Dr. Md. Shariful Islam, Associate Professor (IIT, DU)
Ashis Kumar Chanda, MS Student (JN - 343)
Dept. of Computer Science & Engineering, University of Dhaka
Information Security
Secure Software Design
Contents
Introduction
Common flaws
S-SDLC
Developer - Security tester
Security Model
Introduction
Security is the first criterion of concern in software development
A single feature can create a lot of trouble
Two groups – software developer & information security staff
Don’t stand so close to me
Come together (right now)
10 common flaws
1. Earn or give, but never assume, trust.
2. Use an authentication mechanism that cannot be bypassed or tampered with.
3. Authorize after you authenticate.
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
5. Define an approach that ensures all data are explicitly validated.
6. Use cryptography correctly.
7. Identify sensitive data and how it should be handled.
8. Always consider the users.
9. Understand how integrating external components changes your attack surface.
10. Be flexible when considering future changes to objects and actors.
Security Principles
Authentication: Who a user is
Authorization: What a user can do
Confidentiality: What a user can see
Non-repudiation: Did a user really perform an action
Availability: The system is ready for user activity
“I already apply all those principles in my design…”
Model Security!
Bugs?
Security Model
Techniques to evaluate an application’s overall security or assess the impact of a specific threat
Objectively identify vulnerabilities and address countermeasures
Integrated steps to take in the development process
… but wait. There’s more!
Buffer Overflows
Insecure Configuration Management
Insecure Storage
Unnecessary and Malicious Code
Unauthorized Information Gathering
Broken Caching, Pooling, and Reuse
Look at the core source of the problem, not the symptoms