Software Development Life Cycle - Threat Modelling Initiation

Slide Note
Embed
Share

Threat modelling should commence at the early stage of the software development life cycle to identify potential security risks and vulnerabilities effectively. It should ideally begin during the requirement analysis and continue throughout development, testing, and maintenance phases to ensure robust security measures are implemented.

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

ismail
ismail Follow

Uploaded on Apr 16, 2024 | 3 Views

Presentation Transcript

  1. EXERCISE #24 SSDLC REVIEW Write your name and answer the following on a piece of paper At what point in the software development life cycle should threat modelling begin? 1

  2. Preparing for Quiz 2 Review session Wednesday at 7:00 9:00 (tentative) We have to talk about Quiz 1 A tale of two classes EECS 677: EECS 700: Highest grade: 50/50 Lowest grade: 25/50 Highest grade: 50/50 Lowest grade: 8/50 ADMINISTRIVIA AND ANNOUNCEMENTS Average grade: ~84% Average grade: ~53% Median grade: ~89% Median grade: ~50%

  3. LINTING EECS 677: Software Security Evaluation Drew Davidson

  4. 4 LAST TIME: SSDLC REVIEW: LAST LECTURE CORRESPONDING SECURITY TASKSFOR THE SOFTWARE DEVELOPMENT LIFECYCLE Requirement Analysis Risk Assessment and Threat models Design Security Design Review Development Automated CodeAnalysis Testing Security Testing and Code Review Maintenance and Evolution Security Assessment and Configuration

  5. 5 CLASS PROGRESS HANDLING THE SOFTER SIDE OF SECURITY EVALUATION We ve described some of the high-level best- practices, let s talk about tool support

  6. LECTURE OUTLINE Background / Context Linting Anti-Patterns Splint

  7. 7 SAD FACT: IT S EASY TO WRITE INSECURE CODE LINTING: BACKGROUND/CONTEXT MANY PROGRAMMINGLANGUAGES HAVEEXPLOITABLECONSTRUCTS Programming constructs that do not operate as intended under unforeseen circumstances Artistic depiction of C programming

  8. 8 RECALL: SECURITY V USABILITY LINTING OVERVIEW MAINSTREAM PL PHILOSOPHY PRIORITIZESSPEEDANDSIMPLICITY C could do more checking, but it doesn t - Bounds checking - Type safety

  9. 9 RECALL: SECURITY V USABILITY LINTING OVERVIEW EXPECTATIONSOFEFFICIENCYAND PERFORMANCEAREHARDTOQUIT! Disallowing unsafe behavior means going back on what s already been accomplished - Rewrite legacy code - Give up on some performance

  10. 10 CASE STUDY: MELTDOWN AND SPECTRE LINTING OVERVIEW THEPROBLEM: BRANCH PREDICTORS ANDSPECULATIVE EXECUTION Impact: leaking secrets THE SOLUTION: MEDIATE SPECULATIVE EXECUTION Early Fix performance: OS Bench: Intel Xeon 84~87% AMD EPYC 91~94%.

  11. 11 RECALL: SECURITY V USABILITY LINTING OVERVIEW WAITINGFORBETTERTOOLS Some feel that the whole of imperative programming is inherently unsafe

  12. 12 RECALL: SECURITY V USABILITY LINTING OVERVIEW

  13. LECTURE OUTLINE Background / Context Linting Anti-Patterns Splint

  14. 14 HEURISTIC TOOLS FOR AN IMPERFECT WORLD LINTING: OVERVIEW TRYNOTTOSHOOTYOURSELFINTHEFOOT Highlight the stuff you probably shouldn t be doing in the first place

  15. 15 CATCH ANTI-PATTERNS HUMAN FACTORS OF SECURITY COMMONLANGUAGE-LEGALPAIN- POINTS Code that is highly situational, or simply shouldn t be legal in hindsight

