The Software Security Problem - PowerPoint PPT Presentation

About This Presentation
Title: The Software Security Problem

Description: Best way to detect vulnerable code. Through a Static Analysis Tool. ... Seven pernicious kingdoms: Input validation and representation. API abuse. Security Features ... – PowerPoint PPT presentation

Slides: 12
Provided by: csK4
Learn more at: https://www.cs.kent.edu
Transcript and Presenter's Notes

1
Chapter 1
  • The Software Security Problem

2
Goals of this course
  • Become aware of common pitfalls.
  • Static Analysis and tools

3
Some common approaches to security
  • Defensive Programming
  • Security Features (vs secure features)
  • Improving Software Quality

4
Some common approaches to security
  • Defensive Programming
  • Security Features (vs secure features)
  • Improving Software Quality
    (none of these approaches work!)

5
So, what works?

6
Usual Software building cycle
  • Requirements and Specifications
  • Design
  • Code
  • Test and debug
  • Integration test
  • Deliver

7
Best way to detect vulnerable code
  • Through a Static Analysis Tool.
  • However, hand/hard work is still necessary!

8
Vulnerability Classification
  • Generic vs context-specific defects
  • Visible in the code vs visible only in the design
  • Seven pernicious kingdoms
    • Input validation and representation
    • API abuse
    • Security Features
    • Time and State
    • Error Handling
    • Code Quality
    • Encapsulation
    • Environment

9
(No transcript)

10
2009 CWE/SANS Top 25
  • Insecure Component Interaction
    • Improper Input Validation
    • Improper Encoding or Escaping of Output
    • SQL Injection
    • Cross-Site Scripting
    • OS Command Injection
    • Cleartext Transmission of Sensitive Information
    • Cross-Site Request Forgery
    • Race Condition
    • Error Message Information Leak
  • Risky Resource Management
    • Buffer Overflow
    • External Control of State Data
    • External Control of Filename or Path
    • Untrusted Search Path
    • Code Injection
    • Code Download Without Integrity Check
    • Improper Resource Shutdown or Release
    • Improper Initialization
    • Incorrect Calculation

11
2009 CWE/SANS Top 25 (cont.)
  • Porous Defenses
    • Improper Access Control
    • Broken or Risky Cryptography
    • Hard-Coded Password
    • Insecure Permission Assignment for Critical Resource
    • Use of Insufficiently Random Values
    • Execution with Unnecessary Privileges
    • Client-Side Enforcement of Server-Side Security
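Slide 7 says a static analysis tool is the best way to detect vulnerable code but that manual work is still needed, and slides 10 and 11 list the categories such a tool looks for. The added example below (not from the slides or the course) is a deliberately small pattern-based scanner that flags two of the listed Top 25 categories in a constructed source snippet, then applies a manual triage step; the sample source, the regex rules and the `triage` function are assumptions for illustration, and real tools rely on data-flow analysis rather than regexes.

```python
import re

# Constructed sample source (not from the slides): a few lines a static analysis
# tool would scan. Line 4 is a documentation sample a human reviewer would dismiss.
SAMPLE_SOURCE = """\
import random
password = "hunter2"
session_token = random.randint(0, 2**32)
EXAMPLE_PASSWORD = "hunter2"  # documentation sample only
pwd_field_label = "Password"
"""

# Each rule maps a CWE/SANS Top 25 category named on the slides to a hypothetical
# pattern. Regexes are a stand-in for the analysis a real tool performs.
RULES = [
    ("Hard-coded password",
     re.compile(r'(password|passwd|pwd)\s*=\s*["\'][^"\']+["\']', re.I)),
    ("Use of insufficiently random values",
     re.compile(r'\brandom\.(random|randint|choice)\(')),
]


def scan(source):
    """Return (line number, category, stripped line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, category, line.strip()))
    return findings


def triage(findings, dismissed_lines):
    """The manual step from slide 7: drop findings a reviewer has dismissed."""
    return [f for f in findings if f[0] not in dismissed_lines]


if __name__ == "__main__":
    raw = scan(SAMPLE_SOURCE)
    for lineno, category, text in raw:
        print(f"line {lineno}: {category}: {text}")
    print("after triage:", len(triage(raw, {4})), "findings remain")
```

Line 5 is not flagged because the string literal is a UI label, not an assignment to a password variable, while line 4 is flagged and only the reviewer can decide it is harmless.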