La lecture en ligne est gratuite
Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres
Télécharger Lire

Cours-Securité-Design and test3

De
58 pages
Software Security: Design and codeYves Le TraonTejeddine Mouelhi¾¾¾¾¾¾OverviewSecurity: definitions and “big picture” Example of security weakness: SQLIASecurity in the development processSecurity requirementsSecurity analysis and designSecurity test and validationƒ¾ƒ¾ƒ¾¾Security : general definitionProtecting information and information systems from unauthorizedaccess, use, disclosure, disruption, modification, or destruction. CIAConfidentiality• accessed, used, copied, or disclosed by persons who have been authorized to access, use, copy, or disclose the information Integrity• data can not be created, changed, or deleted without authorization Availability (and correctness) of• the information and the security controls (opposite of availability is denial of service - DOS) Confidentiality, possession or control, integrity, authenticity,availability, and utility. Ex of approach for confidentiality: Encryption/cryptographyƒƒ¾¾ƒVocabularyRisk managementRisk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm. A security mechanism is the implementation of a security requirement (e.g. access control rule) Securing a web applicationSecuring a web applicationLes couches ...
Voir plus Voir moins

Vous aimerez aussi

Software Security: Design and code
Yves Le Traon
Tejeddine Mouelhi
¾
¾
¾
¾
¾
¾
Overview
Security: definitions and big picture
Exampleofsecurityweakness:SQLIA
Security in the development process
Security requirements
Security analysis and design
Security test and validation
Security : general definition
¾Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
¾CIA ƒConfidentiality  accessed, used, copied, or disclosed by persons who have been authorized to access, use, copy, or disclose the information ƒIntegrity  data can not be created, changed, or deleted without authorization ƒAvailability (and correctness) of  the information and the security controls (opposite of availability is denial of service - DOS)
¾Confidentiality, possession or control, integrity, authenticity, availability, and utility.
¾Ex of approach for confidentiality: Encryption/cryptography
Vocabulary
¾Risk management ƒRiskis the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). ƒAneulvtylibirais a weakness that could be used to endanger or cause harm to an informational asset. ƒAthreatis anything (man made or act of nature) that has the potential to cause harm.
¾Asecurity mechanismis the implementation of asecurity requirement (e.g. access control rule)
Securing a web application
Securing a web application
-7-
Les couches de sécurité
Application
Système
Réseau
Mécanismes de sécurisation du code, la logique métier ...
Antivirus, anti-spyware, anti-malware ...
Cryptographie, pare feu, protocoles sécurisés, IDS ...
7/15
-8-
Security weakness : an example (SQLIA)
-9-
L'injection de code SQL (SQLIA)
˫
¾Caractéristiques ƒCause : Requêtes dynamiques utilisant les entrées de l'utilisateur non filtrées ƒ l'utilisateur et compilé dans laCode SQL injecté par requêtes SQL. ƒConséquences: modification, détournement des données voire suppression.
¾Exemple: ƒLa requête : select * from users where login = ' + varLogin + '; ƒL'utilisateur entre la valeur: ' or 1=1 ƒLa requête devient une tautologie: select * from users where login = '' or 1=1;
-10-
SQL Injection countermeasure
¾Input validation methods zMassage data to get valid data: zAdd a \ before all malicious characters zThe character will not be interpreted (- - becomes /--) zis not final (new unknown character may beBut, the list of malicious character used such as # which has been introduced to deal with dates) zReject illegal characters: delete all malicious characters (like ' or --) zSame problems with the previous approach zAccept only authorized characters zWill always work. zBut we will need to refuse to save in the DB names like (o'connor) and no words containing  or \ z=> Best method is to combine the last two approaches.
¾
SQLIA : Contre-mesures avancées
Plusieurs techniques avancées utilisant des mécanismes de sécurité indépendants de l'application ƒStatic vs. runtime analysis ƒMachine learning ƒSQL Rand
Un pour Un
Permettre à tous d'accéder à la lecture
Pour chaque accès à la bibliothèque, YouScribe donne un accès à une personne dans le besoin