
Advanced Information Systems

Analysis and Design


Class 8: Software System Security

Alan R. Hevner
University of South Florida

October 11, 2018 Copyright 2018 Alan Hevner 1


Class 8 Outline
- Software Security Basics
- Security Practices in the Software Development Life Cycle
- Cybersecurity Threats
- Software Testing for Security
- Social Engineering
- Application Security
- ReliaQuest Guest Speakers

Nature of Cybersecurity Threats
- Computer Systems can become unavailable or very slow
- Computer Systems can become corrupted – processes or data are wrong
- Data can be stolen from systems
- Interfaces can be manipulated to capture user information
- Causes can be Accidental or Deliberate

Security Definitions
- Vulnerabilities are defects or weaknesses in the design, implementation, or operations of a system.
- Threats are adversaries that are motivated to exploit a system vulnerability.
- Risks are the likelihood that a vulnerability will be exploited.
- Security Forensics investigates security breaches.
- Security Prevention defends against future attacks.

Cybersecurity Observations
- Security is expensive and it has no value when there are no attacks. It is hard to justify the cost.
- There are no widely accepted metrics for evaluating system security.
- The overall security of a system is only as strong as its weakest link.
- Security is a game of attack and counterattack.

Cybersecurity and Software
- The essence of cybersecurity is the protection of the items that you value in computerized applications:
  - Hardware
  - Software
  - Data
  - Human Interfaces
- Software is the active agent in computing systems that controls these valued assets
- Software security, thus, is essential to achieve the goals of cybersecurity

Software Security
- Internet-enabled software applications present the most common security risk encountered today.
- Software Security is the engineering of software so that it continues to function correctly under malicious attack.
- Software security encompasses measures taken throughout the code's life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the system software.

Security Hierarchies
- Security must be built into software via best practices throughout the software development life cycle – This is Software Security. (You can’t embed security into software after it is built!)
- Application Security – Security of applications after software has been built and deployed
- Operational Security – Security of operational systems, including network security

Security Practices in the SDLC

Figure from McGraw (2004), “Software Security,” IEEE Security & Privacy.

Security Testing
- References:
  - C. Pfleeger, S. Pfleeger, and J. Margulies, Security in Computing, 5th Edition, Prentice-Hall, Inc., 2015.
  - J. Whittaker and H. Thompson, How to Break Software Security, Pearson Addison Wesley, Inc., 2004.
- Security is the biggest modern software development and testing problem.
- Security requirements are very poorly understood.
- Software can be correct without being secure.
- Software security issues:
  - Piracy
  - Access Control
  - Malicious Use
  - Buffer Overruns
  - Data Privacy

Testing Terminology
- IEEE Standards
  - Error – People make errors (e.g. Programming errors)
  - Fault – A fault is the result of an error. Synonyms include Defect and Bug.
    - Faults of Commission
    - Faults of Omission
  - Failure – Failure occurs when a fault executes.

Testing for Vulnerabilities
- Traditional defects are found by looking for behaviors that don’t work as specified.
- Security defects are found by ignoring the specifications and looking instead at additional behaviors, their side effects, and the implications of interactions between the software and its environment:
  - User Interface
  - File System
  - Operating System
  - Software User

Attack Planning and Execution
- When an attack exposes a security vulnerability, ask three questions:
  - What fault would have caused this vulnerability?
  - What were the failure symptoms that would alert a tester to the presence of the vulnerability?
  - What testing technique would find this vulnerability?
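The three questions above, and the earlier point that software can be correct without being secure, worked through on a small example added here (it is not from the slides): a file reader that passes its specification test but fails a security test of its file-system interaction, next to a corrected version. The function names and the sandbox files are constructed for this example.

```python
import os
import tempfile


def read_user_file_unsafe(base_dir: str, name: str) -> str:
    """Spec: return the contents of file `name` kept under base_dir.
    It does exactly that, so a spec test passes. Fault of omission:
    nothing constrains `name` to stay inside base_dir."""
    with open(os.path.join(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def read_user_file_safe(base_dir: str, name: str) -> str:
    """Same spec, plus a check on the file-system interaction: the
    resolved path must stay inside base_dir or the request is refused."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refused: {name!r} escapes {base_dir!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def run_tests(reader) -> dict:
    """Spec test versus security test for a reader function.
    The security test ignores the spec and probes the side effect:
    can a hostile name make the reader touch a file outside base_dir?
    The failure symptom a tester looks for is content from outside
    base_dir being returned instead of an error."""
    with tempfile.TemporaryDirectory() as tmp:  # constructed sandbox
        public = os.path.join(tmp, "public")
        os.mkdir(public)
        with open(os.path.join(public, "notes.txt"), "w") as fh:
            fh.write("hello")
        # Constructed file that must never be reachable via the reader.
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("top secret")
        spec_ok = reader(public, "notes.txt") == "hello"
        try:
            reader(public, os.path.join("..", "secret.txt"))
            escaped = True
        except PermissionError:
            escaped = False
        return {"spec_test_passes": spec_ok,
                "security_test_passes": not escaped}
```

Both readers satisfy the specification; only the environment-focused test separates them, which is the testing technique the slide asks about.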

Social Engineering Issues
- “Social engineering is information security’s weakest link.” – Kevin Mitnick
- “The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in reciprocal obligations. But the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect.” – Dr. Brad Sagarin
- References:
  - The Art of Deception – Mitnick and Simon
  - The Art of Intrusion – Mitnick and Simon
  - Ghost in the Wires – Mitnick and Simon

Principles of Social Engineering
- Trappings of the Role
- Establish Credibility
  - Go against self-interest
  - Warn victim of attack
  - Predict attack and help solve problem
- Force target into a helping role
- Distract from Systematic Thinking
- Momentum of Compliance
- The Desire to Help
- Attribution
- Liking
- Fear
- Reactance

Countermeasures
- Clear, concise security protocols that are enforced consistently
- Security awareness training
- Simple rules defining what information is sensitive
- Simple rule that says that whenever a requestor is asking for a restricted action, the requestor’s identity must be verified according to company policy
- Enforce a data classification policy
- Train employees on ways to resist social engineering
- Conduct security assessments to test susceptibility to social engineering attacks
- Make it OK to say “No”
- Get top management buy-in

Class 8 Discussion Question
- Discuss the importance of software security as a priority throughout the software development life cycle. Describe your experiences with the development or use of software applications that lack key security features.
