Introduction to Building Secure Software - PowerPoint PPT Presentation

1
Introduction to Building Secure Software
  • Nantana Tinroongroj
  • CSCI577b Spring 2005

2
Outline
  • Why is building secure software hard?
  • What can ease the pain?
  • SDP and CLASP
  • Quiz

3
Why is it hard?
  • There are a lot of bad guys out there!
  • The traditional software development lifecycle
    does not deal with security issues.
  • It is NOT a feature that is easy to demonstrate.
  • Authors of secure software do everything they
    can to prevent accidental mistakes from ever
    happening. Authors of insecure software just
    fix the accidental mistakes.
    http://www.irccrew.org/cras/security/securesoftware.html

(Figure labels: Hacker, White hat, Cracker, Black hat, Script kiddie)

4
What can we do?
  • Extend the development process so that it can
    deal with security issues.

5
SDP
  • Secure Development Process
  • An iterative development methodology whose
    constituents bear some resemblance to activities
    and artifacts found in Rational Unified Process
    (RUP) and Agile processes.
  • Gunnar Peterson, Information Security Bulletin,
    June 2004, Vol. 9, p. 165.

6
SDP Processes
  • Analysis phase: problem definition, requirements
    gathering and analysis
  • Design phase: iterating through designs, proof
    of concept work, and refining requirements
  • Development phase: programming and testing
  • Deployment phase: production operation
  • Based on the waterfall approach

7
SDP Activities and Artifacts

8
Misuse Case
  • A misuse case is the inverse of a use case, i.e.,
    a function that the system should not allow.
  • A mis-actor is the inverse of an actor, i.e., an
    actor that one does not want the system to
    support, an actor who initiates misuse cases.
  • Guttorm Sindre and Andreas Opdahl, Templates for
    Misuse Case Description,
    http://www.ifi.uib.no/conf/refsq2001/papers/p25.pdf

9
Unit Hacking
  • Unit Hacking applies a white hat approach to
    unit testing code.
  • A security-centric unit test executes specific
    security test cases.
  • The goal is to test security properties, not
    functional behavior.
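
A unit-hacking test in the sense of this slide, as an added example that is not part of the original presentation. The unit under test (`resolve_user_file`), the storage root and the sample inputs are all constructed for illustration; each input is a misuse case, and the tests assert a security property (containment within the storage root) rather than functional behavior.

```python
import os
import unittest

BASE_DIR = "/srv/app/uploads"  # hypothetical storage root (assumption)


def resolve_user_file(name, base_dir=BASE_DIR):
    """Hypothetical unit under test: resolve name inside base_dir or raise."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so /srv/app/uploads_evil fails.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the storage root")
    return candidate


class UnitHackingTests(unittest.TestCase):
    """Each input below is a misuse case: what a mis-actor would supply."""
    MISUSE_INPUTS = [
        "../../etc/passwd",        # relative traversal
        "/etc/passwd",             # absolute path overrides the join
        "a/../../uploads_evil/x",  # sibling directory sharing the prefix
        "report.pdf\x00.png",      # embedded NUL byte
        "",                        # empty name
        ".",                       # resolves to the root itself
    ]

    def test_misuse_inputs_are_rejected(self):
        for name in self.MISUSE_INPUTS:
            with self.subTest(name=name), self.assertRaises(ValueError):
                resolve_user_file(name)

    def test_accepted_paths_stay_inside_root(self):
        # Security property, not functional behavior: containment holds.
        root = os.path.realpath(BASE_DIR) + os.sep
        for name in ["report.pdf", "2005/spring/notes.txt", "a/../b.txt"]:
            with self.subTest(name=name):
                self.assertTrue(resolve_user_file(name).startswith(root))


def run_security_tests():
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(UnitHackingTests)
    return unittest.TextTestRunner(verbosity=0).run(suite)


if __name__ == "__main__":
    raise SystemExit(0 if run_security_tests().wasSuccessful() else 1)
```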

10
CLASP
  • Comprehensive, Lightweight Application Security
    Process
  • Provides a well-organized and structured approach
    to moving security concerns into the early stages
    of the software development lifecycle, whenever
    possible
  • Both a stand-alone process and a plug-in to the
    RUP environment (Rational RUP)
  • An activity-centric approach: 30 new activities
    about security issues
  • John Viega, CTO, Secure Software, 15 Oct 2004

11
Examples of core activities

12
Implementation Guide
  • To help the project manager determine whether or
    not to adopt particular activities by providing
    the following information for each activity:
  • Information on activity applicability
  • A discussion of the risks associated with not
    performing the activity.
  • An indication of implementation cost in terms of
    frequency of activity, calendar time, and
    man-hours per iteration.
  • A discussion of dependencies between the various
    process pieces.

13
Supporting artifacts
  • Security resources
  • Root-cause database
  • Code inspection worksheet
  • Additional artifacts, e.g.:
  • A detailed list of common security requirements
    and a checklist of security concerns
  • A guide to building supplementary specifications
    surrounding security
  • Security testing checklist, covering all common
    security testing approaches.

14
Conclusion
  • One way to build secure software is to deal with
    security issues from the early stages of the
    development process.

15
References
  • Collaboration in a Secure Development Process,
    article (parts 1, 2, 3):
    http://www.arctecgroup.net/articles.htm
  • Building Secure Software: How to Avoid Security
    Problems the Right Way:
    http://www.amazon.com/exec/obidos/ASIN/020172152X/qid=1113820542/sr=2-1/ref=pd_bbs_b_2_1/102-1699902-1074543
  • Forums at SecurityFocus.com:
    http://www.securityfocus.com
  • Security in the software development lifecycle,
    article:
    http://www-106.ibm.com/developerworks/rational/library/content/RationalEdge/oct04/viega/
  • CLASP: http://www.securesoftware.com/CLASP
  • Presentations at Cigital.com:
    http://www.cigital.com/presentations/
  • Secure Software, article:
    http://www.irccrew.org/cras/security/securesoftware.html

16
Thank you!