Software Security Lecture Notes PDF

Software Security Chapter 1: Introduction to Software Security Dr. Mohammad N Aladwan Software Security Chapter 1: Introduction to Software Security Dr. Mohammad N Aladwan Dr. Mohammad Aladwan Software Security Marks: 30 marks for the following: o Classwork o Participations o Assignments and Quiz o Presentations and projects 30 marks , Midterm exam 40 marks , Final exam Dr. Mohammad Aladwan 3 Software Security Main Chapters for this Semester: Introduction to Software Security SDLC Framework for Software Development Real Life Examples of Software Vulnerabilities Security Requirement of Software Implement secure software and architecture Secure Coding, Cryptography and Error Handling. Security Tools , AppScan, Fortify, web Inspect, Various Test (SAST,DAST Single sign-on and encryption) Dr. Mohammad Aladwan 4 What Is Security?  Security is protection from adversaries, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the actions of others to unwanted action.  A successful organization should have multiple layers of security in place: ⚫ Physical security ⚫ Personal security ⚫ Operations security ⚫ Software security ⚫ Communications security ⚫ Network security Slide 5 Dr. Mohammad Aladwan Dr. Mohammad Aladwan Dr. Mohammad Aladwan Information Security Dr. Mohammad Aladwan Software Security “Software security: refers to a set of practices that help protect software applications and digital solutions from attackers. Developers incorporate these techniques into the software development life cycle and testing processes. As a result, companies can ensure their digital solutions remain secure and are able to function in the event of a malicious attack.” Dr. Mohammad Aladwan What Is the Difference Between Software Security and Cybersecurity?  While the terms “software security” and “cybersecurity” may sound interchangeable, they refer to two different concepts. Software security protects or secures software programs from malicious threats, such as viruses or malware.  Cybersecurity is much broader. Also known as computer security or information security, cybersecurity protects networks, systems and programs. Cybersecurity threats may include trojan horse and ransomware attacks. Dr. Mohammad Aladwan Why Is Software Security Important?  Secure software development is incredibly important because there are always people out there who seek to exploit business data. As businesses become more reliant on software, these programs must remain safe and secure. With strong software security protocols in place, you can prevent attackers from stealing potentially sensitive information such as credit card numbers and trade secrets and build trust among users. Dr. Mohammad Aladwan Why Is Software Security Important?  The theft of critical data can be catastrophic for customers and businesses alike. Malicious actors can abuse sensitive information and even steal users’ identities. Additionally, companies can face legal penalties in the event of a data breach and suffer reputational harm.  Businesses can work to protect critical data by implementing software security techniques into their development life cycles. Applying security techniques enables organizations to proactively identify system vulnerabilities and better protect their software. Dr. Mohammad Aladwan Software Security Issues  In today’s complex information technology (IT) landscape, software is an integral tool and more widespread than ever. However, security issues are just as prevalent, making it necessary to prioritize software security. Dr. Mohammad Aladwan Why Security Is a Software Issue  Businesses constantly use software to manage finances, sell products, track customer data, collaborate on projects and communicate with teammates. With so much business activity happening via digital channels, it is critical to protect them.  System vulnerabilities are security flaws or weaknesses that appear in a software’s code. Hackers can exploit these vulnerabilities to access software programs, steal valuable data and destroy important systems.  To prevent a software threat, security must be a critical part of software development and testing. By integrating security best practices with these processes, developers can identify and fix vulnerabilities before hackers have a chance to find them. Dr. Mohammad Aladwan Software Security Objective Dr. Mohammad Aladwan Security Objectives: CIA  Confidentiality (or secrecy) ⚫ unauthorized users cannot read information  Integrity ⚫ unauthorized users cannot alter information  Availability ⚫ authorized users can always access information  Non-repudiation for accountability ⚫ authorized users cannot deny actions  Others ⚫ Privacy, anonymity… Dr. Mohammad Aladwan How to Realize Security Objectives?  Authentication ⚫ who are you?  Access control/Authorization ⚫ control who is allowed to do what ⚫ this requires a specification of who is allowed to do what  Auditing ⚫ check if anything went wrong  Action ⚫ if so, take action Dr. Mohammad Aladwan How to Realize Security Objectives?  Other names for the last three A's ⚫ Prevention  measures to stop breaches of security goals ⚫ Detection  measures to detect breaches of security goals ⚫ Reaction  measures to recover assets, repair damage, and persecute (and deter) offenders  Good prevention does not make detection & reaction superfluous ⚫ E.g., breaking into any house with windows is trivial; despite this absence of prevention, detection & reaction still deter burglars Dr. Mohammad Aladwan  We focus on software security, but don’t forget that security is about many things: ⚫ people  human computer interaction, HCI  Attackers, users, employees, sys-admins, programmers ⚫ access control, passwords, biometrics ⚫ cryptology, protocols ⚫ Monitoring, auditing, risk management ⚫ Policy, legislation ⚫ public relations, public perception ⚫ …. Dr. Mohammad Aladwan  The software security is primarily aimed at people interested in security software development Dr. Mohammad Aladwan Software and Security  Security is always a secondary concern ⚫ Primary goal of software is to provide functionalities or services ⚫ Managing