What is Software Security?
[Figure labels: Remote Access; Threats; Firewall and OS; Physical Protection; Security; Wireless Networks]
Software Security Research Landscape
[Figure: software security research landscape. Areas shown: application software security; network security; VoIP security; wireless network & platform security; software components & architecture security; convergence network security; software security; service-oriented architecture security; cloud & web services security; open source component security.]
A Software Flaw is a software security error in the design.
A Software Bug is a software security error left in the implementation.
https://app.box.com/s/qg0tofy8yzl06vwikg3o2fbbkmlrvmd7
Application Security
[Figure labels: Availability; Knowledge; Integrity; Software security touchpoints; Confidentiality; Risk Management; Compliance]
Software Security Engineering
Software Engineering: Requirements, Design, Code, Testing, Quality Assurance
Software Security: Security Requirements, Design for Security, Security analysis, Security Testing, Security Assurance
Outcome: Secured Systems/Products
Secure Requirements and Design: Identify possible threats and sensitive data and resources, and define security
requirements such as confidentiality, integrity, and availability. Apply threat modelling and abuse and misuse cases.
Apply secure software design principles by integrating security requirements into the design to prevent and mitigate possible
security breaches and cyber attacks. The main categories of secure design principles are: Simplicity, Design for Security (Build
Security In (BSI), Build Trust In (BTI)), and Defend in Depth (all possible defences against security attacks). Example:
Very Secure FTP Daemon (vsftpd), a lightweight, stable and secure FTP server for UNIX-like systems,
https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon
Software Security Techniques
[Figure: software security techniques. Recoverable labels: abuse cases; security risk analysis and modelling; external review; risk-based security test; static analysis for code; security inspection; architectural risk analysis; penetration testing; security breaks.]
Microsoft’s Security Development Lifecycle (SDL)
Secure Implementation Techniques: Apply secure coding rules and tools to prevent, mitigate,
and detect all possible security attacks.
Apply automated code review techniques such as static analysis, vulnerability analysis, and
symbolic execution which underlies whitebox fuzz testing.
Apply penetration testing to find potential flaws in the real system in a deployment
environment.
Apply fuzz testing and attack patterns.
SSE Methods Comparison
Methods compared: Microsoft SDL (Howard and Lipner 2006); McGraw's Touchpoints (McGraw 2004 & 2006); OWASP's CLASP (2006); VCGs (Byers and Shahmehri 2007); S2D-ProM (Essafi, Labed, and Ghezala 2007); UMLSec (Jürjens 2005)
Process stages/activities supported:
  Microsoft SDL: Full set of activities
  McGraw's Touchpoints: Range of activities
  OWASP's CLASP: A set of activities
  VCGs: VCG based
  S2D-ProM: Risk based
  UMLSec: UML based profiling and formalism
Risk management:
  Microsoft SDL: Part of
  McGraw's Touchpoints: Aspect of
  OWASP's CLASP: Aspect of
  VCGs: Not explicitly
  S2D-ProM: Risk based
  UMLSec: Aspect of
Security techniques:
  Microsoft SDL: Threat modelling
  McGraw's Touchpoints: Threat modelling
  OWASP's CLASP: Threat modelling
  VCGs: Process is based on and specific to Vulnerability Cause Graphs (VCGs)
  S2D-ProM: Attack tree and labelled directed graph with goals/intentions (state transitions diagrams)
  UMLSec: UMLsec
Lifecycle support: Iterative
Secure Mobile Cloud Computing (MCC) Architecture
A.N. Khan et al., Towards secure mobile cloud computing: A survey, Future Generation Computer Systems 29 (2013) 1278–1299
Security services on different layers
In addition to security and privacy, the secure cloud application services provide user management, key
management, encryption on demand, intrusion detection, authentication, and authorization services to mobile users.
There is a need for a secure communication channel between the cloud and the mobile device. Secure routing
protocols can be used to protect the communication channel between the mobile device and the cloud. Virtualization
improves the utilization of cloud resources but introduces new security issues due to the lack of perfect isolation of
virtual machines hosted on a single server.
Key points