Notes - MCS
Robust Software

Software Security Basics

Last updated 1 year ago

A vulnerability is a weakness in the security system (in its procedures, design, or implementation) that might be exploited to cause loss or harm.

A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

  • That is, a potential violation of security. A threat does damage only by exploiting some vulnerability.

An attacker (a human, or software acting on a human's behalf) who exploits a vulnerability perpetrates an attack on the system.

How do we address these problems?

  • We use a control as a protective measure.

  • That is, a control is an action, device, procedure, or technique that removes or reduces a vulnerability.

Threats

Vulnerabilities

Data vulnerabilities

Software Vulnerabilities

  • Software deletion: the program is destroyed or removed, so it is no longer available to its users.

  • Software modification: the program is changed so that it fails, or does something unintended, while still appearing to work. The forms below are all kinds of modification.

  • Software theft: the program is copied or used without authorization.

Logic Bomb

A program that works correctly most of the time but contains hidden code that triggers a malicious action under specific circumstances (a date, a particular user, a particular input).

Trojan Horse

A program that overtly does one thing while covertly doing another.

Virus

Malicious code that attaches itself to other programs and copies itself into them, so that it spreads from one program, file, or computer to another.

Trapdoor

A program that has a secret entry point (also called a backdoor): a way in that bypasses the normal access checks, often left behind by a developer for testing or maintenance and never removed.

Information Leaks

Code that makes information accessible to unauthorized people or programs, for example through overly detailed error messages, logs, or side channels.
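Two of the weaknesses above, the trapdoor and the information leak, are easiest to recognise in code. The following is an added example written for these notes, not code from the original page: a toy login routine that contains a hard-coded "service" password (a trapdoor) and that reports different failure messages for unknown users and wrong passwords (a leak that enables username enumeration), beside a hardened version with no secret entry point, a constant-time digest comparison, and one uniform failure message. The user name `alice`, her password, and the string `s3rv1ce-2019` are constructed for the example; the regex check at the end is a deliberately crude illustration of how a static scan might flag the trapdoor pattern, not a complete detector.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # PBKDF2 work factor used throughout this example


def make_record(password):
    """Return (salt, pbkdf2_sha256 digest) for a password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed credential store for this example (a real system would read it from a database).
USERS = {"alice": make_record("correct horse battery staple")}


def login_with_trapdoor(username, password):
    """Vulnerable variant. Returns (success, message).

    Two weaknesses from the text: a trapdoor (a hypothetical "service" password that
    bypasses the normal check for every account) and an information leak (the failure
    message tells the caller whether the username exists).
    """
    if password == "s3rv1ce-2019":               # trapdoor: hard-coded secret entry point
        return True, "ok"
    record = USERS.get(username)
    if record is None:
        return False, "no such user"             # leak: username enumeration
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if candidate == digest:                      # plain == also leaks via timing
        return True, "ok"
    return False, "wrong password"               # leak: confirms the account exists


# Dummy record so that an unknown username costs the same work as a known one.
_DUMMY = make_record(os.urandom(8).hex())


def login_hardened(username, password):
    """Hardened variant: no secret entry point, constant-time digest comparison,
    and a single failure message whatever the reason for the failure."""
    salt, digest = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(candidate, digest) and username in USERS
    return (True, "ok") if ok else (False, "invalid username or password")


# Crude static check for the trapdoor pattern: a password variable compared to a string literal.
_LITERAL_PASSWORD_CMP = re.compile(r"""\b(password|passwd|pwd)\s*==\s*(['"]).+?\2""")


def find_literal_password_checks(source):
    """Return the source lines that compare a password variable against a literal."""
    return [line.strip() for line in source.splitlines() if _LITERAL_PASSWORD_CMP.search(line)]


if __name__ == "__main__":
    print(login_with_trapdoor("nobody", "s3rv1ce-2019"))   # anyone gets in with the service password
    print(login_hardened("nobody", "s3rv1ce-2019"))        # refused, same message as any other failure
    print(find_literal_password_checks('if password == "s3rv1ce-2019":'))
```

The hardened version also fixes two things the text does not name explicitly: the unknown-user path does the same PBKDF2 work as the known-user path, and `hmac.compare_digest` avoids the byte-by-byte early exit of `==`, so neither the message nor the response time tells the caller which check failed.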

Security Goals (CIA):

  • Confidentiality ensures that computer-related assets are accessed only by authorized parties.

    • "Access" here covers reading, viewing, printing, and even knowing that the asset exists.

    • Also called secrecy or privacy.

  • Integrity means that assets can be modified only by authorized parties or only in authorized ways.

    • "Modify" covers writing, changing, deleting, and creating.

  • Availability means that assets are accessible to authorized parties at appropriate times.

    • Availability is often discussed in terms of its opposite, denial of service.
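The three goals map onto concrete checks that a single enforcement point (a reference monitor) can make. The following is an added example for these notes, not code from the original page: a toy in-memory store whose every access goes through one `access` method. Confidentiality is enforced by default-deny and by returning the same answer for "denied" and "does not exist", so an unauthorized subject cannot even learn that an object exists; integrity is enforced by distinguishing how an object may be modified (the `app` principal may only append to the audit log, never rewrite it); availability is protected by a per-subject request budget so one principal cannot exhaust the service for the others. The subjects, object names, and policy table are constructed for the example.

```python
# Constructed policy for this example: the operations each (subject, object) pair may perform.
# "exists" and "read" are confidentiality operations; "write", "append" and "delete" are
# integrity operations. Anything not listed is denied (default deny).
POLICY = {
    ("alice",   "payroll.csv"): {"exists", "read", "write", "delete"},
    ("bob",     "payroll.csv"): {"exists"},
    ("app",     "audit.log"):   {"exists", "append"},   # may add entries, never rewrite them
    ("auditor", "audit.log"):   {"exists", "read"},
}


class Store:
    """A tiny reference monitor: every access passes through one check."""

    def __init__(self, max_requests=100):
        self.objects = {}
        self.max_requests = max_requests   # availability: per-subject request budget
        self.used = {}

    def access(self, subject, obj, op, data=None):
        # Availability: a subject that has exhausted its budget is refused, but the
        # refusal is per subject, so the service keeps running for everyone else.
        if self.used.get(subject, 0) >= self.max_requests:
            raise PermissionError("rate limit exceeded")
        self.used[subject] = self.used.get(subject, 0) + 1

        # Confidentiality: an unauthorized subject must not even learn whether the object
        # exists, so a denied access and a missing object give exactly the same answer.
        if op not in POLICY.get((subject, obj), set()):
            raise PermissionError("not found")
        if op == "exists":
            return obj in self.objects
        if op == "read":
            if obj not in self.objects:
                raise PermissionError("not found")
            return self.objects[obj]

        # Integrity: only authorized parties, and only in authorized ways. "append" can
        # add to an object but can never change or remove what is already there.
        if op == "write":
            self.objects[obj] = data
        elif op == "append":
            self.objects[obj] = self.objects.get(obj, "") + data
        elif op == "delete":
            self.objects.pop(obj, None)
        else:
            raise PermissionError("unknown operation")
        return True


def try_access(store, subject, obj, op, data=None):
    """Return (True, result) on success or (False, reason) on denial, so outcomes can be compared."""
    try:
        return True, store.access(subject, obj, op, data)
    except PermissionError as e:
        return False, str(e)


if __name__ == "__main__":
    s = Store(max_requests=3)
    s.access("alice", "payroll.csv", "write", "bob,1000")
    print(try_access(s, "bob", "payroll.csv", "read"))      # bob may check existence but not read
    print(try_access(s, "eve", "payroll.csv", "exists"))    # eve learns nothing, not even existence
    print(try_access(s, "app", "audit.log", "write", ""))   # the app cannot rewrite the audit log
```

Note that the budget is charged before the policy check: a subject that hammers the monitor with denied requests still burns its own budget, which is what keeps a flood of rejected calls from becoming a denial of service for the other subjects.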