conklin_4e_PPT_ch18

Copyright © 2016 by McGraw-Hill Education. All rights reserved.
Principles of Computer Security, Fourth Edition

Chapter 18
Secure Software Development

Objectives
• Describe how secure coding can be incorporated into the software development process.
• List the major types of coding errors and their root causes.
• Describe good software development practices and explain how they impact application security.
• Describe how using a software development process enforces security inclusion in a project.
• Learn about application hardening techniques.

Key Terms
• Agile model
• Black-box testing
• Buffer overflow
• Canonicalization error
• Code injection
• Common Vulnerabilities and Exposures (CVE)
• Common Weakness Enumeration (CWE)
• Cryptographically random
• CWE/SANS Top 25 Most Dangerous Software Errors
• Deprecated function
• Evolutionary model
• Fuzzing
• Grey-box testing

Key Terms (continued)
• Least privilege
• Requirements phase
• Secure development lifecycle (SDL) model
• Spiral model
• SQL injection
• Testing phase
• Top 25 list
• Use case
• Waterfall model
• White-box testing
• Zero-day

The Software Engineering Process
• There are several major categories of software engineering processes.
– The waterfall model, the spiral model, and the evolutionary model are major examples.

Process Models
• The waterfall model is characterized by a multistep process in which steps follow each other in a linear, one-way fashion, like water over a waterfall.
• The spiral model has steps in phases that execute in a spiral fashion, repeating at different levels with each revolution of the model.
• The agile model is characterized by iterative development, where requirements and solutions evolve through an ongoing collaboration between self-organizing cross-functional teams.

Process Models (continued)
• The evolutionary model is an iterative model designed to enable the construction of increasingly complex versions of a project.
• From a secure coding perspective, a secure development lifecycle (SDL) model is essential to success.
• Four primary items of interest in software creation are:
– Inclusion of security requirements and measures in the specific process model being used
– Use of secure coding methods to prevent opportunities to introduce security failures into the software’s design

Secure Development Lifecycle
• Secure coding is creating code that does what it is supposed to do, and only what it is supposed to do.
– Firms are now recognizing the need to include secure coding principles in the development process.
• Microsoft has Security Development Lifecycle (SDL).
• The Software Assurance Forum for Excellence in Code (SAFECode) is an organization formed by some of the leading software development firms with the objective of advancing software assurance through better development methods.
• Integrating security in the software development lifecycle process requires:
– Requirements, design, coding, and testing phases

Secure Development Lifecycle (continued)
• Two important tools have come from the secure coding revolution:
– Attack surface area minimization is a strategy to reduce the places where code can be attacked.
– Threat modeling is the process of analyzing threats and their potential effects on software in a very finely detailed fashion.
• The output of the threat model process is a compilation of threats and how they interact with the software.

Requirements Phase
• The requirements phase should define the specific security requirements if there is any expectation of them being designed into the project.
• The cost of adding security at a later time rises exponentially.
• The development of both functional and nonfunctional security requirements occurs in tandem with other requirements through the:

Requirements Phase (continued)
– The process is all about completing the requirements.
– The objective of the secure coding process is to properly implement this and all other requirements, so that the resultant software performs as desired and only as desired.
– The requirements process is a key component of security in software development.