Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

1.Security Overview And Patching

537 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

1.Security Overview And Patching

  1. 1. Course 1: Overview of Secure Programming, Section 1 <ul><li>Pascal Meunier, Ph.D., M.Sc., CISSP </li></ul><ul><li>May 2004; updated August 24, 2004 </li></ul><ul><li>Developed thanks to support and contributions from Symantec Corporation, support from the NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center </li></ul><ul><li>Copyright (2004) Purdue Research Foundation. All rights reserved. </li></ul>
  2. 2. Course 1 Learning Plan <ul><li>Security overview and patching </li></ul><ul><li>Public vulnerability databases and resources </li></ul><ul><li>Secure software engineering </li></ul><ul><li>Security assessment and testing </li></ul><ul><li>Shell and environment </li></ul><ul><li>Resource management </li></ul><ul><li>Trust management </li></ul>
  3. 3. Overarching Goals <ul><li>Understand the security mindset </li></ul><ul><li>Understand security definitions </li></ul><ul><li>Understand the risk and impact on industry of insecure software products </li></ul><ul><li>Understand patching costs </li></ul>
  4. 4. Understanding the Security Mindset <ul><li>Security as… </li></ul><ul><ul><li>an enabler </li></ul></ul><ul><ul><li>a process </li></ul></ul><ul><ul><li>risk management </li></ul></ul><ul><ul><li>a puzzle </li></ul></ul><ul><ul><li>a multidisciplinary science </li></ul></ul>
  5. 5. Security as an Enabler <ul><li>Common perspective: Security is an inconvenient obstacle that forbids actions </li></ul><ul><li>Correct perspective: Security enables projects and enterprises that would otherwise be impractical, by lowering risks </li></ul><ul><li>Analogy: </li></ul><ul><ul><li>Are the tracks that a train must follow a restriction, or an enabler? </li></ul></ul>
  6. 6. Question <ul><li>Provide another example where something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks </li></ul>
  7. 7. Question Sample Answers <ul><li>Provide another example where something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks </li></ul><ul><ul><li>Restraints in amusement park rides </li></ul></ul><ul><ul><li>Seat belts </li></ul></ul><ul><ul><li>Dual-signature checks </li></ul></ul>
  8. 8. Security as a Process <ul><li>“I got software X so I’m safe” </li></ul><ul><li>What would you think of a railroad company that laid railroads without checking and maintaining their integrity? </li></ul><ul><li>&quot;Old software never dies; it just becomes insecure.“ (Author unknown) </li></ul><ul><li>Need design, configuration, inspection, maintenance, management, updates </li></ul><ul><ul><li>Provide assurance that track quality is acceptable </li></ul></ul><ul><ul><li>Basis for trust </li></ul></ul><ul><li>Processes can provide guarantees </li></ul>
  9. 9. Security as a Process Exercise <ul><li>Discuss why old software can become insecure </li></ul>
  10. 10. Security as a Process Exercise Sample Answers <ul><li>Discuss why old software can become insecure </li></ul><ul><ul><li>Security objectives or policies have changed </li></ul></ul><ul><ul><ul><li>Laws have changed </li></ul></ul></ul><ul><ul><ul><li>Business model changed </li></ul></ul></ul><ul><ul><ul><li>Company processes changed </li></ul></ul></ul><ul><ul><li>Environment has changed </li></ul></ul><ul><ul><ul><li>Configuration is out of date </li></ul></ul></ul><ul><ul><ul><li>Operating system has changed </li></ul></ul></ul><ul><ul><ul><li>Risks are different </li></ul></ul></ul><ul><ul><ul><li>Protections have changed (e.g., firewall rules) </li></ul></ul></ul><ul><ul><ul><li>Employees, units responsibilities have changed </li></ul></ul></ul><ul><ul><li>Vulnerabilities have been found </li></ul></ul><ul><ul><ul><li>Exploits, worms, viruses exploit them </li></ul></ul></ul><ul><ul><li>Input has changed </li></ul></ul><ul><ul><ul><li>e.g., old application made to work online (with a wrapper) </li></ul></ul></ul><ul><ul><ul><li>Protocol changed </li></ul></ul></ul>
