Software Engineering for Secure Systems Individual Research Project
description
Transcript of Software Engineering for Secure Systems Individual Research Project
Software Engineering for Secure SystemsIndividual Research Project
Hiram Garcia
Security Engineering
“Security engineering is about building systems that are and can remain dependable in the face of malice, error or mischance. As a discipline, security engineering focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.”
Requirements Engineering*A cooperative, iterative and incremental process which aims at ensuring that:1.All relevant requirements are explicitly known and understood at the required level of detail2.A sufficient agreement about the system requirements is achieved between the stakeholders involved3.All requirements are documented and specified in compliance with the defined documentation/specification formats and rules
*Requirements Engineering: Fundamentals, Principles & Techniques – Klaus Pohl
3
• Flawed requirements a major cause of project failure – one of top ten failures in Standish CHAOS Reports
• Fixing an error in later phases 10x more expensive
• Incorrect requirements Incorrect system leads to wasted costs
• System maybe unreliable for practical use disrupting normal day-to-day operations
• The primary vehicle for going from “vision” to “realization”
4
Main Kinds of Requirements
5
• Product Requirements– Capability Requirements
• local to system, specific system functionality– Level of Service Requirements
• local to system, may affect many system requirements• System Interface Requirements
– varies, affects groups system requirements• Project Requirements
– global to project, affects overall system requirements• Evolutionary Requirements
– varies, effects design and implementation
Examples of Levels of Service• Dependability
– Reliability– Availability
• Usability– Ease of learning– Ease of use
• Performance• Maintainability• Portability• Inter-operability (or binary portability)• Reusability• Security
6
Top 25 Most Dangerous Software Errors in 2011
1. SQL-injection7. Used of Hard-coded credentials8. Missing encryption of sensitive data9. Unrestricted upload of file with dangerous
type11.Execution with unnecessary privilegesNon errors: Phishing attacks, malware
SQL Injection1. Figure out how the application handles bad inputs
Insert something like [email protected]‘
into an email address form field then there are basically 2 possibilities:1 - The application will first “sanitize” the input, then, the
application may run the sanitized input in the database query 2 - The application will not sanitize the input first
- This is what the hacker is hoping would happen
– Run the actual SQL injection attack
Phishing Attack
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. - Wikipedia
Phishing Attack - Amazon
Associated Press Twitter
DOW Jones Index immediately following attach.
http://abcnews.go.com/GMA/video/press-twitter-hacked-white-house-explosion-obama-injury-19029118
Types of DefensesAttack Defense
SQL-injection Parameterized Queries or Stored Procedures
Used of Hard-coded credentials Avoid hard coding
Missing encryption of sensitive data Encrypt any sensitive data
Unrestricted upload of file with dangerous type
Restrict dangerous file type uploads
Execution with unnecessary privileges Execute with elevated privileges only when required
Phishing • Challenge–response • Secret questions• Multi-factor authentication
Malware • Keep Antivirus up to date• Perform scheduled scans
Multi Factor AuthenticationRequires the presentation of two or more of the three authentication factors:•a knowledge factor ("something the user knows“) like password or pin, •a possession factor ("something the user has“) like phone call, text message or email, and •an inherence factor ("something the user is") like a finger print or retina scan.
Keywords & References
14
• Keywords • Secure Systems, Security, Software, Cloud computing• References1. “Software Engineering for Security: a Roadmap”, Premkumar T. Devanbu, Stuart Stubblebine2. “SECURITY IN SOFTWARE ARCHITECTURE: A CASE STUDY”, Adam Sachitano, Richard O. Chapman, Ph.D.,
Member, IEEE and John A. Hamilton, Jr.,Ph.D., Senior Member, IEEE3. “Secure Software Systems Engineering: The Secure Tropos Approach”, Haralambos Mouratidis4. “Requirements Engineering”, Nupul Kukreja, Barry Boehm5. Evernote hack shows that passwords aren't good enough by Tony Bradley
http://www.pcworld.com/article/2030052/evernote-hack-shows-that-passwords-arent-good-enough.html6. Twitter 2-Factor Authentication: What It Is and Why It Would Help National Security http
://abcnews.go.com/Technology/ap-twitter-hack-cited-proof-factor-authentication-desperately/story?id=19031526#.UXv727XbPHR
7. Common Weakness Enumerationhttp://cwe.mitre.org/top25/#Listing
8. Provide an example of SQL Injectionhttp://www.programmerinterview.com/index.php/database-sql/sql-injection-example/