Introduction to Software Security

1
Introduction to Software Security

• Jared
• 2004/03/17

2
Introduction to Software Security

• Computer Security is an important topic
• E-commerce blossoms
• Internet works its way every nook
• All lies a common enemy bad software

3
Its All about the Software

• Software no longer supports offices and home
  entertainment
• The biggest problem in computer security
• It is the software! You may have the worlds best
  firewall, but
• Malicious hackers not create security holes, they
  exploit them

4
Hackers, Crackers, and Attackers

• Hackers
• Originally positive meaning
• Sprang from MIT during the late 1960s
• People solving tricky problems through
  programming
• Software engineer MacGyver
• Most people
• Locksmiths are burglars?

5
Hackers, Crackers, and Attackers

• Cracker
• In the mid 1980s, hacker coined the term cracker
• A cracker is someone who breaks software for
  nefarious ends

6
Hackers, Crackers, and Attackers

• Attacker
• Hacker, fuzzy feelings
• Malicious hacker, attacker, or bad guy

7
Who is the Bad Guy?

• What hackers do?
• If break into, they should notify the author of
  the software
• Bay guy
• Little or no programming ability
• Downloading, building and running programs
• Hackers call it script kiddie
• Who wrote the programs
• Hacker
• malicious intent
• full disclosure

8
Dealing with Widespread Security Failures

• Popular sources for vulnerability information
• Bugtraq
• CERT advisories
• RISKS Digest

9
Dealing with Widespread Security Failures

• Sources for vulnerability information
• Bugtraq
• administered by securityfocus.com
• An e-mail discussion list
• SNR on Bugtraq is low
• Full disclosure
• Encourage vendors to fix problems more quickly

10
(No Transcript)
11
Dealing with Widespread Security Failures

• Sources for vulnerability information
• CERT Advisories
• a federally funded research and development
  center
• Studies Internet security vulnerabilities
• Provides incident response services
• Publishes a variety of security alerts
• Not publicizing an attack until patched
  availabilities
• Only release advisories for significant problems

12
Dealing with Widespread Security Failures

• Sources for vulnerability information
• RISKS Digest
• A mailing list
• Most Java security attacks first appeared here
• comp.risks

13
Technical Trends Affecting Software Security

• Computer networks becoming ubiquitous
• more systems to attack, more attacks, and greater
  risks from poor software security practice
• the size and complexity of information systems
  and their corresponding programs
• C or C not protect against buffer overflow
• improper configuration

14
Technical Trends Affecting Software Security

• systems becoming extensible
• hard to prevent malicious code from slipping in
• the plug-in architecture of Web browsers
• Word processors
• E-mail clients
• Spreadsheets

15
The ilities

• What Is Security?
• To enforcing a policy that describes rules for
  accessing resources
• Well-defined policy

16
The ilities

• Isnt That Just Reliability?
• Comparing reliability with security
• Reliability problems considered DoS problems

17
Penetrate and Patch Is Bad

• Vendors paid little attention to security
• Problems to the penetrate-and-patch approach
• Developers can only patch problems that they know
  about. Attackers may find problems that they
  never report to developers.
• Patches are rushed out as a result of market
  pressures on vendors, and often introduce new
  problems of their own to a system.
• Patches often only fix the symptom of a problem,
  and do nothing to address the underlying cause.
• Patches often go unapplied, as system
  administrators tend to be overworked, and often
  do not wish to make changes to a system that
  works. As we discussed above, system
  administrators are generally not security
  professionals.

18
Penetrate and Patch Is Bad
19
On Art and Engineering

• Software engineering goes through
• Internet time phenomenon
• These days, Internet years rival dog years in
  shortness of duration.
• Specification poorly written
• An implementation problem or a specification
  problem?

20
Security Goals

• Prevention
• Traceability and Auditing
• Monitoring
• Privacy and Confidentiality
• Multilevel Security
• Anonymity
• Authentication
• Integrity

21
Security Goals

• Prevention
• An ounce of prevention worth a pound of
  punishment
• Internet time
• the enemy of software security
• Affects the propagation of attacks
• Zero day
• Prevention more important than ever

22
Zero day
23
Security Goals

• Traceability and Auditing
• No 100 security
• The keys to recovering
• For forensics
• Detect, dissect, and demonstrate an attack
• Monitoring
• Real-time auditing
• IDS
• Tripwires

24
Security Goals

• Privacy and Confidentiality
• They are deeply intertwined
• Three groups individuals, business, and
  government
• Lots of reasons for software to keep secrets and
  to ensure privacy
• A program is running can pry out secret a piece
  of software may be trying to hide

25
Security Goals

• Multilevel Security
• From unclassified -gt Top Secret
• Employees, business partners and others
• Anonymity
• A double-edge sword
• cookies

26
Security Goals

• Privacy and Confidentiality
• Three groups individuals, business, and
  government
• Lots of reasons for software to keep secrets and
  to ensure privacy
• A program is running can pry out secret a piece
  of software may be trying to hide

27
Security Goals

• Authentication
• Big three security goals
• Who, when, and how
• Nowadays, physical presence not enough
• Authentication on the Web
• SSL to whom are you connected?

28
Security Goals

• Integrity
• Staying the same?
• Stock prices as a example

29
Software Project Goals

• Functionality
• To solve a problem
• Usability
• Affects reliability
• Efficiency
• Security comes with significant overhead
• Time-to-market
• Internet time happens
• Simplicity
• Good for both software and security

30
Conclusion

• Computer security is a vast topic
• The root of most security problems is software