Title: Introduction to Software Security
1 Introduction to Software Security
2 Introduction to Software Security
- Computer security is an important topic
- E-commerce blossoms
- The Internet works its way into every nook
- Behind it all lies a common enemy: bad software
3 It's All about the Software
- Software no longer just supports offices and home entertainment
- The biggest problem in computer security
- It is the software! You may have the world's best firewall, but ...
- Malicious hackers do not create security holes; they exploit them
4 Hackers, Crackers, and Attackers
- Hackers
- Originally positive meaning
- Sprang from MIT during the late 1960s
- People solving tricky problems through programming
- Software engineer MacGyver
- Most people
- Locksmiths are burglars?
5 Hackers, Crackers, and Attackers
- Cracker
- In the mid-1980s, hackers coined the term cracker
- A cracker is someone who breaks software for nefarious ends
6 Hackers, Crackers, and Attackers
- Attacker
- Hacker, fuzzy feelings
- Malicious hacker, attacker, or bad guy
7 Who is the Bad Guy?
- What do hackers do?
- If they break in, they should notify the author of the software
- Bad guy
- Little or no programming ability
- Downloading, building and running programs
- Hackers call them script kiddies
- Who wrote the programs
- Hacker
- malicious intent
- full disclosure
8 Dealing with Widespread Security Failures
- Popular sources for vulnerability information
- Bugtraq
- CERT advisories
- RISKS Digest
9 Dealing with Widespread Security Failures
- Sources for vulnerability information
- Bugtraq
- Administered by securityfocus.com
- An e-mail discussion list
- The signal-to-noise ratio (SNR) on Bugtraq is low
- Full disclosure
- Encourages vendors to fix problems more quickly
11 Dealing with Widespread Security Failures
- Sources for vulnerability information
- CERT Advisories
- A federally funded research and development center
- Studies Internet security vulnerabilities
- Provides incident response services
- Publishes a variety of security alerts
- Does not publicize an attack until patches are available
- Only releases advisories for significant problems
12 Dealing with Widespread Security Failures
- Sources for vulnerability information
- RISKS Digest
- A mailing list
- Most Java security attacks first appeared here
- comp.risks
13 Technical Trends Affecting Software Security
- Computer networks becoming ubiquitous
- More systems to attack, more attacks, and greater risks from poor software security practice
- The size and complexity of information systems and their corresponding programs
- C or C++ does not protect against buffer overflow
- Improper configuration
14 Technical Trends Affecting Software Security
- systems becoming extensible
- hard to prevent malicious code from slipping in
- the plug-in architecture of Web browsers
- Word processors
- E-mail clients
- Spreadsheets
15 The ilities
- What Is Security?
- Enforcing a policy that describes rules for accessing resources
- Well-defined policy
16 The ilities
- Isn't That Just Reliability?
- Comparing reliability with security
- Reliability problems considered DoS problems
17 Penetrate and Patch Is Bad
- Vendors paid little attention to security
- Problems with the penetrate-and-patch approach
- Developers can only patch problems that they know about. Attackers may find problems that they never report to developers.
- Patches are rushed out as a result of market pressures on vendors, and often introduce new problems of their own to a system.
- Patches often only fix the symptom of a problem, and do nothing to address the underlying cause.
- Patches often go unapplied, as system administrators tend to be overworked, and often do not wish to make changes to a system that works. As we discussed above, system administrators are generally not security professionals.
18 Penetrate and Patch Is Bad
19 On Art and Engineering
- Software engineering goes through
- Internet time phenomenon
- These days, Internet years rival dog years in shortness of duration.
- Specification poorly written
- An implementation problem or a specification problem?
20 Security Goals
- Prevention
- Traceability and Auditing
- Monitoring
- Privacy and Confidentiality
- Multilevel Security
- Anonymity
- Authentication
- Integrity
21 Security Goals
- Prevention
- An ounce of prevention is worth a pound of punishment
- Internet time
- The enemy of software security
- Affects the propagation of attacks
- Zero day
- Prevention more important than ever
22 Zero day
23 Security Goals
- Traceability and Auditing
- No 100% security
- The keys to recovering
- For forensics
- Detect, dissect, and demonstrate an attack
- Monitoring
- Real-time auditing
- IDS
- Tripwires
24 Security Goals
- Privacy and Confidentiality
- They are deeply intertwined
- Three groups: individuals, businesses, and government
- Lots of reasons for software to keep secrets and to ensure privacy
- A running program can pry out a secret that a piece of software may be trying to hide
25 Security Goals
- Multilevel Security
- From Unclassified -> Top Secret
- Employees, business partners and others
- Anonymity
- A double-edged sword
- Cookies
26 Security Goals
- Privacy and Confidentiality
- Three groups: individuals, businesses, and government
- Lots of reasons for software to keep secrets and to ensure privacy
- A running program can pry out a secret that a piece of software may be trying to hide
27 Security Goals
- Authentication
- Big three security goals
- Who, when, and how
- Nowadays, physical presence is not enough
- Authentication on the Web
- SSL: to whom are you connected?
28 Security Goals
- Integrity
- Staying the same?
- Stock prices as an example
29 Software Project Goals
- Functionality
- To solve a problem
- Usability
- Affects reliability
- Efficiency
- Security comes with significant overhead
- Time-to-market
- Internet time happens
- Simplicity
- Good for both software and security
30 Conclusion
- Computer security is a vast topic
- The root of most security problems is software