
What is Software Security?

Lect 3
Software

Software is a set of instructions, data or programs used to operate computers and execute specific tasks.

In contrast to hardware, which describes the physical aspects of a computer, software is a generic term used to refer to applications, scripts and programs that run on a device.

Software can be thought of as the variable part of a computer and hardware as the invariable part.

What does security mean?

• Many (many) possible definitions . . .
o a set of “high-level” security goals:
• CIA = Confidentiality, Integrity, Availability (+ Non-Repudiation + . . . )
o may concern not only the running software itself but also its whole execution platform (e.g., open a shell, set up a trojan horse)
o something beyond safety and fault-tolerance:
• notion of intruder, with specific capabilities
• notion of threats, with a “threat model”
o a definition “by default”:
• functional properties = what the system should do
• security properties = what it should not do/allow . . .

What Is Software Security

It's all about building secure software!

The process of designing, building, and testing software for security.

Taking the pro-active approach: building security INTO the software as opposed to securing it after building it.

Software Security

Software security means protecting software against malicious attacks and other risks.

Security is necessary to provide availability, confidentiality, and integrity.

JUST TO CLARIFY ..

SOFTWARE SECURITY ≠ SECURITY SOFTWARE!!


What is Software Security?

• Software security is a kind of computer security that focuses on the secure design and implementation of software!
• Using the best languages, tools, methods
• Focus of study: the code
• By contrast: Many popular approaches to security treat software as a black box (ignoring the code)
• OS security, anti-virus, firewalls, etc.

Software (in)security

Software is the main source of security problems.

• Software is the weakest link in the security chain, with the possible exception of “the human factor”

Software security does (did?) not get much attention
• in other security courses, or
• in programming courses, or indeed, in much of the security literature!

Computer security courses traditionally focus on cryptography…

“if you think your problem can be solved by cryptography, then you do not understand cryptography and you do not understand your problem”

“Hacking the machine is almost always about exploiting software”

Why go in for software security?

Good, secure software is the need of the day.
• we do not know very well how to write secure SW
• we do not even know how to write correct SW!

Reduction in the expenses incurred in “fixing bugs” in software.

Market value – if your software isn’t secure, it is not going to stay in the market.

Why go in for software security?

Firewalls and anti-virus are like building walls around a weak interior.

Attackers often can bypass outer defences to attack weaknesses within.

Software Security aims to address weaknesses directly.

Reasons for insecure software

Reliance on networked devices
• Growing internet connectivity makes it easier for hackers

Easily extensible systems
• Extensions increase scope for software vulnerabilities

Increasing complexity of the software needed to be built
• Windows XP had 40 million lines of code!!

What can we do?

Be pro-active in building security into the software from the ground up.

Important to include security in every phase of the Software Development Life Cycle.

But WHY?

Why?

Software security is a system-wide issue that involves both building in security mechanisms and designing the system to be robust.

You can’t spray paint security features onto a design and expect it to become secure.

Most approaches in practice today involve securing the software AFTER it has been built.

Not the best approach, and certainly not effective enough, as has been proved (we still have issues with our software being meddled with by hackers, don’t we!)

Different Terms
A+T+V=R

• Asset – People, property, and information.
• An asset is what we’re trying to protect.
• Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
• A threat is what we’re trying to protect against.
• Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
• A vulnerability is a weakness or gap in our protection efforts.
• Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
• Risk is the intersection of assets, threats, and vulnerabilities.

Security Concepts

Security is about imposing countermeasures to reduce risks to assets to acceptable levels
• “Perfect security” is not necessary and costly

A security policy is a specification of what security requirements/goals the countermeasures are intended to achieve
• secure against what and from whom?

Security mechanisms to enforce the policy
• What actions we should take under an attack?

Assignment

Q1. Explain the difference between risk, vulnerability and threat using an example?

Q2. Being a professional, what is more important Threats or Vulnerabilities?

Q3. What are the differences between hardware and software security risks?

Q4. Do you review security at each phase of the software development lifecycle?
