SecurityInSE - Department of Computer Science

advertisement
Security in Software
Engineering
PRESENTED BY
ROHIT MUKHERJEE AND RAMAKRISHNA VEERAVALLI
Goal
 Minimize the number of security vulnerabilities design,
implementation and documentation
 Identify and remove vulnerabilities in the development
lifecycle as early as possible!!!
Motivation
This application development process in its essence fails to address
security issues.
very small number of companies invest in application security
strategy, design, and code review services.
Overview
How much security ?
Security in SDLC
Privacy and Protection
Security Measurement Analysis
Reusing quality requirements
What is Software Security ?
Protect software against malicious attack and other hacker risks
Function correctly under such potential risks.
Provide integrity, authentication and availability.
Continued..
“100 Times More Expensive to Fix Security Bug at Production Than
Design” – IBM Systems Sciences Institute
Example :
SQL injections can be used to bypass login credentials.
Sometimes SQL injections fetch important information from a database
or delete all important data from a database.
Threats and Vulnerability
What are threats and vulnerability ?
Threats refers to anything that cause serious harm to a computer system.
A threat is something that may or may not happen, but has the potential to
cause serious damage.
Vulnerability refers to a flaw in a system that can leave it open to attack.
A vulnerability is anything that leaves information security exposed to a
threat.
How much security ?
Total security is unachievable.
More security means higher cost and less convenience and
functionality.
Security should not irritate users
Example: forcing a password change frequently.
Effect : users stop using it.
Choose security level according to your needs.
Security in SDLC
Introduce security at every stage of software development .
 Requirement analysis
 Design
 Implementation
 Testing
 Deployment.
Continued..
All security issues must be addressed
Risk analysis - Identifying the threats
Design - Use case diagrams for security
Implementation – follow coding standards
Code reviews
Through testing –software is secured or not
SOFTWARE PRIVACY AND PROTECTION
Software privacy is one of the challenges in software engineering
Security in software system has a significant financial impact
Security goals of a software system need to be satisfied by users
who use the system, equipment around the software
Security Engineering Techniques
 Encryption
 Utilization of tamper resistant hardware
 Mobile code
 Watermarking
Continued
Each software product has license file .
License file has product key in order to authenticate the product.
 Software product checks for the product key and system properties
before starting functional operations.
Self-destruct approaches can be used when pirated copies of
software product found.
 Software will be stored in encrypted form on any machine and
decrypted prior to execution using an independently stored key.
software security measurement
analysis(SSMA)
Software assurance means how much extent the software is free
from vulnerabilities.
SSMA addresses two questions.
 How much extent the software system is secured to perform
operational needs.
 Ascertain the degree, whether the software system achieved the
intended level of security or not.
17 drivers were provided to measure security in SSMA.
Drivers will check whether objectives or not.
[4]
SECURITY QUALITY REQUIREMENTS
ENGINEERING(SQUARE)
SQUARE involves the communication between requirement
engineering team and stakeholders.
Requirement team carefully analyzes the requirements
Categorize and prioritize the requirements for management use.
Final stage is inspection .This stage verifies security requirements,
whether they are consistent or not.
By applying SQUARE, vulnerabilities, potential attacks and threats
can be removed
The life time of the product will be increased.
Activity-Based Quality Model(ABQM)
Activities describe actions that can be performed on or with the support
of the system.
Allows the efficient reuse of quality requirements.
Efficiently support the reuse of requirements among differing volatile
project environments
ABQM needs a notion of projects and its goals and parameters
[2]
Conclusion
Security must be addressed in every phase of SDLC.
Total security is unachievable.
By applying SQUARE , threats can be detected at the earlier phases.
Reuse of quality requirements by using ABQM.
References
[1] Baca , Dejan., Carlsson , Bengt ., Agile development with security engineering activities ,Proceeding ICSSP
'11 Proceedings of the 2011 International Conference on Software and Systems Process ,New York, NY, USA , 05-212011 , Pages 149-158.
[2] Luckey , Markus., Baumann , Andrea., Méndez , Daniel., Wagner ,Stefan., Reusing security requirements using an
extended quality model , Proceeding SESS '10 Proceedings of the 2010 ICSE Workshop on Software Engineering for
Secure Systems, New York, NY, USA, 05-02-2010 , Pages 1-7.
[3] M Kiran Kumar , T., A Road Map to the Software Engineering Security, Proceeding ICCEE '09 Proceedings of the
2009 Second International Conference on Computer and Electrical Engineering - Volume 02, IEEE Computer
Society Washington, DC, USA , 12-28-2009, pages 306-310.
[4] Mead, Nancy R., Measuring the Software Security Requirements Engineering Process , Proceedings Computer
Software and Applications Conference Workshops (COMPSACW), 2012 IEEE 36th Annual, Izmir, Turkey, 07-16-2012,
Pages 583 – 588.
[5] Radack , Shirley., The System Development life cycle , Communication Research Student Conference (CRSC) on
software life cycle security 2009, Federal Information Processing Standards(FIPS) and Information Technology
Laboratory (ITL) Bulletins, Italy , Rome,04-21-2009.pages 231-235.
[6]Walden ,James ., E Frank ,Charles ., Secure software engineering teaching modules , Proceeding InfoSeCD ’06
proceedings of the 3rd annual conference on information security curriculum development, New York, USA, 09-22-2006,
pages 19-23.
Download