Software Security, Summaries of Computer Networks


Typology: Summaries

2022/2023

Uploaded on 05/11/2023

laskhminaran
Software Security
By
Hunter Stevenson
Khalid Alharbi
CSCI 5828 Foundations of Software Engineering Spring 2012

What is the talk NOT about?

• Cryptography.

• Database security.

• Operating Systems security.

• Network security.

• Security software.

• Encryption, digital signatures, and authentication protocols.

Part I:

Software Security Fundamentals and Best Practices

What is Software Security?

• Software security is the idea of engineering software so that it continues to function correctly under malicious attack.

• Software security aims to avoid security vulnerabilities by addressing security from the early stages of the software development life cycle.

• "Security is a risk management."

Why Software Security?

  • Most software systems today contain numerous flaws and bugs that get exploited by attackers.
  • New threats emerge every day.
  • Convenience trumps security measures.
  • Exponential increase in vulnerabilities in software systems.
  • Software security is everybody's job.
  • Programmers have a long history of repeating the same security-related mistakes!

Recent Stories (I)

• 2012 - A security flaw in Google Wallet that leads to full access to your Google Wallet account without an extra app or rooting.
  o Your Google Wallet account is tied to the device itself but not to the account.

• 2011 - Oracle's MySQL.com hacked via SQL Injection Attack!!

• 2011 - Expedia's TripAdvisor member data stolen in possible SQL Injection Attack.

• 2010 - Hacker gained access to the Royal Navy website using SQL injection attack.

Terminology (I)

  • Defects are implementation vulnerabilities and design vulnerabilities.
  • Bugs are implementation-level errors that can be detected and removed.
    o Example: Buffer overflow.
  • Flaws are problems at a deeper level. They are instantiated in the code and present or absent at design-level.
    o Example: Error-handling problems.
  • Failures are the inability of the software to perform its required function.

Terminology (II)

• Risks capture the probability that a flaw or a bug will impact the purpose of the software.
  o Risk = probability x impact

• Vulnerabilities are errors that an attacker can exploit.
  o Either flaws in the design or flaws in the implementation.
  o Design-level vulnerabilities are the hardest defects to handle.

Pillar I: Risk Management

• A continuous risk management process is an essential part of software security.

• It identifies, ranks, tracks, and understands software security risks.

• Risk management framework (RMF)
  o An overall approach to risk management.
  o Allows a consistent and continuous expertise-driven approach to risk management.
  o The goal is to consistently track and handle risks.

RMF Activities (I)

1) Understand the business context.

2) Identify the business and technical risks.

3) Synthesize, prioritize, and rank the risks.

4) Define the risk mitigation strategy.

5) Carry out fixes and validate.

[Diagram labels: Business Context; Artifact Analysis; Measurement and Reporting]

RMF Activities (III)

2- Identify the business and technical risks, synthesize, prioritize, and rank the risks.

• Business risks impact business goals.

• Mapping technical risks to business goals.

• Developing a set of risk questionnaires.

• Interviewing the target project team.

• Analyzing the research interview data.

• Evaluating software artifacts.

RMF Activities (IV)

3- Synthesize, prioritize, and rank the risks.

  • Prioritize the risks based on the business goals.
  • Risk metrics:
    o Risk likelihood.
    o Risk impact.
    o Number of risks emerging over time.
  • What shall we do first given the current risk situation?
  • What is the best allocation of resources?

RMF Activities (VI)

5- Carry out fixes and validate that they are correct.

• Implement the mitigation strategy.

• The artifacts should be rectified.

• Progress is measured in terms of completeness against mitigation strategy.

• Use validation techniques to validate that artifacts no longer bear unacceptable risk.

• Metrics include artifact quality metrics and levels of risk mitigation effectiveness.

RMF Activities (VII)

  • Risk management is a central software security practice.
  • Successful use of RMF relies on continuous and consistent identification of risks.
  • Use project management tools to track risk information.
    o Example: Open Workbench.
  • RMF is a multilevel loop.
    o Identifying risks only once during the project is incorrect.
    o The five fundamental activities need to be applied repeatedly throughout the project.
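
The ranking step of RMF activity 3, built on the "Risk = probability x impact" definition from the terminology slide, can be worked through on a small risk register. This is an added example, not part of the original slides; the risks, business goals, numbers and the `fix_cost` field are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Risk:
    name: str          # technical risk
    goal: str          # business goal the risk is mapped to
    likelihood: float  # probability in [0, 1]
    impact: float      # loss if it happens (arbitrary units)
    found_in: int      # RMF iteration that identified the risk
    fix_cost: float    # assumed mitigation effort (not from the slides)

    @property
    def exposure(self) -> float:
        return self.likelihood * self.impact  # Risk = probability x impact

# Constructed sample register, for illustration only.
REGISTER = [
    Risk("SQL injection in login form", "protect customer data", 0.6, 90, 1, 5),
    Risk("Buffer overflow in image parser", "keep service available", 0.3, 70, 1, 8),
    Risk("Inconsistent error handling", "keep service available", 0.5, 40, 2, 3),
    Risk("Stack traces shown to users", "protect customer data", 0.8, 10, 2, 1),
]

def rank(risks):
    """Risks ordered by exposure, highest first."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)

def exposure_by_goal(risks):
    """Sum exposure per business goal, so technical risks roll up to goals."""
    totals = {}
    for r in risks:
        totals[r.goal] = totals.get(r.goal, 0.0) + r.exposure
    return totals

def emerging_per_iteration(risks):
    """Third risk metric from the slides: number of risks emerging over time."""
    return dict(Counter(r.found_in for r in risks))

def mitigation_plan(risks, budget):
    """Simple greedy answer to 'what shall we do first?': walk the ranking
    and fund every fix that still fits in the remaining budget."""
    plan = []
    for r in rank(risks):
        if r.fix_cost <= budget:
            budget -= r.fix_cost
            plan.append(r.name)
    return plan
```

Because the RMF is a loop, the register is re-ranked each iteration as likelihoods change and new risks are appended; the greedy plan is one simple allocation rule, not an optimal one.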