  11. 11. Security as Risk Management <ul><li>How much is an asset worth? </li></ul><ul><li>How vulnerable is the asset? </li></ul><ul><li>What are the risks? </li></ul><ul><ul><li>Financial costs (contracts, sales, remediation, etc...) </li></ul></ul><ul><ul><li>Reputation (that alone killed the Arthur Anderson accounting firm in the Enron scandal) </li></ul></ul><ul><ul><ul><li>Part of building trust is building secure software </li></ul></ul></ul><ul><ul><li>Employee loyalty, productivity and well-being </li></ul></ul><ul><ul><ul><li>Morale, self-respect </li></ul></ul></ul>
  12. 12. Security as Risk Management Question <ul><li>You maintain a customer credit card database for your business. Which security questions would you ask to help you manage the risks to the database? </li></ul>
  13. 13. Security as Risk Management Possible Answers <ul><li>You maintain a customer credit card database for your business. Which security questions would you ask to help you manage the risks to the database? </li></ul><ul><ul><li>How valuable is the database to an attacker, to your customers, and to you? </li></ul></ul><ul><ul><li>Who (and what) has access to the database? </li></ul></ul><ul><ul><li>How is the database protected? </li></ul></ul><ul><ul><ul><li>Is it on a shared or dedicated host? </li></ul></ul></ul><ul><ul><ul><li>Is there a path to the internet from the database? </li></ul></ul></ul><ul><ul><ul><li>How well is the software kept up-to-date with patches? </li></ul></ul></ul><ul><ul><ul><li>Are there applicable risk mitigation strategies? </li></ul></ul></ul><ul><ul><ul><ul><li>How long is credit card information kept? </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Do customers have the option of re-entering their credit card information every time instead of having it stored? </li></ul></ul></ul></ul>
  14. 14. Security as a Puzzle <ul><li>What can a skilled attacker contrive? </li></ul><ul><ul><li>Which assumptions are being made? </li></ul></ul><ul><ul><ul><li>Are they always true? What guarantees the assumptions? </li></ul></ul></ul><ul><ul><ul><li>Is indirect evidence relied upon? </li></ul></ul></ul><ul><ul><li>Who and what can be trusted? </li></ul></ul><ul><ul><ul><li>Who controls, controlled or could control it? </li></ul></ul></ul><ul><ul><li>What logic flaws exist? </li></ul></ul><ul><ul><ul><li>Are all cases handled? (a single hole may sink the ship) </li></ul></ul></ul><ul><ul><ul><li>Is there a transformation that makes all the pieces fall apart? </li></ul></ul></ul><ul><ul><li>What resources are exposed? </li></ul></ul>
  15. 15. Security as a Puzzle Exercise <ul><li>Give an example of an incorrect assumption made by an application that inhibits security </li></ul><ul><ul><li>Example: some email clients assume that the standard ports for IMAP, POP and SMTP protocols will always be used, and so it rejects server specifications with a port number: </li></ul></ul><ul><ul><ul><li>127.0.0.1:1143 is rejected </li></ul></ul></ul><ul><ul><ul><li>Consequence: the use of encryption through ssh tunneling is discouraged </li></ul></ul></ul>
  16. 16. Security as a Puzzle Exercise Answers <ul><li>Give an example of an incorrect security assumption made by an application. </li></ul><ul><ul><li>Assuming that the file extension and the MIME type are the same </li></ul></ul><ul><ul><ul><li>Decide to download something using the file extension, but the file is processed according to another mime type </li></ul></ul></ul><ul><ul><ul><ul><li>IE 5, 6 </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>CAN-2001-0712 </li></ul></ul></ul></ul></ul><ul><ul><ul><li>Decide how to handle an email attachment based on the MIME type, but the attachment really is an executable that gets launched! </li></ul></ul></ul><ul><ul><ul><ul><li>IE 5 </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>CAN-2001-0154 </li></ul></ul></ul></ul></ul>
