Secure Programming Slides PDF
Document Details
Uploaded by Deleted User
Al Ain University
Tags
Summary
These slides provide a foundational overview of secure programming concepts. They cover aspects from security fundamentals to different types of attacks and threats. The document also touches on the role of hardware, software, data, people, procedures, and networks in ensuring the security of an organization's information systems.
Full Transcript
Secure Programming What is Security? “The quality or state of being secure—to be free from danger” A well secured organization should have multiple layers of security in place: Physical security Personal security Operations security ...
Secure Programming What is Security? “The quality or state of being secure—to be free from danger” A well secured organization should have multiple layers of security in place: Physical security Personal security Operations security Communications security Network security Secure Programming 2 Information Security The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information Necessary tools: policy, awareness, training, education, technology C.I.A. triangle was standard based on confidentiality, integrity, and availability Secure Programming 3 Critical Characteristics of Information Confidentiality Disclosure or exposure to unauthorized individuals or system is prevented Integrity Whole, completed, uncorrupted Cornerstone Size of the file, hash values, error- correcting codes, retransmission Availability Required information and services should be available whenever required Secure Programming 4 Components of an Information System Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization Software Perhaps most difficult to secure Easy target Exploitation substantial portion of attacks on information Hardware Physical security policies Securing physical location important Laptops Flash memory Secure Programming 5 Components of an Information System Data Often most valuable asset Main target of intentional attacks People Weakest link Social engineering Must be well trained and informed Procedures Threat to integrity of data Networks Locks and keys won’t work Secure Programming 6 Securing Components Computer can be subject of an attack and/or the object of an attack When the subject of an attack, computer is used as an active tool to conduct attack When the object of an attack, computer is the entity being attacked Types of attack Direct Hacker uses their computer to break into a system Indirect Secure Programming 7 System is compromised and used to attack Threats A threat is an object, person, or other entity that represents a constant danger to an asset Management must be informed of the various kinds of threats facing the organization By examining each threat category in turn, management effectively protects its information through policy, education and training, and technology controls Threat Modeling Secure Programming 8 Attacks An attack is the deliberate act that exploits vulnerability It is accomplished by a threat-agent to damage or steal an organization’s information or physical asset A vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective An exploit is a technique to compromise a system An attack is then the use of an exploit to achieve the compromise of a controlled system Secure Programming 9 Basic Problems low problem understanding (awareness) mistakes of human beings (especially when overloaded, stressed, …) human beings have a natural tendency to trust complex interfaces / architectures can mislead the user and originate erroneous behaviors performance decrease due to the application of security ask for the (involuntary) user’s participation to the attack action usually naive users are targeted (e.g. “do change immediately your password with the following one, because your PC is under attack”)... but experienced users are targeted too (e.g. by copying an authentic mail but changing its Secure Programming attachment or URL) 10 Roots of Insecurity “Defensive strategies are reactionary” “Thousands - perhaps millions - of system with weak security are connected to the Internet” “The explosion in use of the Internet is straining our scarse technical talent. The average level of system administrators has decreased dramatically in the last 5 years” “Increasingly complex software is being written by programmers who have no training in writing secure code” Secure Programming 11 ICT security ICT (Information and Communication Technologies) refers to technologies that provide access to information through telecommunications. ICT security is the set of products, services, organization rules and individual behaviors that protect the ICT system of a company. Three main components of any system are: Hardware OS and applications Communication Cloud - (Optional) Secure Programming 12
