Secure Software Development
Dr. X

Outline
  Motivation: why develop secure software?
  SDLC
  OWASP Top 10
  OWASP SDLC
  SANS top 25 software errors

Motivation: Famous Buffer Overflow Attacks
1988 Morris worm (no CVE #)
  Overflow in fingerd
  6,000 machines infected (10% of the then Internet)
  1990 Robert Tappan Morris was convicted
  2008 Received tenure at MIT
2001 CodeRed CVE-2001-1134
  Overflow in Microsoft IIS web server
  300,000 machines infected in 14 hours
  Author?

Motivation: Famous Buffer Overflow Attacks
2002 SQL Slammer CVE-2002-0649
  Overflow in Microsoft SQL Server on XP and Win 2000
  75,000 machines infected in 10 minutes
  55 million meaningless SQL queries
  Estimated loss: $1.2 billion
  Blocking UDP port 1434 and installing Windows updates in a timely manner could have stopped it
  Author still unknown
  http://malware.wikia.com/wiki/Slammer
  Images from http://www.wired.com/wired/archive/11.07/slammer.html
2003 W32.Sasser.Worm CVE-2003-0533
  Overflow in Windows LSASS on XP and 2000
  500,000 machines infected
  Sven Jaschan, Germany
  Estimated loss: $18.1 billion

Motivation: Famous Buffer Overflow Attacks
2008 Worm:Win32 Conficker CVE-2008-4250
  Overflow in Windows Server
  10 million machines infected
  MS offered $250,000 in 2009
  Author(s) of Conficker not found yet
  Conficker botnet not dormant
  2011 Conficker fraudsters arrested in Ukraine for draining millions from US banks
  Estimated loss: $9.1 billion
201x - 2013 CVE-2013-????
  Many BO security patches issued for Linux and Windows
  Visit cve.mitre.org. How many BOAs in the last 12 months?

System DLC

The Security Systems Development Life Cycle
  The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project
  Identification of specific threats and creating controls to counter them
  SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions

Investigation
  Identifies process, outcomes, goals, and constraints of the project
  Begins with Enterprise Information Security Policy (EISP)
  Organizational feasibility analysis is performed

Analysis
  Documents from investigation phase are studied
  Analysis of existing security policies or programs, along with documented current threats and associated controls
  Includes analysis of relevant legal issues that could impact design of the security solution
  Risk management task begins

Logical Design
  Creates and develops blueprints for information security
  Incident response actions planned:
    Continuity planning
    Incident response
    Disaster recovery
  Feasibility analysis to determine whether project should be continued or outsourced

Physical Design
  Needed security technology is evaluated, alternatives are generated, and final design is selected
  At end of phase, feasibility study determines readiness of organization for project

Implementation
  Security solutions are acquired, tested, implemented, and tested again
  Personnel issues evaluated; specific training and education programs conducted
  Entire tested package is presented to management for final approval

Maintenance and Change
  Perhaps the most important phase, given the ever-changing threat environment
  Often, repairing damage and restoring information is a constant duel with an unseen adversary
  Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve

OWASP Top 10
  What is OWASP?
  OWASP Top 10: https://www.owasp.org/index.php/Top_10-2017_Top_10

OWASP SDLC
  1. Assess: Ensure a proper start of the project
  2. Set the target: Develop a target score that you can use as a measuring stick to guide you to act on the most important activities for your situation
  3. Define the plan: Develop or update your plan to take your organization to the next level
  4. Implement: Work the plan
  5. Roll out: Ensure that improvements are available and effectively used within the organization

SANS Top 25
  https://cwe.mitre.org/top25/

In class exercise
  Go to OWASP top 10 and SANS top 25
  Find all the potential problems that your election system software may have based on these vulnerabilities
  Describe how you would fix these problems

Sources for Java Secure Coding
  https://www.oracle.com/technetwork/java/seccodeguide-139067.html
  SQL Injection Examples: http://www.unixwiz.net/techtips/sql-injection.html
  How to fix SQL Injection with prepared statements: https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement

JDBC SQL Injection
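
The prepared-statement fix named above, applied to a voter lookup of the kind the in-class election system might contain. This is an added example, not part of the original slides: it uses Python's built-in sqlite3 in place of JDBC so it runs without a database driver (the `?` placeholders play the role of `PreparedStatement` parameters), and the `voters` table, its columns, the function names and the sample rows are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory voter table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE voters (voter_id TEXT PRIMARY KEY, name TEXT, pin TEXT)"
    )
    db.executemany(
        "INSERT INTO voters VALUES (?, ?, ?)",
        [("V001", "Alice", "4821"), ("V002", "Bob", "7730")],
    )
    return db


def lookup_concat(db, voter_id, pin):
    """Vulnerable form: user input is spliced into the SQL text itself."""
    sql = ("SELECT name FROM voters WHERE voter_id = '" + voter_id +
           "' AND pin = '" + pin + "'")
    return [row[0] for row in db.execute(sql)]


def lookup_prepared(db, voter_id, pin):
    """Fixed form: placeholders bind input as data, never as SQL syntax."""
    sql = "SELECT name FROM voters WHERE voter_id = ? AND pin = ?"
    return [row[0] for row in db.execute(sql, (voter_id, pin))]


def demo():
    """Run both lookups with a valid PIN and with input containing quotes."""
    db = make_db()
    crafted_pin = "' OR '1'='1"  # constructed input that contains SQL syntax
    return {
        "concat_valid": lookup_concat(db, "V001", "4821"),
        # The quote closes the string literal, so the WHERE clause is
        # rewritten and every row matches without a correct PIN.
        "concat_crafted": sorted(lookup_concat(db, "V001", crafted_pin)),
        "prepared_valid": lookup_prepared(db, "V001", "4821"),
        # Bound as a value: compared literally against the pin column.
        "prepared_crafted": lookup_prepared(db, "V001", crafted_pin),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```
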