The Software Security Problem
Date: 01-19-2024
Software vs Application Security
System Weakness (from the "safety domain") ***
Bugs
Flaws
Defects encompass both implementation (bugs) and design (flaws) problems
- May lie dormat for years and surface later in a fielded system
- Give way to major consequences
There was a flaw in the requirements. A defect in the design in the design or the requirements can lead to an issue int he system as built
Security Definition ***
If a system has a vulnerability, given that it's being deployed in a hostile environment. The internet is a highly hostile environment. What is it's ability to withstand the effects?
Basic definition of Vulnerability
Cyber Vulnerability (CISSP BoK)
- A flaw* (aka weakness) exists in the system
- Attacker has access to the flaw, and
- Attack has capability to exploit the flaw
- Examples
- Lack of security
- Lack of current virus definitions
- Software Bug
- Lax physical security
- Examples
The Software Security Problem
Security Features != Secure Features
Unintended Functionality
Penetration Test
Software Development Phase
Maintenance Phase
I can have a system that is functionally behaving as expected, but the environment around it has changedFor example, we have an OS with no vulnerability defects. Next week, someone has discovered a new vulnerability. We now have a zero day. The environment has changed
If I can't tell you how many failed logins I've had over the past week, then I'm not auditing
Displosal Phase
Date: 01-26-2024
The Seven Pernicious Kingdoms
Input Validation and Representation ***
API Abuse
Security Features
Time and State
It's hard to make a system deterministic these days