The Importance of Secure Programming
“the cyber threat is one of the most serious economic and national security challenges we face as a nation” and “America's economic prosperity in the 21st century will depend on cybersecurity.” President Obama, www.whitehouse.gov
“The next Pearl Harbor we confront could very well be a cyber attack
In 2013:
• January 31: The New York Times and the Wall Street Journal revealed their respective websites had been the target of a well-coordinated hacking effort.
• Feb 1: Hackers targeted Twitter, gaining “limited” access to around 250,000 user accounts, including “usernames, email addresses, session tokens and encrypted/salted versions of passwords”
• Feb 4: “Energy Department Hit In The Most Dangerous Cyber Attack Yet”
• Feb 6: “Federal Reserve Hit by Cyber Attack”
• “Here a Hack, There a Hack, Everywhere a Cyber Attack”
• “Super Bowl Blackout Wasn’t Caused by Cyberattack”
Software vulnerabilities
• Vulnerability – weakness in the software
• Estimated 1 to 7 defects per thousand lines of code
• For a large system with millions of lines of code => thousands of vulnerabilities
Big Three
Three programming errors are responsible for 85% of vulnerabilities (SANS)
• Buffer overflow - 23% increase
• Integer overflow
• Input validation
Software Security begins with education
It is our job to teach secure coding
“I think the most critically important part of delivering secure systems is raising awareness through security education.” Bill Gates, Microsoft
“The ability to write secure code should be as fundamental to a university computer science undergraduate as basic literacy.” Matt Bishop, UC Davis
“The first and foremost strategy for reducing security related coding flaws is to educate developers how to avoid creating vulnerable code.” Robert C. Seacord, CERT
The current state of undergraduate security education…
• Security tracks
• Security classes
• Reaches only a subset of students
• Courses occur late in curriculum
• After students have learned fundamental coding and design
Too little, too late
Create a Security Mindset Early and Often
Secure coding education in a perfect world …