B1_Chapter 5.pdf - Guiding Principles for Software Security


Guiding Principles for Software Security
Building Secure Software, Chapter 5

Principle #1: Secure the Weakest Link
A software security system is only as secure as its weakest component. Attackers go after the weakest parts of a system because those are the parts most likely to be broken easily. Often the weakest part is not code at all but the administrators, users, or technical support staff who fall prey to social engineering. The bank-versus-convenience-store analogy applies: a bank holds far more money, but the convenience store is the easier target. In the same way, attackers rarely attack a firewall unless there is a well-known vulnerability in the firewall itself; instead, they go after the applications that are visible through the firewall, because those applications tend to be much easier targets.
Identifying the weakest component of a system falls directly out of a good risk analysis. Given good risk analysis data, it is always wise to address the most serious risk first, rather than the risk that happens to be easiest to mitigate. Sometimes the weakest link is not the software at all; sometimes it is the surrounding infrastructure.

For example, consider social engineering, an attack in which the attacker uses social manipulation rather than a technical flaw to break into a system. In a typical scenario, a service center gets a call from a sincere-sounding user who talks the service representative out of a password that should never be given away. This sort of attack is easy to carry out because customer service representatives do not like to deal with stress. Faced with a customer who seems genuinely angry about being locked out of their account, they may not want to aggravate the situation by asking questions to authenticate the remote user; instead, they are tempted to simply change the password to something new and be done with it.
To do this right, the representative should verify that the caller really is the user whose password is to be changed. But even if they do ask questions to authenticate the person on the other end of the phone, what are they going to ask? Date of birth? Social Security number? Mother's maiden name? All of that information is easy for an attacker to obtain if they know their target; much of it is public record or has already leaked in data breaches. This problem is common, and it is difficult to solve.

One good strategy is to limit the capabilities of technical support as much as possible, so that a representative who is fooled cannot give away much. Proposed solution: before deploying the system, compose a large list of questions (say, no fewer than 400). Each question should be generic enough that any one person should be able to answer it.
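As an added example (not from the slides or from Building Secure Software), here is one way to build the help-desk check on such a question pool so that the representative's capabilities really are limited: the system stores only salted hashes of the user's answers, picks a random subset of questions for each call, and the representative only reads the questions aloud and types in what the caller says. The six-question pool, the user names and answers, the three-questions-per-call and three-strikes settings, and the 50,000-round PBKDF2 parameter are all constructed for illustration.

```python
"""Help-desk password-reset verification backed by a question pool.

Added example for the weakest-link discussion; not code from the slides
or the book. The pool, users and answers below are constructed.
"""
import hashlib
import hmac
import os
import random
import re
import secrets

# A real deployment would hold several hundred questions (the slide
# suggests no fewer than 400); this constructed pool is only large
# enough to show the mechanics.
QUESTION_POOL = {
    "q01": "What was the make of the first car you drove?",
    "q02": "In what city did you attend your first school?",
    "q03": "What was the name of your first manager?",
    "q04": "What street did you live on at age ten?",
    "q05": "Who performed at the first concert you attended?",
    "q06": "What is the name of a teacher you disliked?",
}

PBKDF2_ROUNDS = 50_000          # assumption: kept low for the demo
QUESTIONS_PER_CHALLENGE = 3     # assumption: questions asked per call
MAX_FAILED_CHALLENGES = 3       # assumption: strikes before escalation


def normalize(answer: str) -> str:
    """Collapse case, punctuation and spacing so "St. Mary's" == "st marys"."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stolen help-desk database does not yield answers."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt,
                               PBKDF2_ROUNDS)


class HelpDeskVerifier:
    """Stores only answer hashes; the representative never sees an answer."""

    def __init__(self, seed=None):
        # A fixed seed makes the question selection reproducible for tests;
        # production uses the OS CSPRNG.
        self._rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self._enrolled = {}      # user -> {qid: (salt, answer hash)}
        self._challenges = {}    # challenge id -> (user, [qid, ...])
        self._failures = {}      # user -> consecutive failed challenges

    def enroll(self, user: str, answers: dict) -> None:
        unknown = set(answers) - set(QUESTION_POOL)
        if unknown:
            raise ValueError(f"unknown question ids: {sorted(unknown)}")
        if len(answers) < QUESTIONS_PER_CHALLENGE:
            raise ValueError("enroll at least as many answers as one call asks")
        record = {}
        for qid, answer in answers.items():
            salt = os.urandom(16)
            record[qid] = (salt, hash_answer(answer, salt))
        self._enrolled[user] = record

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_FAILED_CHALLENGES

    def start_challenge(self, user: str):
        """Return (challenge id, {qid: question text}) for the rep to read out.

        A fresh random subset per call means one overheard call does not
        expose the user's whole answer set.
        """
        if self.is_locked(user):
            raise PermissionError("help-desk reset locked; escalate out of band")
        if user not in self._enrolled:
            raise KeyError("no enrolment on file; reset must use another channel")
        qids = self._rng.sample(sorted(self._enrolled[user]), QUESTIONS_PER_CHALLENGE)
        cid = secrets.token_hex(8)
        self._challenges[cid] = (user, qids)
        return cid, {q: QUESTION_POOL[q] for q in qids}

    def submit(self, challenge_id: str, responses: dict) -> bool:
        """Every asked question must match; a challenge id is single-use."""
        if challenge_id not in self._challenges:
            return False                      # unknown or replayed challenge
        user, qids = self._challenges.pop(challenge_id)
        record = self._enrolled[user]
        ok = True
        for qid in qids:                      # check all, no early exit
            salt, expected = record[qid]
            given = hash_answer(responses.get(qid, ""), salt)
            ok &= hmac.compare_digest(given, expected)
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok


if __name__ == "__main__":
    v = HelpDeskVerifier()
    v.enroll("alice", {"q01": "Toyota Corolla", "q02": "Leeds",
                       "q03": "Mr. O'Brien", "q04": "Elm Street"})
    cid, asked = v.start_challenge("alice")
    for qid, text in asked.items():
        print(f"[rep reads] {text}")
    print("verified:", v.submit(cid, {"q01": "toyota corolla", "q02": "LEEDS",
                                      "q03": "mr obrien", "q04": "elm street"}))
```

The representative's interface consists of start_challenge and submit only: there is no call that reveals a stored answer, resets the counter, or bypasses the check, so a representative who has been talked into "just fixing it" has nothing to give away. The usual caveat still applies to any knowledge-based scheme: an attacker who has researched the target may know several answers, so treat this as a way of bounding what a fooled representative can do, and pair it with an out-of-band step (for example a callback to a number already on file) for high-value accounts.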
