Why is Commercial Software So Vulnerable - PowerPoint PPT Presentation

About This Presentation
Title:

Why is Commercial Software So Vulnerable

Description:

Why is Commercial Software So Vulnerable (and How Can We Fix It)? State of Things Today Many vulnerabilities in commercial software Typical vendors release dozens of ... – PowerPoint PPT presentation

Number of Views:84
Avg rating:3.0/5.0
Slides: 13
Provided by: AdamJ156
Category:

less

Transcript and Presenter's Notes

Title: Why is Commercial Software So Vulnerable


1
Why is Commercial Software So Vulnerable
  • (and How Can We Fix It)?

2
State of Things Today
  • Many vulnerabilities in commercial software
  • Typical vendors release dozens of fixes annually
  • No indication this is improving

3
Kinds of Vulnerabilities
  • Design Flaws
  • Implementation Flaws

4
Design Flaws
  • Occur when software is planned and specified
    without proper consideration of security
    requirements and principles
  • Examples
  • Cleartext passwords
  • Weak or proprietary cryptography

5
Design Flaws
  • Why do Design Flaws happen?
  • Rushed engineers
  • Ignorance of security requirements or principles
  • Fortunately, software designs are improving!

6
Design Flaws
  • As Design Flaws are found, they are fixed in
    future releases
  • But . . .
  • These can be deeply ingrained, architectural
    issues
  • Industry is moving in the right direction
  • Design Flaws are a minority of the security bugs
    we see

7
Implementation Flaws
  • Occur when software developers make a mistake
    when coding software
  • (Just like other bugs, but some have serious
    security implications!)
  • Implementation Flaws are independent of design

8
Implementation Flaws
  • Examples
  • Buffer overflows
  • Integer over/underflows
  • SQL Injection
  • Format string

9
Implementation Flaws
  • Why do Implementation Flaws happen?
  • Human error
  • We cannot eliminate human error, but we can do
    more to minimize it
  • Most serious security bugs are due to these
    careless mistakes

10
How Can We Improve?
  • Education
  • Not every developer can be a security expert
  • Every developer must understand security
    fundamentals
  • At Oracle, we have had success with a web-based,
    on-demand secure coding training class

11
How Can We Improve?
  • Individual accountability
  • Education makes people accountable!
  • Hold developers accountable for writing quality
    code.
  • Automated tools
  • Power of the consumer

12
The End
  • Any questions?
Write a Comment
User Comments (0)
About PowerShow.com