Secure Software
1 like333 views
The document summarizes a presentation on secure software development. It defines common security terms like threats, vulnerabilities, and attacks. It also describes the STRIDE framework for categorizing security risks as spoofing, tampering, repudiation, information disclosure, denial of service, or elevation of privileges. Finally, it provides examples of mitigation techniques like authentication, authorization, encryption, and limiting privileges to address each type of risk.
Secure Software
- 1. Secure Software Presenter: Bhavya Siddappa
- 2. Agenda Why security? Terms used STRIDE Response to threats Mitigation
- 3. Why security? There are some malignant users in the world They can extract valuable information from system and misuse it They can shut down the server for fun They can make the system behave abnormally They can enter unwanted information or incorrect information in the system They can flood the database with a lot of data They do it just for fun Your system can be next victim The trouble to fix the problem would be too much after it is hacked The data loss could be painful Customer satisfaction is affected along with your goodwill
- 4. Terms Threats: The potential event that can cause unwelcome outcome are threats. Vulnerabilities: the weakness (code bug, design flaw) in the system is called vulnerability Attack: when an attacker takes advantage of the vulnerability with a motive
- 5. STRIDE Spoofing of identity Using another users authentication by illegal access Tampering with data Malicious modification of data in database or data in transit Repudiation A user can deny performing an action w/o proof Information disclosure Access to information that is not supposed to be accessed by a user or to data in transit Denial of service Deny service to valid users Elevation of privileges Unprivileged user can get privileged access
- 6. Response to threats Do nothing Inform the user of threat Remove the problem Fix the problem
- 7. Mitigation Spoofing identity Authentication Protect secrets Don’t store secrets
- 8. Mitigation Tampering with Data Authorization Hashes (cryptographic function) Message authentication codes Digital signatures Tamper resistant protocols
- 9. Mitigation Repudiation Digital signatures Timestamps Audit trails
- 10. Mitigation Information disclosure Authorization Privacy-enhanced protocols Encryption Protect secrets Don’t store secrets
- 11. Mitigation Denial of service Authentication Authorization Filtering before accepting the data Throttling Limiting no of requests to the system Quality of service Preference to specific traffic e.g. streaming media
- 12. Mitigation Elevation of privileges Run with least privilege
- 13. Thank You
Editor's Notes
- #2: Title slide The title slide is available as a ‘title master’ where the corporate signature is fixed. Pre-formatted placeholders are set into the master for editable text. Type in your title which is set in Arial 24pt. Slides should be used only as a prompt for the presenter. Header and Footers Placeholders for these have been inserted into the masters, and have been set to the same colour as the background (white). They are only apparent when printing black and white. They enable you to identify: 1. Slide or page number, 2. A copyright symbol, DeLaval endorsement and year, 3. A unique presentation reference name /job number. 4. Day / time reference. Go to View then Headers and Footers. They can be turned on and off by the tick boxes. Type in your name / job reference etc in field indicated after the © DeLaval and year.