Software Development Life Cycle - Threat Modelling Initiation

Slide Note
Embed
Share

Threat modelling should commence at the early stage of the software development life cycle to identify potential security risks and vulnerabilities effectively. It should ideally begin during the requirement analysis and continue throughout development, testing, and maintenance phases to ensure robust security measures are implemented.

ismail
ismail Follow

Uploaded on Apr 16, 2024 | 3 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. EXERCISE #24 SSDLC REVIEW Write your name and answer the following on a piece of paper At what point in the software development life cycle should threat modelling begin? 1

  2. Preparing for Quiz 2 Review session Wednesday at 7:00 9:00 (tentative) We have to talk about Quiz 1 A tale of two classes EECS 677: EECS 700: Highest grade: 50/50 Lowest grade: 25/50 Highest grade: 50/50 Lowest grade: 8/50 ADMINISTRIVIA AND ANNOUNCEMENTS Average grade: ~84% Average grade: ~53% Median grade: ~89% Median grade: ~50%

  3. LINTING EECS 677: Software Security Evaluation Drew Davidson

  4. 4 LAST TIME: SSDLC REVIEW: LAST LECTURE CORRESPONDING SECURITY TASKSFOR THE SOFTWARE DEVELOPMENT LIFECYCLE Requirement Analysis Risk Assessment and Threat models Design Security Design Review Development Automated CodeAnalysis Testing Security Testing and Code Review Maintenance and Evolution Security Assessment and Configuration

  5. 5 CLASS PROGRESS HANDLING THE SOFTER SIDE OF SECURITY EVALUATION We ve described some of the high-level best- practices, let s talk about tool support

  6. LECTURE OUTLINE Background / Context Linting Anti-Patterns Splint

  7. 7 SAD FACT: IT S EASY TO WRITE INSECURE CODE LINTING: BACKGROUND/CONTEXT MANY PROGRAMMINGLANGUAGES HAVEEXPLOITABLECONSTRUCTS Programming constructs that do not operate as intended under unforeseen circumstances Artistic depiction of C programming

  8. 8 RECALL: SECURITY V USABILITY LINTING OVERVIEW MAINSTREAM PL PHILOSOPHY PRIORITIZESSPEEDANDSIMPLICITY C could do more checking, but it doesn t - Bounds checking - Type safety

  9. 9 RECALL: SECURITY V USABILITY LINTING OVERVIEW EXPECTATIONSOFEFFICIENCYAND PERFORMANCEAREHARDTOQUIT! Disallowing unsafe behavior means going back on what s already been accomplished - Rewrite legacy code - Give up on some performance

  10. 10 CASE STUDY: MELTDOWN AND SPECTRE LINTING OVERVIEW THEPROBLEM: BRANCH PREDICTORS ANDSPECULATIVE EXECUTION Impact: leaking secrets THE SOLUTION: MEDIATE SPECULATIVE EXECUTION Early Fix performance: OS Bench: Intel Xeon 84~87% AMD EPYC 91~94%.

  11. 11 RECALL: SECURITY V USABILITY LINTING OVERVIEW WAITINGFORBETTERTOOLS Some feel that the whole of imperative programming is inherently unsafe

  12. 12 RECALL: SECURITY V USABILITY LINTING OVERVIEW

  13. LECTURE OUTLINE Background / Context Linting Anti-Patterns Splint

  14. 14 HEURISTIC TOOLS FOR AN IMPERFECT WORLD LINTING: OVERVIEW TRYNOTTOSHOOTYOURSELFINTHEFOOT Highlight the stuff you probably shouldn t be doing in the first place

  15. 15 CATCH ANTI-PATTERNS HUMAN FACTORS OF SECURITY COMMONLANGUAGE-LEGALPAIN- POINTS Code that is highly situational, or simply shouldn t be legal in hindsight

  16. 16 HISTORY: JOHNSON, 1978 HUMAN FACTORS OF SECURITY CREATEDAPROGRAMCALLED LINT Aided in the development of YACC Originally internal to Bell Labs, eventually open-sourced NAME INSPIREDBY DRYER LINT TRAPS Capture the loose fibers that come off the program Leave the whole of the program intact

  17. 17 PRODUCTION LINTERS LINTING MORE MODERNTOOLS cppcheck open-source linter cpplint Google s in-house (open-source) linter flake8 python linter Also ensures adherence to style guide: https://google.github.io/styleguide/cppguide.html Good reminder that coding is still a human process

