Secure development of code

Published in: Technology

  1. SECURE DEVELOPMENT OF CODE
     ACC 626 Term Paper, Salome Victor, 20316185, July 7, 2013
  2. AGENDA
       • Background
       • Introduction
       • Importance of Secure Development of Code
       • Key Coding Principles
       • Secure Code Analysis
       • Conclusion
  3. WHAT IS YOUR MOST IMPORTANT ASSET?
  4. THE BEST DEFENSE IS A GOOD OFFENSE
     In order to implement such strong code, the company must develop with secure coding practices in mind.
  5. WHAT IS SOFTWARE?
     Software is described as operating systems, application programs and data that is used by products containing microprocessors.
  6. WHAT IS SOURCE CODE?
     Source code is defined as a version of software written by the developer in plain text (i.e., human-readable alphanumeric characters).
  7. WHAT IS A PROGRAMMING LANGUAGE?
     In order to write source code, a programming language must be selected from a large pool of available programming languages. A few common programming languages are JavaScript, Python, C, C++, Visual Basic, and Perl.
  8. CODE ANALYSIS KEY CODING PRINCIPLES
  9. IMPORTANCE OF SECURE DEVELOPMENT OF CODE
       • Availability
       • Integrity
       • Privacy
       • Confidentiality
  10. ECONOMIC IMPACTS
  11. COMMON CODING ERRORS
       • SQL Injection
       • Buffer Overflow
       • Race Conditions
  12. COMMON CODING ERRORS – SQL INJECTION
       • Intruder can gain unauthorized access to database
       • Intruder can read and modify data
       • Integrity, confidentiality, and privacy compromised
  13. COMMON CODING ERRORS – BUFFER OVERFLOW
       • Attacker can crash the program
       • Attacker can inject his own code into the program
       • Availability, integrity, privacy, and confidentiality compromised
  14. COMMON CODING ERRORS – RACE CONDITIONS
       • Attacker can insert malicious code and interfere with the normal execution of the program
       • Attacker can exhaust the computer’s resources
       • Availability and confidentiality compromised
  15. KEY CODING PRINCIPLES
       • Least Privilege
       • Keep it Simple
       • Validate Input
       • Practice Defense in Depth
  16. KEY CODING PRINCIPLES – LEAST PRIVILEGE
       • “Need-to-know” principle
       • Access should be restricted
       • High clearance should be allowed only for a limited time
       • Reduces the impact an attacker can have and reduces the possibility of attacks
  17. KEY CODING PRINCIPLES – KEEP IT SIMPLE
       • Complex systems have more surface area for attack
       • Complexity creates errors
       • Complexity demands more resources
  18. KEY CODING PRINCIPLES – VALIDATING INPUT
       • Input from external parties can be very dangerous
       • Every company should have a set of policies on handling input
       • Reduced risk of malicious data causing damage
  19. KEY CODING PRINCIPLES – DEFENSE IN DEPTH
       • A good system should have multiple layers of security
       • More layers of security means more trouble for an attacker
       • Helps mitigate insecure coding issues
  20. SECURE CODE ANALYSIS
       • Manual Code Review
       • Penetration Testing
       • Static Analysis
       • Dynamic Analysis
  21. SECURE CODE ANALYSIS – MANUAL CODE REVIEW
       • Software designers and programmers examine source code quality
       • Expensive, labor intensive, and highly effective
       • More than 75% of faults are found through this method
  22. SECURE CODE ANALYSIS – PENETRATION TESTING
       • Overt penetration testing has the pseudo-attacker working with the organization
       • Covert penetration testing is a simulated attack without the knowledge of most of the organization
       • Overt testing is effective for finding faults, but ineffective at testing incident response and attack detection
       • Covert testing does test the organization's ability to respond to attacks, but is very time consuming and costly
  23. SECURE CODE ANALYSIS – PENETRATION TESTING
       • White box testing gives the pseudo-attacker full access to the organization's structure and defenses
       • It is cost effective and less like real life
       • Black box testing gives the pseudo-attacker little to no information
       • It simulates real life well, but is very costly
  24. SECURE CODE ANALYSIS – STATIC ANALYSIS
       • A tool meant for analyzing the executable program, rather than the source code
       • Covers a wide scope, not user-friendly, many false positives
  25. SECURE CODE ANALYSIS – DYNAMIC ANALYSIS
       • Analyzes the program behavior while it is running
       • Precise and valid results
  26. CONCLUSION
       • Importance of source code and secure development
       • Common coding errors
       • Key coding principles
       • Secure code analysis
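
An added example, not part of the original slides: the SQL injection error from slide 12 beside a version that applies the Validate Input and Defense in Depth principles from slides 18 and 19. The `accounts` table, the function names and the username policy are assumptions made for illustration, and the sample rows and input are constructed.

```python
import re
import sqlite3

# Constructed sample input: a value that closes the string literal early.
CRAFTED = "x' OR '1'='1"
# Assumed input-handling policy: short lowercase usernames only.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 250)])
    return db

def lookup_vulnerable(db, username):
    # Coding error: external input is pasted into the SQL text, so the
    # input can change the structure of the query, not just its value.
    sql = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # The driver binds the value separately; it is only ever treated as data.
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def lookup_hardened(db, username):
    # Layer 1 (validate input): reject anything outside the policy.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input policy")
    # Layer 2 (defense in depth): still bind the value, in case the
    # policy is loosened later or another caller skips validation.
    return lookup_parameterized(db, username)

def demo():
    db = make_db()
    results = {
        "vulnerable": len(lookup_vulnerable(db, CRAFTED)),        # every row leaks
        "parameterized": len(lookup_parameterized(db, CRAFTED)),  # no such user
    }
    try:
        lookup_hardened(db, CRAFTED)
        results["hardened"] = "accepted"
    except ValueError:
        results["hardened"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

Either layer on its own stops this input; keeping both means a later mistake in one does not reopen the hole.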
