
Software Engineering for Secure Systems Individual Research Project

Software Engineering for Secure Systems Individual Research Project. Hiram Garcia. Security Engineering.


Presentation Transcript


  1. Software Engineering for Secure Systems Individual Research Project Hiram Garcia

  2. Security Engineering “Security engineering is about building systems that are and can remain dependable in the face of malice, error or mischance. As a discipline, security engineering focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.”

  3. Requirements Engineering*
     A cooperative, iterative and incremental process which aims at ensuring that:
     • All relevant requirements are explicitly known and understood at the required level of detail
     • A sufficient agreement about the system requirements is achieved between the stakeholders involved
     • All requirements are documented and specified in compliance with the defined documentation/specification formats and rules
     *Requirements Engineering: Fundamentals, Principles & Techniques – Klaus Pohl

  4. Why Is RE SE Important?
     • Flawed requirements are a major cause of project failure – one of the top ten failures in the Standish CHAOS Reports
     • Fixing an error in later phases is 10x more expensive
     • Incorrect requirements → incorrect system, leading to wasted costs
     • System may be unreliable for practical use, disrupting normal day-to-day operations
     • The primary vehicle for going from “vision” to “realization”

  5. Main Kinds of Requirements
     • Product Requirements
     • Capability Requirements
       • local to system, specific system functionality
     • Level of Service Requirements
       • local to system, may affect many system requirements
     • System Interface Requirements
       • varies, affects groups of system requirements
     • Project Requirements
       • global to project, affects overall system requirements
     • Evolutionary Requirements
       • varies, affects design and implementation

  6. Examples of Levels of Service • Dependability • Reliability • Availability • Usability • Ease of learning • Ease of use • Performance • Maintainability • Portability • Inter-operability (or binary portability) • Reusability • Security

  7. Top 25 Most Dangerous Software Errors in 2011
     • SQL injection
     • Use of hard-coded credentials
     • Missing encryption of sensitive data
     • Unrestricted upload of file with dangerous type
     11. Execution with unnecessary privileges
     Non-errors: phishing attacks, malware

  8. SQL Injection
     • Figure out how the application handles bad inputs
       Insert something like hacker@programmerinterview.com' (note the trailing single quote) into an email address form field. There are then basically 2 possibilities:
       1 - The application first “sanitizes” the input and then may run the sanitized input in the database query
       2 - The application does not sanitize the input first. This is what the hacker is hoping will happen
     • Run the actual SQL injection attack

  9. Phishing Attack Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. - Wikipedia 

  10. Phishing Attack - Amazon

  11. Associated Press Twitter: http://abcnews.go.com/GMA/video/press-twitter-hacked-white-house-explosion-obama-injury-19029118 Dow Jones Index immediately following the attack.

  12. Types of Defenses

  13. Multi Factor Authentication Requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows") like a password or PIN, a possession factor ("something the user has") like a phone call, text message or email, and an inherence factor ("something the user is") like a fingerprint or retina scan.

  14. Keywords & References
     • Keywords
       • Secure Systems, Security, Software, Cloud computing
     • References
       • “Software Engineering for Security: a Roadmap”, Premkumar T. Devanbu, Stuart Stubblebine
       • “Security in Software Architecture: A Case Study”, Adam Sachitano, Richard O. Chapman, Ph.D., Member, IEEE, and John A. Hamilton, Jr., Ph.D., Senior Member, IEEE
       • “Secure Software Systems Engineering: The Secure Tropos Approach”, Haralambos Mouratidis
       • “Requirements Engineering”, Nupul Kukreja, Barry Boehm
       • “Evernote hack shows that passwords aren't good enough”, Tony Bradley, http://www.pcworld.com/article/2030052/evernote-hack-shows-that-passwords-arent-good-enough.html
       • “Twitter 2-Factor Authentication: What It Is and Why It Would Help National Security”, http://abcnews.go.com/Technology/ap-twitter-hack-cited-proof-factor-authentication-desperately/story?id=19031526#.UXv727XbPHR
       • Common Weakness Enumeration, http://cwe.mitre.org/top25/#Listing
       • “Provide an example of SQL Injection”, http://www.programmerinterview.com/index.php/database-sql/sql-injection-example/
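
Added example, not part of the original presentation: the two possibilities from the SQL Injection slide, run against an in-memory SQLite database using the slide's own test input. The `members` table, its sample row and the function names are assumptions made for this demonstration.

```python
import sqlite3

# Test input from the SQL Injection slide: an email address with a trailing quote.
PROBE = "hacker@programmerinterview.com'"


def make_db():
    """Build a constructed sample database (schema and row are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (email TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO members VALUES (?, ?)", ("alice@example.com", "Alice"))
    return db


def lookup_concatenated(db, email):
    """Possibility 2 on the slide: the input is pasted into the SQL text as-is."""
    query = "SELECT name FROM members WHERE email = '" + email + "'"
    try:
        return ("ok", db.execute(query).fetchall())
    except sqlite3.Error as exc:
        # The stray quote altered the statement's structure. An error reaching
        # the caller shows that input is being parsed as SQL, not treated as data.
        return ("sql_error", str(exc))


def lookup_parameterized(db, email):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    rows = db.execute(
        "SELECT name FROM members WHERE email = ?", (email,)
    ).fetchall()
    return ("ok", rows)


def compare(email):
    """Run both lookups on the same input and return their outcomes side by side."""
    db = make_db()
    return {
        "concatenated": lookup_concatenated(db, email)[0],
        "parameterized": lookup_parameterized(db, email)[0],
    }


if __name__ == "__main__":
    print(compare(PROBE))                # the quote breaks only the concatenated query
    print(compare("alice@example.com"))  # ordinary input works in both
```

The parameterized lookup returns an empty result for the quoted input because no such address exists, which is the behaviour a defender wants: unusual characters are just data.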