  16. 16 HISTORY: JOHNSON, 1978 HUMAN FACTORS OF SECURITY CREATEDAPROGRAMCALLED LINT Aided in the development of YACC Originally internal to Bell Labs, eventually open-sourced NAME INSPIREDBY DRYER LINT TRAPS Capture the loose fibers that come off the program Leave the whole of the program intact

  17. 17 PRODUCTION LINTERS LINTING MORE MODERNTOOLS cppcheck open-source linter cpplint Google s in-house (open-source) linter flake8 python linter Also ensures adherence to style guide: https://google.github.io/styleguide/cppguide.html Good reminder that coding is still a human process

  18. LECTURE OUTLINE Background / Context Linting Anti-Patterns Splint

  19. 19 ASSIGNMENT IN PREDICATE LINTING

  20. 20 MACRO POLLUTION LINTING

  21. 21 SEPARATING INITIALIZATION FROM USE LINTING

  22. 22 SEPARATING INITIALIZATION FROM USE LINTING

  23. 23 LINE CONTINUATION WEIRDNESS LINTING

  24. 24 SCOPED INITIALIZATION LINTING

  25. 25 NAMESPACING (GOOD) LINTING

  26. 26 HEURISTIC TOOLS FOR AN IMPERFECT WORLD LINTING: OVERVIEW TRYNOTTOSHOOTYOURSELFINTHEFOOT Highlight the stuff you probably shouldn t be doing in the first place

  27. 27 RECALL: SECURITY V USABILITY LINTING OVERVIEW MANY PROGRAMMINGLANGUAGES HAVEEXPLOITABLECONSTRUCTS Capture the loose fibers that come off the program Leave the whole of the program intact

Related


Prior Exposure to Antiretroviral Therapy in Adult HIV Patients in Sub-Saharan Africa

Prior Exposure to Antiretroviral Therapy in Adult HIV Patients in Sub-Saharan Africa

krish
Mortar Board Initiation Tips & Tricks Advisor Meet-Up

Mortar Board Initiation Tips & Tricks Advisor Meet-Up

kenzo
Business Modelling and Innovation for Holistic Understanding and Growth

Business Modelling and Innovation for Holistic Understanding and Growth

mahdi
Tradeoffs Between Water Savings and GHG Emissions in Irrigated Agriculture

Tradeoffs Between Water Savings and GHG Emissions in Irrigated Agriculture

jonas
Software Process Workflows and Management Overview

Software Process Workflows and Management Overview

wolfgang
Modern Threat Modeling & Cloud Systems in OWASP Sacramento

Modern Threat Modeling & Cloud Systems in OWASP Sacramento

maven
Understanding Product Life Cycle Costing: A Comprehensive Analysis

Understanding Product Life Cycle Costing: A Comprehensive Analysis

kezia
SYSTEM ANALYSIS AND DESIGN

SYSTEM ANALYSIS AND DESIGN

jon
Hospital-Based Rapid Methadone Initiation Protocol in Fentanyl Era

Hospital-Based Rapid Methadone Initiation Protocol in Fentanyl Era

oslo
Understanding the Water Cycle and Its Importance in Nature

Understanding the Water Cycle and Its Importance in Nature

harbor
Modelling Estuarine Habitats in the Upper Sea Scheldt: Human-Induced Adaptations

Modelling Estuarine Habitats in the Upper Sea Scheldt: Human-Induced Adaptations

morrigan
Modelling and Exploration of Coarse-Grained Reconfigurable Arrays Using CGRA-ME Framework

