csce548-lect11 - CSCE 548 Secure Software Development...

Slide 1: CSCE 548 Secure Software Development - Security Operations

CSCE 548 - Farkas, slide 2: Reading
This lecture: Security Operations
- McGraw, Chapter 9
- Bridging the Gap between Software Development and Information Security, Kenneth R. van Wyk and Gary McGraw, http://www.cigital.com/papers/download/bsi10-ops.pdf
- SANS Software Security Institute, http://www.sans-ssi.org/
Next lecture: Review for Midterm

Slide 3: Application of Touchpoints
Software artifacts and the touchpoints applied to each (numbers give the touchpoint's priority order):
- Requirements and Use Cases: 5. Abuse cases; 6. Security Requirements
- Architecture and Design: 2. Risk Analysis (with External Review)
- Test Plans: 4. Risk-Based Security Tests
- Code: 1. Code Review (Tools)
- Tests and Test Results: 2. Risk Analysis; 3. Penetration Testing
- Feedback from the Field: 7. Security Operations

Slide 4: Traditional Software Development
- No information security consideration
- Highly distributed among business units
- Lack of understanding of technical security risks

Slide 5: Don't stand so close to me
Best Practices:
- A manageable number of simple activities
- Should be applied throughout the software development process
Problem:
- Software developers lack security domain knowledge; their view is limited to functional security
- Information security professionals lack an understanding of software; their view is limited to reactive security techniques

Slide 6: Software Security Best Practices
- Abuse cases
- Business risk analysis
- Architectural risk analysis
- Security functionality testing
- Risk-driven testing
- Code review
- Penetration testing
- Deployment and operations

Slide 7: Deployment and Operations
Configuration and customization of the software application's deployment environment.
Activities:
- Network-component level
- Operating-system level
- Application level

This note was uploaded on 12/13/2011 for the course CSCE 548 taught by Professor Farkas during the Spring '10 term at South Carolina.