty software
    correct
  • Sandboxing
  • Network-centric approach
  • Application security testing: badness-ometer

[Figure: badness-ometer, with scale labels "Who Knows" and "Deep Trouble"]
15
Three Pillars of Software Security
  • Risk Management
  • Software Security Touchpoints
  • Knowledge

16
Risk Management
  • How much effort to invest in security
  • Consequences of security breaches
  • Acceptable level of security
  • Tracking and mitigating risk throughout the full
    SDLC

17
Touchpoints
  • System-wide activity from design to testing and
    feedback
  • Focus on security from ground up
  • Touchpoints:
      • Code review
      • Architectural risk analysis
      • Penetration testing
      • Risk-based security testing
      • Abuse cases
      • Security requirements
      • Security operations

18
Knowledge
  • Gathering, encapsulating, and sharing security
    knowledge
  • Knowledge catalogs: principles, guidelines,
    rules, vulnerabilities, exploits, attack
    patterns, historical risks
  • Knowledge categories:
      • Prescriptive knowledge
      • Diagnostic knowledge
      • Historical knowledge
  • Applied along the SDLC

19
Security Engineering
  • Reduce the need for reactive technologies (e.g.,
    intrusion detection) by safer products →
    Understand software
  • Need for:
      • Software developers
      • Operations people
      • Administrators
      • Users
      • Executives

20
Next Class
  • Risk Management