Modelling and Exploration of Coarse-Grained Reconfigurable Arrays Using CGRA-ME Framework

andie
Artificial Markets in Software Development: A New Paradigm

Artificial Markets in Software Development: A New Paradigm

tianna
Understanding the Carbon Cycle: Reservoirs, Dynamics, and Importance

Understanding the Carbon Cycle: Reservoirs, Dynamics, and Importance

ruri
Evolution of HEC-SSP Analytical Tools and Software Development Team

Evolution of HEC-SSP Analytical Tools and Software Development Team

franklin
SOFTWARE ENGINEERING

SOFTWARE ENGINEERING

bramble
Senior Cycle Subject Options

Senior Cycle Subject Options

clio
NEAT Professional Growth Cycle - Early Childhood Services for Excellence

NEAT Professional Growth Cycle - Early Childhood Services for Excellence

margo
Practical Application of OpenSAMM Methodology in Software Development

Practical Application of OpenSAMM Methodology in Software Development

monica
Installation Guide of GNU Radio on Ubuntu

Installation Guide of GNU Radio on Ubuntu

ford
Architecture Evaluation

Architecture Evaluation

eowyn
Maintenance Context

Maintenance Context

hamilton
Understanding the Product Life Cycle: Stages and Examples

Understanding the Product Life Cycle: Stages and Examples

ryley
Understanding Computer Hardware and Software Fundamentals

Understanding Computer Hardware and Software Fundamentals

zevi

More Related Content

Impact of Performance Management Software on Organizational Goal-Setting
Impact of Performance Management Software on Organizational Goal-Setting
Understanding Software-Defined Radio (SDR) with GNU Radio Introduction
Understanding Software-Defined Radio (SDR) with GNU Radio Introduction
Update on Control System Software Scope by Susanne Regnell at ESS/ICS
Update on Control System Software Scope by Susanne Regnell at ESS/ICS
Exploring GNU Software Radio: A Comprehensive Overview
Exploring GNU Software Radio: A Comprehensive Overview
Evolution of Software Engineering in the Era of Artificial Intelligence
Evolution of Software Engineering in the Era of Artificial Intelligence
Understanding Typosquatting in Language-Based Package Ecosystems
Understanding Typosquatting in Language-Based Package Ecosystems
Understanding Information Flow in Software Security
Understanding Information Flow in Software Security
Managing Product Life Cycle: Growth, Maturity, Decline Stages
Managing Product Life Cycle: Growth, Maturity, Decline Stages
Understanding Data Lifecycle and Mining for Business Intelligence
Understanding Data Lifecycle and Mining for Business Intelligence
Asian Hornets
Asian Hornets
Role of AI in Threat Detection and Zero-day Attacks
Role of AI in Threat Detection and Zero-day Attacks
Artificial Intelligence in Cyber Security: Enhancing Threat Detection and Response
Artificial Intelligence in Cyber Security: Enhancing Threat Detection and Response
Strategic Planning Analysis for Starbucks Hong Kong
Strategic Planning Analysis for Starbucks Hong Kong
Comprehensive Review on Medical Separations and Direct Threat Assessments for Health Staff
Comprehensive Review on Medical Separations and Direct Threat Assessments for Health Staff
Porter's Five Forces Analysis: Templates and Example
Porter's Five Forces Analysis: Templates and Example
Exploring Learning Theories and Nudging Theory in Educational Technology
Exploring Learning Theories and Nudging Theory in Educational Technology
Nepal MFMod Standalone Installation Guide
Nepal MFMod Standalone Installation Guide
Aspirational Panchayat Development Programme (APDP) in Jammu & Kashmir
Aspirational Panchayat Development Programme (APDP) in Jammu & Kashmir
Orientation to Emergency Operations in Douglas County
Orientation to Emergency Operations in Douglas County
Understanding Multimedia Systems: Hardware and Software Components
Understanding Multimedia Systems: Hardware and Software Components
Requirements Elicitation in Software Engineering
Requirements Elicitation in Software Engineering
SBS Software and Analysis System Overview
SBS Software and Analysis System Overview
Understanding Microprocessor Architecture and Software Design
Understanding Microprocessor Architecture and Software Design
Understanding Decision Table Testing in Software Development
Understanding Decision Table Testing in Software Development