Computer Security U9 - Software Security

Need for security
1. "holes"
  1. poor/sloppy coding
2. Software trends
  1. greater networking = greater exposure
    1. increasing size/complexity= harder to police
      1. greater flexibility = error prone
        lack of environment diversity = only 1 major platform
        increasing market pressure = rushed production
3. Penetrate and patch approach
  1. only fixes known vulnerabiliteis
    1. only quick fixes
      1. users may not use patch
        targets symptoms not causes
        users doing testing
        only works on unmodified s/ware
4. Open source vs Closed source
5. Security principles
  1. part of design process
    1. use the K.I.S.S. model
      1. reduce exposure
        ensure "secure failure"
S/ware engineering life cycle
1. Requirements capture
  1. Design
    1. Implementation
      1. Testing
        Support
Languages
1. C
  1. C++
    1. Java
      1. C#
        LISP
Access controls
Common security problems
1. Principle of Least Privilege
  1. buffer overflows
    1. input handling
      1. naming issues
        race conditions = TOCTTOU
        Firewall issues
        cryptographic issues
        Bishop's list*
Managing security
1. risk assessment
2. Security testing
  1. black box testing
  2. red teaming
3. Management issues
  1. distribution (DRM)
  2. installation
  3. maintennance
  4. documentation
  5. oversight
Java security
1. objects
  1. inheritance
2. platform independence
3. language features
  1. type safety
    1. exception handling
  2. garbage collection
    1. multi-thread
4. Sandbox security model
5. signed applets
6. Java 2
7. access control & stack inspection
8. hostile applets
  1. maicious applets
  2. attack applets

Next up

Computer Security U9 - Software Security

Description

Resource summary

Similar

	Created by Nick.Bell2013 over 11 years ago