Secure Programming Overview

AmazedPrime

30 Questions

What is the main purpose of understanding how a system is likely to fail?

To build a strong system

What is the main goal of Secure Programming?

To prevent many cyber-attacks from happening

What is cyberwarfare?

The use of technology to attack a nation

Why are hacking tools easily accessible?

Because they are free or available as shareware

What is the main advantage of Open Source software?

The freedom to study how the program works and adapt it to your needs

Why do financial institutions market their secure network to potential customers?

To attract more customers

What is a major challenge in securing networks today?

The complexity of networks

Which industry has strict regulations for data protection?

Healthcare

What is the primary reason why managers downplay vulnerabilities in their organization?

Lack of knowledge about the network

What is the main goal of penetration testing?

To reduce risk to acceptable levels

What is Physical Security concerned with?

Protecting personnel, critical assets, and systems

What does the CIA Triad represent?

Confidentiality, Integrity, and Availability

What is the purpose of a cost-risk analysis?

To compare the cost of protecting data to the risk of losing or compromising it

What is the term for attacks against confidentiality, integrity, or availability?

D.A.D. attacks

What is the purpose of a password policy?

To implement complex passwords

What is the term for the acceptable level of risk determined by management?

Residual risk

What is the primary concern of confidentiality in terms of data?

Ensuring data is accessible only to authorized personnel

What is the purpose of a hash function in message integrity?

To detect unauthorized data modification

What is the primary goal of authentication?

To verify the identity of a user or system

What is the term for preventing unauthorized access to data during transmission?

Confidentiality

What is the primary concern of non-repudiation?

Ensuring sender authenticity

What is the term for holding individuals accountable for their actions on a system?

Accountability

What is the primary goal of authentication mechanisms?

To confirm a user's identity

What is the term for an attack that prevents or impairs the authorized use of networks, systems, or applications?

Denial of Service (DoS)

What is the primary goal of accountability?

To determine who the attacker or principal is

What is the term for ensuring that a transaction cannot be denied by any of the parties involved?

Non-repudiation

What is the primary goal of authorization?

To check whether a user has permission to conduct an action

What is an example of 'something you are' in authentication?

Fingerprint

What is the primary goal of data/message integrity?

To ensure that data is not modified during transmission

What is the term for an attack that involves modifying data during transmission?

Man-in-the-middle attack

Study Notes

Assessing the Need for Secure Programming

  • Cyber-attacks can be prevented by using secure programming
  • Examples of cyber-attacks include data breaches, hacks, and cyber warfare
  • Cyber warfare is the use of technology to attack a nation, causing comparable harm to actual warfare

Open Source and Reliance on the Internet

  • Open source software provides freedom to:
    • Run the program for any purpose
    • Study how the program works and adapt it to your needs
    • Redistribute copies to help others
    • Improve the program and release improvements to the public
  • Access to the source code is a precondition for these freedoms
  • Reliance on the internet increases the need for secure programming

Industry Regulations and Complexity of Networks

  • Industry regulations include:
    • Healthcare
    • Department of Defense
    • Data Protection
    • Financial institutions
  • Complexity of networks today includes:
    • Diverse network technologies
    • Misconfigurations
    • Lack of knowledge about the network makes managers downplay vulnerabilities

Security

  • Security is holistic and consists of:
    • Physical security
    • Technological security
    • Operational security

Physical Security

  • Physical security measures protect personnel, critical assets, and systems against deliberate and accidental threats
  • Physical assets include:
    • Information assets

Technological Security

  • Application security includes:
    • Web browser
    • Web server
    • Database
  • OS security (host)
  • Network security

Operational Security

  • Policies include:
    • Password policy – complexity
    • Social engineering awareness
  • Standards include:
    • How policies should be implemented and enforced
  • Procedures include:
    • Step-by-step instructions on how to implement policies
  • Guidelines include:
    • Recommendations relating to a policy

Security Objectives - CIA Triad

  • Security is concerned with the protection of assets against threats
  • Threats relate to confidentiality, integrity, or availability (CIA)
  • Attacks against CIA are called Disclosure, Alteration, and Destruction (DAD) attacks
  • A target is said to be secure when the possibility of undetected theft or tampering is kept to an acceptable level

Security Goals

  • Authentication
  • Authorization
  • Confidentiality
  • Data/message integrity
  • Accountability
  • Availability
  • Non-repudiation

Authentication

  • Authentication mechanisms use any of four qualities to confirm a user's identity:
    • Something the user knows
    • Something the user has
    • Something the user is
    • Something the user can do
  • Multifactor authentication

Authorization

  • Authorization is the act of checking whether a user has permission to conduct some action
  • An access control list (ACL) is used by many operating systems to determine whether users are authorized to conduct different actions

Confidentiality

  • Confidentiality is the protection of assets from unauthorized access

Data/Message Integrity

  • Data/message integrity is the protection of assets from unauthorized modification or alteration

Availability

  • Availability is the protection of assets from unauthorized denial or destruction
  • A denial of service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources

Accountability

  • Accountability is the ability to determine who the attacker or principal is in the case that something goes wrong or an erroneous transaction is identified
  • Accountability helps to identify vulnerabilities, fix bugs, improve the application, and supports digital forensics

Non-Repudiation

  • Non-repudiation is the ability to ensure that a transaction cannot be denied by any of the parties involved

Learn about the importance of secure programming in preventing cyber-attacks. Understand the key security functions and objectives of information security.
