TDT4237 Software Security Introduction

Transcript of TDT4237 Software Security Introduction

TDT4237 Software Security

Introduction

About me

• 2002 – siv.ing. computer science – information security

• 2002-2009 – research scientist, information security, SINTEF

• 2004-2009 – PhD, Access Control, NTNU

• 2009 – 2013 – CISO, Lånekassen

• 2013 -> Head of information security section, Difi

• Teaching TDT4237 since 2006

About you

Curriculum

Free! www.owasp.org

Also free! http://www.cl.cam.ac.uk/~rja14/book.html

How it works

• Part 1: Threats & hacking

• Part 2: Building Security In

• Part 3: Classic security + selected topics

• Exercises: Learning By Failing & Fixing – 3 parts

– Groups

Lecture plan (tentative)

● 29/8 - Introduction lecture

● 5/9 - OWASP Testing Guide Part 1 - information gathering + injection attacks

● 12/9 - OWASP Testing Guide Part 2 - injection attacks (contd.) + sessions, authentication, authorisation

● 19/9 - OWASP Workshop - hosted by Kantega. NB: 4 hours - 12:00-16:00

● 26/9 - Threat Modelling

● 3/10 - Building Security In Maturity Model (BSIMM)

● 10/10 - Risk Management Framework and Software Security Touchpoints

● 17/10 - Understanding Risk and RMF in-class example. NB: 4 hours - 12:00-16:00

● 24/10 - Risk-based security testing

● 31/10 - Authentication and authorisation

● 7/11 - Cryptography in software

● 14/11 - Security and insecurity

● 21/11 - Summary lecture

Exercises – learning by failing & fixing

● Exercise 1 – Black box + White box testing of vulnerable web app

– Presented 12/9 14:15-16:00 KJL1

– Deadline 25/9

● Exercise 2 - Fixing and extending the vulnerable app

– Presented 26/9 14:15-16:00 KJL1

– Deadline 23/10

● Exercise 3 – Black box + White box testing of another group's fixed (?) app

– Presented 24/10 14:15-16:00 KJL1

– Deadline 13/11

● The timeslot for exercise lectures is only used when announced!

Exercise groups

● 4-6 students

● To form a group

– Send an e-mail with a list of the names and e-mails of the group members to [email protected]

● If you don't have a group

– Send an e-mail to [email protected]

– You will be assigned to a group

● Deadline: September 11th

Evaluation and grading

● Exercises: 30%

● Exam: 70%

● You have to pass both!

– You have to hand in all the exercises and get a passing grade to be allowed to take the exam

– If you fail the exam, you will fail the course

RISK

Learning to think like an attacker

To be able to build more secure systems

Risk Management Framework

Software Security Touchpoints

Questions?

Why security matters

NewsBites

NewsBites

China to launch PC operating system this fall

US companies are not implementing Secure Shell (SSH) appropriately or well

Passwords

Q: What is a good password?

Q: And how would you store it?
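One answer to the storage question, as an added example that is not part of the lecture slides: never store the password itself or an unsalted fast hash of it; store the output of a slow, salted key-derivation function and compare in constant time. The record format (`pbkdf2_sha256$iterations$salt$hash`) and the iteration count are assumptions chosen for illustration, not values from the course. The naive variant is included only to show why two users with the same password would end up with identical, offline-guessable records.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; tune the iteration count to the
# hardware the verification runs on (higher is slower for an attacker too).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_PREFIX = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """The anti-pattern: a fast, unsalted hash. Identical passwords give
    identical records, and precomputed tables defeat it cheaply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a stored record from a password using PBKDF2-HMAC-SHA256.

    A fresh random salt per user means equal passwords produce different
    records, and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Encode everything needed to re-derive the hash later into one string.
    return "$".join([
        RECORD_PREFIX,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and iteration count and
    compare it in constant time to avoid leaking where the mismatch is."""
    try:
        prefix, iter_str, salt_b64, digest_b64 = record.split("$")
        if prefix != RECORD_PREFIX:
            return False
        iterations = int(iter_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        # Malformed record: fail closed rather than raising into the caller.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def same_password_same_record(password: str) -> bool:
    """Helper for the demonstration: True if two stored records for the same
    password are indistinguishable (the weakness of the naive scheme)."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    print("naive hashes collide:", naive_hash("hunter2") == naive_hash("hunter2"))
    print("salted records collide:", same_password_same_record("hunter2"))
```

The stored string carries its own salt and iteration count, so the work factor can be raised later by re-hashing on the user's next successful login without a schema change.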

Threats

Information Security

Availability

Confidentiality

Integrity

Assets

Software Security

Definition

The Trinity of Trouble

Complexity

Connectivity

Extensibility

The three pillars of software security

No more - «Penetrate & Patch»

10 Guiding Principles for Software Security

1. Secure the weakest link

2. Practice defense in depth

3. Fail securely

4. Follow the principle of least privilege

5. Compartmentalize

6. Keep it simple

7. Promote privacy

8. Remember that hiding secrets is hard

9. Be reluctant to trust

10. Use your community resources

Building Secure Software: How to avoid security problems the right way (John Viega and Gary McGraw)

Next time:

Panning for gold and injection attacks