What is Secure?
Engineering Secure Software
Last Revised: August 19, 2020
SWEN-331: Engineering Secure Software
Benjamin S Meyers

Recent Security Incidents
● Garmin
  ○ Ransomware -- $10 million
  ○ Sync servers down for many days
● Jack Daniels
  ○ 1TB of data stolen
  ○ Unauthorized access detected and blocked before data could be encrypted
● Intel
  ○ 20GB of Intellectual Property (IP) and internal documents leaked

Software Security and You
● Find 2 other people near you
  ○ Introduce yourself
  ○ What is your favorite software development technology? (language, tool, library, etc.)
  ○ Have you ever written software where security mattered? How did you address security then?

Discussion
● Increased airport security measures
  ○ TSA agents, full-body scanners, removing shoes, etc.
  ○ Are we safer because of these measures?
  ○ If so, is it worthwhile?

Discussion Takeaways
● Security is not black-and-white
● Security is “until proven insecure”
● Security “Theater”
  ○ Feeling safer vs. being safer
  ○ People act on their perception of reality, not necessarily on reality
● Protection can be costly
● Eliminating a Threat vs. Protection
● Vulnerability vs. Exploit vs. Threat

An Engineer’s Concern
● In SE we teach you how to build software… but not as much about breaking software
● How do you know that you have built a system that cannot be broken into?
  ○ What evidence do you look for?
  ○ How do you know you’re done?
  ○ How do you prioritize security against everything else that’s taking up your time?
● SE is a zero-sum game
  ○ “If I need to focus more energy on security, what should we take away?”

What is a Vulnerability?
● Informally: a bug with security consequences
● A design flaw or poor coding that may allow an attacker to exploit software for a malicious purpose
  ○ Non-software equivalent to “lack of shoe-examining at the airport”
  ○ e.g. allowing easily-guessed passwords (poor coding)
  ○ e.g. complete lack of passwords when needed (design flaw)
  ○ McGraw: 50% are coding mistakes, 50% are design flaws
● Alternative definition: “an instance of a fault that violates an [implicit or explicit] security policy”

What are Exploits and Threats?
● Exploit: a piece of software, chunk of data, or sequence of commands that takes advantage of a vulnerability in an effort to cause unintended or unanticipated behavior
  ○ i.e. maliciously using a vulnerability
  ○ Can be manual or automated
  ○ Viruses are just automated exploits
  ○ Many different ways to exploit just one vulnerability
● Threat -- two usages
  ○ An actor or agent that is a source of danger, capable of violating confidentiality, availability, or integrity of information assets and security policy -- e.g. black-hat hackers
  ○ A class of exploits -- e.g. spoofing (phishing, hijacking, etc.)

Exploit/Threat/Vulnerability Protection
● Protection against exploits?
  ○ Anti-virus software, intrusion detection systems, firewalls, etc.
● Protection against threats?
  ○ Use forensics to find and eliminate
  ○ Policy, incentives, deterrents, etc.
● Protection against vulnerabilities?
  ○ Engineer secure software!

Software Security is...
● NOT a myth, but a reality
● Insecure software causes immeasurable harm
● Examples: Sony, NSA, Equifax, Anthem/Premera, Android, Browsers, Mueller Report -- just read the news

In the News
● 2019-02-22: Critical Vulnerabilities Uncovered in Password Managers
● 2019-02-25: b0r0nt0k Ransomware Infects Linux Servers
● 2019-02-26: New Browser Attack Lets Hackers Run Bad Code After User Leaves a Web Page
● 2019-03-12: Study Shows Programmers Will Take the Easy Way Out and Not Implement Proper Password Security
● 2019-03-23: Norsk Hydro Will Not Pay Ransom Demand and Will Restore from Backups
● 2019-03-22: Facebook Left Hundreds of Millions of User Passwords Unencrypted
● 2019-04-20: Active Windows Zero-Day Exploits
● 2019-04-29: Security Flaw Lets Attackers Recover Private Keys from Qualcomm Chips
● 2019-04-30: The Key Lessons of the Triton Malware Cyberattack You Need to Learn
● 2019-05: Stolen NSA Tool Wreaks Havoc
● 2019-07: Microsoft Confirms Windows Great Duke of Hell Malware Attack
● 2019-08-20: Hackers Planted Backdoor in Webmin Utility for Linux Servers
● 2019-09-10: Weakness in Intel Chips Lets Researchers Steal Encrypted SSH Keystrokes
● 2019-10-14: Teamviewer Hack Might Have Accessed Billions of Devices
● 2020-02-25: Exchange Stores User Credentials in Plain Text, No Hashing
● 2020-06-08: Vulnerabilities in Popular Open Source Projects Doubled in 2019

Number of Vulnerabilities by Year

Software Security is...
● NOT an arcane black art
● Much of it seems arcane
  ○ Finding a severe vulnerability without access to the source code
  ○ Crafting an exploit
  ○ Endless clever ways to break software
● But you have much more knowledge than the attackers do
  ○ You wrote your code
● Don’t just leave it to the experts, take responsibility for knowing security

Code Complexity in the Linux Kernel
Source: https://www.linuxcounter.net/statistics/kernel

Complexity, Vulnerabilities, and Incidents
Source: Gary McGraw (after Dan Geer)

Software Security is...
● NOT a dire, apocalyptic future
● Fear-mongering will not be tolerated here
● Risk management dictates that we deal in the probable more than the possible

Software Security is...
● NOT a set of features
● Secure software > Security software
● Tools and experts are helpful, but:
  ○ You can’t just deploy a magical tool and expect all vulnerabilities to disappear
  ○ You can’t outsource all of your security knowledge
● Even if you are using a security library, you need to know how to use it properly

Software Security is...
● NOT a problem for mathematicians
● Cryptography
  ○ Is important and necessary
  ○ Cannot solve all of your security problems
  ○ e.g. pick-proof lock vs. open window
● Proofs, access control rules, and verification are helpful, but inherently incomplete

Software Security is...
● NOT a problem for just networking and operating systems
● Software had security problems long before we had the internet, but the internet accelerates the spread of those problems
● Holistic - if you are defending your castle, you don’t just stop at locking the windows (drawbridge, moat, turrets, etc.)

Software Security is...
● A reality that everyone must face
  ○ Not just developers, all stakeholders
● A learnable mindset for software engineers
● The ability to prevent unintended functionality
  ○ At all layers of the stack
  ○ In all parts of your system

Student Security Maturity
1. Denial:
  ● I don’t have to think about this, just let me code
  ● Leave it to the experts
  ● I could never understand this anyway
2. Irrational fear, superstition:
  ● EVERYTHING IS POSSIBLE NOW!!!
  ● EVERY MITIGATION IS NECESSARY!!!
  ● ENCRYPT EVERYTHING!!!
3. Bag of tricks:
  ● Let’s just try these tricks that worked in the past
  ● We’ve done these 10 things… that’s a lot… close enough, right?
4. Reasoned, balanced, defensive mindset:
  ● If we do X, we mitigate Y, which is worthwhile because of Z