Software Security
by Dr Mohammad Zunnun Khan
• The yin/yang design is the classic Eastern symbol related to the inextricable mixing of standard Western polemics.
• Eastern philosophies are for this reason called holistic.
• A holistic approach, mixing yin and yang (that is, mixing the black hat and white hat approaches), is just what the doctor ordered.
• I define destructive activities as those about attacks, exploits, and breaking software.
• These kinds of things are represented by the black hat.
• I define constructive activities as those about design, defense, and functionality.
• These are represented by the white hat.
• Perhaps a less judgmental way to think about the categorisation is in terms of defense and offense.
• Neither defense nor offense is intrinsically bad or good, and both are necessary to play almost any sport well.
• In any case, based on destroying and constructing, we can look back over the touchpoints and describe how the black and white threads intertwine.
• Code review is a white hat (constructive) activity informed by a black hat history (knowledge of how implementation bugs have been found and exploited in the past).
• The idea is to avoid implementation problems while we build software to be secure.
• Architectural risk analysis is a white hat (constructive) activity also informed by a black hat history.
• In this case, we work to avoid design flaws while we build software to be secure.
• Penetration testing is a black hat (destructive) activity.
• The best kind of penetration testing is informed by white hat knowledge of design and risk.
• But all the penetration testing in the world will not build you secure software.
• Risk-based security testing is a mix of constructive and destructive activities that requires a holistic two-hat approach.
• Because risk-based security testing is driven by abuse cases and risk analysis results as well as functional security requirements, a mix of black hat and white hat is unavoidable.
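The two-hat mix the slide describes can be made concrete. What follows is an added example, not code from these slides or from the book they draw on. It assumes a hypothetical document-download handler with a document root of /srv/docs and a constructed in-memory stand-in for the filesystem (no real files are touched). The unchecked reader is the kind of implementation bug code review is meant to catch; the checked reader is the constructive fix; and run_risk_based_tests drives both with cases derived from an abuse case (black hat: "attacker reads a file outside the document root") and from a functional security requirement (white hat: legitimate names under the root still work). All names, paths and file contents are invented for the illustration.

```python
"""Risk-based security testing, two-hat style.

Added example (not from the slides or from the book they draw on): a
hypothetical document-download handler with the kind of implementation
bug code review looks for, its hardened form, and the tests that
risk-based security testing derives from an abuse case and from a
functional security requirement.
"""
import posixpath

# Constructed stand-in for a filesystem so the example runs offline.
# Absolute POSIX paths; /etc/passwd is deliberately outside the root.
FAKE_FS = {
    "/srv/docs/reports/q1.txt": "Q1 report",
    "/srv/docs/public/readme.txt": "readme",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",  # constructed content
}
DOC_ROOT = "/srv/docs"  # assumed document root for the handler


class AccessDenied(Exception):
    """Raised when a requested name resolves outside DOC_ROOT."""


def _resolve(name: str) -> str:
    # Lexical resolution only: join onto the root and collapse "." and "..".
    # posixpath.join discards DOC_ROOT entirely when name is absolute,
    # which is one of the abuse cases below.
    return posixpath.normpath(posixpath.join(DOC_ROOT, name))


def read_document_unchecked(name: str) -> str:
    """Before: the bug a code reviewer should flag. The user-controlled
    name is joined onto the root with no check that the result stays
    inside it, so "../" sequences and absolute names escape the root."""
    return FAKE_FS[_resolve(name)]


def read_document_checked(name: str) -> str:
    """After: the same function with a containment check (the fix)."""
    path = _resolve(name)
    if path != DOC_ROOT and not path.startswith(DOC_ROOT + "/"):
        raise AccessDenied(name)
    return FAKE_FS[path]


# Black hat input, derived from the abuse case "attacker reads a file
# outside the document root". Every entry resolves to /etc/passwd, which
# exists in FAKE_FS, so a reader that returns content has served it.
ABUSE_CASES = [
    "../../etc/passwd",
    "/etc/passwd",
    "reports/../../../etc/passwd",
    "public/./../../../etc/passwd",
]

# White hat input, derived from the functional security requirement
# "names under the root still resolve and return the right content".
FUNCTIONAL_CASES = [
    ("reports/q1.txt", "Q1 report"),
    ("public/readme.txt", "readme"),
    ("./public/readme.txt", "readme"),
]


def run_risk_based_tests(reader) -> dict:
    """Run both kinds of case against a reader and tally the outcomes."""
    tally = {"abuse_blocked": 0, "abuse_escaped": 0,
             "functional_ok": 0, "functional_failed": 0}
    for name in ABUSE_CASES:
        try:
            reader(name)
        except AccessDenied:
            tally["abuse_blocked"] += 1
        else:
            tally["abuse_escaped"] += 1  # a file outside the root was served
    for name, expected in FUNCTIONAL_CASES:
        try:
            ok = reader(name) == expected
        except (AccessDenied, KeyError):
            ok = False
        tally["functional_ok" if ok else "functional_failed"] += 1
    return tally


if __name__ == "__main__":
    for reader in (read_document_unchecked, read_document_checked):
        print(f"{reader.__name__:24s} {run_risk_based_tests(reader)}")
```

Run stand-alone, the unchecked reader passes every functional case and lets all four abuse cases through, which is exactly why functional testing alone never finds this class of bug; the checked reader blocks all four while still passing the functional cases. The containment check here is purely lexical because the example has no real filesystem; against a real one, resolve symbolic links (for example with os.path.realpath) before comparing against the root, or a link planted under the root can still point outside it.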
• The core of the problem is that building systems to be secure cannot be accomplished by using an operations mindset.
• Instead, we must revisit all phases of system development and make sure that security engineering is present in each of them.
• When it comes to software, this means taking a close look over all software artifacts. This is a far cry from black box testing.
• Best practices are usually described as those practices expounded by experts and adopted by practitioners.
• As a group, the touchpoints vary in terms of adoption.
• While almost every organization worried about security makes use of penetration testing, very few venture into the murky area of abuse case development.
• Though I understand that the utility and rate of adoption varies among the touchpoints, I am comfortable calling them all best practices.