36 pages

English

Building Secure Software (tutorial)

Octey - Gem

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

36 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Exploiting Software:How to Break CodeGary McGraw, Ph.D.CTO, Cigitalhttp://www.cigital.com© 2004 Cigital„Pop quizWhat do wireless devices, cell phones, PDAs, browsers, operating systems, servers, personal computers, public key infrastructure systems, and firewalls have in common?Software© 2004 Cigital So what’s the problem?© 2004 Cigital„„„„„„„„„Commercial security is reactiveDefend the perimeter with a firewallTo keep stuff outOver-rely on crypto“We use SSL”“Review” products when they’re doneWhy your code is badPromulgate “penetrate and patch”The “ops guy with keys” does Disallow advanced not really understand software technologiesdevelopment.Extensible systems (Java and .NET) are dangerous© 2004 Cigital „„„„„„„„„„Builders versus operatorsMost security people are Most builders are not operations people security peopleNetwork administrators Software development remains a black artFirewall rules manipulators How well are we doing teaching students to COTS products engineer code?glommersEmergent properties like These people need security are hard for trainingbuilders to grokThese people need Security means different academic educationthings to different people© 2004 Cigital „„„„„„„Making software behave is hardCan you test in quality?How do you find (adaptive) bugs in code?What about bad guys doing evil on purpose?What’s the difference between security testing and functional testing?How ...

Informations

Publié par	Octey
Nombre de lectures	19
Langue	English

Extrait

Exploiting Software: How to Break Code

Gary McGraw, Ph.D. CTO, Cigital

http://www.cigital.com

Pop quiz

What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, personal computers, public key infrastructure systems, and firewalls have in common?

Software

So what’s the problem?

Commercial security is reactive

Defend the perimeter with a firewall To keep stuff out Over-rely on crypto “We use SSL “Review products when they’re done Why your code is bad Promulgate “penetrate and patch Disallow advanced technologies Extensible systems (Java and .NET) are dangerous

The “ops guy with keys does not really understand software development.

Most security people are operations people Network administrators Firewall rules manipulators COTS products glommers These people need training

Security means different things to different people

Builders versus operators

Most builders are not security people Software development remains a black art How well are we doing teaching students to engineer code? Emergent properties like security are hard for builders to grok These people need academic education

Making software behave is hard

Can you test in quality? How do you find (adaptive) bugs in code? What about bad guys doing evil on purpose?

What’s the difference between security testing and functional testing? How can you teach security design? How can you codify non-functional, emergent requirements like security? Can you measure security?

The network is the computer.

The Trinity of Trouble

Thiiss stih.NET

ivitytCoecnn The Internet is everywhere and most software is on it Complexity Networked, distributed, mobile code is hard ybisntilietxE Systems evolve in unexpected ways and are changed on the fly

edrarty icurien hs evs foingn eeswtraitig C04aitt Aal02 ©

45 40 35 30 25 20 15 10 5 0

Win 3.1 (1990)

Software complexity growth

Windows Complexity

WinWin 95NT 4.0Win 98NT 5.0WinXP NT (1997) (1998) (1999) (2000) 2K (2002) (1995) (2001)

Software vulnerability growth

Normalized (and slightly shifted) data from Geer

Science please

Basic understanding of complexity and its impact on security problems is sorely needed Do the LOC and vulnerability graphs really correlate?

What are software security problems really like? How common are basic categories? How can we teach students something that now takes years of fieldwork to merely intuitively grasp?