associated risks is a derived/secondary concern  There is often a trade-off/conflict between ⚫ security ⚫ functionality & convenience  Security achievement is hard to evaluate when nothing bad happens Dr. Mohammad Aladwan Security Concept Dr. Mohammad Aladwan Starting Point for Ensuring Security  Any discussion of security should start with an inventory of ⚫ the stakeholders (owners, companies…) ⚫ their assets (data, service, customer info…) ⚫ the threats to these assets (erase, steal…) ⚫ Attackers  employees, clients, script kiddies, criminals  Any discussion of security without understanding these issues is meaningless Dr. Mohammad Aladwan Security Concepts  Security is about imposing countermeasures to reduce risks to assets to acceptable levels ⚫ “Perfect security” is not necessary and costly  A security policy is a specification of what security requirements/goals the countermeasures are intended to achieve ⚫ secure against what and from whom ?  Security mechanisms to enforce the policy ⚫ What actions we should take under an attack? Dr. Mohammad Aladwan Dr. Mohammad Aladwan Dr. Mohammad Aladwan Dr. Mohammad Aladwan Dr. Mohammad Aladwan Dr. Mohammad Aladwan Dr. Mohammad Aladwan Dr. Mohammad Aladwan Dr. Mohammad Aladwan Major Concerns with Software Security  A security vulnerability can have major implications for organizations, companies and more. It is important to identify these concerns and proactively to avoid malicious attacks.  Below are some of the top software security issues businesses are facing: Phishing: Phishing happens when an attacker poses as someone else in an attempt to gain personal information, such as software credentials. Distributed denial of service (DDoS) Attacks: A DDoS attack happens when an attacker overloads servers with packets, causing the software to crash. Dr. Mohammad Aladwan Major Concerns with Software Security Cloud service attacks: Companies are increasingly relying on cloud-based services to support remote workers. Some cloud infrastructure has vulnerabilities hackers can exploit. Software supply chain attacks: Some pieces of software are critical in the business supply chain, especially for e-commerce. A software supply chain attack happens when hackers exploit a third-party service to access data about a business. Dr. Mohammad Aladwan Software Security Tools and Responsibilities  Building secure software is a group effort. All stakeholders in software development, from developers to executives, need to understand how software security practices benefit them. They must also understand the risks of not implementing them and allocate proper resources to security tasks. Dr. Mohammad Aladwan Software Security Tools and Responsibilities  There are several tools that an organization can leverage for software security: Static application security testing: This tool examines source code at rest and flags vulnerabilities for developers to fix. Dynamic application security testing: This tool examines an application’s code while it is running and detects weaknesses in the software. Dr. Mohammad Aladwan Software Security Tools and Responsibilities Software composition analysis: This tool checks for vulnerabilities against a software’s governance guidelines. Software composition analysis is especially valuable for open-source software. Mobile application security testing: This tool analyzes mobile code to identify specific vulnerabilities that could lead to unique security risks, such as improper platform usage and insecure data storage. Dr. Mohammad Aladwan Implementing Software Security  From the beginning of development, it is important to implement foundational security best practices. Here are a few examples: Implement least privilege: Least privilege refers to the practice of giving software users limited access to a program. A hacker will not be able to access features, rights and controls that a user does not have, helping minimize the impact of an attack. Encrypt software data: Data encryption transforms readable data into an unreadable, protected format. If a hacker is able to access this information, they would not be able to use it unless they have the encryption key. Make sure to encrypt all software data at rest and in transit. Dr. Mohammad Aladwan Implementing Software Security  From the beginning of development, it is important to implement foundational security best practices. Here are a few examples: Automate software security tasks: It can be difficult to monitor your entire infrastructure for vulnerabilities. Consider investing in security software that performs these tasks for you. With automation, you can reduce human error and increase the scope of your security protocol. Implement two-factor authentication: This security protocol requires a user to provide two pieces of information in order to log into their account, such as sending a text to their phone. A hacker won’t be able to access the system even if they have one set of credentials. Dr. Mohammad Aladwan Implementing Software Security  From the beginning of development, it is important to implement foundational security best practices. Here are a few examples: Perform employee training: All employees need to be aware of the importance of software security and know how to protect themselves and their data. Software security teams can host regular training sessions to keep everyone up to date. Dr. Mohammad Aladwan Ensuring and Improving Software Security  Secure software development is an ongoing process. All new features, tools and software should adhere to security protocol and be free of vulnerabilities. To ensure and improve software security, it is important to: Embed security improvements in the development life cycle. Implement security best practices into the design and development of new features. Perform regular application testing to identify potential weaknesses. Patch or fix a vulnerability as soon as someone detects it. Regularly update security protocol to stay ahead of evolving software security threats. Dr. Mohammad Aladwan Thank you Dr. Mohammad Aladwan

Software Security Lecture Notes PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue