Course 1 Learning Plan: Security overview and patching, public vulnerability databases and resources...
TRANSCRIPT
Course 1 Learning Plan
Security overview and patching
Public vulnerability databases and resources
Secure software engineering
Security assessment and testing
Resource management
Trust management
Overarching Goals
Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Understanding the Security Mindset
Security as...
  an enabler
  a process
  risk management
  a puzzle
  a multidisciplinary science
Security as an Enabler
Common perspective: Security is an inconvenient obstacle that forbids actions
Correct perspective: Security enables projects and enterprises that would otherwise be impractical, by lowering risks
Analogy: Are the tracks that a train must follow a restriction, or an enabler?
Question
Provide another example where something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks
Question: Sample Answers
Provide another example where something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks
  Restraints in amusement park rides
  Seat belts
  Dual-signature checks
Security as a Process
"I got software X so I'm safe"
What would you think of a railroad company that laid railroads without checking and maintaining their integrity?
"Old software never dies; it just becomes insecure." (Author unknown)
Need design, configuration, inspection, maintenance, management, updates
  Provide assurance that track quality is acceptable
  Basis for trust
Processes can provide guarantees
Security as a Process: Exercise
Discuss why old software can become insecure
Security as a Process: Exercise Sample Answers
Discuss why old software can become insecure
Security objectives or policies have changed
  Laws have changed
  Business model changed
  Company processes changed
Environment has changed
  Configuration is out of date
  Operating system has changed
  Risks are different
  Protections have changed (e.g., firewall rules)
  Employees' and units' responsibilities have changed
Vulnerabilities have been found
  Exploits, worms, viruses exploit them
Input has changed
  e.g., old application made to work online (with a wrapper)
  Protocol changed
Security as Risk Management
How much is an asset worth? How vulnerable is the asset? What are the risks?
Financial costs (contracts, sales, remediation, etc.)
Reputation (that alone killed the Arthur Andersen accounting firm in the Enron scandal)
  Part of building trust is building secure software
Employee loyalty, productivity and well-being
  Morale, self-respect
Security as Risk Management: Question
You maintain a customer credit card database for your business. Which security questions would you ask to help you manage the risks to the database?
Security as Risk Management: Possible Answers
You maintain a customer credit card database for your business. Which security questions would you ask to help you manage the risks to the database?
  How valuable is the database to an attacker, to your customers, and to you?
  Who (and what) has access to the database?
  How is the database protected?
    Is it on a shared or dedicated host?
    Is there a path to the internet from the database?
    How well is the software kept up-to-date with patches?
    Are there applicable risk mitigation strategies?
  How long is credit card information kept?
  Do customers have the option of re-entering their credit card information every time instead of having it stored?
Security as a Puzzle
What can a skilled attacker contrive?
  Which assumptions are being made? Are they always true? What guarantees the assumptions? Is indirect evidence relied upon?
  Who and what can be trusted? Who controls, controlled or could control it?
  What logic flaws exist? Are all cases handled? (a single hole may sink the ship)
  Is there a transformation that makes all the pieces fall apart?
  What resources are exposed?
Security as a Puzzle: Exercise
Give an example of an incorrect assumption made by an application that inhibits security
Example: some email clients assume that the standard ports for the IMAP, POP and SMTP protocols will always be used, and so they reject server specifications that include a port number: 127.0.0.1:1143 is rejected
Consequence: the use of encryption through ssh tunneling is discouraged
Security as a Puzzle: Exercise Answers
Give an example of an incorrect security assumption made by an application.
Assuming that the file extension and the MIME type are the same
  Deciding to download something based on the file extension, while the file is then processed according to another MIME type (IE 5, 6: CAN-2001-0712)
  Deciding how to handle an email attachment based on the MIME type, while the attachment really is an executable that gets launched! (IE 5: CAN-2001-0154)
Security as a Multidisciplinary Science: Social Engineering
Social engineering is used to exploit human trust through deception
Poor user interface design may facilitate social engineering
  Example: In some email programs, someone could be fooled into thinking that an attachment was a safe file, and open it. What appeared as "resume.txt" was in reality "resume.txt .exe"
User interface design affects the security of applications!
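The two previous slides describe the same defensive lesson from two angles: a client that lets the file extension, the declared MIME type or the displayed name alone decide how an attachment is handled can be made to run an executable. The following added example (not code from the slides or from any of the products they name) shows a handling decision that requires the three sources to agree and refuses anything that looks executable; the extension table, the magic-byte table and the sample attachments are all constructed for the illustration.

```python
import re
from typing import Optional, Tuple

# Constructed lookup tables for this example (not from the slides): the type
# an extension claims, and the type that a file's leading bytes prove.
EXTENSION_TYPES = {
    ".png": "image/png",
    ".pdf": "application/pdf",
    ".txt": "text/plain",
    ".zip": "application/zip",
    ".exe": "application/x-msdownload",
}
MAGIC_BYTES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
    b"MZ": "application/x-msdownload",  # Windows PE executable header
}
EXECUTABLE_TYPES = {"application/x-msdownload"}


def sniff_type(data: bytes) -> Optional[str]:
    """Type proven by the leading bytes, or None when no known signature matches."""
    for signature, mime in MAGIC_BYTES.items():
        if data.startswith(signature):
            return mime
    return None


def has_padded_extension(name: str) -> bool:
    """True for names like 'resume.txt      .exe': whitespace before the last
    extension pushes it out of the visible part of a truncated display."""
    return re.search(r"\s+\.[^.\s]+$", name) is not None


def decide_attachment(name: str, declared_mime: str, data: bytes) -> Tuple[str, str]:
    """Return ('open', type) only when the extension, the declared MIME type and
    the content all agree and none of them is executable; else ('reject', why).
    Trusting any one of these three alone is the mistake the slides describe."""
    if has_padded_extension(name):
        return ("reject", "whitespace hides the real extension")
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    ext_type = EXTENSION_TYPES.get(ext)
    if ext_type is None:
        return ("reject", f"unknown or missing extension {ext!r}")
    content_type = sniff_type(data)
    if ext_type in EXECUTABLE_TYPES or content_type in EXECUTABLE_TYPES:
        return ("reject", "executable content is never opened automatically")
    if declared_mime != ext_type:
        return ("reject", f"declared {declared_mime} but extension means {ext_type}")
    if content_type is not None and content_type != ext_type:
        return ("reject", f"content is {content_type}, not {ext_type}")
    if ext_type == "text/plain":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return ("reject", "text/plain attachment is not valid text")
    return ("open", ext_type)


if __name__ == "__main__":
    # Constructed attachments: one honest file and four of the mismatches discussed.
    samples = [
        ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("resume.txt .exe", "text/plain", b"MZ\x90\x00"),
        ("resume.txt.exe", "text/plain", b"MZ\x90\x00"),
        ("invoice.pdf", "text/plain", b"%PDF-1.4\n"),
        ("notes.txt", "text/plain", b"MZ\x90\x00"),
    ]
    for name, mime, data in samples:
        print(f"{name!r:22} {mime:16} -> {decide_attachment(name, mime, data)}")
```

The order of the checks matters less than the rule that every check must pass: the padded name is refused before its content is even examined, the double extension is refused because the final extension is executable, and a text file whose bytes carry an executable header is refused even though name and declared type agree with each other.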
Security as a Multidisciplinary Science: Social Engineering
You get a phone call from the CFO, on a trip: "I can't remember the VPN password, and I need a document now!"
"Your account will be terminated tomorrow unless you take action, as described in this attachment!"
"Please help me get my money out of this crazy country!"
"Oh, no, I forgot my key/badge/token! Please, hold the door, I have my hands full! Thanks!"
Security as a Multidisciplinary Science: Social Engineering
Most problems are related to identification without authentication
  By phone
  Online
Identification by impression and persuasion
Social mechanisms
  Helpfulness
  Ingratiation (a.k.a. "brown-nosing")
  Conformity, peer pressure
  Diffusion of responsibility
  Friendliness
Employees can do it even if they know they shouldn't!
Security as a Multidisciplinary Science: Social Engineering (continued)
Physical Security
  Dumpster diving
    Recon for attack
    Phone books, calendars, etc.
  Backdoors, tailing someone through a door
  Stealing documents...
Reverse Social Engineering
  Instead of asking for information and help, you provide it initially
  Of course they need help because of something the attacker did
Read more: Granger S. (2001, 2002) Security Focus "Infocus" articles
Security as a Multidisciplinary Science: Exercise: Social Engineering
Team up in groups of 2 or 3 and make up a skit to demonstrate a social engineering technique; your "victim" will be another student in the audience who will "fall for it". Follow it up with a second version showing the correct response. Do try to obtain the most outrageous results possible (while being convincing). After the skit, explain the preparation you would have needed to conduct the attack. You can get inspiration from the table of correct responses (Granger 2002): http://www.securityfocus.com/infocus/1533
Security as a Multidisciplinary Science: Psychological Effects
Security features (or the lack thereof) have psychological effects
  SPAM: loss of value and control over an important communication medium
  Panoptical effects (feeling of being watched)
    Can affect motivation, focus
    People perform differently
    Intellectual performance is typically lower under surveillance
Exercises
Identify a user interface limitation that may allow social engineering
Identify a security mechanism that may cause users to feel that they are being watched
Example Answers
Identify a user interface limitation that may allow social engineering
  Phishing email scams
  Look-alike web sites that capture passwords
Identify a security mechanism that may cause users to feel that they are being watched
  Windows login banners
  "Possibly" recorded phone calls to help centers
Overarching Goals
Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Vulnerability
A flaw in a system that allows a policy to be violated
Example policy: the content on a web site is restricted to authenticated users.
Vulnerability: the web site relies on JavaScript to be executed on the client browser for access control
Exploit: Disable JavaScript
An abundance of vulnerable sites exist
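The policy, vulnerability and exploit on this slide can be made concrete in a few lines. The added example below is not code from the slides; it models a web server as plain Python functions, with a constructed restricted page and a constructed session table. The vulnerable handler sends the restricted content to everyone and leaves a script in the page to redirect visitors without a session; the hardened handler checks the session on the server and sends nothing restricted until it has. Whether the visitor's browser runs the script is the visitor's choice, so the only thing that enforces the policy is what the server puts in the response body.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed restricted content and session store for this example.
RESTRICTED_PAGE = "<h1>Members only</h1><p>Quarterly numbers: ...</p>"
SESSIONS = {"session-id-for-alice": "alice"}  # cookie value -> authenticated user


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def vulnerable_handler(req: Request) -> Response:
    """Sends the restricted page to every visitor and relies on a script in the
    page to bounce unauthenticated browsers to /login (the slide's pattern).
    The server has already disclosed the content by the time the script runs,
    and a browser with JavaScript disabled never runs it at all."""
    gate = ('<script>if (!document.cookie.includes("session=")) '
            '{ location.href = "/login"; }</script>')
    return Response(200, gate + RESTRICTED_PAGE)


def hardened_handler(req: Request) -> Response:
    """Enforces the policy on the server: no valid session, no restricted bytes."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return Response(401, "<p>Please log in.</p>")
    return Response(200, RESTRICTED_PAGE)


def leaks_restricted_content(handler: Callable[[Request], Response], req: Request) -> bool:
    """True when the response body carries the restricted page. Anything in the
    body is in the visitor's hands, whatever the page's own scripts intend."""
    return RESTRICTED_PAGE in handler(req).body


if __name__ == "__main__":
    anonymous = Request("/members")
    alice = Request("/members", {"session": "session-id-for-alice"})
    for name, handler in [("vulnerable", vulnerable_handler), ("hardened", hardened_handler)]:
        print(f"{name:10} anonymous gets content: {leaks_restricted_content(handler, anonymous)}, "
              f"alice gets content: {leaks_restricted_content(handler, alice)}")
```

The check `leaks_restricted_content` is also how such a flaw is found in review or testing: request the protected resource without credentials using a client that does not execute scripts and inspect the raw response, rather than trusting what a browser displays.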
Exploit
An exploit is the act of exercising a vulnerability
Also used to refer to an actual program, binary or script that automates an attack
Latent Vulnerabilities
Sometimes, a vulnerability can be protected by a change that leaves the vulnerable code in place:
  some change external to the application (firewall)
  a configuration change (disabling an option)
  a code wrapper that blocks exploit attempts
A vulnerability that is not exploitable at the moment is a latent vulnerability
Potential Vulnerabilities
Bad practices, quality defects and other flaws that could result in vulnerabilities in a different code context are potential vulnerabilities
Exploitability
Difficult to establish whether a vulnerability is exploitable, latent or potential in complex systems
A latent or potential vulnerability can become exploitable when
  The software is used in a different context sometime after its design
  The configuration is changed
  The code is changed
  Someone thinks of something you didn't
Is a memory leak exploitable? It depends!
Exercise Evaluate your security stance and risk tolerance.
For each potential, latent and exploitable vulnerability you find, would you:
a) Ignore the problem to save money and development time
b) Add a "REVISIT" type of comment in the code or create an entry in the bug tracking database
c) Bring immediate attention to the problem
Exercise: Typical Answer
a) Ignore the problem to save money and development time
b) Add a "REVISIT" type of comment in the code or create an entry in the bug tracking database
c) Bring immediate attention to the problem
Option c) should be done first and serves as an assessment step. Then, both b) and a) may also be done for the same issue. Ignoring the problem (temporarily?) can be justified depending on its severity and business circumstances (e.g., support for an end-of-life product ends sooner than the time required for a fix).
Exposure
An exposure is an information leak that may assist an attacker. Examples:
  Software identification and version number released when connecting to a service, which may be used to select the most effective attack.
  When web pages display SQL error messages
  When an IT person is having trouble (e.g., with their firewall) and posts questions to public mailing lists with their company's email address
  Sun's "tar" utility disclosed part of the password file
Exercise
Identify other examples of information leaks that may assist an attacker
Exercise: Sample Answers
Identify other examples of information leaks that may assist an attacker
  Finger may release information about who is online, e.g., administrators
  Source code leaks (if the code contains vulnerabilities)
  Directory listings
  Wireless networks that broadcast their existence
Security Objective
A security objective is a high-level description of what the program or system must accomplish.
Federal regulations drive many of these objectives
  HIPAA (Health Insurance Portability and Accountability Act)
  etc.
Examples:
  all money transfers must be legal
  the system must pass EAL4 Common Criteria certification
Policy
Policies specify which activities, states and processes are allowed. Examples:
  All users must be authenticated
  Money transfers can only be requested by the account owner
Also refers to security models that specify rules
Famous policies (e.g., see Bishop 2002):
  The Bell-LaPadula confidentiality model
  The Biba integrity model
  The Clark-Wilson integrity model
Risks to Confidentiality, Integrity and Availability
Confidentiality is threatened when information can be revealed in violation of a policy. Examples: eavesdropping and inadequate access control
Integrity is threatened when information can be manipulated by an attacker. Example: "man-in-the-middle" attack
Availability is threatened when a resource can be disabled or made unavailable.
Assets can be classified according to these
Example
An FTP server is read-only. If passwords are sent in clear text, what is threatened if transmissions are captured?
  Confidentiality of the passwords
  Confidentiality of the documents on the FTP server
  Confidentiality, Integrity and Availability of other resources that use the same password!
Question
Privacy fits best into which category?
a) Confidentiality
b) Integrity
c) Availability
Question
Privacy fits best into which category?
a) Confidentiality (not a perfect fit)
b) Integrity
c) Availability
Note that some organizations prefer to put emphasis on privacy separately from CIA (e.g., Purdue University's Security and Privacy office). Also, privacy advocates consider it important to be able to verify the integrity of personal information, especially when that information can be used against them (e.g., credit reports).
Overarching Goals
Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Security Organizations
Security companies and organizations are held to a higher standard of security
Reputation
  Would you buy from an HVAC company that has broken A/C equipment in their offices?
Employees are responsible for protecting the credibility of the company
Exercise
Name an industry sector, and something that would make you avoid a company working in that sector.
People Want Software That:
Is produced with security assurance
  Analogy: some applications exposed to the internet are like disguised cartons of eggs on the sidewalk
Lowers security risks
  To comply with laws mandating low security risks
    HIPAA
    GLBA (Gramm-Leach-Bliley)
    FERPA
  To protect trade secrets and other valuable company information
Has fewer maintenance headaches (patching) and costs
Protects their reputation
Exercise
Identify risks that would cause you to stop using a product. Be specific.
Exercise: Example Answers
Frequency of vulnerabilities and patches
Absence of patches (or slow turnover) for known issues
Severity of vulnerabilities
Criticality of the application
Unreliability of patches
  Patches that break previous fixes
  Patches that are incompatible with other software
Downtime while applying patches
Unreliable file systems (non-journaled)
Which matter most (for whom)?
Your motivation as a participant in software development
How important is quality?
  Quality assurance is inclusive of secure programming techniques
How much design?
  Information assurance happens by design
How risk-averse?
  Security problems in your projects and code can hurt your reputation as well as your employer's
Overarching Goals
Understand the security mindset
Understand security definitions
Understand the risk and impact on Symantec of insecure software products
Understand patching costs
Cost of Patching
Cost of evaluating vulnerability claims
Cost of patch development and testing
Cost of patch notification and download system
NIST recommendation on applying patches (SP 800-40)
  Patch and Vulnerability Group (customer's cost)
    test patches
    notify administrators
    monitor application of patches by system administrators
  Vulnerability scanning to verify or enforce
Question
Patches incur costs to?
a) the vendor
b) the customer
c) both
Question
Patches incur costs to?
a) the vendor
b) the customer
c) both
Cost of Patching vs Preventing Flaws
Security bugs are introduced at 3 different stages:
  Design and architecture
  Implementation
  Operations
Fixing security bugs with a patch costs 60 times more than catching them at design time*
*: IBM System Sciences Institute statistics, cited by Kevin Soo Hoo, Andrew W. Sudbury and Andrew R. Jaquith in "Tangible ROI through Secure Software Engineering," Secure Business Quarterly, Volume 1, Issue 2.
Question
If it costs $100,000 to issue each security patch, approximately how much could have been saved by correcting the problem at design time?
a) $9,800
b) $98,000
c) $980
Question
If it costs $100,000 to issue each security patch, approximately how much could have been saved by correcting the problem at design time?
a) $9,800
b) $98,000
c) $980
Note: It isn't possible to catch all security flaws at design time.
Results from Current Software Engineering Methods
>1000 reported vulnerabilities each year
About 50% of vulnerabilities are commonly repeated mistakes
About 25% of vulnerabilities could be avoided by applying secure design principles at design time
Need new methods
  Patches created using the same development methods that created the buggy software are likely buggy themselves!
  "We can't solve problems by using the same kind of thinking we used when we created them." (Albert Einstein)
Question
Approximately what percentage of documented vulnerabilities are common repeated mistakes?
a) 25%
b) 50%
c) 75%
Question
Approximately what percentage of documented vulnerabilities are common repeated mistakes?
a) 25%
b) 50%
c) 75%
Question (guess)
How much money does a developer for a large software project typically save a company when catching and fixing a vulnerability during development instead of patching?
a) $1,000
b) $10,000
c) $100,000
A vulnerability fixed before release may take one hour, compared to weeks of several people's time to fix it after release.
Answer
c) $100,000
Without counting:
  1) costs to customers
    Especially if revenue-generating activities are interrupted!
  2) intangible costs
Motivation and Definitions: End
Scrabble copyright Hasbro
About These Slides
You are free to copy, distribute, display, and perform the work, and to make derivative works, under the following conditions:
  You must give the original author and other contributors credit
  The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes
  For any reuse or distribution, you must make clear to others the terms of use for this work
  Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification
For other uses please contact the Purdue Office of Technology Commercialization.
Developed thanks to the support of Symantec Corporation
Pascal
Contributors: Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera