
Building Secure Software (tutorial)

36 pages

Exploiting Software: How to Break Code
Gary McGraw, Ph.D., CTO, Cigital
http://www.cigital.com
© 2004 Cigital
Pop quiz
What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, personal computers, public key infrastructure systems, and firewalls have in common?
Software
So what’s the problem?
Commercial security is reactive
- Defend the perimeter with a firewall
  - To keep stuff out
- Over-rely on crypto
  - “We use SSL”
- “Review” products when they’re done
  - Why your code is bad
- Promulgate “penetrate and patch”
- Disallow advanced technologies
  - Extensible systems (Java and .NET) are dangerous

The “ops guy with keys” does not really understand software development.
Builders versus operators
- Most security people are operations people
  - Network administrators
  - Firewall rules manipulators
  - COTS products glommers
  - These people need training
- Most builders are not security people
  - Software development remains a black art
  - How well are we doing teaching students to engineer code?
  - Emergent properties like security are hard for builders to grok
  - These people need academic education

Security means different things to different people.
Making software behave is hard
- Can you test in quality?
- How do you find (adaptive) bugs in code?
- What about bad guys doing evil on purpose?
- What’s the difference between security testing and functional testing?
- How can you teach security design?
- How can you codify non-functional, emergent requirements like security?
- Can you measure security?
The Trinity of Trouble
- Connectivity
  - The Internet is everywhere and most software is on it
- Complexity
  - Networked, distributed, mobile code is hard
- Extensibility
  - Systems evolve in unexpected ways and are changed on the fly

“The network is the computer.”
Software complexity growth
[Chart: Windows complexity, lines of code (y axis 0 to 45, in millions) by release: Win 3.1 (1990), Win NT (1995), Win 95 (1997), NT 4.0 (1998), Win 98 (1999), NT 5.0 (2000), Win 2K (2001), Win XP (2002)]

Software vulnerability growth
[Chart: normalized (and slightly shifted) data from Geer, same period]
Science please
- Basic understanding of complexity and its impact on security problems is sorely needed
  - Do the LOC and vulnerability graphs really correlate?
- What are software security problems really like?
  - How common are basic categories?
  - How can we teach students something that now takes years of fieldwork to merely intuitively grasp?
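The question “Do the LOC and vulnerability graphs really correlate?” deserves a concrete check before anyone draws a conclusion from two rising curves. The following added example is not part of McGraw’s slides, and the two series in it are constructed for illustration: they are neither Geer’s data nor the values behind the charts above. It shows why a correlation between two series that both grow over time is weak evidence on its own: correlating the year-over-year changes instead of the levels removes the shared time trend, and the coefficient drops substantially.

```python
"""Added example (not from the slides): is a correlation between code size
and vulnerability counts meaningful, or just two series growing with time?

The series below are constructed for illustration. They are not Geer's data
and not the values plotted on the slide charts.
"""
from math import sqrt

# One point per Windows release year shown on the complexity chart (constructed).
YEARS = [1990, 1995, 1997, 1998, 1999, 2000, 2001, 2002]
# Constructed code size in millions of lines of code.
MLOC = [3, 4, 15, 16, 18, 20, 35, 40]
# Constructed vulnerability counts reported per year.
VULNS = [20, 60, 150, 250, 420, 800, 1500, 2100]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length numeric sequences."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        # A constant series has zero variance; correlation is undefined.
        raise ValueError("a constant series has no defined correlation")
    return sxy / sqrt(sxx * syy)


def first_differences(xs):
    """Year-over-year changes; removes a shared monotone trend from a series."""
    return [b - a for a, b in zip(xs, xs[1:])]


def correlation_report(mloc, vulns):
    """Correlation of the raw levels versus correlation of the changes.

    If the 'levels' figure is high but the 'changes' figure is much lower,
    most of the apparent relationship is the common upward trend, not a
    link between code growth and vulnerability growth in any given year.
    """
    return {
        "levels": pearson(mloc, vulns),
        "changes": pearson(first_differences(mloc), first_differences(vulns)),
    }


if __name__ == "__main__":
    report = correlation_report(MLOC, VULNS)
    for name, r in report.items():
        print(f"correlation of {name}: {r:.2f}")
```

With the constructed series the correlation of the levels is above 0.9 while the correlation of the changes is around 0.5; the same check on real size and vulnerability data is the minimum before claiming that complexity drives vulnerability counts, and it still says nothing about causation.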