This document discusses the importance of secure software development practices. It begins with background information and defines key terms like source code and programming languages. It then covers principles for writing secure code like least privilege and input validation. Common coding errors like SQL injection and buffer overflows are explained along with their impacts. The document concludes that following secure coding practices and analyzing code can help protect software from attacks.

1. SECURE DEVELOPMENT OF CODE
ACC 626 Term Paper
Salome Victor
20316185
July 7, 2013

2. AGENDA
 Background
 Introduction
 Importance of Secure Development of Code
 Key Coding Principles
 Secure Code Analysis
 Conclusion

3. WHAT IS YOUR MOST IMPORTANT ASSET?

5. THE BEST DEFENSE IS A GOOD OFFENSE
In order to implement such
strong code, the company must
develop with secure coding
practices in mind.

6. WHAT IS SOFTWARE?
Software is described as operating systems, application programs and
data that is used by products containing microprocessors

7. WHAT IS SOURCE CODE?
Source code is defined as a version
of software written by the developer
in plain text (i.e., human readable
alphanumeric characters)

8. WHAT IS PROGRAMMING LANGUAGE?
In order to write source code, a
programming language must be selected
from a large pool of available
programming languages. A few common
programming languages are
JavaScript, Python, C, C++, Visual
Basic, and Perl.

9. CODE ANALYSIS
KEY CODING PRINCIPLES

10. IMPORTANCE OF SECURE DEVELOPMENT OF CODE
AVAILABILITY
INTEGRITY
PRIVACY
CONFIDENTIALITY

11. ECONOMIC IMPACTS

12. COMMON CODING ERRORS
 SQL Injection
 Buffer Overflow
 Race Conditions

13. COMMON CODING ERRORS – SQL INJECTION
 Intruder can gain unauthorized access to database
 Intruder can read and modify data
 Integrity, confidentiality, and privacy compromised

14. COMMON CODING ERRORS – BUFFER OVERFLOW
 Attacker can crash the program
 Attacker can inject his own code
into the program
 Availability, integrity, privacy, and
confidentiality compromised

15. COMMON CODING ERRORS – RACE CONDITIONS
 Attacker can insert malicious code
and interfere with the normal
execution of the program
 Attacker can exhaust the
computer’s resources
 Availability and confidentiality
compromised

16. KEY CODING PRINCIPLES
 Least Privilege
 Keep it Simple
 Validate Input
 Practice defense in Depth

17.  “Need-to know” principle
 Access should be restricted
 High clearance should be allowed only for a limited time
 Reduces the impact an attacker can have and reduces the possibility
of attacks
KEY CODING PRINCIPLES – LEAST PRIVILEGE

18.  Complex systems have more surface
area for attack
 Complexity creates errors
 Complexity demands more resources
KEY CODING PRINCIPLES – KEEP IT SIMPLE

19.  Input from external parties can be very dangerous
 Every company should have a set of policies on handling input
 Reduced risk of malicious data causing damage
KEY CODING PRINCIPLES – VALIDATING INPUT

20.  A good system should have multiple
layers of security
 More layers of security means more
trouble for an attacker
 Helps mitigate insecure coding issues
KEY CODING PRINCIPLES –DEFENSE IN DEPTH

21.  Manual Code Review
 Penetration Testing
 Static Analysis
 Dynamic Analysis
SECURE CODE ANALYSIS

22.  Software designers and programmers examine source code quality
 Expensive, labor intensive , and highly effective
 More than 75% of faults are found through this method
SECURE CODE ANALYSIS – MANUAL CODE REVIEW

23.  Overt penetration testing has the pseudo-attacker working with the
organization
 Covert penetration testing is a simulated attack
without the knowledge of most of the
organization
 Overt testing is effective for finding faults, but
ineffective at testing incident response and
attack detection
 Covert testing does test the organizations ability to respond to
attacks, but is very time consuming and costly
SECURE CODE ANALYSIS – PENETRATION TESTING

24.  White box testing gives the pseudo-
attacker full access to the organizations
structure and defenses
 It is cost effective and less like real life
 Black box testing gives the pseudo-
attacker little to no information
 It simulates real life well, but is very costly
SECURE CODE ANALYSIS – PENETRATION TESTING

25.  A tool meant for analyzing the
executable program, rather than the
source code
 Covers a wide scope, not user-
friendly, many false positives
SECURE CODE ANALYSIS – STATIC ANALYSIS

26.  Analyzes the program behavior
while it is running
 Precise and valid results
SECURE CODE ANALYSIS – DYNAMIC ANALYSIS

27. CONCLUSION
 Importance of source code and secure development
 Common coding errors
 Key coding principles
 Secure code analysis

28. REFERENCES FOR PICTURES
 http://avi72.livejournal.com/3018.html
 http://www.cartoonstock.com/directory/i/investor_con
fidence_gifts.asp
 http://chem-manufacturing.com/program/
 http://www.cisco.com/en/US/docs/app_ntwk_service
s/waas/waas/v421/configuration/guide/other.html
 http://compare.buscape.com.br/writing-secure-code-
second-edition-michael-howard-david-leblanc-
0735617228.html#precos
 http://cyrilwang.pixnet.net/blog/post/32220475-
%5B%E6%8A%80%E8%A1%93%E5%88%86%E4
%BA%AB%5D-
%E7%94%A8%E4%BA%86%E5%8F%83%E6%95
%B8%E5%8C%96%E6%9F%A5%E8%A9%A2%E5
%B0%B1%E5%8F%AF%E4%BB%A5%E5%B0%8D
-sql-injecti
 http://www.danmc.info/high-availability/
 http://www.dreamworldproject.info/uncategorized/typ
es-of-computer-software/
 http://easysolution4you.blogspot.ca/2013/05/insall-
turbocpp-onwindows8-fullscreen.html
 http://www.ehackingnews.com/search/label/Reverse
%20Engineering
 https://en.wikipedia.org/wiki/File:VisualBasicLogo.gif
 http://en.wikipedia.org/wiki/Operation_Aurora
 http://es.123rf.com/photo_5980477_letras-del-
teclado-de-la-computadora-alrededor-de-la-
integridad-de-la-palabra.html
 http://evos4rd.wordpress.com/author/evos4rd/page/2
/
 https://www.facebook.com/penetretion.testing.blogge
r
 http://www.flickr.com/photos/helloimchloe/562082106
1/
 http://www.flickr.com/photos/sebastian_bergmann/39
91540987/
 http://geniuscountry.com/assets/2011/i-just-want-to-
say-one-word-to-you-data/
 http://iappsofts.com/amrutvahini-institute-of-
management-and-business-administration.html
 http://infocenter.arm.com/help/index.jsp?topic=/com.
arm.doc.dui0414ck/RP_code_view_The_disassembl
y_view.html
 http://www.informit.com/store/secure-coding-in-c-
and-c-plus-plus-9780321335722
 http://www.innovategy.com/html/strategieworkshop.h
tml
 http://www.isaca.org/Journal/Past-
Issues/2008/Volume-3/Pages/JOnline-Role-
Engineering-The-Cornerstone-of-RBAC1.aspx
 http://javakenai-
dev.cognisync.net/pub/a/today/2006/08/17/code-
reviews.html
 http://www.kinokuniya.co.jp/f/dsg-02-9780071626750
 http://lurkerfaqs.com/boards/8-gamefaqs-
contests/60380480/
 http://madchuckle.blogspot.ca/2010/04/just-what-is-
python-my-initial-thoughts.html
 http://www.maxit.com.au/portfolio-view/custom-
software-design-architecture-3/
 http://www.mindfiresolutions.com/perl-
development.htm
 http://www.myotherpcisacloud.com/?page=11
 http://www.phidgets.com/docs/Language_-_C/C++
 http://rebootblueprint.com/7-healthy-no-fap-
replacement-habits/
 http://www.ronpaulforums.com/showthread.php?331
019-Supervoter-Bomb-envelope-design-need-input
 http://rusbase.com/news/author/editor/morgan-
stanley-predicts-e-commerce-growth-russia/
 http://www.securecoding.org/
 http://www.selectinternet.co.uk/html/backup.html
 http://seravo.fi/2013/javascript-the-winning-style
 http://staff.ustc.edu.cn/~bjhua/courses/security/2012/l
abs/lab2/index.html
 http://softbuka.ru/soft/screens-IDA-Pro.html
 http://www.softwaresecuritysolutions.com/layered-
security.html
 http://thwartedefforts.org/2006/11/11/race-conditions-
with-ajax-and-php-sessions/
 http://turbotodd.wordpress.com/2013/03/
 http://www.webpronews.com/were-googlers-
involved-in-chinese-cyber-attack-2010-01
 http://xkcd.com/327/
 http://zheronelit.wordpress.com/category/c-source-
codes/