Exercise #23: Program Slicing Review

Slide Note
Embed
Share

Explore the necessity of multi-function analysis in real-world programs. Consider human factors and security processes for software development. Learn about retrofitted security solutions and vulnerabilities in practice.

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

marija
marija Follow

Uploaded on Mar 06, 2024 | 0 Views

Presentation Transcript

  1. EXERCISE #23 PROGRAM SLICING REVIEW Write your name and answer the following on a piece of paper Draw the forward slice from line 2 in following program: 1

  2. ADMINISTRIVIA AND ANNOUNCEMENTS

  3. SSDLC EECS 677: Software Security Evaluation Drew Davidson

  4. 4 CLASS PROGRESS WE VE EXPLORED FORMAL TECHNIQUES TO GUARANTEE ABSENCE OF CERTAIN EXPLOITS In practice, these tools are part of a larger discipline of secure software development We ll (briefly) explore some of these concepts

  5. 5 LAST TIME: PROGRAM SLICING REVIEW: LAST LECTURE EXTRACTASUB-PROGRAMOFINTEREST BASEDONONE (ORMORE) STATEMENTS Forward slice Capture all code influenced by a given statement Backwards slide Capture all code that influences a given statement

  6. 6 OVERVIEW WE VE SEEN THE NECESSITY OF MULTI- FUNCTION ANALYSIS IN REAL-WORLD PROGRAMS TIME TO CONSIDER HOW IT IS DONE

  7. LECTURE OUTLINE Human Factors of Security Security as Process The Secure Software Development Lifecycle

  8. 8 SECURING SOFTWARE IS HARD! HUMAN FACTORS OF SECURITY SURPRISING THREAT MODELS SECURITY-DEFICIENTTOOLING

  9. 9 BOLT-ON SECURITY LIFECYCLES ATTEMPTINGTORETROFITASECURITY SOLUTIONONTOALEGACYSYSTEM Sometimes necessary Ideally avoided

  10. 10 VULNERABILITIES IN THE WILD HUMAN FACTORS OF SECURITY

  11. 11 VULNERABILITIES IN THE WILD HUMAN FACTORS OF SECURITY

  12. LECTURE OUTLINE Human Factors of Security Security as Process The Secure Software Development Lifecycle

  13. 13 PROCESS IS PROGRESS SECURITY AS PROCESS

  14. 14 CORPORATE SNAKE OIL SECURITY AS PROCESS

  15. 15 LIFECYCLES

  16. 16 SECURITY VS USABILITY SECURITY AS PROCESS A FUNDAMENTALTENSION Occurs within the implementation of software, occurs within the processes guiding software development CONSIDERWHATWEOWEUSERS Negative externalities

  17. LECTURE OUTLINE Human Factors of Security Security as Process The Secure Software Development Lifecycle

  18. 18 THE REGULAR SDLC LIFECYCLES SOFTWARE DEVELOPMENT LIFE CYCLE Requirement analysis Design Development Testing and verification Deployment Maintenance and evolution The circle of (software) life

  19. 19 AGILE DEVELOPMENT SDLC: LIFECYCLES

  20. 20 RISK ASSESSMENT AND THREAT MODELS THE SSDLC COMPONENTS COMPANIONTO REQUIREMENT PHASE Functional requirement: User must verify their own contact information Security consideration: Mechanism misuse - Users may attempt to access the contact information of others - Users may attempt to subvert the verification mechanism for harassment

  21. 21 SECURITY DESIGN REVIEW THE SSDLC COMPONENTS COMPANIONTOTHE DESIGN PHASE Cancel my account Functional requirement: Page should retrieve user s name, email, etc. from customer_info table in database Security concern: Verify that user has a valid session token before retrieving information from database Destroy the database CONSIDER SECURITY DESIGN PRINCIPLES Principle of least privilege: Do entities in the system have exactly the privileges they need? Bad design for a button panel

  22. 22 (AUTOMATED) CODE ANALYSIS THE SSDLC COMPONENTS COMPANIONTO DEVELOPMENT Apply best practices - Accessing databases via read-only parameterized queries - Validating user queries before processing them - Chaos Engineering Secure programming - Assume a function might be misused - Check arguments for reasonable values - Canonicalize data

  23. 23 SECURITY TESTING AND CODE REVIEW THE SSDLC COMPONENTS COMPANIONTO VERIFICATION Ensure proper use of APIs - Crypto library invocations - Holistic audits Test the test suite: - Evaluate the coverage of your suite - Ensure treatment of critical functionality Value automation: - Repeatability / reproducibility - Static analysis! - Monkey testing

  24. 24 SECURITY ASSESSMENT AND CONFIGURATION THE SSDLC COMPONENTS COMPANIONTO MAINTENANCE AND EVOLUTION Logging Capture the behavior of the system (expected AND unexpected) Metrics Articulate needs of the system, measure expectations against reality Auditing Periodic retrospective analysis over codebase and configuration

  25. WRAP-UP Human Factors of Security Security as Process The Secure Software Development Lifecycle

Related


EXERCISE ADDICTION AND DISORDERED EATING IN ADOLESCENTS

EXERCISE ADDICTION AND DISORDERED EATING IN ADOLESCENTS

bodhi
Exercise Evaluation Training

Exercise Evaluation Training

teddy
Fitness and Exercise After Stroke: Importance and Guidelines

Fitness and Exercise After Stroke: Importance and Guidelines

kuba
Business Continuity Exercise Information and NHS England Emergency Preparedness

