Introduction to Software Security - PowerPoint PPT Presentation

Presented by Jared, 2004/03/17. Slides: 31.

Transcript and Presenter's Notes

1
Introduction to Software Security
  • Jared
  • 2004/03/17

2
Introduction to Software Security
  • Computer security is an important topic
  • E-commerce is blossoming
  • The Internet works its way into every nook and cranny
  • Underlying all of this lies a common enemy: bad software

3
It's All about the Software
  • Software no longer supports only offices and home
    entertainment
  • The biggest problem in computer security?
  • It is the software! You may have the world's best
    firewall, but ...
  • Malicious hackers do not create security holes, they
    exploit them

4
Hackers, Crackers, and Attackers
  • Hackers
  • Originally a positive meaning
  • Sprang from MIT during the late 1960s
  • People solving tricky problems through
    programming
  • The software engineer's MacGyver
  • Most people
  • Are locksmiths burglars?

5
Hackers, Crackers, and Attackers
  • Cracker
  • In the mid 1980s, hackers coined the term "cracker"
  • A cracker is someone who breaks software for
    nefarious ends

6
Hackers, Crackers, and Attackers
  • Attacker
  • "Hacker": fuzzy feelings
  • Malicious hacker, attacker, or bad guy

7
Who is the Bad Guy?
  • What do hackers do?
  • If they break in, they should notify the author of
    the software
  • Bad guy
  • Little or no programming ability
  • Downloading, building and running programs
  • Hackers call them script kiddies
  • Who wrote the programs?
  • Hacker
  • Malicious intent
  • Full disclosure

8
Dealing with Widespread Security Failures
  • Popular sources for vulnerability information
  • Bugtraq
  • CERT advisories
  • RISKS Digest

9
Dealing with Widespread Security Failures
  • Sources for vulnerability information
  • Bugtraq
  • Administered by securityfocus.com
  • An e-mail discussion list
  • Signal-to-noise ratio (SNR) on Bugtraq is low
  • Full disclosure
  • Encourages vendors to fix problems more quickly

11
Dealing with Widespread Security Failures
  • Sources for vulnerability information
  • CERT Advisories
  • A federally funded research and development
    center
  • Studies Internet security vulnerabilities
  • Provides incident response services
  • Publishes a variety of security alerts
  • Does not publicize an attack until patches are
    available
  • Only releases advisories for significant problems

12
Dealing with Widespread Security Failures
  • Sources for vulnerability information
  • RISKS Digest
  • A mailing list
  • Most Java security attacks first appeared here
  • comp.risks

13
Technical Trends Affecting Software Security
  • Computer networks are becoming ubiquitous
  • More systems to attack, more attacks, and greater
    risks from poor software security practice
  • Growing size and complexity of information systems
    and their corresponding programs
  • C or C++ does not protect against buffer overflow
  • Improper configuration

14
Technical Trends Affecting Software Security
  • Systems are becoming extensible
  • Hard to prevent malicious code from slipping in
  • The plug-in architecture of Web browsers
  • Word processors
  • E-mail clients
  • Spreadsheets

15
The "ilities"
  • What Is Security?
  • Enforcing a policy that describes rules for
    accessing resources
  • Well-defined policy

16
The "ilities"
  • Isn't That Just Reliability?
  • Comparing reliability with security
  • Reliability problems can be considered DoS problems

17
Penetrate and Patch Is Bad
  • Vendors have paid little attention to security
  • Problems with the penetrate-and-patch approach
  • Developers can only patch problems that they know
    about. Attackers may find problems that they
    never report to developers.
  • Patches are rushed out as a result of market
    pressures on vendors, and often introduce new
    problems of their own to a system.
  • Patches often only fix the symptom of a problem,
    and do nothing to address the underlying cause.
  • Patches often go unapplied, as system
    administrators tend to be overworked, and often
    do not wish to make changes to a system that
    works. As we discussed above, system
    administrators are generally not security
    professionals.

18
Penetrate and Patch Is Bad
19
On Art and Engineering
  • Software engineering is going through the
  • "Internet time" phenomenon
  • These days, Internet years rival dog years in
    shortness of duration.
  • Poorly written specifications
  • An implementation problem or a specification
    problem?

20
Security Goals
  • Prevention
  • Traceability and Auditing
  • Monitoring
  • Privacy and Confidentiality
  • Multilevel Security
  • Anonymity
  • Authentication
  • Integrity

21
Security Goals
  • Prevention
  • An ounce of prevention is worth a pound of
    punishment
  • Internet time
  • The enemy of software security
  • Affects the propagation of attacks
  • Zero day
  • Prevention is more important than ever

22
Zero day
23
Security Goals
  • Traceability and Auditing
  • No 100% security
  • The keys to recovering
  • For forensics
  • Detect, dissect, and demonstrate an attack
  • Monitoring
  • Real-time auditing
  • IDS
  • Tripwires

24
Security Goals
  • Privacy and Confidentiality
  • They are deeply intertwined
  • Three groups: individuals, business, and
    government
  • Lots of reasons for software to keep secrets and
    to ensure privacy
  • Someone running a program can pry out a secret the
    software may be trying to hide

25
Security Goals
  • Multilevel Security
  • From Unclassified -> Top Secret
  • Employees, business partners and others
  • Anonymity
  • A double-edged sword
  • Cookies

26
Security Goals
  • Privacy and Confidentiality
  • Three groups: individuals, business, and
    government
  • Lots of reasons for software to keep secrets and
    to ensure privacy
  • Someone running a program can pry out a secret the
    software may be trying to hide

27
Security Goals
  • Authentication
  • One of the "big three" security goals
  • Who, when, and how
  • Nowadays, physical presence is not enough
  • Authentication on the Web
  • SSL: to whom are you connected?

28
Security Goals
  • Integrity
  • Staying the same?
  • Stock prices as an example

29
Software Project Goals
  • Functionality
  • To solve a problem
  • Usability
  • Affects reliability
  • Efficiency
  • Security comes with significant overhead
  • Time-to-market
  • Internet time happens
  • Simplicity
  • Good for both software and security

30
Conclusion
  • Computer security is a vast topic
  • The root of most security problems is software