Introduction to Cyber Security. Chapter #1. Vulnerabilities in Information Systems. What is a vulnerability?
Cyberspace: From terra incognita to terra nullius.
Cyberspace performance expectations. Measuring vulnerabilities. CVSS XCCDF OVAL
Avoiding vulnerabilities through secure coding
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
This talk was presented at the 7th WCSQ World Congress for Software Quality in Lima, Perú on Wednesday, 22nd March 2017.
Writing secure code certainly is not an easy endeavor. In the book titled “Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World (Developer Best Practices)” authors Howard and LeBlanc talk about the so called attacker’s advantage and the defenders dilemma and they put into perspective the fact that developers (identified as defenders) must build better quality software because attackers have the advantage.
In this dilemma, software applications must be on a state of defense because attackers are out there taking advantage of any minor mistake, whereas the defender must be always vigilant, adding new features to the code, fixing issues, adding new engineers to the team. All this conditions are important when it comes to software security.
Sadly, strong understanding of software security principles is not always a characteristic of most software engineers but we can’t blame them. Writing code is a complex task per se, the abstraction level required, along with choosing and/or writing the accurate algorithm and dealing with tight schedules seems to be always a common denominator and the outcome when talking to developers.
This talk also includes techniques, tools and guidance that software engineers can use to perform Application Security testing during the development stage, enabling them to catch vulnerabilities at the time they are created.
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
There is a need to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
These slides are from our webinar covering topics like:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My linkdin id : https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
This talk was presented at the 7th WCSQ World Congress for Software Quality in Lima, Perú on Wednesday, 22nd March 2017.
Writing secure code certainly is not an easy endeavor. In the book titled “Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World (Developer Best Practices)” authors Howard and LeBlanc talk about the so called attacker’s advantage and the defenders dilemma and they put into perspective the fact that developers (identified as defenders) must build better quality software because attackers have the advantage.
In this dilemma, software applications must be on a state of defense because attackers are out there taking advantage of any minor mistake, whereas the defender must be always vigilant, adding new features to the code, fixing issues, adding new engineers to the team. All this conditions are important when it comes to software security.
Sadly, strong understanding of software security principles is not always a characteristic of most software engineers but we can’t blame them. Writing code is a complex task per se, the abstraction level required, along with choosing and/or writing the accurate algorithm and dealing with tight schedules seems to be always a common denominator and the outcome when talking to developers.
This talk also includes techniques, tools and guidance that software engineers can use to perform Application Security testing during the development stage, enabling them to catch vulnerabilities at the time they are created.
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
There is a need to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
These slides are from our webinar covering topics like:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
Learn about threat modeling from our CTO and co-creator of the DREAD threat modeling classification, Jason Taylor. Understand more about what threat modeling is, dive into real life examples, and use techniques you can leverage at every phase of the SDLC.
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
To ensure critical data can only be accessed by authorized personnel, it is paramount to integrate security best practices during development. It’s equally important to protect deployed systems, especially in CI/CD (continuous integration and deployment) and DevOps environments.
Attend this webcast to learn techniques to define, design, develop, test, and maintain secure systems. Particular focus will be paid to software-dependent systems.
Topics include:
• Identifying and risk-rating common vulnerabilities
• Applying practices such as least privilege, input/output sanitation, and system hardening
• Implementing test techniques for system components, COTS, and custom software
For Business's Sake, Let's focus on AppSecLalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
A short introduction to security patterns. It describes why patterns are useful, what they consists of, and gives an example of a published security pattern.
My Presentation on Career Opportunities in Cyber Security presented at the North Cap University during the course inauguration ceremony, where I talked about different career paths to get into the cyber security domain.
This presentation by Christopher Grayson covers some lessons learned as a security professional that has made his way into software engineering full time.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
Learn about threat modeling from our CTO and co-creator of the DREAD threat modeling classification, Jason Taylor. Understand more about what threat modeling is, dive into real life examples, and use techniques you can leverage at every phase of the SDLC.
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
To ensure critical data can only be accessed by authorized personnel, it is paramount to integrate security best practices during development. It’s equally important to protect deployed systems, especially in CI/CD (continuous integration and deployment) and DevOps environments.
Attend this webcast to learn techniques to define, design, develop, test, and maintain secure systems. Particular focus will be paid to software-dependent systems.
Topics include:
• Identifying and risk-rating common vulnerabilities
• Applying practices such as least privilege, input/output sanitation, and system hardening
• Implementing test techniques for system components, COTS, and custom software
For Business's Sake, Let's focus on AppSecLalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
A short introduction to security patterns. It describes why patterns are useful, what they consists of, and gives an example of a published security pattern.
