Software Security in Software Engineering PDF

Summary

This document provides an overview of software security in software engineering. It examines escalating cyber threats and their impacts, including direct financial loss, reputational damage, and legal consequences. The document also discusses key security concepts like confidentiality, integrity, and availability, along with common vulnerabilities and threats.

Full Transcript

Software Security in Software Engineering
Protecting Applications from Evolving Cyber Threats

Why Software Security Matters

1. Escalating Cyber Threats
   - Attackers are employing sophisticated techniques like AI-driven phishing campaigns, automated vulnerability scanning, and zero-day exploitation.
   - Statistic: Cybercrime costs are estimated to hit $10.5 trillion annually by 2025.
2. Direct Financial Loss
   - Companies lose billions annually due to ransomware attacks, fraudulent transactions, and data breaches.
3. Reputational Damage
   - Trust is critical in the digital age, and breaches can destroy years of goodwill with customers.
   - Example: After the Facebook-Cambridge Analytica scandal, Facebook faced public outrage and legal scrutiny, significantly affecting user trust.
4. Legal and Regulatory Consequences
   - Non-compliance with laws like GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act) can lead to multimillion-dollar fines.
   - Example: British Airways was fined £20 million in 2020 for a data breach affecting customer information.
5. National Security and Infrastructure
   - Critical infrastructure such as energy grids, water supplies, and transportation systems is a prime target for cyberattacks.
   - Example: The NotPetya malware attack disrupted global shipping and logistics operations.

Key Software Security Concepts

1. Confidentiality
   - Protect sensitive information from unauthorized access or disclosure.
   - Example: Encrypting user credentials in databases ensures only authorized applications or users can access them.
   - Tools: Transport Layer Security (TLS), Virtual Private Networks (VPNs).
2. Integrity
   - Ensure that data remains accurate, consistent, and unaltered during transmission or storage.
   - Example: Digital signatures validate that a document hasn't been tampered with after signing.
   - Tools: Checksum utilities, cryptographic hash functions like SHA-256.
3. Availability
   - Ensure that applications and systems are available to authorized users when needed.
   - Example: Employing redundancy in data centers to maintain uptime even during hardware failures.
   - Tools: Load balancers, backup and disaster recovery systems.
4. Authentication
   - Verify the identity of users and systems accessing the application.
   - Example: Requiring users to provide both a password and a fingerprint scan for login (two-factor authentication).
   - Standards: OAuth, OpenID Connect, and biometric authentication.
5. Authorization
   - Control what authenticated users are permitted to do.
   - Example: A banking app allows a teller to view account balances but not authorize fund transfers, which is restricted to a manager.
   - Tools: Role-based access control (RBAC), Attribute-based access control (ABAC).

Common Software Threats

1. Injection Attacks
   - Attackers exploit input fields to inject malicious code into backend systems.
   - Example: SQL Injection modifies database queries to leak sensitive data or corrupt databases.
   - Real-World Case: A 2021 attack leaked financial records by exploiting a web app's SQL injection vulnerability.
   - Mitigation: Use parameterized queries and stored procedures.
2. Cross-Site Scripting (XSS)
   - Attackers inject scripts into webpages that execute in other users' browsers.
   - Impact: Hijacks user sessions, steals cookies, or redirects to phishing sites.
   - Example: An online forum with improper input sanitization allowed XSS to inject popups tricking users into revealing credentials.
   - Mitigation: Input sanitization, output encoding, and implementing Content Security Policy (CSP).
3. Denial-of-Service (DoS)
   - Attackers flood a system with traffic to overwhelm resources and make it unavailable to legitimate users.
   - Impact: Business disruptions and financial losses.
   - Example: Amazon's AWS services were briefly disrupted by a major DDoS attack.
   - Mitigation: Deploy rate limiting, load balancers, and automated mitigation tools.
4. Man-in-the-Middle (MITM) Attacks
   - Attackers intercept communication between two parties to eavesdrop or manipulate data.
   - Example: Stealing user login credentials transmitted over an unencrypted Wi-Fi network.
   - Mitigation: Use HTTPS, VPNs, and TLS for secure communication.

Common Vulnerabilities in Software

1. Unvalidated Inputs
   - Applications fail to validate user inputs, leading to injection attacks or unexpected crashes.
   - Example: Allowing special characters in form fields can break database queries.
   - Mitigation: Strict input validation with whitelists.
2. Outdated Dependencies
   - Libraries or frameworks with known vulnerabilities can be exploited by attackers.
   - Example: The Log4j vulnerability allowed remote code execution on millions of systems.
   - Mitigation: Regular dependency scanning and patching.
3. Weak Default Configurations
   - Out-of-the-box settings often lack adequate security.
   - Example: Default admin passwords for devices like routers or IoT devices.
   - Mitigation: Enforce strong passwords and secure configurations during setup.
4. Improper Error Handling
   - Applications expose sensitive details (e.g., stack traces) in error messages.
   - Example: Revealing database structure in error outputs.
   - Mitigation: Log detailed errors securely but present generic error messages to users.

Secure Coding Practices

1. Input Validation
   - All input from users should be checked for type, size, and acceptable format before processing.
   - Example: Reject inputs containing SQL commands or special characters.
   - Code Example (Python):

        def validate_input(user_input):
            # Whitelist check: accept digits only, reject everything else
            # before the value reaches any backend query.
            if not user_input.isnumeric():
                raise ValueError("Invalid input: Numbers only.")

2. Secure APIs
   - Always use APIs designed with security in mind, avoiding those with known vulnerabilities.
   - Example: Use OAuth 2.0 for secure access token generation in APIs.
3. Error Handling
   - Avoid providing detailed system information in error messages.
   - Example: Replace a database stack trace with a simple "An error occurred. Please try again later."
4. Data Encryption
   - Encrypt data both in transit and at rest using robust algorithms.
   - Example: Use AES-256 for sensitive information and TLS for transmission.
5. Secrets Management
   - Avoid hardcoding API keys or credentials in source code.
   - Example: Use a vault like AWS Secrets Manager or environment variables.

Secure Design Principles

1. Defense in Depth
   - Combine multiple security measures to mitigate risks at different layers.
   - Example: A web app with a WAF, an IDS, and database encryption.
2. Least Privilege
   - Assign the minimal permissions required for each user or process.
   - Example: A web server should only have read-only access to database tables.
3. Fail-Safe Defaults
   - Default to denying access unless explicitly permitted.
   - Example: All firewall rules should block traffic unless specifically allowed.
4. Minimize Attack Surface
   - Limit the features and services exposed to reduce potential entry points.
   - Example: Disable unused APIs and ports on production systems.
5. Separation of Duties
   - Prevent conflicts of interest by dividing tasks among different individuals or systems.
   - Example: Developers should not have access to production databases.

Lecture Notes: Software Validation and Verification

Learning Objectives

1. Understand the Concepts of Validation and Verification
   - Grasp the purpose and scope of validation and verification in software engineering.
2. Explore the Differences and Importance
   - Learn how validation and verification address different aspects of software quality.
3. Learn Validation Methods
   - Discover techniques like user acceptance testing and end-user testing.
4. Learn Verification Methods
   - Explore formal approaches, such as static analysis and code inspections.
5. Examine Validation and Verification in the SDLC
   - Understand their role at various stages of the Software Development Life Cycle (SDLC).

Definitions

1. Validation: Ensures that the software meets user needs and expectations.
   - Focuses on the question: "Are we building the right product?"
2. Verification: Confirms that the software complies with specified requirements.
   - Focuses on the question: "Are we building the product right?"

Importance of Validation and Verification

1. Ensures Software Quality
   - Identifies and fixes defects to ensure reliability and functionality.
2. Improves User Satisfaction
   - Aligns the final product with the user's expectations and goals.
3. Reduces Development Costs
   - Early defect detection minimizes costly rework during later phases.
4. Meets Regulatory Compliance
   - Ensures adherence to legal and industry standards like ISO or GDPR.
5. Enhances Stakeholder Confidence
   - Provides evidence that the software is robust and reliable.

Differences Between Validation and Verification

1. Focus
   - Validation: Ensures the software solves the intended problem for users.
   - Verification: Ensures technical correctness according to specifications.
2. Timing
   - Validation: Conducted during and after development (closer to deployment).
   - Verification: Conducted throughout the development process.
3. Methods
   - Validation: User acceptance testing (UAT), prototypes, simulations.
   - Verification: Inspections, walkthroughs, static and dynamic analysis.

Techniques for Validation

1. User Acceptance Testing (UAT)
   - Involves end-users directly to ensure the software meets business needs.
   - Example: Testing an e-commerce site's checkout process with real users.
2. Prototyping
   - Provides a model of the software for early feedback.
   - Example: A wireframe or clickable mockup of a mobile app.
3. Simulation
   - Mimics real-world conditions to evaluate system behavior.
   - Example: Testing navigation software using simulated GPS data.
4. End-User Testing
   - Allows actual end-users to interact with the software in a controlled setting.
   - Example: Beta testing before launching a product.

Techniques for Verification

1. Code Reviews
   - Peer reviews to ensure adherence to coding standards and identify logical errors.
   - Example: Reviewing a module to check for compliance with security requirements.
2. Static Analysis
   - Automated tools analyze source code without executing it.
   - Tools: SonarQube, Checkmarx.
3. Walkthroughs
   - Informal reviews where developers present their work to peers for feedback.
   - Example: Reviewing a new feature design to identify potential issues.
4. Inspections
   - Formal, detailed examination of artifacts like code or design documents.
   - Example: Examining an API's design against performance requirements.
5. Testing
   - Unit testing, integration testing, and system testing ensure the product functions as intended.
   - Example: Running automated tests to verify individual components work correctly.

Validation and Verification in the SDLC

1. Requirements Phase
   - Validate requirements by involving stakeholders and conducting reviews.
   - Verify that requirements are clear, consistent, and feasible.
2. Design Phase
   - Validate design prototypes to ensure alignment with user needs.
   - Verify that the design adheres to technical and architectural standards.
3. Development Phase
   - Validate early versions of software through iterative testing with users.
   - Verify correctness using static analysis and code reviews.
4. Testing Phase
   - Validate system functionality and usability through user-focused testing.
   - Verify component integration and end-to-end functionality through system tests.
5. Deployment Phase
   - Validate deployment readiness through operational testing.
   - Verify proper configuration of the software in the target environment.
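The Injection Attacks mitigation under Common Software Threats above (parameterized queries), as an added example that is not part of the original notes: a string-concatenated lookup beside its parameterized form, run against a constructed in-memory SQLite table, so the difference in behaviour on the same inputs can be observed directly.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for a real accounts database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 500), (2, "bob", 1200), (3, "carol", 90)],
    )
    return conn


def find_balance_vulnerable(conn, owner):
    # Vulnerable: the untrusted value is spliced into the SQL text, so the
    # input can change the shape of the query rather than only a compared value.
    query = f"SELECT balance FROM accounts WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(query)]


def find_balance_safe(conn, owner):
    # Hardened: a parameterized query ships the SQL and the value separately;
    # the driver treats the input purely as data, never as query syntax.
    query = "SELECT balance FROM accounts WHERE owner = ?"
    return [row[0] for row in conn.execute(query, (owner,))]


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed test input: a quote character followed by an always-true
    # condition, the textbook shape of a query-altering string.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": find_balance_vulnerable(conn, normal),
        "vulnerable_crafted": find_balance_vulnerable(conn, crafted),
        "safe_normal": find_balance_safe(conn, normal),
        "safe_crafted": find_balance_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every balance in the table for the crafted input, while the parameterized version simply finds no owner with that literal name.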
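The teller/manager scenario under Authorization above, combined with the Least Privilege and Fail-Safe Defaults design principles, as an added example that is not part of the original notes: a small role-based access control check in which every permission not explicitly granted is denied, including permissions requested for unknown roles. The role names, permission strings and `require` decorator are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps


class AuthorizationError(PermissionError):
    """Raised when an authenticated user lacks a required permission."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed permission table for the banking scenario: tellers may view
# balances, managers may additionally authorize transfers. Anything absent
# from this table is denied, which is the fail-safe default.
ROLE_PERMISSIONS = {
    "teller": frozenset({"account:view_balance"}),
    "manager": frozenset({"account:view_balance", "account:transfer"}),
}


def is_permitted(user, permission):
    # Unknown roles contribute no permissions instead of raising, so a typo
    # in a role assignment fails closed rather than open.
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return permission in granted


def require(permission):
    # Decorator enforcing the check at the entry point of each sensitive action,
    # so callers cannot reach the business logic without passing authorization.
    def decorator(func):
        @wraps(func)
        def wrapper(user, *args, **kwargs):
            if not is_permitted(user, permission):
                raise AuthorizationError(f"{user.name} lacks {permission}")
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


@require("account:view_balance")
def view_balance(user, account):
    return account["balance"]


@require("account:transfer")
def transfer(user, src, dst, amount):
    if amount <= 0 or src["balance"] < amount:
        raise ValueError("invalid transfer")
    src["balance"] -= amount
    dst["balance"] += amount
    return src["balance"], dst["balance"]
```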
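The Input Validation and Error Handling practices above (and the Improper Error Handling vulnerability they address), as an added example that is not part of the original notes: a request handler that whitelists the input, echoes only validation failures to the caller, and for anything else writes the full traceback to an internal log under a reference id while the user sees the generic message. The `lookup_account` backend and its failure are constructed stand-ins.

```python
import io
import logging
import re
import uuid

# Internal log sink. In production this is a protected log store; a StringIO
# handler is used here only so the example runs offline and can be inspected.
log_buffer = io.StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(logging.StreamHandler(log_buffer))

GENERIC_MESSAGE = "An error occurred. Please try again later."


def validate_account_id(user_input):
    # Whitelist: ASCII digits only, bounded length. str.isnumeric()/isdigit()
    # also accept other Unicode digits (e.g. superscripts) that int() rejects.
    if not re.fullmatch(r"[0-9]{1,10}", user_input):
        raise ValueError("Invalid input: Numbers only.")
    return int(user_input)


def lookup_account(account_id):
    # Constructed backend stand-in; id 0 simulates an internal database failure
    # whose message reveals schema details that must never reach the user.
    if account_id == 0:
        raise RuntimeError("sqlite3.OperationalError: no such table: accounts_v2")
    return {"id": account_id, "balance": 100}


def handle_request(user_input):
    """Return (status, body); the body never carries internal details."""
    try:
        account = lookup_account(validate_account_id(user_input))
        return 200, account
    except ValueError as exc:
        # Validation messages describe only the input rule, so they are safe to echo.
        return 400, {"error": str(exc)}
    except Exception:
        # Everything else: full traceback to the internal log, keyed by a
        # reference id; the caller receives only the generic text and that id.
        ref = uuid.uuid4().hex[:8]
        logger.exception("unhandled error ref=%s", ref)
        return 500, {"error": GENERIC_MESSAGE, "reference": ref}
```

The reference id lets support staff find the detailed log entry for a user's report without the response itself disclosing anything about the backend.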