  17. 17. Security as a Multidisciplinary Science Social Engineering <ul><li>Social engineering is used to exploit human trust through deception </li></ul><ul><ul><li>Poor user interface design may facilitate social engineering Example: </li></ul></ul><ul><ul><ul><li>In some email programs, someone could be fooled into thinking that an attachment was a safe file, and open it. What appeared as &quot;resume.txt&quot; was in reality </li></ul></ul></ul><ul><ul><ul><ul><li>&quot;resume.txt .exe&quot; </li></ul></ul></ul></ul><ul><ul><ul><li>User interface design affects the security of applications! </li></ul></ul></ul>
  18. 18. Security as a Multidisciplinary Science Social Engineering <ul><li>You get a phone call from the CFO, on a trip, &quot;I can't remember the VPN password, and I need a document now!&quot; </li></ul><ul><li>Your account will be terminated tomorrow unless you take action, as described in this attachment! </li></ul><ul><li>Please help me get my money out of this crazy country! </li></ul><ul><li>Oh, no, I forgot my key/badge/token! </li></ul><ul><li>Please, hold the door, I have my hands full! Thanks! </li></ul>
  19. 19. Security as a Multidisciplinary Science Social Engineering <ul><li>Most problems are related to identification without authentication </li></ul><ul><ul><li>By phone </li></ul></ul><ul><ul><li>Online </li></ul></ul><ul><li>Identification by impression and persuasion </li></ul><ul><ul><li>Social mechanisms </li></ul></ul><ul><ul><ul><li>Helpfulness </li></ul></ul></ul><ul><ul><ul><li>Ingratiation (a.k.a. &quot;brown-nosing&quot;) </li></ul></ul></ul><ul><ul><ul><li>Conformity, peer pressure </li></ul></ul></ul><ul><ul><ul><li>Diffusion of responsibility </li></ul></ul></ul><ul><ul><ul><li>Friendliness </li></ul></ul></ul><ul><ul><li>Employees can do it even if they know they shouldn't! </li></ul></ul>
  20. 20. Security as a Multidisciplinary Science Social Engineering (continued) <ul><li>Physical Security </li></ul><ul><ul><li>Dumpster diving </li></ul></ul><ul><ul><ul><li>Recon for attack </li></ul></ul></ul><ul><ul><ul><ul><li>Phone books, calendars, etc... </li></ul></ul></ul></ul><ul><ul><li>Backdoors, tailing someone through a door </li></ul></ul><ul><ul><li>Stealing documents... </li></ul></ul><ul><li>Reverse Social Engineering </li></ul><ul><ul><li>Instead of asking for information and help, you provide it initially </li></ul></ul><ul><ul><li>Of course they need help because of something the attacker did </li></ul></ul><ul><li>Read more: Granger S. (2001, 2002) Security Focus &quot;Infocus&quot; articles </li></ul>
  21. 21. Security as a Multidisciplinary Science Exercise: Social Engineering <ul><li>Team up in groups of 2 or 3 and make up a skit to demonstrate a social engineering technique; your &quot;victim&quot; will be another student in the audience who will &quot;fall for it&quot;. Follow it up with a second version showing the correct response. Do try to obtain the most outrageous results possible (while being convincing). After the skit, explain the preparation you would have needed to conduct the attack. </li></ul><ul><ul><li>You can get inspiration from the table of correct responses (Granger 2002): </li></ul></ul><ul><ul><ul><li>http://www.securityfocus.com/infocus/1533 </li></ul></ul></ul>
  22. 22. Security as a Multidisciplinary Science Psychological Effects <ul><li>Security features (or the lack thereof) have psychological effects </li></ul><ul><ul><li>SPAM: loss of value and control over an important communication medium </li></ul></ul><ul><ul><li>Panoptical effects (feeling of being watched) </li></ul></ul><ul><ul><ul><li>Can affect motivation, focus </li></ul></ul></ul><ul><ul><ul><li>People perform differently </li></ul></ul></ul><ul><ul><ul><ul><li>Intellectual performance is typically lower under surveillance </li></ul></ul></ul></ul>
  23. 23. Exercises <ul><li>Identify a user interface limitation that may allow social engineering </li></ul><ul><li>Identify a security mechanism that may cause users to feel that they are being watched </li></ul>