  18. LECTURE OUTLINE Background / Context Linting Anti-Patterns Splint

  19. 19 ASSIGNMENT IN PREDICATE LINTING

  20. 20 MACRO POLLUTION LINTING

  21. 21 SEPARATING INITIALIZATION FROM USE LINTING

  22. 22 SEPARATING INITIALIZATION FROM USE LINTING

  23. 23 LINE CONTINUATION WEIRDNESS LINTING

  24. 24 SCOPED INITIALIZATION LINTING

  25. 25 NAMESPACING (GOOD) LINTING

  26. 26 HEURISTIC TOOLS FOR AN IMPERFECT WORLD LINTING: OVERVIEW TRYNOTTOSHOOTYOURSELFINTHEFOOT Highlight the stuff you probably shouldn t be doing in the first place

  27. 27 RECALL: SECURITY V USABILITY LINTING OVERVIEW MANY PROGRAMMINGLANGUAGES HAVEEXPLOITABLECONSTRUCTS Capture the loose fibers that come off the program Leave the whole of the program intact

Related


Modelling and Optimization of Quality Attributes in Software Variability

Modelling and Optimization of Quality Attributes in Software Variability

naka_51
Sustainable Development Modelling Tools at ICTP Trieste

Sustainable Development Modelling Tools at ICTP Trieste

kao_bri
Understanding Software Life Cycle Models

Understanding Software Life Cycle Models

bhuvih
Understanding Conceptual and Requirement Modelling Using UML

Understanding Conceptual and Requirement Modelling Using UML

tavish
Understanding the Essence of Software Development Process

Understanding the Essence of Software Development Process

katiely
Opportunities at Modelling Weeks: Join for Real-Life Problem Solving

Opportunities at Modelling Weeks: Join for Real-Life Problem Solving

bhardwaj_d
Initiating and Planning Systems Development Projects

Initiating and Planning Systems Development Projects

euan
Understanding Software Development Life Cycle (SDLC) Phases

Understanding Software Development Life Cycle (SDLC) Phases

borys
Understanding Software Processes and Models

Understanding Software Processes and Models

fatima
Insights into Modelling Intermediate Stops and Tour-Based Models in Transportation Planning

Insights into Modelling Intermediate Stops and Tour-Based Models in Transportation Planning

jessic
Understanding Software Engineering: Concepts and Characteristics

Understanding Software Engineering: Concepts and Characteristics

elle
Comprehensive Guide to Antiretroviral Therapy Initiation and Adherence

Comprehensive Guide to Antiretroviral Therapy Initiation and Adherence

mig_sa
Understanding Software Engineering and Development Processes

Understanding Software Engineering and Development Processes

benici
Understanding the Process of Crack Initiation and Propagation

Understanding the Process of Crack Initiation and Propagation

kkiel
Climate Based Daylight Modelling with Fast and Robust Building Simulation Software

Climate Based Daylight Modelling with Fast and Robust Building Simulation Software

hill_ira
Business Modelling and Innovation for Holistic Understanding and Growth

Business Modelling and Innovation for Holistic Understanding and Growth

mahdi
Tradeoffs Between Water Savings and GHG Emissions in Irrigated Agriculture

Tradeoffs Between Water Savings and GHG Emissions in Irrigated Agriculture

jonas
Stochastic Coastal Regional Uncertainty Modelling II (SCRUM2) Overview

Stochastic Coastal Regional Uncertainty Modelling II (SCRUM2) Overview

aberdeens
Expert Training on The 7 Habits of Highly Effective Cost Modelling

Expert Training on The 7 Habits of Highly Effective Cost Modelling

and_bal
Exploring RNNs and CNNs for Sequence Modelling: A Dive into Recent Trends and TCN Models

Exploring RNNs and CNNs for Sequence Modelling: A Dive into Recent Trends and TCN Models

alry707
Understanding Modelling Knowledge and Knowledge Representation

Understanding Modelling Knowledge and Knowledge Representation

cree_ren
Training Day & Workshops: Software and Hardware Insights by Andreas Grondoudis

Training Day & Workshops: Software and Hardware Insights by Andreas Grondoudis

mumpower_z
Understanding Software Measurement and Metrics in Software Engineering

Understanding Software Measurement and Metrics in Software Engineering

asmodeus
Software Cost Estimation in Software Engineering

Software Cost Estimation in Software Engineering

aislinn

More Related Content