Module I: Security as a Software Issue
BTech CSE (Sem VI)  TY TC4
CYS3101 - System Software Security
by Dr Sarika Jadhav
Contents
1. Introduction, The problem
2. Software Assurance and Software Security
3. Threats to software security
4. Sources of software insecurity
5. Benefits of Detecting Software Security Defects Early
6. What Makes Software Secure: Properties of Secure Software
7. Influencing the security properties of software
8. Asserting and specifying the desired security properties
1.1 Introduction
Why Software Security Matters
High Risk of Vulnerabilities: Lack of security focus during development increases the number of exploitable weaknesses.
Potential Consequences: The extent of risk depends on the scale of reliance on the software and the possible impact of its failures.
Software is integral to modern life: Cars, cell phones, banking, utilities, and transportation.
Dependency: Complex, interconnected systems rely on the Internet for communication and information transfer.
Key Risk: Using software without security is as risky as walking a high wire without a safety net.
Introduction to Software Security
 Software security is the practice of protecting applications from unauthorized access, modification, and destruction.
 It ensures confidentiality, integrity, and availability through security measures built into the software itself.
 With growing technological reliance, cyber threats have significantly increased.
Consequences: Weak security can lead to data breaches, financial loss, and legal liabilities.
1.1 Introduction (continued)
 Common Software Threats: Exploits targeting software vulnerabilities.
 Shortcomings in the Development Process: Lack of secure practices makes software prone to attacks.
Solutions introduced in this module include:
 Secure software development practices.
 Enhancing awareness among stakeholders.
 Adopting security-focused tools and methodologies.
Target Audience
 Executives (E)
 Project Managers (M)
 Technical Leaders (L)
Focus Areas of Chapter 1
1. Why Security is a Software Problem:
Software as a key target for threats.
2. Dimensions of Software Assurance:
Importance of ensuring trust and reliability in software systems.
3. Software Security:
Strategies to protect software from threats.
1.2 The Problem: A Growing Threat
Cyberattacks are Increasing
The number and severity of cyberattacks are rising
alarmingly. Software vulnerabilities are exploited by
attackers to steal data, disrupt operations, and cause
financial damage.
Software is Vulnerable
Software is often designed with security as an
afterthought, leading to vulnerabilities that can be
exploited by attackers. This has become a critical issue as
our reliance on software continues to grow.
The Problem: Increasing Exposure
Growing Internet Connectivity
Sensitive information stored, processed, and transmitted
via software-intensive systems connected to the Internet.
Vulnerable Systems:
Financial transactions, personal identities, and critical data
exposed to unauthorized access. Increased risks from
global connectivity and evolving cyber threats (e.g.,
terrorism, organized crime, cybercrime).
Challenges in Software Development
Lack of disciplined, controlled processes. Security
vulnerabilities exploited by attackers.
The Problem: Risks and Trends
Common Vulnerabilities
 Coding bugs (e.g., buffer overflows).
 Design flaws (e.g., inconsistent error handling).
 Security defects ubiquitous in software.
Growing Threats
 Increasing number and sophistication of attacks (CERT
vulnerability reports rising).
 Extensible systems add risks with new features and
interfaces.
 Larger, more complex software systems lead to more
bugs and vulnerabilities.
Call to Action
 Integrate secure coding practices, vulnerability testing,
and penetration testing into SDLC.
 Develop a disciplined approach to software security.
1.2.2 System Complexity: The Context for Software
Evolving Nature of Software Systems
 Software systems no longer operate as isolated pieces but as part of integrated environments.
 New components must merge with existing legacy systems, creating vulnerabilities in systems of systems.
 Expanding system scope and scale requires a shift in traditional development assumptions.
Key Challenges in Modern Software Development
 Transition from centralized control to multiple, independent control points.
 Integration complexities hinder the ability to implement wide-scale changes quickly.
 Heterogeneous components and inconsistent security policies across systems.
1.2.2 System Complexity: Addressing Complexity in Software Systems
Considerations for Project Managers
 Maintaining Security During Upgrades: Ensure operational capability and security while upgrading or adding new services.
 Managing System Heterogeneity: Address mismatches among components and inconsistencies in security policies.
The Reality of Failures
 Failures are more common due to mismatches and errors in independently managed systems.
 No established methods exist for ensuring specified levels of security in complex systems.
Software Assurance
Software Assurance focuses on building and maintaining trustworthy, reliable, and secure software systems capable of operating effectively in today's complex, interconnected, and threat-prone environments.
Software Assurance refers to the level of confidence that software is free from vulnerabilities (intentional or accidental) and operates reliably and securely as intended. It is a systematic approach to ensuring that software meets its functional, performance, and security requirements throughout its lifecycle.
Software Assurance and Software Security
1 A Holistic Approach
Software assurance is a comprehensive approach
that ensures the quality and security of software
throughout its entire lifecycle.
2 Security as a Foundation
Software security focuses on building security into
software from the initial design phase to ensure that
applications are secure and resilient.
Terminology
 Error: a mistake made by a developer, for example because a requirement was misunderstood or was specified incorrectly. Developers tend to use the term error.
 Defect: an implementation or design weakness; the application does not work as the requirement says it should.
 Bug: an implementation-level defect that can be detected and removed. Example: a buffer overflow. Bug is the informal name for a defect and the term test engineers tend to use; a coding error that makes a program break down is reported as a bug.
Terminology
 Fault: an incorrect step, process, or data definition in a program that can make it act up. Without fault-tolerant code, a fault propagates into a failure. A fault may arise from:
Lack of resources
An invalid step
Inappropriate data definition
Terminology
 Risk: the probability that a flaw or a bug will impact the purpose of the software, weighted by the damage it would do. Risk = probability x impact.
 Flaw: a problem at a deeper level than a bug. A flaw is instantiated in the code, but it is already present (or absent) at the design level. Example: error-handling problems.
 Failure: the inability of the software to perform its required function. Many defects never surface; a defect becomes a failure when an end user observes the incorrect behaviour in the product.
Importance of Software Assurance and Security
 Critical Role of Software:
Software now underpins dependability, not just productivity.
Trustworthy software keeps operating even under threat.
 Why Software Assurance Matters:
Increased business/mission risks due to exploitable software.
Software weaknesses are frequently the weakest link in system success.
Complexity and supply-chain risks amplify exposure.
 Challenges in Software Security:
Sophisticated and stealthy attacks.
Unintended risks from reusing legacy software.
Reluctance to invest in risk-appropriate security measures.
Objectives and Scope of Software Assurance
 Definition of Software Assurance:
 Confidence that software is free from vulnerabilities.
 Ensures intended functionality throughout the software life cycle.
 Disciplines:
 Software Reliability: Fault tolerance.
 Software Safety: Prevents unintended harm.
 Software Security: Resists, tolerates, and recovers from attacks.
 Goals of Software Security:
 Build robust, defect-free software.
 Continue to operate correctly even under malicious attack.
 Minimize exploitable weaknesses and the damage an attack can do.
What Makes Software Secure: Core Properties of Secure Software
Predictable Execution: Functions as intended, even against malicious input.
Trustworthiness: Minimized exploitable exposures; aim for no vulnerabilities if possible.
Conformance: Adheres to requirements, standards, and procedures.
Attack Resilience:
 Recovers from failures to maintain acceptable service levels.
 Full recovery to specified performance standards.
Practical Security Considerations
Risk Management:
Balance security goals with project cost and schedule.
Design Principles:
Recognize legitimate inputs and known attack patterns.
Reflect secure patterns in software design.
Resilience in Action:
Software should withstand attacks, tolerate faults, and recover quickly.
Ensure uninterrupted critical services post-attack.
Threats to Software Security
Definition
A threat is an actor, often a person, intending to do harm, frequently by means of malicious software agents.
Purpose
To consider the various stages in the software lifecycle where threats may occur and the importance of proactive security measures.
Biggest Threats to Software Security
Credential reuse attacks
Man-in-the-middle attacks
Phishing
DDoS attacks
Cloud service attacks
Supply chain attacks
Ransomware attacks
New risks introduced by mobile devices
API threats
Categories of Threats
 Threats During Development
 Threats During Operation
Threats to Software Security
Malware
Malicious software designed to
disrupt computer operations,
steal data, or gain unauthorized
access to systems.
Phishing
Deceptive attempts to acquire
sensitive information, such as
usernames, passwords, and
credit card details, through
fraudulent emails, messages, or
websites.
Denial-of-Service Attacks
Intentional efforts to make a computer or network unavailable to
legitimate users, usually by overwhelming the target with a flood of
requests.
Threats During Development
 Source: Insider threats.
 Examples of Threats:
 Sabotage of requirements specifications.
 Modifications in:
 Threat models
 Design documents
 Source code
 Test cases and results
 Installation and configuration tools
 Countermeasures:
 Implement secure development practices.
 Refer to Insider Threats in the SDLC (Cappelli 2006).
An insider threat in cybersecurity is an individual using their authorized access to an organization's data and resources to harm the company's equipment, information, networks, and systems. It includes corruption, espionage, degradation of resources, sabotage, terrorism, and unauthorized information disclosure. It can also be the starting point from which cyber criminals launch malware or ransomware attacks.
Threats During Operation
 Sources: Insider and external threats.
Key Issues:
Exposure through unpatched vulnerabilities.
Exploitation of flaws for:
 Memory corruption
 Remote code execution
 Buffer overflows
Installation of spyware, adware, and malware.
 Vulnerable Components:
 Interfaces, protocols, design features, development faults.
Examples of Vulnerable Software
Web Applications
 Browser and server components
Web Services
Database Management Systems
Operating Systems
Shortcomings and Changing Risks
Challenges in Addressing Software Threats
Reliance on Operational Controls
 Security is made dependent on OS, network, and server protections.
 Application-level vulnerabilities are consequently left unaddressed.
Asymmetric Risk
 Defenders must anticipate every vulnerability; attackers need only one working exploit.
The Evolving Threat Landscape
 Public exploit scripts make the attacker's job easier.
 Experienced attackers create sophisticated, targeted attacks.
Sources of Software Insecurity
Coding Errors
Oversights or mistakes in software code
can introduce vulnerabilities that
attackers can exploit.
Weak Security Controls
Insufficient or poorly implemented
security controls, such as weak
passwords or inadequate authentication
mechanisms, can compromise software
security.
Network Vulnerabilities
Weaknesses in network infrastructure or
configurations can expose software to
attacks, allowing unauthorized access to
systems.
Sources of Software Insecurity
Lack of awareness of security and security standards
Security requirements not defined or unclear
Not enough communication between product and development teams
Design errors that introduce security loopholes
Bad programming practices or coding issues
Missing security test plans/use cases
Complexities, inadequacies, and/or software processing model changes.
Sources of Software Insecurity
Incorrect assumptions by the engineer, including beliefs about the capabilities, outputs, and behavior of the software's execution environment, or about the inputs expected from external entities (users, software processes).
Flawed specification or design, or defective implementation, of:
 The software's interfaces with external entities. Development mistakes of this type include inadequate (or non-existent) input validation, error handling, and exception handling.
 The components of the software's execution environment (from middleware-level and operating-system-level to firmware and hardware-level components).
Unintended interactions between software components, including those provided by a third party.
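The distinction the terminology slides draw between a flaw (wrong at the design level) and a bug (wrong only in the implementation), and the error-handling mistakes listed above, are easiest to see side by side. The following is an added example, not code from the lecture slides; the policy store, user names, permissions and paths are constructed, and the function names are assumptions for illustration.

```python
"""Error handling as a source of insecurity: design flaw vs. implementation bug.

Added example, not from the lecture slides. The policy store, users,
permissions and paths are constructed for illustration.
"""
import os.path
from typing import Dict, Set

# Constructed policy: user -> permissions granted.
POLICY: Dict[str, Set[str]] = {
    "alice": {"read", "write"},
    "bob": {"read"},
}


class PolicyLookupError(Exception):
    """Raised when the policy backend cannot answer (e.g. store unreachable)."""


def lookup_permissions(user: str, backend_available: bool = True) -> Set[str]:
    """Stand-in for a remote policy store that may be unavailable."""
    if not backend_available:
        raise PolicyLookupError("policy store unreachable")
    return POLICY.get(user, set())


def is_authorized_fail_open(user: str, action: str, backend_available: bool = True) -> bool:
    """DESIGN FLAW: an error in the lookup is treated as 'no objection'.

    Nothing here is a coding slip; the decision to answer True on failure
    is wrong at the design level. An attacker who can make the backend
    fail (resource exhaustion, dropped connection) is granted every action.
    """
    try:
        return action in lookup_permissions(user, backend_available)
    except PolicyLookupError:
        return True  # fails open


def is_authorized_fail_closed(user: str, action: str, backend_available: bool = True) -> bool:
    """Corrected design: any error denies the action; the outage is reported
    to operations rather than turned into a privilege for the caller."""
    try:
        return action in lookup_permissions(user, backend_available)
    except PolicyLookupError as exc:
        print(f"authz denied for {user}/{action}: {exc}")  # alert, do not grant
        return False


def under_root_buggy(path: str, allowed_root: str) -> bool:
    """IMPLEMENTATION BUG: the design ('only paths under the root') is sound,
    but a plain string-prefix test also accepts '/data/public_secrets'
    when the root is '/data/public'."""
    return path.startswith(allowed_root)


def under_root_fixed(path: str, allowed_root: str) -> bool:
    """Same design, correct implementation: normalise both paths and require
    a directory boundary after the root."""
    root = os.path.normpath(allowed_root)
    target = os.path.normpath(path)
    return target == root or target.startswith(root + os.sep)
```

The fail-open version is the kind of problem a code review will not flag as a bug, because every line does what the author meant; only a design-level review (or an abuse case "what if the policy store is down?") exposes it. The path check is the opposite: the intent is right and one line is wrong. Note that the fixed path check still does not resolve symbolic links; a deployment that must defend against them has to compare real paths.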
Benefits of Detecting Software Security Defects Early
1 Reduced Risk
Proactive security measures help mitigate the risk of cyberattacks, data breaches, and reputational damage.
2 Improved Customer Trust
Secure software instills confidence in customers, as they are assured that their data and privacy are protected.
3 Enhanced Compliance
Secure software helps organizations comply with industry regulations and legal requirements related to data protection and security.
Benefits of Detecting Software Security Defects Early
1 Cost Benefits of Early Detection
Addressing defects early in the SDLC reduces costs significantly. Defect correction during the requirements/design phases is 50 to 200 times cheaper than after release [Boehm 1988].
2 ROI in Reducing Defects
Studies show proactive defect reduction improves quality and ROI [Goldenson 2003]. $1 spent during the design phase saves $60 to $100 post-release [Soo Hoo 2001].
3 Impact on Development Speed
Higher-quality products have shorter schedules [Jones 1991]. Defect prevention and early correction improve development speed.
4 Error-Prone Modules
Modules with high defect rates cost $2000 to $4000 per function point compared to $500 to $1000 for normal modules [Jones 1994]. Identifying and redesigning error-prone modules is critical for rapid development.
[Figure: Relationship between defect rate and development time]
Consequences of Skipping Early Defect Detection
1. Increased Development Time:
 Poor quality often results in schedule overruns or project cancellations (~50%) [Jones 1994].
 Excessive schedule pressure increases defect rates, leading to costly rework.
2. Defects Persist and Escalate:
 60% of defects typically exist by design time [Gilb 1988].
 Postponing defect detection increases effort and costs exponentially.
3. Quality and Project Success:
 Projects with lower defect rates achieve higher user satisfaction and shorter timelines.
 Early defect removal (95%+) ensures optimal schedules and reduced costs.
4. Savings and Efficiency:
 Time spent on defect prevention reduces repair effort by 3 to 10x.
 Reworking defective code/design accounts for 40 to 50% of total development costs [Jones 1986b].
[Figure: Cost of correcting defects by life-cycle phase]
Risk Management Framework for Software Security
Overview
 A continuous Risk Management Framework (RMF) is crucial for addressing software security risks.
 Focus on risks from SDLC outputs, insufficient processes, and personnel.
Risk Management Framework Activities
1. Identify Risks: Assess risks across SDLC phases.
2. Analyze Risks: Evaluate likelihood and impact.
3. Mitigate Risks: Develop strategies to reduce likelihood and impact.
4. Monitor Risks: Continuously track risk status and effectiveness of mitigations.
5. Report Progress: Measure and report on risk management activities.
Benefits of RMF
 Ensures iterative, high-level risk management integrated into the SDLC.
 Supports governance and enhances decision-making for software security.
RMF Activities
1. Understand the business context.
 A key task of the analyst.
 Extract and describe business goals.
 Set priorities.
 Understand which risks to consider.
 Gather the artifacts.
 Conduct project research within the agreed scope.
2. Identify the business and technical risks.
 Business risks impact business goals.
 Map technical risks to business goals.
 Develop a set of risk questionnaires.
 Interview the target project team.
 Analyze the research and interview data.
 Evaluate software artifacts.
RMF Activities
3. Synthesize, prioritize, and rank the risks.
 Prioritize the risks based on the business goals.
 Risk metrics:
O Risk likelihood.
O Risk impact.
O Number of risks emerging over time.
 What shall we do first given the current risk situation?
 What is the best allocation of resources?
4. Define the risk mitigation strategy.
Create a coherent strategy for mitigating the risks that takes into account:
O Cost.
O Implementation time.
O Likelihood of success.
O Competence.
O Impact.
Identify the validation techniques.
Metrics are financial in nature.
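Ranking risks and allocating a mitigation budget, as the two RMF activities above describe, comes down to the Risk = probability x impact metric from the terminology slides, extended with the cost and likelihood of success of each mitigation. The following is an added example, not part of the lecture slides: the risk register, probabilities, loss figures, costs and budget are all constructed, and the greedy benefit/cost allocation is one simple strategy, not the only one.

```python
"""Risk = probability x impact, used to rank risks and allocate a
mitigation budget.

Added example, not from the lecture slides. The risks, probabilities,
loss figures, costs and budget are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    business_goal: str      # the business goal this technical risk threatens
    likelihood: float       # probability of exploitation in the period, 0..1
    impact: float           # loss (currency units) if it is exploited
    mitigation_cost: float  # cost of the proposed fix
    success_prob: float     # probability the fix removes the risk, 0..1

    @property
    def exposure(self) -> float:
        """Risk = probability x impact: expected loss if nothing is done."""
        return self.likelihood * self.impact

    @property
    def expected_reduction(self) -> float:
        """Expected loss avoided by funding the mitigation."""
        return self.exposure * self.success_prob

    @property
    def benefit_cost(self) -> float:
        """Financial metric used to decide what to do first."""
        return self.expected_reduction / self.mitigation_cost


def rank_by_exposure(risks: List[Risk]) -> List[Risk]:
    """Risk ranking: highest expected loss first."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)


def allocate_budget(risks: List[Risk], budget: float) -> List[Risk]:
    """Greedy allocation: fund mitigations in descending benefit/cost order
    until the budget is exhausted. Risks that cannot be funded remain as
    residual risk and must be reported, not forgotten."""
    funded: List[Risk] = []
    remaining = budget
    for r in sorted(risks, key=lambda r: r.benefit_cost, reverse=True):
        if r.mitigation_cost <= remaining:
            funded.append(r)
            remaining -= r.mitigation_cost
    return funded


def residual_exposure(risks: List[Risk], funded: List[Risk]) -> float:
    """Expected loss left after the funded mitigations (success-weighted)."""
    total = 0.0
    for r in risks:
        total += r.exposure - (r.expected_reduction if r in funded else 0.0)
    return total


# Constructed risk register for a hypothetical web service.
SAMPLE_RISKS = [
    Risk("SQL injection in search endpoint", "protect customer data", 0.6, 500_000, 20_000, 0.95),
    Risk("No rate limit on login", "keep service available", 0.8, 50_000, 5_000, 0.90),
    Risk("Unsigned firmware updates", "protect customer data", 0.2, 2_000_000, 150_000, 0.80),
    Risk("Verbose stack traces to users", "protect customer data", 0.9, 10_000, 2_000, 0.99),
]

if __name__ == "__main__":
    for r in rank_by_exposure(SAMPLE_RISKS):
        print(f"{r.exposure:>10,.0f}  {r.name}  ({r.business_goal})")
    funded = allocate_budget(SAMPLE_RISKS, budget=30_000)
    print("funded:", [r.name for r in funded])
    print("residual exposure:", residual_exposure(SAMPLE_RISKS, funded))
```

With the constructed numbers the unsigned-firmware risk ranks first by exposure but last by benefit/cost, so a small budget funds the three cheap fixes and leaves it as residual risk; that gap between "largest risk" and "funded first" is exactly what the reporting activity has to make visible to management.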
RMF Activities
5. Carry out fixes and validate that they are correct.
 Implement the mitigation strategy; the affected artifacts are rectified.
 Progress is measured in terms of completeness against the mitigation strategy.
 Use the validation techniques to confirm that artifacts no longer bear unacceptable risk.
 Metrics include artifact quality metrics and levels of risk mitigation effectiveness.
Software Security Practices in the Development Life Cycle
Seven Touchpoints
Security touchpoints are a set of security best practices applied to software artifacts:
1. Code review
2. Architectural risk analysis
3. Penetration testing
4. Risk-based security testing
5. Abuse cases
6. Security requirements
7. Security operations
Seven Touchpoints (I)
1. Code Reviews
O Artifact: Code.
O Example of risks found: Buffer overflow on line 30.
2. Architectural Risk Analysis
O Artifact: Design and specifications.
O Example of risks found: Failure of a Web Service to authenticate calling code.
3. Penetration Testing
O Artifact: System in its environment.
O Example of risks found: Poor handling of program state in the Web interface.
Seven Touchpoints (II)
4. Risk-Based Security Testing
O Artifact: Units and system.
O Example of risks found: Extent of possible data leakage.
5. Abuse Cases
O Artifact: Requirements and use cases.
O Example of risks found: Susceptibility to well-known tampering attacks.
6. Security Requirements
O Artifact: Requirements.
O Example of risks found: An explicit description of data protection needs is missing.
7. Security Operations
O Artifact: Fielded system.
O Example of risks found: Insufficient logging to prosecute a known attacker.
Core Properties of Secure Software
Several fundamental properties may be seen as attributes of security as a software property
Confidentiality
Protecting sensitive information from unauthorized access
and disclosure.
Integrity
Ensuring that data remains accurate and unchanged,
preventing tampering or corruption.
Availability
Guaranteeing that software and services are accessible to
authorized users when needed.
Core Properties of Secure Software (continued)
Two additional properties commonly associated with human users are required in software entities that act as users (e.g., proxy agents, Web services, peer processes):
Accountability
All security-relevant actions of the software-as-user must be recorded and tracked, with attribution of responsibility.
Non-repudiation
The ability to prevent the software-as-user from disavowing or denying responsibility for actions it has performed.
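Accountability in practice means an audit record that names the acting entity and cannot be quietly edited afterwards. The following is an added example, not code from the lecture slides: the key and the events are constructed, and the function names are assumptions. It chains entries with HMAC-SHA256 under a shared key, which gives integrity and attribution inside the trust boundary that holds the key. It deliberately does not claim non-repudiation: any holder of the shared key could forge an entry, so a third party cannot be convinced by it. Non-repudiation needs each acting entity to sign with its own private key (an asymmetric signature), which the Python standard library does not provide and which this example therefore leaves out.

```python
"""Accountability: a tamper-evident, attributed audit log.

Added example, not from the lecture slides. The key and events are
constructed. HMAC under a shared key gives integrity and attribution,
not non-repudiation (see the note above).
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed demo key; in production it comes from a KMS/HSM, never from source.
AUDIT_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "genesis"


def _entry_tag(key: bytes, prev_tag: str, body: Dict) -> str:
    """HMAC over the previous tag plus a canonical JSON encoding of the body,
    so every entry commits to the entire chain before it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + canonical, hashlib.sha256).hexdigest()


def append_event(log: List[Dict], key: bytes, actor: str, action: str, target: str) -> Dict:
    """Record who did what to which object, attributed and chained."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "action": action, "target": target}
    entry = dict(body, tag=_entry_tag(key, prev_tag, body))
    log.append(entry)
    return entry


def verify_log(log: List[Dict], key: bytes) -> int:
    """Return the index of the first entry that fails verification,
    or -1 when the chain is intact. Detects edits, reordering and
    deletions in the middle; truncation at the tail needs an external
    anchor (e.g. the last tag published elsewhere)."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:
            return i
        expected = _entry_tag(key, prev_tag, body)
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            return i
        prev_tag = entry["tag"]
    return -1


def demo_blame_shift() -> Tuple[int, int]:
    """Intact chain verifies (-1); rewriting the actor of entry 1 is caught (1)."""
    log: List[Dict] = []
    append_event(log, AUDIT_KEY, "svc-billing", "read", "invoice/42")
    append_event(log, AUDIT_KEY, "svc-billing", "delete", "invoice/42")
    append_event(log, AUDIT_KEY, "svc-report", "read", "invoice/43")
    before = verify_log(log, AUDIT_KEY)
    log[1]["actor"] = "svc-report"  # attacker tries to pin the delete on another service
    return before, verify_log(log, AUDIT_KEY)
```

The verifier finds the first entry that does not match, which also covers a deleted or reordered entry because the sequence number and the previous tag no longer line up. Deleting the newest entries is not detectable from the log alone; the usual remedy is to publish the latest tag to a separate system (SIEM, write-once storage) so truncation shows up as a mismatch there.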
Influencing the Security Properties of Software
1. Dependability: Ensures that software always operates as intended; refers to the overall reliability and availability of a software system. A dependable system can be trusted to deliver consistent and reliable performance, even in the face of disruptions or failures.
2. Correctness: The system behaves according to its specifications and requirements. A correct system produces the expected results under normal and exceptional conditions.
3. Predictability: The ability to anticipate and understand how a system will behave in different situations. A predictable system follows consistent patterns, making it easier for users and administrators to understand its behavior.
Influencing the Security Properties of Software (continued)
4. Reliability: The ability of a system to consistently perform its functions without failures. A reliable system minimizes downtime and operates as expected under various conditions.
5. Safety: The ability of a system to operate without causing harm or damage to users, other systems, or the environment.
Influencing the Security Properties of Software
Key Challenges:
 Understanding security properties is crucial.
 Requires balancing a defensive mindset with an attacker's mindset.
Two Perspectives:
1. Defender Approach:
 Build security into the software.
 Minimize weaknesses and enhance resistance.
2. Attacker Approach:
 Identify potential threats.
 Analyze exposure and high-risk areas.
Effective Security Implementation
Key Strategies:
Use security knowledge resources:
 Prescriptive (Guidelines & standards).
 Diagnostic (Security tools & testing).
 Historical (Past threats & lessons).
Integrate security best practices throughout SDLC.
Apply risk-driven security measures for effective protection.
Enhancing Software Security Properties / Implementing Secure Software Practices
1. Security by Design
 Early Integration: Consider security in the design phase.
 Threat Modeling: Analyze risks, identify attack vectors.
2. Secure Coding Practices
 Adherence to Standards: Follow secure coding guidelines to prevent weaknesses.
 Code Reviews: Conduct peer reviews to identify security flaws.
3. Authentication & Authorization
 Strong Authentication: Implement MFA for secure user verification.
 Authorization Controls: Enforce least privilege access.
Enhancing Software Security Properties / Implementing Secure Software Practices (continued)
4. Secure Communication
 Encryption: Use TLS to protect data in transit. SSL is the deprecated predecessor of TLS and should no longer be enabled.
 Authenticated channels: Ensure components verify each other's identity (certificate validation) so that an attacker cannot impersonate a peer.
5. Input Validation & Sanitization
 Validate Inputs: Prevent SQL injection, XSS, and other injection attacks; prefer allowlists and parameterized queries over trying to strip dangerous characters.
 Output Encoding: Avoid code execution from untrusted data by encoding it for the context in which it is rendered.
6. Key Takeaway: Integrate security at every phase to build robust and resilient software!
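Practice 5 is best understood as three separate layers: validation at the trust boundary, parameterization where data meets SQL, and encoding where data meets HTML. The following is an added example, not code from the lecture slides; it uses only the Python standard library, the users table is constructed in memory, and the function names and the username allowlist pattern are assumptions.

```python
"""Input validation, parameterized queries and output encoding.

Added example, not from the lecture slides; uses only the standard
library. The users table is constructed in memory.
"""
import html
import re
import sqlite3
from typing import List, Tuple

# Allowlist for a username: a letter followed by up to 31 letters/digits/_.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Untrusted input is pasted into the SQL text: classic SQL injection."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterized query: the value is bound by the driver and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_username(name: str) -> bool:
    """Allowlist validation at the trust boundary. This is defence in depth,
    not a substitute for parameterization."""
    return USERNAME_RE.match(name) is not None


def render_greeting_vulnerable(name: str) -> str:
    """Untrusted data placed in HTML without encoding: reflected XSS."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding for the HTML text context."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row
    print("safe:      ", find_user_safe(db, payload))        # no rows
    print("validate:  ", validate_username(payload))         # False
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_safe(xss))
```

The payload `x' OR '1'='1` turns the string-built query into one whose WHERE clause is always true, so the vulnerable lookup returns every user; the parameterized lookup returns nothing because no user is literally named that. Note that `html.escape` is correct only for HTML text and attribute values; data placed inside a URL, a JavaScript string or a CSS block needs the encoder for that context.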
Asserting and Specifying Desired Security Properties
1. Security Requirements
2. Threat Modeling: Identifying potential threats and vulnerabilities that could impact the software.
3. Security Policies and Standards: Establishing clear guidelines and principles for secure software development and operations.
How to Assert and Specify Desired Security Properties
Understanding Security Properties
 Identifying and describing security properties defines the software's security profile.
 Establishes a common language and objectives for building secure software.
Influencing Security Properties
 Implementing mechanisms to strengthen security assurance.
 Taking action to ensure software is resistant to vulnerabilities.
Need for Security Assertions
 Helps in planning, communicating, and ensuring compliance.
 Provides a foundation for security assurance.
Role of Assurance Cases
 Artifacts used to document and manage security assertions.
 Serve as a reference for validating security measures throughout the SDLC.
Purpose of Security Properties
 Define clear and unambiguous security expectations.
 Serve as criteria for evaluating system security.
Key Steps to Assert Security Properties
 Define security requirements.
 Identify threats and risks.
 Map security properties to functional requirements.
Formalizing Security Assertions
 Use formal methods and specifications.
 Leverage security standards and frameworks.
 Document security policies and define acceptance criteria.
Ensuring Compliance and Validation
 Express security properties in requirement documents.
 Incorporate security testing requirements.
 Involve stakeholders in security planning.

Crude-Oil-System for oil and gas industry
Okeke Livinus
Distributed renewable energy in Colombia.OECD2023.pdf
Distributed renewable energy in Colombia.OECD2023.pdfDistributed renewable energy in Colombia.OECD2023.pdf
Distributed renewable energy in Colombia.OECD2023.pdf
SantiagoCardonaGallo
Lecture 16 - 17 - NonTraditional Machining Presentation.ppt
Lecture 16 - 17 - NonTraditional Machining Presentation.pptLecture 16 - 17 - NonTraditional Machining Presentation.ppt
Lecture 16 - 17 - NonTraditional Machining Presentation.ppt
INSTITUTE OF ENGINEERING /BKC
GRAPHS AND DISCONTINUITIES POWERPOINT.pptx
GRAPHS AND DISCONTINUITIES POWERPOINT.pptxGRAPHS AND DISCONTINUITIES POWERPOINT.pptx
GRAPHS AND DISCONTINUITIES POWERPOINT.pptx
ChrisPuyoc1
NBA Criteria TIER I and TIER II Comparison
NBA Criteria TIER I and TIER II ComparisonNBA Criteria TIER I and TIER II Comparison
NBA Criteria TIER I and TIER II Comparison
Dr INBAMALAR T M
Energy Transition Factbook Bloomberg.pdf
Energy Transition Factbook Bloomberg.pdfEnergy Transition Factbook Bloomberg.pdf
Energy Transition Factbook Bloomberg.pdf
CarlosdelaFuenteMnde
GDGoC Artificial Intelligence Workshop.pptx
GDGoC Artificial Intelligence Workshop.pptxGDGoC Artificial Intelligence Workshop.pptx
GDGoC Artificial Intelligence Workshop.pptx
Aditi330605
Scalling Rails: The Journey to 200M Notifications
Scalling Rails: The Journey to 200M NotificationsScalling Rails: The Journey to 200M Notifications
Scalling Rails: The Journey to 200M Notifications
Gustavo Araujo
Call for Papers - 6th International Conference on Big Data and Machine Learni...
Call for Papers - 6th International Conference on Big Data and Machine Learni...Call for Papers - 6th International Conference on Big Data and Machine Learni...
Call for Papers - 6th International Conference on Big Data and Machine Learni...
IJDKP
Telehealth technology A new horizon in health care
Telehealth technology  A new horizon in health careTelehealth technology  A new horizon in health care
Telehealth technology A new horizon in health care
Dr INBAMALAR T M
Artificial-Intelligence-in-Cybersecurity.pptx
Artificial-Intelligence-in-Cybersecurity.pptxArtificial-Intelligence-in-Cybersecurity.pptx
Artificial-Intelligence-in-Cybersecurity.pptx
Vigneshwarar3
pptforclass10kkkkkkkclasseee2eewsw10scienve
pptforclass10kkkkkkkclasseee2eewsw10scienvepptforclass10kkkkkkkclasseee2eewsw10scienve
pptforclass10kkkkkkkclasseee2eewsw10scienve
jeevasreemurali
Artificial intelligence and Machine learning in remote sensing and GIS
Artificial intelligence  and Machine learning in remote sensing and GISArtificial intelligence  and Machine learning in remote sensing and GIS
Artificial intelligence and Machine learning in remote sensing and GIS
amirthamm2083
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
ssuserb91a20
Why the Engineering Model is Key to Successful Projects
Why the Engineering Model is Key to Successful ProjectsWhy the Engineering Model is Key to Successful Projects
Why the Engineering Model is Key to Successful Projects
Maadhu Creatives-Model Making Company
PLANT CELL REACTORS presenation PTC amity
PLANT CELL REACTORS presenation PTC amityPLANT CELL REACTORS presenation PTC amity
PLANT CELL REACTORS presenation PTC amity
UrjaMoon
悋悋 惺悋 惶悋悸 惠惘惡悋惠 ( 愀惡悋惺悸)kkkjjj kkkkk .pptx
悋悋 惺悋 惶悋悸 惠惘惡悋惠 ( 愀惡悋惺悸)kkkjjj  kkkkk .pptx悋悋 惺悋 惶悋悸 惠惘惡悋惠 ( 愀惡悋惺悸)kkkjjj  kkkkk .pptx
悋悋 惺悋 惶悋悸 惠惘惡悋惠 ( 愀惡悋惺悸)kkkjjj kkkkk .pptx
zeidali3
Requirements Engineering for Secure Software
Requirements Engineering for Secure SoftwareRequirements Engineering for Secure Software
Requirements Engineering for Secure Software
Dr Sarika Jadhav
危 渚狩 豺企襦蠏 2025 (Lok Fitting Catalog 2025)
危 渚狩 豺企襦蠏 2025 (Lok Fitting Catalog 2025)危 渚狩 豺企襦蠏 2025 (Lok Fitting Catalog 2025)
危 渚狩 豺企襦蠏 2025 (Lok Fitting Catalog 2025)
危 / HIFLUX Co., Ltd.
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptxUHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
UHV unit-2UNIT - II HARMONY IN THE HUMAN BEING.pptx
ariomthermal2031
Crude-Oil-System for oil and gas industry
Crude-Oil-System for oil and gas industryCrude-Oil-System for oil and gas industry
Crude-Oil-System for oil and gas industry
Okeke Livinus
Distributed renewable energy in Colombia.OECD2023.pdf
Distributed renewable energy in Colombia.OECD2023.pdfDistributed renewable energy in Colombia.OECD2023.pdf
Distributed renewable energy in Colombia.OECD2023.pdf
SantiagoCardonaGallo
Lecture 16 - 17 - NonTraditional Machining Presentation.ppt
Lecture 16 - 17 - NonTraditional Machining Presentation.pptLecture 16 - 17 - NonTraditional Machining Presentation.ppt
Lecture 16 - 17 - NonTraditional Machining Presentation.ppt
INSTITUTE OF ENGINEERING /BKC
GRAPHS AND DISCONTINUITIES POWERPOINT.pptx
GRAPHS AND DISCONTINUITIES POWERPOINT.pptxGRAPHS AND DISCONTINUITIES POWERPOINT.pptx
GRAPHS AND DISCONTINUITIES POWERPOINT.pptx
ChrisPuyoc1
NBA Criteria TIER I and TIER II Comparison
NBA Criteria TIER I and TIER II ComparisonNBA Criteria TIER I and TIER II Comparison
NBA Criteria TIER I and TIER II Comparison
Dr INBAMALAR T M
Energy Transition Factbook Bloomberg.pdf
Energy Transition Factbook Bloomberg.pdfEnergy Transition Factbook Bloomberg.pdf
Energy Transition Factbook Bloomberg.pdf
CarlosdelaFuenteMnde
GDGoC Artificial Intelligence Workshop.pptx
GDGoC Artificial Intelligence Workshop.pptxGDGoC Artificial Intelligence Workshop.pptx
GDGoC Artificial Intelligence Workshop.pptx
Aditi330605
Scalling Rails: The Journey to 200M Notifications
Scalling Rails: The Journey to 200M NotificationsScalling Rails: The Journey to 200M Notifications
Scalling Rails: The Journey to 200M Notifications
Gustavo Araujo
Call for Papers - 6th International Conference on Big Data and Machine Learni...
Call for Papers - 6th International Conference on Big Data and Machine Learni...Call for Papers - 6th International Conference on Big Data and Machine Learni...
Call for Papers - 6th International Conference on Big Data and Machine Learni...
IJDKP
Telehealth technology A new horizon in health care
Telehealth technology  A new horizon in health careTelehealth technology  A new horizon in health care
Telehealth technology A new horizon in health care
Dr INBAMALAR T M
Artificial-Intelligence-in-Cybersecurity.pptx
Artificial-Intelligence-in-Cybersecurity.pptxArtificial-Intelligence-in-Cybersecurity.pptx
Artificial-Intelligence-in-Cybersecurity.pptx
Vigneshwarar3
pptforclass10kkkkkkkclasseee2eewsw10scienve
pptforclass10kkkkkkkclasseee2eewsw10scienvepptforclass10kkkkkkkclasseee2eewsw10scienve
pptforclass10kkkkkkkclasseee2eewsw10scienve
jeevasreemurali
Artificial intelligence and Machine learning in remote sensing and GIS
Artificial intelligence  and Machine learning in remote sensing and GISArtificial intelligence  and Machine learning in remote sensing and GIS
Artificial intelligence and Machine learning in remote sensing and GIS
amirthamm2083
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
Chapter1-Introduction 旅留粒粒旅虜劉 劉僚僚凌旅竜
ssuserb91a20
PLANT CELL REACTORS presenation PTC amity
PLANT CELL REACTORS presenation PTC amityPLANT CELL REACTORS presenation PTC amity
PLANT CELL REACTORS presenation PTC amity
UrjaMoon
悋悋 惺悋 惶悋悸 惠惘惡悋惠 ( 愀惡悋惺悸)kkkjjj kkkkk .pptx
悋悋 惺悋 惶悋悸 惠惘惡悋惠 ( 愀惡悋惺悸)kkkjjj  kkkkk .pptx悋悋 惺悋 惶悋悸 惠惘惡悋惠 ( 愀惡悋惺悸)kkkjjj  kkkkk .pptx
悋悋 惺悋 惶悋悸 惠惘惡悋惠 ( 愀惡悋惺悸)kkkjjj kkkkk .pptx
zeidali3
Requirements Engineering for Secure Software
Requirements Engineering for Secure SoftwareRequirements Engineering for Secure Software
Requirements Engineering for Secure Software
Dr Sarika Jadhav

Software security: Security a Software Issue

  • 1. Module-I: Security a Software Issue
    BTech CSE (Sem VI) TY TC4
    CYS3101 - System Software Security
    by Dr Sarika Jadhav
  • 2. Contents
    1. Introduction, The problem
    2. Software Assurance and Software Security
    3. Threats to software security
    4. Sources of software insecurity
    5. Benefits of Detecting Software Security
    6. What Makes Software Secure: Properties of Secure Software
    7. Influencing the security properties of software
    8. Asserting and specifying the desired security properties
  • 3. 1.1. Introduction: Why Software Security Matters
    - High Risk of Vulnerabilities: Lack of security focus during development increases threats.
    - Potential Consequences: The extent of risk depends on the scale of reliance and the possible impact of failures.
    - Software is integral to modern life: cars, cell phones, banking, utilities, and transportation.
    - Dependency: Complex, interconnected systems rely on the Internet for communication and information transfer.
    - Key Risk: Using software without security can be as risky as walking a high wire without a safety net.
  • 4. Introduction to Software Security
    - Software security is the practice of protecting applications from unauthorized access, modification, and destruction.
    - It ensures confidentiality, integrity, and availability through security measures.
    - With growing technological reliance, cyber threats have significantly increased.
    - Consequences: Weak security can lead to data breaches, financial loss, and legal liabilities.
  • 5. 1.1. Introduction
    - Common Software Threats: Exploits targeting software vulnerabilities.
    - Shortcomings in the Development Process: Lack of secure practices makes software prone to attacks.
    - Introduced solutions include: secure software development practices; enhancing awareness among stakeholders; adopting security-focused tools and methodologies.
    - Target Audience: Executives (E), Project Managers (M), Technical Leaders (L).
  • 6. Focus Areas of Chapter 1
    1. Why Security is a Software Problem: Software as a key target for threats.
    2. Dimensions of Software Assurance: Importance of ensuring trust and reliability in software systems.
    3. Software Security: Strategies to protect software from threats.
  • 7. 1.2 The Problem: A Growing Threat
    - Cyberattacks are Increasing: The number and severity of cyberattacks are rising alarmingly. Software vulnerabilities are exploited by attackers to steal data, disrupt operations, and cause financial damage.
    - Software is Vulnerable: Software is often designed with security as an afterthought, leading to vulnerabilities that can be exploited by attackers. This has become a critical issue as our reliance on software continues to grow.
  • 8. The Problem: Increasing Exposure
    - Growing Internet Connectivity: Sensitive information is stored, processed, and transmitted via software-intensive systems connected to the Internet.
    - Vulnerable Systems: Financial transactions, personal identities, and critical data are exposed to unauthorized access. Risks increase with global connectivity and evolving cyber threats (e.g., terrorism, organized crime, cybercrime).
    - Challenges in Software Development: Lack of disciplined, controlled processes. Security vulnerabilities exploited by attackers.
  • 9. The Problem: Risks and Trends
    - Common Vulnerabilities: Coding bugs (e.g., buffer overflows). Design flaws (e.g., inconsistent error handling). Security defects are ubiquitous in software.
    - Growing Threats: Increasing number and sophistication of attacks (CERT vulnerability reports rising). Extensible systems add risks with new features and interfaces. Larger, more complex software systems lead to more bugs and vulnerabilities.
    - Call to Action: Integrate secure coding practices, vulnerability testing, and penetration testing into the SDLC. Develop a disciplined approach to software security.
  • 10. 1.2.2 System Complexity: The Context for Software
    Evolving Nature of Software Systems
    - Software systems no longer operate as isolated pieces but as part of integrated environments.
    - New components must merge with existing legacy systems, creating vulnerabilities in systems of systems.
    - Expanding system scope and scale requires a shift in traditional development assumptions.
    Key Challenges in Modern Software Development
    - Transition from centralized control to multiple, independent control points.
    - Integration complexities hinder the ability to implement wide-scale changes quickly.
    - Heterogeneous components and inconsistent security policies across systems.
  • 11. 1.2.2 System Complexity: Addressing Complexity in Software Systems
    Considerations for Project Managers
    - Maintaining Security During Upgrades: Ensure operational capability and security while upgrading or adding new services.
    - Managing System Heterogeneity: Address mismatches among components and inconsistencies in security policies.
    The Reality of Failures
    - Failures are more common due to mismatches and errors in independently managed systems.
    - No established methods exist for ensuring specified levels of security in complex systems.
  • 12. Software Assurance focuses on building and maintaining trustworthy, reliable, and secure software systems capable of operating effectively in today's complex, interconnected, and threat-prone environments. Software Assurance refers to the level of confidence that software is free from vulnerabilities (intentional or accidental) and operates reliably and securely as intended. It is a systematic approach to ensure that software meets its functional, performance, and security requirements throughout its lifecycle.
  • 13. Software Assurance and Software Security
    1. A Holistic Approach: Software assurance is a comprehensive approach that ensures the quality and security of software throughout its entire lifecycle.
    2. Security as a Foundation: Software security focuses on building security into software from the initial design phase to ensure that applications are secure and resilient.
  • 14. Terminology
    - Error: A problem in the code leads to errors. A mistake can occur because of a developer's coding error, because the developer misunderstood the requirement, or because the requirement was not defined correctly. Developers use the term error.
    - Defect: Defects are implementation and design weaknesses. An application that is not working as per the requirement is said to have a defect.
    - Bug: Bugs are implementation-level errors that can be detected and removed. Example: buffer overflow. A bug is the informal name for a defect, meaning that the software or application is not working as per the requirement. A coding error that leads a program to break down is known as a bug. Test engineers use the term bug.
  • 15. Terminology
    - Fault: A fault may occur in software because code for fault tolerance has not been added, making the application act up. A fault may happen in a program for the following reasons: lack of resources; an invalid step; inappropriate data definition.
  • 16. Terminology
    - Risk: Risks capture the probability that a flaw or a bug will impact the purpose of the software. Risk = probability x impact.
    - Flaw: Flaws are problems at a deeper level. They are instantiated in the code and present or absent at the design level. Example: error-handling problems.
    - Failure: Failures are the inability of the software to perform its required function. Many defects lead to the software's failure; if an end user detects an issue in the product, that particular issue is called a failure.
  • 17. Importance of Software Assurance and Security
    - Critical Role of Software: Software now ensures dependability, not just productivity. Trustworthy software operates even under threats.
    - Why Software Assurance Matters: Increased business/mission risks due to exploitable software. Software weaknesses are the weakest link in system success. Complexity and supply-chain risks amplify defenselessness.
    - Challenges in Software Security: Sophisticated and stealthy attacks. Unintended risks from reusing legacy software. Reluctance to invest in risk-appropriate security measures.
  • 18. Objectives and Scope of Software Assurance
    - Definition of Software Assurance: Confidence that software is free from exposure. Ensures intended functionality throughout the software life cycle.
    - Disciplines: Software Reliability (fault tolerance); Software Safety (prevents unintended harm); Software Security (resists, tolerates, and recovers from threats).
    - Goals of Software Security: Build robust, defect-free software. Ensure operation even under malicious attacks. Minimize exploitable weaknesses and damages.
  • 19. What Makes Software Secure: Core Properties of Secure Software
    - Predictable Execution: Functions as intended, even against malicious input.
    - Trustworthiness: Minimized exploitable exposures. Aim for no vulnerabilities if possible.
    - Conformance: Adheres to requirements, standards, and procedures.
    - Attack Resilience: Recovers from failures to maintain acceptable service levels. Full recovery to specified performance standards.
  • 20. Practical Security Considerations
    - Risk Management: Balance security goals with project cost and schedule.
    - Design Principles: Recognize legitimate inputs and known attack patterns. Reflect secure patterns in software design.
    - Resilience in Action: Software should withstand attacks, tolerate faults, and recover quickly. Ensure uninterrupted critical services post-attack.
  • 21. Threats to Software Security
    - Definition: A threat is often a person intending to do harm using malicious software agents.
    - Biggest Threats to Software Security: credential reuse attacks; man-in-the-middle attacks; phishing; DDoS attacks; cloud service attacks; supply chain attacks; ransomware attacks; new risks introduced by mobile devices; API threats.
    - Purpose: To consider the various stages in the software lifecycle where threats may occur and the importance of proactive security measures.
    - Categories of Threats: Threats During Development; Threats During Operation.
  • 22. Threats to Software Security
    - Malware: Malicious software designed to disrupt computer operations, steal data, or gain unauthorized access to systems.
    - Phishing: Deceptive attempts to acquire sensitive information, such as usernames, passwords, and credit card details, through fraudulent emails, messages, or websites.
    - Denial-of-Service Attacks: Intentional efforts to make a computer or network unavailable to legitimate users, usually by overwhelming the target with a flood of requests.
  • 23. Threats During Development
    - Source: Insider threats.
    - Examples of Threats: Sabotage of requirements specifications. Modifications in threat models, design documents, source code, test cases and results, and installation and configuration tools.
    - Countermeasures: Implement secure development practices. Refer to Insider Threats in the SDLC (Cappelli 2006).
  • 24. An insider threat in cybersecurity refers to an individual using their authorized access to an organization's data and resources to harm the company's equipment, information, networks, and systems. It includes corruption, espionage, degradation of resources, sabotage, terrorism, and unauthorized information disclosure. It can also be a starting point for cyber criminals to launch malware or ransomware attacks.
  • 25. Threats During Operation
    - Sources: Insider and external threats.
    - Key Issues: Exposure through unpatched vulnerabilities. Exploitation of flaws for memory corruption, remote code execution, and buffer overflows. Installation of spyware, adware, and malware.
    - Vulnerable Components: Interfaces, protocols, design features, development faults.
  • 26. Examples of Vulnerable Software: Web applications; browser and server components; Web services; database management systems; operating systems.
  • 27. Shortcomings and Changing Risks
    Challenges in Addressing Software Threats
    - Reliance on Operational Controls: Security is dependent on OS, network, and server protections. Application-level vulnerabilities are often unaddressed.
    - Asymmetric Risk: Defenders must anticipate all vulnerabilities; attackers need only one exploit.
    The Evolving Threat Landscape
    - Public exploit scripts make attackers' jobs easier.
    - Experienced attackers create sophisticated, targeted attacks.
  • 28. Sources of Software Insecurity
    - Coding Errors: Oversights or mistakes in software code can introduce vulnerabilities that attackers can exploit.
    - Weak Security Controls: Insufficient or poorly implemented security controls, such as weak passwords or inadequate authentication mechanisms, can compromise software security.
    - Network Vulnerabilities: Weaknesses in network infrastructure or configurations can expose software to attacks, allowing unauthorized access to systems.
  • 29. Sources of Software Insecurity
    - Lack of awareness of security and security standards.
    - Security requirements not defined or unclear.
    - Not enough communication between product and development teams.
    - Design errors that introduce security loopholes.
    - Bad programming practices or coding issues.
    - Missing security test plans/use cases.
    - Complexities, inadequacies, and/or software processing model changes.
  • 30. Sources of Software Insecurity
    - Incorrect assumptions by the engineer, including beliefs about the capabilities, outputs, and behavior of a state of the software's execution environment or expected inputs from external entities (users, software processes).
    - Flawed specification or design, or defective implementation, of:
      - the software's interfaces with external entities (development mistakes of this type include inadequate or non-existent input validation, error handling, and exception handling);
      - the components of the software's execution environment (from middleware-level and operating-system-level to firmware and hardware-level components);
      - unintended interactions between software components, including those provided by a third party.
  • 31. Benefits of Detecting Software Security
    1. Reduced Risk: Proactive security measures help mitigate the risk of cyberattacks, data breaches, and reputational damage.
    2. Improved Customer Trust: Secure software instills confidence in customers, as they are assured that their data and privacy are protected.
    3. Enhanced Compliance: Secure software helps organizations comply with industry regulations and legal requirements related to data protection and security.
  • 32. Benefits of Detecting Software Security
    1. Cost Benefits of Early Detection: Addressing defects early in the SDLC reduces costs significantly. Defect correction during the requirements/design phases is 50 to 200 times cheaper than post-production [Boehm 1988].
    2. ROI in Reducing Defects: Studies show proactive defect reduction improves quality and ROI [Goldenson 2003]. $1 spent during the design phase saves $60 to $100 post-release [Soo Hoo 2001].
    3. Impact on Development Speed: Higher-quality products have shorter schedules [Jones 1991]. Defect prevention and early correction improve development speed.
    4. Error-Prone Modules: Modules with high defect rates cost $2000 to $4000 per function point compared to $500 to $1000 for normal modules [Jones 1994]. Identifying and redesigning error-prone modules is critical for rapid development.
    [Figure: Relationship between defect rate and development time]
  • 33. Consequences of Skipping Early Defect Detection
    1. Increased Development Time: Poor quality often results in schedule overruns or project cancellations (~50%) [Jones 1994]. Excessive schedule pressure increases defect rates, leading to costly rework.
    2. Defects Persist and Escalate: 60% of defects typically exist by design time [Gilb 1988]. Postponing defect detection increases effort and costs exponentially.
    3. Quality and Project Success: Projects with lower defect rates achieve higher user satisfaction and shorter timelines. Early defect removal (95%+) ensures optimal schedules and reduced costs.
    4. Savings and Efficiency: Time spent on defect prevention reduces repair effort by 3 to 10x. Reworking defective code/design accounts for 40 to 50% of total development costs [Jones 1986b].
    [Figure: Cost of correcting defects by life-cycle phase]
  • 34. Risk Management Framework for Software Security
    Overview
    - A continuous Risk Management Framework (RMF) is crucial for addressing software security risks.
    - Focus on risks from SDLC outputs, insufficient processes, and personnel.
    Risk Management Framework Activities
    1. Identify Risks: Assess risks across SDLC phases.
    2. Analyze Risks: Evaluate likelihood and impact.
    3. Mitigate Risks: Develop strategies to reduce likelihood and impact.
    4. Monitor Risks: Continuously track risk status and effectiveness of mitigations.
    5. Report Progress: Measure and report on risk management activities.
    Benefits of RMF
    - Ensures iterative, high-level risk management integrated into the SDLC.
    - Supports governance and enhances decision-making for software security.
  • 36. RMF Activities
    1. Understand the business context: A key task of the analyst. Extract and describe business goals. Set priorities. Understand what risks to consider. Gather the artifacts. Conduct project research to set the scope.
    2. Identify the business and technical risks: Business risks impact business goals. Map technical risks to business goals. Develop a set of risk questionnaires. Interview the target project team. Analyze the research interview data. Evaluate software artifacts.
  • 37. RMF Activities
    3. Synthesize, prioritize, and rank the risks: Prioritize the risks based on the business goals. Risk metrics: risk likelihood; risk impact; number of risks emerging over time. What shall we do first given the current risk situation? What is the best allocation of resources?
    4. Define the risk mitigation strategy: Create a coherent strategy for mitigating the risks that takes into account cost, implementation time, likelihood of success, competence, and impact. Identify the validation techniques. Metrics are financial in nature.
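The ranking and resource-allocation questions on slides 16, 34 and 37 (Risk = probability x impact; "what shall we do first" and "what is the best allocation of resources") can be made concrete with a small risk register. The following is an added example, not part of the lecture: the risk entries, money figures and the budget-limited greedy selection are constructed for illustration, and the "exposure reduction per unit cost" ordering is an assumed way to operationalise the slide's cost and likelihood-of-success criteria, not a method the lecture prescribes.

```python
"""Rank RMF risks by exposure and pick mitigations under a budget.

Added example (not from the lecture). Risk = likelihood x impact follows
the slide; the budget-constrained selection is an assumed extension.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    business_goal: str          # business goal the technical risk maps to
    likelihood: float           # probability the risk materialises, 0..1
    impact: float               # loss if it does, in money units
    mitigation_cost: float      # cost to implement the mitigation
    mitigation_success: float   # probability the mitigation works, 0..1

    @property
    def exposure(self) -> float:
        """Risk = probability x impact (the lecture's formula)."""
        return self.likelihood * self.impact

    @property
    def expected_reduction(self) -> float:
        """Exposure removed if the mitigation is applied and succeeds."""
        return self.exposure * self.mitigation_success


def rank_risks(risks):
    """Synthesize and rank: highest exposure first, ties broken by name."""
    return sorted(risks, key=lambda r: (-r.exposure, r.name))


def plan_mitigations(risks, budget):
    """Greedy allocation: take mitigations with the best exposure reduction
    per unit cost while they fit in the budget.
    Returns (chosen risks, residual exposure after the chosen mitigations)."""
    remaining = budget
    chosen = []
    by_value = sorted(
        risks, key=lambda r: -(r.expected_reduction / r.mitigation_cost))
    for r in by_value:
        if r.mitigation_cost <= remaining:
            chosen.append(r)
            remaining -= r.mitigation_cost
    residual = (sum(r.exposure for r in risks)
                - sum(r.expected_reduction for r in chosen))
    return chosen, residual


# Constructed sample register; the figures are illustrative only.
SAMPLE_RISKS = [
    Risk("SQL injection in search API", "customer data confidentiality",
         0.4, 500_000, 20_000, 0.9),
    Risk("Unauthenticated admin endpoint", "service availability",
         0.2, 800_000, 5_000, 0.95),
    Risk("Outdated TLS library", "regulatory compliance",
         0.1, 200_000, 15_000, 0.8),
    Risk("Verbose stack traces to users", "customer data confidentiality",
         0.6, 20_000, 1_000, 0.99),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.exposure:>10,.0f}  {r.name}  ->  {r.business_goal}")
    chosen, residual = plan_mitigations(SAMPLE_RISKS, budget=25_000)
    print("Mitigate first:", [r.name for r in chosen])
    print(f"Residual exposure: {residual:,.0f}")
```

Note that the exposure ranking and the mitigation order differ: the SQL injection risk has the largest exposure, but with a 25,000 budget the greedy plan takes the cheap, highly effective fixes first and the expensive one does not fit, which is exactly the trade-off between impact, cost and likelihood of success that slide 37 asks the analyst to make explicit.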
  • 38. preencoded.png RMF Activities Carry out fixes and validate that they are correct Implement the mitigation strategy. The artifacts should be rectified. Progress is measured in terms of completeness against mitigation strategy. Use validation techniques to validate that artifacts no longer bear unacceptable risk. Metrics include artifact quality metrics and levels of risk mitigation effectiveness. 5
  • 39. preencoded.png 1. Code review 2. Architectural risk analysis 3. Penetration testing 4. Risk-based security testing 5. Abuse cases 6. Security requirements 7. Security operations Software Security Practices in the Development Life Cycle Seven Touchpoints Security touchpoints are set of security best practices.
  • 40. preencoded.png Seven Touch points(I) 1. Code Reviews. O Artifact: Code. O Example of risks found: Buffer overflow on line 30. 2. Architectural Risk Analysis. O Artifact: Design and specifications. O Example of risks found: Failure of a Web Service to authenticate calling code. 3. Penetration Testing. O Artifact: System in its environment. O Example of risks found: Poor handling of program state in the Web interface.
  • 41. preencoded.png Seven Touchpoints(II) 4. Risk-Based Security Testing O Artifact: Units and system. O Example of risks found: Extent of data leakage possible potentially. 5. Abuse cases O Artifact: Requirements and use cases. O An example of risks found is the susceptibility to well-known tampering attacks. 6. Security Requirements O Artifact: Requirements. O Example of risks found: An explicit description of data protection needs is missing. 7. Security Operations O Artifact: Filesystem. O Example of risks found: Insufficient logging to prosecute a known attacker.
  • 42. preencoded.png Core Properties of Secure Software Several fundamental properties may be seen as attributes of security as a software property Confidentiality Protecting sensitive information from unauthorized access and disclosure. Integrity Ensuring that data remains accurate and unchanged, preventing tampering or corruption. Availability Guaranteeing that software and services are accessible to authorized users when needed.
  • 43. preencoded.png Core Properties of Secure Software Software Two additional properties commonly associated with human users are required in software entities that act as users (e.g., proxy agents, Web services, peer processes): Accountability All security-relevant actions of the software as a user must be recorded and Tracked with attribution of responsibility. Non-repudiation: The Ability to prevent software as user from disapproving or denying responsibility for actions it has performed. 4 5
  • 45. preencoded.png Influencing the Security Properties of Software 1 Dependability: 2 Correctness: The system behaves according to its specifications and requirements. The correct system produces the expected results under normal and exceptional conditions. 3 Predictability The ability to anticipate and understand how a system will behave in different situations. A predictable system follows consistent patterns, making it easier for users and administrators to understand its behavior. Ensures that software always operates as intended, refers to the overall reliability and availability of a software system. Can be trusted to deliver consistent and reliable performance, even in the face of disruptions or failures.
  • 46. preencoded.png Influencing the Security Properties of Software 4 Reliability: 5 Safety: Safety in the context of software refers to the ability of a system to operate without causing harm or damage to users, other systems, or the environment. ability of a system to consistently perform its functions without failures. A reliable system minimizes downtime and operates as expected under various conditions.
  • 47. preencoded.png Influencing the Security Properties of Software Key Challenges: Understanding security properties is crucial. Requires balancing defensive security and attacker mindset Two Perspectives: 1. Defender Approach: Build security into software. Minimize weaknesses and enhance resistance. 2. Attacker Approach: Identify potential threats. Analyze openness and high-risk areas.
  • 48. Effective Security Implementation. Key strategies: Use security knowledge resources: prescriptive (guidelines and standards), diagnostic (security tools and testing), and historical (past threats and lessons learned). Integrate security best practices throughout the SDLC. Apply risk-driven security measures for effective protection.
  • 49. Enhancing Software Security Properties / Implementing Secure Software Practices. 1. Security by Design: Early integration: consider security in the design phase. Threat modeling: analyze risks and identify attack vectors. 2. Secure Coding Practices: Adherence to standards: follow secure coding guidelines to prevent weaknesses. Code reviews: conduct peer reviews to identify security flaws. 3. Authentication and Authorization: Strong authentication: implement MFA for secure user verification. Authorization controls: enforce least-privilege access.
  • 50. Enhancing Software Security Properties / Implementing Secure Software Practices. 4. Secure Communication: Encryption: use TLS/SSL to protect data in transit. Secure socket layers: ensure safe communication between components. 5. Input Validation and Sanitization: Validate inputs: prevent SQL injection, XSS, and other attacks. Output encoding: avoid code execution from untrusted data. 6. Key takeaway: Integrate security at every phase to build robust and resilient software!
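  To make practices 2, 3 and 5 of slides 49 and 50 concrete, here is an added Python example (not code from the slides) that puts a SQL lookup built by string concatenation next to its parameterized form, encodes untrusted data before it is placed in HTML, and enforces a least-privilege role check on top of the safe lookup. The in-memory SQLite table, the user names and the role-to-permission map are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data: two users with different roles.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Weak form: untrusted input is spliced into the SQL text, so the
    # database parses it as part of the query.  Kept only for contrast.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the driver binds the value as data; it is never
    # interpreted as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name: str) -> str:
    # Output encoding: escape before inserting untrusted data into HTML
    # so that markup in the value is displayed, not executed.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Least privilege: each role gets only the actions it needs (constructed map).
ROLE_PERMISSIONS = {
    "user": {"read"},
    "admin": {"read", "write", "delete"},
}


def authorize(conn: sqlite3.Connection, name: str, action: str) -> bool:
    # Default deny: unknown users and unknown roles get nothing.
    rows = lookup_safe(conn, name)
    if not rows:
        return False
    role = rows[0][1]
    return action in ROLE_PERMISSIONS.get(role, set())


if __name__ == "__main__":
    conn = make_db()
    print(render_greeting("<b>bob</b>"))
    print("bob may delete:", authorize(conn, "bob", "delete"))
```

Running the two lookups with the same crafted name shows the difference the slide is pointing at: the concatenated query returns every row, while the parameterized one returns none because the value simply does not match any user name.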
  • 51. Asserting and Specifying Desired Security Properties. 1. Security Requirements. 2. Threat Modeling: Identifying potential threats and vulnerabilities that could impact the software. 3. Security Policies and Standards: Establishing clear guidelines and principles for secure software development and operations.
  • 52. How to Assert and Specify Desired Security Properties. Understanding security properties: Identifying and describing security properties defines the software's security profile and establishes a common language and objectives for building secure software. Influencing security properties: Implementing mechanisms to strengthen security assurance; taking action to ensure the software is resistant to vulnerabilities. Need for security assertions: They help in planning, communicating, and ensuring compliance, and they provide a foundation for security assurance. Role of assurance cases: Artifacts used to document and manage security assertions; they serve as a reference for validating security measures throughout the SDLC.
  • 53. Purpose of security properties: Define clear and unambiguous security expectations; serve as criteria for evaluating system security. Key steps to assert security properties: Define security requirements; identify threats and risks; map security properties to functional requirements. Formalizing security assertions: Use formal methods and specifications; leverage security standards and frameworks; document security policies and define acceptance criteria. Ensuring compliance and validation: Express security properties in requirement documents; incorporate security testing requirements; involve stakeholders in security planning.
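  Slides 52 and 53 ask for security properties to be stated unambiguously, mapped to functional requirements and turned into acceptance criteria that can be tested. The added Python below (not from the slides) shows one way to do that: two security assertions, labelled with requirement identifiers, are written as checks over an application's route table, so the property is verified automatically every time the routes change. The route manifest, the requirement ids SR-1 and SR-2, and the public allowlist are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed route manifest; a real project would derive this from its
# router and access-control configuration.
@dataclass(frozen=True)
class Route:
    path: str
    methods: FrozenSet[str]
    auth_required: bool
    roles: FrozenSet[str]  # allowed roles; empty = any authenticated user


# Endpoints that the security policy explicitly allows to be unauthenticated.
PUBLIC_ROUTES = {"/login", "/health"}

# HTTP methods that change state and therefore need a role restriction.
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

ROUTES: List[Route] = [
    Route("/login", frozenset({"POST"}), False, frozenset()),
    Route("/health", frozenset({"GET"}), False, frozenset()),
    Route("/records", frozenset({"GET"}), True, frozenset()),
    Route("/records", frozenset({"DELETE"}), True, frozenset({"admin"})),
    Route("/admin/users", frozenset({"GET", "POST"}), True, frozenset({"admin"})),
]


def _label(r: Route) -> str:
    return f"{r.path} {sorted(r.methods)}"


def check_auth_required(routes: List[Route]) -> List[str]:
    """SR-1: every route outside the public allowlist requires authentication."""
    return [_label(r) for r in routes
            if not r.auth_required and r.path not in PUBLIC_ROUTES]


def check_privileged_mutation(routes: List[Route]) -> List[str]:
    """SR-2: state-changing methods outside the allowlist are role-restricted."""
    return [_label(r) for r in routes
            if r.path not in PUBLIC_ROUTES
            and (r.methods & MUTATING)
            and not r.roles]


def evaluate(routes: List[Route]) -> Dict[str, List[str]]:
    """Acceptance criterion: every assertion returns an empty violation list."""
    return {
        "SR-1": check_auth_required(routes),
        "SR-2": check_privileged_mutation(routes),
    }


if __name__ == "__main__":
    for req_id, violations in evaluate(ROUTES).items():
        print(req_id, "PASS" if not violations else f"FAIL: {violations}")
```

Each check carries the requirement it realizes in its docstring, which is the mapping from security property to functional requirement the slide calls for, and the empty-list acceptance criterion is what a CI pipeline would enforce.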