My Presentation on Career Opportunities in Cyber Security presented at the North Cap University during the course inauguration ceremony, where I talked about different career paths to get into the cyber security domain.
This presentation by Christopher Grayson covers some lessons learned as a security professional that has made his way into software engineering full time.
Similar to chap-1 : Vulnerabilities in Information Systems (20)
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
We all have good and bad thoughts from time to time and situation to situation. We are bombarded daily with spiraling thoughts(both negative and positive) creating all-consuming feel , making us difficult to manage with associated suffering. Good thoughts are like our Mob Signal (Positive thought) amidst noise(negative thought) in the atmosphere. Negative thoughts like noise outweigh positive thoughts. These thoughts often create unwanted confusion, trouble, stress and frustration in our mind as well as chaos in our physical world. Negative thoughts are also known as “distorted thinking”.
The Indian economy is classified into different sectors to simplify the analysis and understanding of economic activities. For Class 10, it's essential to grasp the sectors of the Indian economy, understand their characteristics, and recognize their importance. This guide will provide detailed notes on the Sectors of the Indian Economy Class 10, using specific long-tail keywords to enhance comprehension.
For more information, visit-www.vavaclasses.com
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
How to Split Bills in the Odoo 17 POS ModuleCeline George
Bills have a main role in point of sale procedure. It will help to track sales, handling payments and giving receipts to customers. Bill splitting also has an important role in POS. For example, If some friends come together for dinner and if they want to divide the bill then it is possible by POS bill splitting. This slide will show how to split bills in odoo 17 POS.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
3. What is vulnerability?
• Vulnerability in any system is the result of an intentional or
unintentional omission or of an inadvertent design mistake that
directly or indirectly leads to a compromise in the system’s
availability, integrity, or confidentiality.
• Hidden in
• Information access security
• Computer and storage security
• Communication security
• Operational and physical security
4. What is vulnerability?
• Components of information system
• People
• hardware
• Software
• Reliability vs vulnerability
• Quantify the abstract concept of vulnerability
• The aim is to express the perceived level of security in a way that is
measurable, standardized, and understood and to improve “the
measurability of security through enumerating baseline security data,
providing standardized languages as means for accurately communicating
the information, and encouraging the sharing of the information with users
by developing repositories
5. Authentication
• Vulnerabilities can be hidden in data, code, and most often in
processes that inadvertently allow unauthorized access
• Security at both user and server end.
• User end authentication:
• OTP
• Biometrics
• Questionnaires
• User device identification numbers (MAC, IMEI, manufacturer’s serial
number)
9. When vulnerabilities originate?
• Firewall penetration
• Trojan horse attack
• Decentralization
• Static resource allocation
• During system upgradation
• Being adapted to new environment
10. Measuring Vulnerabilities
• Security Content Automation Protocol (SCAP)
• Used for standardization classification and assessment of security
content in software sysetms.
• Standardize the way security vulnerability and configuration
information is identified and catalogued.
• Developed by NIST
11. Components of SCAP
• Common vulnerabilities and exposure (CVE)
• Common configuration and enumerator (CCE)
• Common platform enumerator (CPE)
• Common vulnerability scoring system (CVSS)
• Extensible configuration checklist description format (XCCDF)
• Open vulnerability and assessment language (OVAL)
Note: the above standards comprise a very powerful infrastructure for
information system vulnerability assessment and reporting.
14. Avoiding vulnerabilities through Secure
Coding
• Old programming culture
• Minimum number of lines
• Executable in a minimum amount of time
• Memory and processor time were valuable assets
• Fault tolerance for data integrity.
• No extra code for security as system were stand-alone and physically isolated.
• Neither memory space nor processing speed seem to be the
programming constraint anymore.
• High speed total interconnectivity
15. Avoiding vulnerabilities through Secure
Coding
• vulnerabilities can be minimized by segmenting the code and the data
into resident and transient sections.
• Call the data and application only that is needed rather than bringing
the entire inventory of application.
• Minimize the impact of malware intrusion.
• Experts openly say: “The Internet is a hostile environment, so
you must . . . [be able to] withstand attack[s to survive,” and it is often
referred to as the Wild Wild Web, WWW.
16. Avoiding vulnerabilities through Secure
Coding
• Design web with security from hostile attacks
• Move from minimal code to minimal vulnerability.
• Concepts of s/w quality and s/w security have been embedded.
• Spend time in designing secure apps than costly development patches
and bad publicity etc.
