CSCE 548 Building Secure Software - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

CSCE 548 Building Secure Software

Description:

... McGraw-Hill Osborne Media, July 26, 2005, ISBN-10: 0072260858, ISBN-13: 978-0072260854 ... McGraw: Chapter 1. Recommended: ... – PowerPoint PPT presentation

Number of Views:37
Avg rating:3.0/5.0
Slides: 21
Provided by: far1
Category:

less

Transcript and Presenter's Notes

Title: CSCE 548 Building Secure Software


1
CSCE 548 Building Secure Software
2
Class Info
  • Instructor Csilla Farkas
  • Office Swearingen 3A43
  • Office Hours Tuesday, Thursday 200-330 pm or
    electronically any time or by appointment
  • Telephone 576-5762
  • E-mail farkas_at_cse.sc.edu
  • Class homepage http//www.cse.sc.edu/farkas/csce
    548-2008/csce548.htm

3
Text Books
  • Software Security Building Security In by Gary
    McGraw, Publisher Addison-Wesley Professional,
    February 2, 2006, ISBN-10 0321356705 ISBN-13
    978-0321356703
  • 19 Deadly Sins of Software Security by Michael
    Howard, David LeBlanc, John Viega, Publisher
    McGraw-Hill Osborne Media, July 26, 2005,
    ISBN-10 0072260858, ISBN-13 978-0072260854

4
Assignments
  • Research project one research project related to
    software security.
  • Homework There will be 4-5 homework assignments
    during the semester.
  • Exams two closed book tests (given approximately
    at 1/3 and 2/3 of the semester) will cover the
    course material. No final exam.

5
Grading
  • Test 1 25, Test 2 25, Homework 15, Research
    project 35
  • Total score that can be achieved 100
  • Final grade 90 lt A 87ltBlt 90 80ltBlt87
    76ltClt80 66ltClt76 61ltDlt66 45ltDlt61

6
Reading
  • This lecture
  • McGraw Chapter 1
  • Recommended
  • CyberInsecurity The Cost of Monopoly,
    http//cryptome.org/cyberinsecurity.htm
  • Next lecture
  • McGraw Chapter 2

7
Why do we need software security?
  • Software is essential in most every aspect of our
    life

8
How to address software security?
  • Do not address at all
  • Ad-hoc evaluation
  • Add security features after the fact
  • Identify security vulnerabilities
  • Test security level
  • Incorporate security throughout of SDLC

9
This Course
  • Not a software engineering course
  • Understand basic security concepts and their
    impact
  • Introduce systematic security design and
    development along project management
  • Best practices

10
Security Objectives
  • Confidentiality prevent/detect/deter improper
    disclosure of information
  • Integrity prevent/detect/deter improper
    modification of information
  • Availability prevent/detect/deter improper
    denial of access to services

11
Software Security
  • NOT security software!
  • Engineering software so that it continues to
    function correctly under malicious attack
  • Functional requirements
  • Non-functional requirements (e.g., security)

12
Why Software?
  • Increased complexity of software product
  • Increased connectivity
  • Increased extensibility
  • Increased risk of security violations!

13
Security Problems
  • Defects implementation and design
    vulnerabilities
  • Bug implementation-level vulnerabilities
    (Low-level or mid-level)
  • Static analysis tool
  • Flaw subtle, not so easy to detect problems
  • Manual analysis
  • Automated tools (for some but not design level)
  • Risk probability x impact

14
Application vs. Software Security
  • Usually refers to security after the software is
    built
  • Adding more code does not make a faulty software
    correct
  • Sandboxing
  • Network-centric approach
  • Application security testing badness-ometer

Who Knows
Deep Trouble
15
Three Pillars of Software Security
  • Risk Management
  • Software Security Touchpoints
  • Knowledge

16
Risk Management
  • How much effort to invest in security
  • Consequences of security breaches
  • Acceptable-level of security
  • Tracking and mitigating risk throughout the full
    SDLC

17
Touchpoints
  • System-wide activity from design to testing and
    feedback
  • Focus on security from ground up
  • Touchpoints
  • Code review
  • Architectural risk analysis
  • Penetration testing
  • Risk-based security testing
  • Abuse cases
  • Security requiremetns
  • Security operations

18
Knowledge
  • Gathering, encapsulating, and sharing security
    knowledge
  • Knowledge catalogs principles, guidelines,
    rules, vulnerabilities, exploits, attack
    patterns, historical risks
  • Knowledge categories
  • Prescriptive knowledge
  • Diagnostic knowledge
  • Historical knowledge
  • Applied along the SDLC

19
Security Engineering
  • Reduce the need for reactive technologies (e.g.,
    intrusion detection) by safer products ?
    Understand software
  • Need for
  • Software developers
  • Operations people
  • Administrators
  • Users
  • Executives

20
Next Class
  • Risk Management
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "CSCE 548 Building Secure Software" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!