  24. 24. Example Answers <ul><li>Identify a user interface limitation that may allow social engineering </li></ul><ul><ul><li>Phishing email scams </li></ul></ul><ul><ul><ul><li>Look-alike web sites that capture passwords </li></ul></ul></ul><ul><li>Identify a security mechanism that may cause users to feel that they are being watched </li></ul><ul><ul><li>Windows login banners </li></ul></ul><ul><ul><li>&quot;Possibly&quot; recorded phone calls to help centers </li></ul></ul>
  25. 25. Overarching Goals <ul><li>Understand the security mindset </li></ul><ul><li>Understand security definitions </li></ul><ul><li>Understand the risk and impact on industry of insecure software products </li></ul><ul><li>Understand patching costs </li></ul>
  26. 26. Vulnerability <ul><li>A flaw in a system that allows a policy to be violated </li></ul><ul><li>Example policy: the content on a web site is restricted to authenticated users. </li></ul><ul><li>Vulnerability: the web site relies on JavaScript to be executed on the client browser for access control </li></ul><ul><li>Exploit: Disable JavaScript </li></ul><ul><li>An abundance of vulnerable sites exist </li></ul>
  27. 27. Exploit <ul><li>An exploit is the act of exercising a vulnerability </li></ul><ul><li>A lso used to refer to an actual program, binary or script that automates an attack </li></ul>
  28. 28. Latent Vulnerabilities <ul><li>Sometimes, a vulnerability can be protected by a change that leaves the vulnerable code in place: </li></ul><ul><ul><li>some change external to the application (firewall) </li></ul></ul><ul><ul><li>a configuration change (disabling an option) </li></ul></ul><ul><ul><li>a code wrapper that blocks exploit attempts </li></ul></ul><ul><li>A vulnerability that is not exploitable at the moment is a latent vulnerability </li></ul>
  29. 29. Potential Vulnerabilities <ul><li>Bad practices, quality defects and other flaws that could result in vulnerabilities in a different code context are potential vulnerabilities </li></ul>
  30. 30. Exploitability <ul><li>Difficult to establish whether a vulnerability is exploitable , latent or potential in complex systems </li></ul><ul><li>A latent or potential vulnerability can become exploitable when </li></ul><ul><ul><li>The software is used in a different context sometime after its design </li></ul></ul><ul><ul><li>The configuration is changed </li></ul></ul><ul><ul><li>The code is changed </li></ul></ul><ul><ul><li>Someone thinks of something you didn't </li></ul></ul><ul><li>Is a memory leak exploitable? </li></ul><ul><ul><li>It depends! </li></ul></ul>
  31. 31. Exercise <ul><li>Evaluate your security stance and risk tolerance. For each potential, latent and exploitable vulnerability you find, would you: </li></ul><ul><li>Ignore the problem to save money and development time </li></ul><ul><li>Add a &quot;REVISIT&quot; type of comment in the code or create an entry in the bug tracking database </li></ul><ul><li>Bring immediate attention to the problem </li></ul>
  32. 32. Exercise Typical Answer <ul><li>Ignore the problem to save money and development time </li></ul><ul><li>Add a &quot;REVISIT&quot; type of comment in the code or create an entry in the bug tracking database </li></ul><ul><li>Bring immediate attention to the problem </li></ul><ul><li>Option c) should be done first and serves as an assessment step. Then, both b) and a) may also be done for the same issue. Ignoring the problem (temporarily?) can be justified depending on its severity and business circumstances (e.g., support for an end-of-life product ends sooner than the time required for a fix). </li></ul>
  33. 33. Exposure <ul><li>An exposure is an information leak that may assist an attacker. </li></ul><ul><li>Examples: </li></ul><ul><ul><li>Software identification and version number released when connecting to a service, which may be used to select the most effective attack. </li></ul></ul><ul><ul><li>When web pages display SQL error messages </li></ul></ul><ul><ul><li>When an IT person is having trouble (e.g., with their firewall) and posts questions to public mailing lists with their company's email address </li></ul></ul><ul><ul><li>Sun's &quot;tar&quot; utility disclosed part of the password file </li></ul></ul>