Business Continuity Exercise Information and NHS England Emergency Preparedness

emiliana
Paladin Security Tabletop Exercise Template

Paladin Security Tabletop Exercise Template

navi
Understanding IRB Review Process for Expedited Research

Understanding IRB Review Process for Expedited Research

avni
Enhancing Program Performance through Strategic Metrics Review

Enhancing Program Performance through Strategic Metrics Review

annora
JUDICIAL REVIEW OF NATIONAL ACTION BY UNCLOS COURTS AND TRIBUNALS

JUDICIAL REVIEW OF NATIONAL ACTION BY UNCLOS COURTS AND TRIBUNALS

octavius
Comprehensive Guide to Exercise Planning and Execution

Comprehensive Guide to Exercise Planning and Execution

leta
Conducting an Outcomes Review Meeting for Program Analysis

Conducting an Outcomes Review Meeting for Program Analysis

rayden
ERCOT RTC+B Program Review Updates

ERCOT RTC+B Program Review Updates

sariya
Importance of literature review

Importance of literature review

madeleine
Rapid Review of BSL Commissioning Arrangements by Dr. Michael Brady

Rapid Review of BSL Commissioning Arrangements by Dr. Michael Brady

soledad
RTC+B Task Force Update - Program Review and Market Trials Planning

RTC+B Task Force Update - Program Review and Market Trials Planning

tarak
Welcome to Columbus State Nursing Program, Autumn 2023

Welcome to Columbus State Nursing Program, Autumn 2023

endellion
3D Printing Tutorial: From Computer Model to Real-Life Object

3D Printing Tutorial: From Computer Model to Real-Life Object

husna
PhD Program in Computer and Control Engineering Review

PhD Program in Computer and Control Engineering Review

nikola
Annual Reviews and Standard Review Processes

Annual Reviews and Standard Review Processes

septimus
The NIH Peer Review Process

The NIH Peer Review Process

casen
Simplified Review Framework

Simplified Review Framework

annabelle
Georgia State University Admissions Background Review Process

Georgia State University Admissions Background Review Process

safa
Understanding IRB Review Process for Research Studies

Understanding IRB Review Process for Research Studies

kendra
NSLP 101: An Overview of the National School Lunch Program

NSLP 101: An Overview of the National School Lunch Program

ethel
Academic Program Choices and Subject Selection Guidelines for High School Students

Academic Program Choices and Subject Selection Guidelines for High School Students

vasili

More Related Content

Update on DoD Travel Card Program by Alec Cloyd, Chief of Travel Operations at DTMO
Update on DoD Travel Card Program by Alec Cloyd, Chief of Travel Operations at DTMO
Nutrition and Health Program Progress in Lao PDR
Nutrition and Health Program Progress in Lao PDR
Rural Hospital Flexibility Program in Montana: Enhancing Quality Care
Rural Hospital Flexibility Program in Montana: Enhancing Quality Care
Chaffey College Vocational Nursing Program Information Session
Chaffey College Vocational Nursing Program Information Session
VPCCS Nursing Program Details for Spring 2023 Admission
VPCCS Nursing Program Details for Spring 2023 Admission
Connecticut Energy Assistance Program Informational Forum
Connecticut Energy Assistance Program Informational Forum
Corporate Compliance Program: Ensuring Ethical Practices
Corporate Compliance Program: Ensuring Ethical Practices
Lower Your Patients' Risk of Type 2 Diabetes with CDC's National DPP Lifestyle Change Program
Lower Your Patients' Risk of Type 2 Diabetes with CDC's National DPP Lifestyle Change Program
Agriculture, Food, and Natural Resources Education MA Program Overview
Agriculture, Food, and Natural Resources Education MA Program Overview
Comparison Between Static and Dynamic Program Instrumentation
Comparison Between Static and Dynamic Program Instrumentation
Detroit Police Victim Assistance Program Overview
Detroit Police Victim Assistance Program Overview
Support for Low-Income Veterans Enrolled in Medi-Cal
Support for Low-Income Veterans Enrolled in Medi-Cal
Overview of Herd Humanities Program at Marshall University
Overview of Herd Humanities Program at Marshall University
McCrory Gifted and Talented Program Overview
McCrory Gifted and Talented Program Overview
GENNEX: Enhancing Global Research Collaboration in Sports, Exercise, and Health Sciences
GENNEX: Enhancing Global Research Collaboration in Sports, Exercise, and Health Sciences
Pregnancy Guidelines for Student-Athletes
Pregnancy Guidelines for Student-Athletes
Essential Types of Exercise for Lifelong Health & Fitness
Essential Types of Exercise for Lifelong Health & Fitness
Progress Update on PCBS Program Recommendations (2018-2020)
Progress Update on PCBS Program Recommendations (2018-2020)
Magnet Kindergarten Program Review and Discussion
Magnet Kindergarten Program Review and Discussion
RTC+B Tack Force. High-Level Overview
RTC+B Tack Force. High-Level Overview
Maternal and Perinatal Death Surveillance and Response Orientation Program
Maternal and Perinatal Death Surveillance and Response Orientation Program
SN65DSI85-Q1 Layout Review
SN65DSI85-Q1 Layout Review
Enhancing Online Education: ASCCC Online Course Review
Enhancing Online Education: ASCCC Online Course Review
CSE 122 Winter 2024 - Lecture 18: Putting It All Together Review
CSE 122 Winter 2024 - Lecture 18: Putting It All Together Review