Secure Software Fundamentals Week 03 Quiz

Questions and Answers

What is a crucial aspect of building secure software according to the discussed principles?

Only functional requirements are necessary to define security.

Security should not be considered in the design phase.

Security must be integrated from the beginning of the design process. (correct)

Implementing security features alone is sufficient.

What does the concept of 'tradeoffs' in software requirements imply?

All security measures should be implemented without considering performance.

There is no need to balance different security measures.

Developers should focus solely on performance over security.

There are compromises between performance and security features that need to be addressed. (correct)

Which of the following is NOT a component of software security as risk management?

Detection

Reaction

User Interface Design (correct)

Prevention

Why are basic security features like authentication alone considered inadequate?

Attackers can circumvent them if deeper security measures are lacking.

What is emphasized as a fundamental approach to software security?

Thinking like an attacker throughout the development process.

What does software security aim to achieve during the software development life cycle?

Avoiding security vulnerabilities

Which statement best reflects why there is an exponential increase in vulnerabilities in software systems?

Convenience often outweighs security measures

What does the CIA triad stand for in the context of software security principles?

Confidentiality, Integrity, Availability

What is a common misconception regarding the role of programmers in security?

They contribute to security vulnerabilities unknowingly

What is a frequent result of poor software quality concerning security?

Increased vulnerability to attacks

Why is circumventing security often easier than defeating it?

Developers often overlook simple exploits

What does the cost of inadequate software security typically involve?

Potential financial losses and reputational damage

Which term refers to data that is actively being processed in a computer's memory?

Data in Use

Which of the following is NOT a source of software vulnerabilities?

Version Control

What is a proactive control mechanism that detects flaws in software?

Auditing

Which type of software failure occurs due to a flaw deeply instantiated in the code?

Flaw

Which attack is commonly associated with inserting malicious code into a program during its execution?

Command Injection

What is one main reason cited for the high cost of poor software quality in the U.S.?

Rising Complexity of Software Projects

Which of the following is an example of a buffer overflow vulnerability?

Exceeding allocated memory space

What does the TIOBE Programming Community Index primarily measure?

Popularity of Programming Languages

Which of the following practices focuses on preventing vulnerabilities in software development?

Better Software Development

What is a common misinterpretation of the term 'Bug' in software development?

It signifies a deep level flaw

Study Notes

Course Information

• Course name: Secure Software Fundamentals
• Course code: CSC 1029

Objectives

• Identify common software vulnerabilities
• Identify what secure programming is and why it is needed
• Overview of security problems and introduce security terms and concepts
• Provide insight into why so many vulnerabilities are found in different programming languages
• Describe security principles, including the CIA triad

Agenda: Week 03

• Why Software Security
• Software Security & Risk Management
• What are we protecting
• Security Policy: CIA
• Security Trade-Offs
• Common Software Attacks
• Secure Software Mitigation Practices
• What is the cost
• Software Security Practices
• Terminology
• Programming language vulnerabilities
• TODO & Resources for Help

Why Secure Software

• Most software systems have flaws and bugs that attackers exploit
• New threats emerge frequently
• Convenience often trumps security measures
• Vulnerabilities in software systems are increasing exponentially
• Software security is everyone's job
• Programmers often repeat security-related mistakes

Software Security

• Engineering software to continue functioning correctly under malicious attack
• Avoiding security vulnerabilities by addressing security from the early stages of software development
• Security is a risk management

Software Requirements & Misconceptions

• Software developers often describe requirements in terms of system functionality when everything goes right
• The focus has been mainly on functionality
• Often assume the system won't be intentionally abused
• Some developers see security only as a set of features (e.g., implemented SSL, 128-bit encryption)
• Security features alone are insufficient; security must be built into the design from the beginning

Building Secure Software

• Developers need to explicitly define trade-offs between performance and functional security features in system requirements
• Obvious features (e.g., authentication, authorization) might not be sufficient to stop attackers
• Security approaches need to be deeply integrated into all layers of a software system
• Need to incorporate attacker thinking throughout the development process

Software Security = Risk Management

• Prevention (proactive measures to stop security breaches)
• Detection (proactive measures to detect breaches)
• Reaction (measures to recover assets, repair damage, and persecute/deter offenders)
• Multi-layer (in-depth) control (software systems with access control mechanisms should also include detection mechanisms)

What Are We Protecting?

• Data at rest (stored in media)
• Data in transit (transmitted between locations)
• Data in use (loaded into computer memory for processing)

Common Software Attacks

• Input Validation
• Buffer overflow
• Stack overflow
• Command injection
• SQL injection
• Dangling pointers
• Cross-site scripting
• Homogeneity (sourcing from open source or common vendors)
• Complexity (needlessly complicated code)
• Poor design (poor access control)
• Connectivity (increases attack paths)

Secure Software Mitigation Practices

• Review the Top 10 Secure Coding Practices (link provided)

What Is the Cost of Poor Software Quality in the U.S.?

• Cost of fixing defects at each stage of software development (requirements, design, coding, testing, maintenance) - costs increase dramatically as you move later in the software development stage; costs provided in graph format. (link provided)

Software Security Practices

• Better Software Development (preventive control mechanism)
• Patching (reactive control mechanism)
• Testing (proactive control mechanism - detection)
• Auditing (proactive control mechanism - detection)
• Improvement in automation and quality of audits is needed.
• Testing is inherently limited on coverage and depth (often manual)

Terminology

• Defects: implementation and design vulnerabilities
• Bugs: implementation-level errors that can be detected and removed
• Buffer Overflow
• Flaws: problems at a deep level in the code
• Error handling problems
• Failures: inability of software to perform required functions

TIOBE Index

• Indicator of programming language popularity
• Not the best programming language but an indicator of commonly used languages
• Used to check programming skills and make strategic decisions when building a new software system

Interpreted Compared to Compiled

• Interpreted languages are easier and quicker to use for application development but have more overhead and leave more weaknesses for attackers
• Compiled languages are more challenging but create more secure and efficient binary files

Comparing C and C++

• C: low-level, powerful language originally used to develop the Unix operating system, lacks many modern constructs
• C++: newer language based on C, adds modern programming language features and makes programming easier

Programming Language Vulnerabilities

• Read article and share the programming language and topic that most caught attention (link provided)

Why Software Security?

• Software systems have numerous flaws and bugs that attackers exploit
• New security threats emerge frequently
• Convenience often outweighs security measures
• Vulnerabilities in software systems increase exponentially
• Software security is everyone's responsibility
• Programmers frequently repeat security-related errors

How Many Millions Lines of Code

• Discusses the paradigm shift for software
• Highlights software-enabled products & their security considerations

Review Security Requirements

• Summarizes security requirements and possible matching descriptions (e.g., authentication, integrity, confidentiality, service availability, non-repudiation, security auditing, malicious activities detection, backup and recovery)

Pre-work Grade

• Post weekly discussion question and research solution
• Complete week 3 content module in D2L

Questions, Clarifications, and Help

• Student office hours (appointment and drop-in)
• Email
• RRCC on-campus tutoring
• 24/7 online tutoring located in the D2L course content.

Description

This quiz covers important concepts from the Secure Software Fundamentals course, specifically focusing on Week 03's topics. You'll explore software security principles, common vulnerabilities, risk management, and secure software practices. Test your knowledge on why these security measures are critical in today's programming landscape.