Beruflich Dokumente
Kultur Dokumente
Software
Development Security
1
Objectives
Software Flaws
SDLC
Software Development Methods
Object Oriented Programming
Databases
Design
Vulnerabilities/Threats
Malicious Code
2
Software Flaws
Reasons Why Software Lacks Security
Software vendors rush product to market with much emphasis on functionality not on
security
A majority of software developers are no security professionals and vice versa
The
computing public is used to receiving software with bugs and then apply
patches to it
Software vendors have not been subjected to liability for insecure code/products
Programmers are not taught secure coding practices in school
TREND:
1.
2.
3.
4.
5.
6.
Software Development
Lifecycle
Where to implement
Security?
1. Project Initiation
2.
3.
4.
5.
6.
7.
threats)
Identify security framework
Determine service level agreements
requirements
5
Software
Development/Programming
Write programming code to meet specifications
Implement security within code
Perform unit test
6
Install/Test
Test system components
User acceptance testing, data checking, resiliency
testing
Install system
Create manuals
Perform acceptance test i.e. certification and
accreditation
System acceptance
Operational/Maintenance
Maintain system through service-level agreement
After changes, recertification may be necessary
Audit and test security components periodically
Retirement/Disposal
Properly dispose of system
Move data to another system or discard accordingly
Benefits:
Modularity (autonomous objects/modules)
Reusability
10
11
12
13
14
Address
Phone
15
16
17
18
each other
Stores data in such a way that a data manipulation
language can be used independently on data
Uses a database engine (Oracle, Sybase, etc.)
19
20
C. Databases
Tables
Name
Address
Phone
21
Aggregation
Inference
Polyinstantiation
Code Injection
Input validation
22
Data Warehousing
Meta Data: data about data:
meaning/context
24
Malicious Software
(Malware)
25
file. It usually performs a variety of actions, including keylogging, opening the computer to further attacks,
destroying data or files, among others.
Rootkits - Malicious code that is intended to take full or
partial control of a
system at the lowest level (core or
kernel). They often hide themselves from monitoring or
detection and modify system files. Most rootkit infections
install back trapdoors, spyware, or other malicious codes
once they gain control of the target system.
Backdoors Usually created by software developers for an
emergency entry
into a system. Example may be a
hotkey in the event that a password is not available for
access. Obviously can be used by anyone with such
knowledge to gain access into the system. A trapdoor is
rather created via malicious activity.
27
Objectives
Software Flaws
SDLC
Software Development Methods
Object Oriented Programming
Databases
Design
Vulnerabilities/Threats
Malicious Code
CMMI
28