  34. 34. Exercise <ul><li>Identify other examples of information leaks that may assist an attacker </li></ul>
  35. 35. Exercise Sample Answers <ul><li>Identify other examples of information leaks that may assist an attacker </li></ul><ul><ul><li>Finger may release information about who is online, e.g., administrators </li></ul></ul><ul><ul><li>Source code leaks (if the code contains vulnerabilities) </li></ul></ul><ul><ul><li>Directory listings </li></ul></ul><ul><ul><li>Wireless networks that broadcast their existence </li></ul></ul>
  36. 36. Security Objective <ul><li>A security objective is a high-level description of what the program or system must accomplish. </li></ul><ul><ul><li>Federal regulations drive many of these objectives </li></ul></ul><ul><ul><ul><li>HIPAA (Health Insurance Portability and Accountability Act) </li></ul></ul></ul><ul><ul><ul><li>etc... </li></ul></ul></ul><ul><ul><li>Examples: </li></ul></ul><ul><ul><ul><li>all money transfers must be legal </li></ul></ul></ul><ul><ul><ul><li>the system must pass EAL4 Common Criteria certification </li></ul></ul></ul>
  37. 37. Policy <ul><li>Policies specify which activities, states and processes are allowed. </li></ul><ul><ul><li>Examples: </li></ul></ul><ul><ul><ul><li>All users must be authenticated </li></ul></ul></ul><ul><ul><ul><li>Money transfers can only be requested by the account owner </li></ul></ul></ul><ul><li>Also refers to security models that specify rules </li></ul><ul><li>Famous policies (e.g., see Bishop 2002): </li></ul><ul><ul><li>The Bell-LaPadula confidentiality model </li></ul></ul><ul><ul><li>The Biba integrity model </li></ul></ul><ul><ul><li>The Clark-Wilson integrity model </li></ul></ul>
  38. 38. Risks to Confidentiality, Integrity and Availability <ul><li>Confidentiality is threatened when information can be revealed in violation of a policy </li></ul><ul><ul><li>Examples: eavesdropping and inadequate access control </li></ul></ul><ul><li>Integrity is threatened when information can be manipulated by an attacker. </li></ul><ul><ul><li>Example: &quot;man-in-the-middle&quot; attack </li></ul></ul><ul><li>Availability is threatened when a resource can be disabled or made unavailable. </li></ul><ul><ul><li>Assets can be classified according to these </li></ul></ul>
  39. 39. Example <ul><li>An FTP server is read-only. If passwords are sent in clear text, what is threatened if transmissions are captured? </li></ul><ul><ul><li>Confidentiality of the passwords </li></ul></ul><ul><ul><ul><li>Confidentiality of the documents on the FTP server </li></ul></ul></ul><ul><ul><ul><li>Confidentiality, Integrity and Availability of other resources that use the same password! </li></ul></ul></ul>
  40. 40. Question <ul><li>Privacy fits best into which category? </li></ul><ul><li>Confidentiality </li></ul><ul><li>Integrity </li></ul><ul><li>Availability </li></ul>
  41. 41. Question <ul><li>Privacy fits best into which category? </li></ul><ul><li>Confidentiality (not a perfect fit) </li></ul><ul><li>Integrity </li></ul><ul><li>Availability </li></ul><ul><li>Note that some organizations prefer to put emphasis on privacy separately from CIA (e.g., Purdue University's Security and Privacy office). Also, privacy advocates consider it important to be able to verify the integrity of personal information, especially when that information can be used against them (e.g., credit reports). </li></ul>
  42. 42. Overarching Goals <ul><li>Understand the security mindset </li></ul><ul><li>Understand security definitions </li></ul><ul><li>Understand the risk and impact on industry of insecure software products </li></ul><ul><li>Understand patching costs </li></ul>
