Secure Programming Techniques

Similar documents
David Rook. Agnitio Security code review swiss army knife. Hack in Paris, Paris

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

CSWAE Certified Secure Web Application Engineer

CMSC 414 Computer and Network Security

Engineering Your Software For Attack

Secure Coding, some simple steps help. OWASP EU Tour 2013

Certified Secure Web Application Engineer

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Ethical Hacking and Prevention

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Web Application Threats and Remediation. Terry Labach, IST Security Team

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Large Scale Generation of Complex and Faulty PHP Test Cases

Software Security and CISQ. Dr. Bill Curtis Executive Director

Your Turn to Hack the OWASP Top 10!

19.1. Security must consider external environment of the system, and protect it from:

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Applications Security

C and C++ Secure Coding 4-day course. Syllabus

RiskSense Attack Surface Validation for Web Applications

6-Points Strategy to Get Your Application in Security Shape

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

CS 356 Software Security. Fall 2013

Wrapup. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

OWASP Top 10 The Ten Most Critical Web Application Security Risks


Advanced Systems Security: Ordinary Operating Systems

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Application security : going quicker

McAfee Certified Assessment Specialist Network

Web Application Penetration Testing

Web Application Security. Philippe Bogaerts

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Securing Web Applications. Architecture Alternatives. Web Application Security Roadmap. Defense in Depth. Defense in Depth

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Secure coding practices

Hacking by Numbers OWASP. The OWASP Foundation

Exam Questions MA0-150

90% of data breaches are caused by software vulnerabilities.

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Improving Software Assurance 1

Secure Programming. Course material Introduction. 3 Course material. 4 Contents

Secure Programming. Introduction. Ahmet Burak Can Hacettepe University

Web Attacks CMSC 414. September 25 & 27, 2017

Development*Process*for*Secure* So2ware

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Software Security problems. Erik Poll. Digital Security group Radboud University Nijmegen

Curso: Ethical Hacking and Countermeasures

Certified Secure Web Application Security Test Checklist

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Developing Secure Systems. Associate Professor

RBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Security Solutions. Overview. Business Needs

Exam4Free. Free valid exam questions and answers for certification exam prep

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

CoreMax Consulting s Cyber Security Roadmap

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

1 About Web Security. What is application security? So what can happen? see [?]

Introduction to Security and User Authentication

Hands-On Hacking Course Syllabus

Application Security Approach

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

Solutions Business Manager Web Application Security Assessment

Secure Development Processes

Web Application Vulnerabilities: OWASP Top 10 Revisited

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

Finding Architectural Flaws in Android Apps Is Easy

Introductions. Jack Katie

Last time. Security Policies and Models. Trusted Operating System Design. Bell La-Padula and Biba Security Models Information Flow Control

Outline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines

Five Nightmares for a Telecom

OWASP TOP 10. By: Ilia

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

CPET 499/ITC 250 Web Systems Chapter 16 Security. Topics

IS-2150/TEL-2810 Introduction to Computer Security Quiz 2 Thursday, Dec 14, 2006

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

COMP9321 Web Application Engineering

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Andrew van der Stock OWASP Foundation

Application. Security. on line training. Academy. by Appsec Labs

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Some recent security news

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Operating System Security, Continued CS 136 Computer Security Peter Reiher January 29, 2008

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Transcription:

Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014

Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP Shell scripts Java MEELIS ROOS 2

Literature OWASP (Open Web Application Security Project) documents Secure Programming for Linux and Unix HOWTO Creating Secure Software Secure coding: principles and practices, Mark Graff, Kenneth R. Van Wyk, O Reilly 2003 Secure Programming with Static Analysis, Brian Chess, Jacob West, Addison-Wesley Professional, 2007 SecureProgramming.com MEELIS ROOS 3

Homework Several homeworks Find the bugs and report MEELIS ROOS 4

Introduction Scope of this course Why programs are insecure Security requirements General principles MEELIS ROOS 5

Scope of this course Learn about secure coding practices in popular and widely used languages and environments Not about exploitation of vulnerabilities only enough to see why the problems are relevant Not about designing the architecture of secure systems there s a different course for that Practical project is under different course code (MTAT.07.016, http://courses.cs.ut.ee/2014/secprog-proj/) Some lab excercises (you will need a laptop) Some Unix and Windows system programming background is also included MEELIS ROOS 6

Dates and times Question: suitable dates for exams in June? Another question: secure programming techniques project time? MEELIS ROOS 7

Why are programs insecure? Economic reasons consumers do not select products based on real security So implementing real security is unnecessary for selling Security measures affect usabilty and waste users time so a real security feature might waste more time and money on global scale than possible losses from bad security Marketing: don t worry, be crappy! Let s go into production with it now and we can secure it later MEELIS ROOS 8

Why are programs insecure? Programmers are not taught enough Programmers are lazy Many programmers are lousy programmers Programmers are not security experts Security costs more (time, money) C/C++ are hard to write securely No thought is given to multi-user systems Insufficient security models Formal verification is rarely used Users don t care Lots of old software is in use MEELIS ROOS 9

Security requirements So, what exactly does secure mean? General security goals as usual: Confidentiality Integrity Availability We need more specific requirements to be usable in validating a program Example: as per Common Criteria (CC) MEELIS ROOS 10

CC Functionality Requirements Auditability Non-repudiation Cryptography support User data protection Identification and authentication Security management Privacy Protection of security functions Resource utilization Access Trusted path MEELIS ROOS 11

CC Assurance Measure Requirements Configuration management Delivery and operation Development Guidance documents Life-cycle support Tests Vulnerability Assessment Maintenance of assurance MEELIS ROOS 12

General principles Security must be desinged into the system from the beginning, not patched in later Security can be audited only relative to knowledge in specific point of time Enumerating badness does not work Paranoia is a virtue Many simple bugs can appear as vulnerabilities when the data to trigger it comes from another security domain (untrusted source) Complexity is your enemy MEELIS ROOS 13

Outline of next topics Security features Open Source software and security Disclosure of vulnerabilities Top vulnerability classes MEELIS ROOS 14

Security features Security features secure features Reliable software does what it is supposed to do Secure software does what it is supposed to do, and nothing else MEELIS ROOS 15

Is Open Source good for security? More reviewers more errors are found And fixed? What makes people review the code? Closed source programs can also have stringent review procedures Possibilty of checking the quality of code "No strcat comes though the door!" "Oh, the scientists again!" More incentives to making the code clean Open source by itself does not guarantee quality! Many open source projects never get beyond one-man stage MEELIS ROOS 16

Open Source and security Attacker has more information than with closed source He can reverse engineer anyway Attacker has less advantages over good guys Trojan horses where do they come from? Chance of fixing if vendor does not care or is dead Or pay someone to fix it Conclusion: open source has the potential of getting better over time MEELIS ROOS 17

Disclosure of vulnerabilities Prehistory: report or don t report, most vendors pretend nothing happened False sense of security Full disclosure Vendors need to start patching Finder gets fame Responsible disclosure Vendors are given some time to fix before disclosure Coordinating fixes Finder still gets fame "No more free bugs" Selling of vulnerabilities MEELIS ROOS 18

Top vulnerability classes (CWE 2011) 1. Improper Sanitization of Special Elements used in an SQL Command ( SQL Injection ) 2. Improper Sanitization of Special Elements used in an OS Command ( OS Command Injection ) 3. Buffer Copy without Checking Size of Input ( Buffer Overflow ) 4. Failure to Preserve Web Page Structure ( Cross-site Scripting ) 5. Missing Authentication for Critical Function 6. Missing Authorization 7. Use of Hard-coded Credentials 8. Missing Encryption of Sensitive Data MEELIS ROOS 19

Top vulnerability classes (CWE 2011) 9. Unrestricted Upload of File with Dangerous Type 10. Reliance on Untrusted Inputs in a Security Decision 11. Execution with Unnecessary Privileges 12. Cross-Site Request Forgery (CSRF) 13. Improper Limitation of a Pathname to a Restricted Directory ( Path Traversal ) 14. Download of Code Without Integrity Check 15. Improper Access Control (Authorization) 16. Inclusion of Functionality from Untrusted Control Sphere 17. Incorrect Permission Assignment for Critical Resource MEELIS ROOS 20

Top vulnerability classes (CWE 2011) 18. Use of Potentially Dangerous Function 19. Use of a Broken or Risky Cryptographic Algorithm 20. Incorrect Calculation of Buffer Size 21. Improper Restriction of Excessive Authentication Attempts 22. URL Redirection to Untrusted Site ( Open Redirect ) 23. Uncontrolled Format String 24. Integer Overflow or Wraparound 25. Use of a One-Way Hash without a Salt MEELIS ROOS 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback