csce548-lect5.b

csce548-lect5.b - CSCE 522 Building Secure Software...

Info iconThis preview shows pages 1–9. Sign up to view the full content.

View Full Document Right Arrow Icon
CSCE 522 CSCE 522 Building Secure Software Building Secure Software
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
CSCE 548 - Farkas 2 Reading Reading This lecture McGraw: Ch. 3 G. McGraw, Software Security , http://www.cigital.com/papers/download/bsi1-swsec.pdf Ted Demopoulos, Worst Practices in Developing Secure Software, http://www.demop.com/articles/developing-secure-software.html Next Lecture McGraw: Ch. 4 (overview, we’ll cover code review in details later)
Background image of page 2
CSCE 548 - Farkas 3 Three Pillars of Software Security Three Pillars of Software Security Risk Management Software Security Touchpoints Knowledge
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
CSCE 548 - Farkas 4 Risk Management Risk Management How much effort to invest in security Consequences of security breaches Acceptable-level of security Tracking and mitigating risk throughout the full SDLC
Background image of page 4
CSCE 548 - Farkas 5 Touchpoints Touchpoints System-wide activity: from design to testing and feedback Focus on security from ground up Touchpoints: 1. Code review 2. Architectural risk analysis 3. Penetration testing 4. Risk-based security testing 5. Abuse cases 6. Security requirements 7. Security operations 8. External Analysis
Background image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
CSCE 548 - Farkas 6 Knowledge Knowledge Gathering, encapsulating, and sharing security knowledge Knowledge catalogs: principles, guidelines, rules, vulnerabilities, exploits, attack patterns, historical risks Knowledge categories: Prescriptive knowledge Diagnostic knowledge Historical knowledge Applied along the SDLC
Background image of page 6
CSCE 548 - Farkas 7 Security Engineering Security Engineering Reduce the need for reactive technologies (e.g., intrusion detection) by safer products Understand software Need for: Software developers Operations people Administrators Users Executives
Background image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
CSCE 548 - Farkas 8 Software Security Touchpoints Software Security Touchpoints Best Practices Both White Hat (constructive) and Black Hat (destructive) activities Throughout the SDLC
Background image of page 8
Image of page 9
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 12/13/2011 for the course CSCE 548 taught by Professor Farkas during the Spring '10 term at South Carolina.

Page1 / 22

csce548-lect5.b - CSCE 522 Building Secure Software...

This preview shows document pages 1 - 9. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online