  43. 43. Security Organizations <ul><li>Security companies and organizations are held to a higher standard of security </li></ul><ul><ul><li>Reputation </li></ul></ul><ul><li>Would you buy from an HVAC company that has broken A/C equipment in their offices? </li></ul><ul><li>Employees are responsible to protect the credibility of the company </li></ul>
  44. 44. Exercise <ul><li>Name an industry sector, and something that would make you avoid a company working in that sector. </li></ul>
  45. 45. People Want Software That: <ul><li>Is produced with security assurance </li></ul><ul><ul><li>Analogy: some applications exposed to the internet are like disguised cartons of eggs on the sidewalk </li></ul></ul><ul><li>Lowers security risks </li></ul><ul><ul><li>To comply with laws mandating low security risks </li></ul></ul><ul><ul><ul><li>HIPAA </li></ul></ul></ul><ul><ul><ul><li>GLBA (Gramm-Leach Bliley) </li></ul></ul></ul><ul><ul><ul><li>FERPA </li></ul></ul></ul><ul><ul><li>To protect trade secrets and other valuable company information </li></ul></ul><ul><li>Has fewer maintenance headaches (patching) and costs </li></ul><ul><li>Protects their reputation </li></ul>
  46. 46. Exercise <ul><li>Identify risks that would cause you to stop using a product. Be specific. </li></ul>
  47. 47. Exercise Example Answers <ul><li>Frequencies of vulnerabilities and patches </li></ul><ul><li>Absence of patches (or slow turnover) for known issues </li></ul><ul><li>Severity of vulnerabilities </li></ul><ul><li>Criticality of the application </li></ul><ul><li>Unreliability of patches </li></ul><ul><ul><li>Patches that break previous fixes </li></ul></ul><ul><ul><li>Patches that are incompatible with other software </li></ul></ul><ul><ul><li>Downtime while applying patches </li></ul></ul><ul><li>Unreliable file systems (non-journaled) </li></ul><ul><li>Which matter most (for whom)? </li></ul>
  48. 48. Your motivation as a participant in software development <ul><li>How important is quality? </li></ul><ul><ul><li>Quality assurance is inclusive of secure programming techniques </li></ul></ul><ul><li>How much design? </li></ul><ul><ul><li>Information assurance happens by design </li></ul></ul><ul><li>How risk-averse? </li></ul><ul><ul><li>Security problems in your projects and code can hurt your reputation as well as your employer's </li></ul></ul>
  49. 49. Overarching Goals <ul><li>Understand the security mindset </li></ul><ul><li>Understand security definitions </li></ul><ul><li>Understand the risk and impact on Symantec of insecure software products </li></ul><ul><li>Understand patching costs </li></ul>
  50. 50. Cost of Patching <ul><li>Cost of evaluating vulnerability claims </li></ul><ul><li>Cost of patch development and testing </li></ul><ul><li>Cost of patch notification and download system </li></ul><ul><li>NIST recommendation on applying patches (s.p. 800-40) </li></ul><ul><ul><li>Patch and Vulnerability Group (customer's cost) </li></ul></ul><ul><ul><ul><li>test patches </li></ul></ul></ul><ul><ul><ul><li>notify administrators </li></ul></ul></ul><ul><ul><ul><li>monitor application of patches by system administrators </li></ul></ul></ul><ul><li>Vulnerability scanning to verify or enforce </li></ul>
  51. 51. Question <ul><li>Patches incur costs to? </li></ul><ul><li>the vendor </li></ul><ul><li>the customer </li></ul><ul><li>both </li></ul>
  52. 52. Question <ul><li>Patches incur costs to? </li></ul><ul><li>the vendor </li></ul><ul><li>the customer </li></ul><ul><li>both </li></ul>
  53. 53. Cost of Patching vs Preventing Flaws <ul><li>Security bugs are introduced at 3 different stages: </li></ul><ul><ul><li>Design and architecture </li></ul></ul><ul><ul><li>Implementation </li></ul></ul><ul><ul><li>Operations </li></ul></ul><ul><li>Fixing security bugs with a patch costs 60 times more than catching them at design time* </li></ul>*: IBM System Sciences Institute statistics, cited by Kevin Soo Hoo, Andrew W. Sudbury and Andrew R. Jaquith in &quot;Tangible ROI through Secure Software Engineering,&quot; Secure Business Quarterly, Volume 1, Issue 2.
