Class 8 Outline
- Software Security Basics
- Security Practices in the Software Development Life Cycle
- Cybersecurity Threats
- Software Testing for Security
- Social Engineering
- Application Security
- ReliaQuest Guest Speakers
October 11, 2018 Copyright 2018 Alan Hevner 2
Nature of Cybersecurity Threats
- Computer systems can become unavailable or very slow
- Computer systems can become corrupted – processes or data are wrong
- Data can be stolen from systems
- Interfaces can be manipulated to capture user information
- Causes can be accidental or deliberate

Security Definitions
- Vulnerabilities are defects or weaknesses in the design, implementation, or operations of a system.
- Threats are adversaries that are motivated to exploit a system vulnerability.
- Risks are the likelihood that a vulnerability will be exploited.
- Security Forensics investigates security breaches.
- Security Prevention defends against future attacks.
Cybersecurity Observations
- Security is expensive, and it has no value when there are no attacks, so the cost is hard to justify.
- There are no widely accepted metrics for evaluating system security.
- The overall security of a system is only as strong as its weakest link.
- Security is a game of attack and counterattack.
Cybersecurity and Software
The essence of cybersecurity is the protection of the items that you value in computerized applications:
- Hardware
- Software
- Data
- Human Interfaces
Software is the active agent in computing systems that controls these valued assets.
Software security, thus, is essential to achieving the goals of cybersecurity.
Software Security
Internet-enabled software applications present the most common security risk encountered today.
Software Security is the engineering of software so that it continues to function correctly under malicious attack.
Software security encompasses measures taken throughout the code's life cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the system software.
Security Hierarchies
- Software Security – Security must be built into software via best practices throughout the software development life cycle. (You can’t embed security into software after it is built!)
- Application Security – Security of applications after software has been built and deployed
- Operational Security – Security of operational systems, including network security
Security Practices in the SDLC
Figure from McGraw (2004), “Software Security,” IEEE Security & Privacy.
Security Testing
References:
- C. Pfleeger, S. Pfleeger, and J. Margulies, Security in Computing, 5th Edition, Prentice-Hall, Inc., 2015.
- J. Whittaker and H. Thompson, How to Break Software Security, Pearson Addison Wesley, Inc., 2004.

- Security is the biggest modern software development and testing problem.
- Security requirements are very poorly understood.
- Software can be correct without being secure.

Software security issues:
- Piracy
- Access Control
- Malicious Use
- Buffer Overruns
- Data Privacy
Testing Terminology (IEEE Standards)
- Error – People make errors (e.g., programming errors).
- Fault – A fault is the result of an error. Synonyms include Defect and Bug.
  - Faults of Commission
  - Faults of Omission
- Failure – A failure occurs when a fault executes.
Testing for Vulnerabilities
Traditional defects are found by looking for behaviors that don’t work as specified.
Security defects are found by ignoring the specifications and looking instead at additional behaviors, their side effects, and the implications of interactions between the software and its environment:
- User Interface
- File System
- Operating System
- Software
- User
Attack Planning and Execution
When an attack exposes a security vulnerability, ask three questions:
1. What fault would have caused this vulnerability?
2. What were the failure symptoms that would alert a tester to the presence of the vulnerability?
3. What testing technique would find this vulnerability?
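Added example, not from the slides, tying together the fault/failure terminology, the side-effect view of security testing, and the three questions above: a spec-based test passes for both versions of a constructed "save note" function, while a test that watches the file system exposes the fault of omission in the unchecked one. The function names, the notes-directory layout, and the hostile file name are all constructed for illustration.

```python
import os
import tempfile

# Constructed example, not from the slides: a "save note" feature whose spec says
# only "write the note under the user's notes directory". A spec-based test passes
# for both versions below; only a test that watches the file-system side effect
# separates the faulty version from the hardened one.


def save_note_unchecked(notes_dir, name, content):
    """Fault of omission: the caller-supplied name is joined without validation."""
    path = os.path.join(notes_dir, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def save_note_checked(notes_dir, name, content):
    """Hardened version: resolve the final path and require it to stay inside notes_dir."""
    root = os.path.realpath(notes_dir)
    path = os.path.realpath(os.path.join(root, name))
    if path == root or os.path.commonpath([root, path]) != root:
        raise ValueError(f"note name {name!r} resolves outside the notes directory")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def functional_test(save):
    """Traditional test: does the specified behaviour work? Both versions pass."""
    notes_dir = tempfile.mkdtemp()
    path = save(notes_dir, "todo.txt", "buy milk")
    with open(path, encoding="utf-8") as fh:
        return fh.read() == "buy milk"


def security_test(save):
    """Security test: ignore the spec and watch the side effect on the file system.
    Returns True if nothing is written outside notes_dir, False if a file escapes."""
    sandbox = tempfile.mkdtemp()
    notes_dir = os.path.join(sandbox, "notes")
    os.makedirs(notes_dir)
    hostile_name = os.path.join("..", "escaped.txt")  # constructed hostile input
    try:
        save(notes_dir, hostile_name, "x")
    except ValueError:
        return True  # refused: the failure symptom a tester should expect
    return not os.path.exists(os.path.join(sandbox, "escaped.txt"))
```

Answering the three questions for this case: the fault is the missing path check, the failure symptom is a file appearing outside the notes directory, and the technique that finds it is a test that inspects the environment rather than the return value.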
Social Engineering Issues
“Social engineering is information security’s weakest link.” – Kevin Mitnick

“The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in reciprocal obligations. But the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect.” – Dr. Brad Sagarin

References:
- The Art of Deception – Mitnick and Simon
- The Art of Intrusion – Mitnick and Simon
- Ghost in the Wires – Mitnick and Simon
Principles of Social Engineering
- Trappings of the Role
- Establish Credibility
  - Go against self-interest
  - Warn victim of attack
  - Predict attack and help solve problem
- Force target into a helping role
- Distract from Systematic Thinking
- Momentum of Compliance
- The Desire to Help
- Attribution
- Liking
- Fear
- Reactance
Countermeasures
- Clear, concise security protocols that are enforced consistently
- Security awareness training
- Simple rules defining what information is sensitive
- A simple rule that whenever a requestor is asking for a restricted action, the requestor’s identity must be verified according to company policy
- Enforce a data classification policy
- Train employees on ways to resist social engineering
- Conduct security assessments to test susceptibility to social engineering attacks
- Make it OK to say “No”
- Get top management buy-in
Class 8 Discussion Question
Discuss the importance of software security as a priority throughout the software development life cycle. Describe your experiences with the development or use of software applications that lack key security features.