• An increasing trend is for web applications to come with their own
firewalls rather than exclusively relying on those of the hosting
system.
17. Avoiding vulnerabilities through Secure
Coding
• Cost of fixing vulnerability
• Very high from five to seven digit dollar
• Depend on how deep in design the vulnerability exists.
• During the fixing, resources will have to be
taken away from other assignments to attend to this matter in a very
urgent way.
19. Steps necessary to rectify a software
vulnerability
1. Location of the origin of the vulnerability
2. Design of a patch that will strengthen the code and eliminate the
vulnerability
3. Application and testing of the patch
4. Confirmation that there are no side effects
5. Drafting of patch documentation
6. Preparation of a patch distribution plan to all affected clients
7. Patch installation
8. Confirmation of the effectiveness of the patch; public relations
campaign to offset prior negative publicity
20. Most frequent vulnerabilities
• Buffer overflow
• Arithmetic overflow
• Format string attacks
• Command injections
• Cross-site scripting (XSS)
• SQL injections
• Insecure direct object reference
22. Avoiding vulnerabilities through Secure
Coding
• the software designer’s mindset must have two parallel tracks
• functionality and security
• with security being a mechanism that reveals and subsequently blocks
intrusions.
• Such security mechanism should be robust and well designed and should
never be replaced by some data obscurity scheme that attempts to outsmart
the attacker.
• The designer must also think of the user convenience and provide a security
mechanism that poses no hindrance to the normal operations, being as
transparent to the user as possible.
23. Mistakes can be good
• Learn from mistakes.
• Making a mistake again and again is foolish.
• Assign privilege to the extent where it is needed.
• Make list of resources and their permissions (read, write, execute, create ,
delete) at the time of installation.
• This way, should a malware install itself in the application, the potential
damage will be minimal, and the malware will not be able to roam inside
the system
• when a computer is a single user, it should not necessarily operate in
the administrator mode, but in the user mode.
24. Threat Classification
• Any circumstance or event that can negatively impact assets
• Basic types of threats
• Illegal data change
• Illegal data access
• Illegal obstruction of data access
Information security researchers at Microsoft broadly classified all
threats in six categories named as “STRIDE”
27. Threat Modeling Process
1.Define what constitutes the information system in question. That is,
determine the functional and geographical borders of what we refer to
as being our system. Beyond what point is it not our responsibility or
liability?
2. Now that we have quantified our system, we attempt to identify
what we consider as being the threats that are based on internal or
external vulnerabilities. The STRIDE categories, mentioned previously,
can serve as a starting point to threats classification.
28. Threat Modeling Process
3. Recognize which of the threats, in your context of operations, constitute
absolute danger that may lead to a catastrophic impact on the system.
Define the modes under which such threats can become successful attacks.
4. Develop defense options for each and every recognized threat, and rank
the considered defense mechanisms based on effectiveness and demand of
resources.
5. Select optimum approaches to threat eliminations, balancing
effectiveness, probability of occurrence, severity of occurrence, and solution
development cost.
30. Security starts at Home
• home is the creative phases of the Software Development Life Cycle
(SDLC), especially the program design and coding stages.
• From abstract needs to formal requirements—Analysis (security
requirements are defined)
2. From formal requirements to overall design—Design (Security
mechanisms are developed)
3. From overall design to program code
4. From all of the above to documentation drafting
5. From all of the above to system testing (Vulnerabilities are
discovered and eliminated)
6. From system testing to system utilization (or to a previous step)
7. From system utilization to needs enhancement (Step 1)
31. Security starts at Home
• Measures taken to improve s/w development process
• Programmers certification in secure coding
• Software certification as to secure coding
• Utilization of software analysis tools
• Measures taken in intra-organizational s/w development initiatives
• Programmers certification in secure coding
• Software certification as to secure coding
• Utilization of software analysis tools
32. Tools for Security
• Categories of S/w tools
• Code Coverage—Keeps track of the code and data locations that have been
created, read, or modified.
◾ Instruction Trace—Records the execution of each instruction, making it
available for subsequent step-by-step analysis.
◾ Memory Analysis—Keeps track of the memory space utilization, looking for
possible violations.
◾ Performance Analysis—Based on the user’s criteria, software are analyzed
and fine-tuned for performance optimization.
33. Security in Application
• Vulnerabilities come with insecure application.
• MS Office 2003 is the example.
• Vulnerability Notes Database
• Severity Metric
• A most common gateway to malware attacks is the web browser.
• Many web browsers are configured to provide increased functionality
at the cost of decreased security.”