  54. 54. Question <ul><li>If it costs $100,000 to issue each security patch, approximately how much could have been saved by correcting the problem at design time? </li></ul><ul><li>$9,800 </li></ul><ul><li>$98,000 </li></ul><ul><li>$980 </li></ul>
  55. 55. Question <ul><li>If it costs $100,000 to issue each security patch, approximately how much could have been saved by correcting the problem at design time? </li></ul><ul><li>$9,800 </li></ul><ul><li>$98,000 </li></ul><ul><li>$980 </li></ul><ul><li>Note: It isn’t possible to catch all security flaws at design time. </li></ul>
  56. 56. Results from Current Software Engineering Methods <ul><li>> 1000 reported vulnerabilities each year </li></ul><ul><li>About 50% of vulnerabilities are commonly repeated mistakes </li></ul><ul><li>About 25% of vulnerabilities could be avoided by applying secure design principles at design time </li></ul><ul><li>Need new methods </li></ul><ul><li>Patches created using the same development methods that created the buggy software, are likely buggy themselves! </li></ul><ul><ul><li>“We can't solve problems by using the same kind of thinking we used when we created them.” (Albert Einstein) </li></ul></ul>
  57. 57. Question <ul><li>Approximately what percentage of documented vulnerabilities are common repeated mistakes? </li></ul><ul><li>25% </li></ul><ul><li>50% </li></ul><ul><li>75% </li></ul>
  58. 58. Question <ul><li>Approximately what percentage of documented vulnerabilities are common repeated mistakes? </li></ul><ul><li>25% </li></ul><ul><li>50% </li></ul><ul><li>75% </li></ul>
  59. 59. Question (guess) <ul><li>How much money does a developer for a large software project typically save a company when catching and fixing a vulnerability during development instead of patching? </li></ul><ul><li>$1,000 </li></ul><ul><li>$10,000 </li></ul><ul><li>$100,000 </li></ul><ul><li>A vulnerability fixed before release may take one hour, compared to weeks of several people's time to fix it after release. </li></ul>
  60. 60. Answer <ul><li>c) $100,000 </li></ul><ul><li>Without counting </li></ul><ul><li>1) costs to customers </li></ul><ul><ul><li>Especially if revenue-generating activities are interrupted! </li></ul></ul><ul><li>2) intangible costs </li></ul>
  61. 61. Motivation and Definitions: End Scrabble copyright Hasbro
  62. 62. About These Slides <ul><li>You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions. </li></ul><ul><ul><li>You must give the original author and other contributors credit </li></ul></ul><ul><ul><li>The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes </li></ul></ul><ul><ul><li>For any reuse or distribution, you must make clear to others the terms of use for this work </li></ul></ul><ul><ul><li>Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification </li></ul></ul><ul><ul><li>For other uses please contact the Purdue Office of Technology Commercialization. </li></ul></ul><ul><li>Developed thanks to the support of Symantec Corporation </li></ul>
  63. 63. Pascal Meunier [email_address] <ul><li>Contributors: </li></ul><ul><li>Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera </li></ul>

×