CS6301 W1.1-1.2


76 Terms

1

What is the primary focus of CS 6301 Secure Software Development?

Engineering software to continue functioning correctly under malicious attacks rather than just achieving normal functionality

2

What are the three main parts of the CS 6301 course?

• Part I: Secure Software Concepts
• Part II: Secure Coding
• Part III: Program Analysis for Secure Software Development

3

What programming language experience is required for CS 6301?

C/C++ programming experience is required to understand secure coding topics

4

What are the 7 Touchpoints in software security?

• Code Review
• Architectural Risk Analysis
• Penetration Testing
• Risk-Based Security Testing
• Abuse Cases
• Security Requirements
• Security Operations

5

What is the grading breakdown for CS 6301?

• 20% Individual Assignments
• 45% Team Lab Exercises
• 35% Final Exam

6

How many students are in each lab team?

Teams of 4 students work together on lab exercises

7

What are the three lab exercises in the course?

• Lab 1: Buffer Overflow Vulnerability
• Lab 2: Format String Vulnerability
• Lab 3: Race Condition Vulnerability

8

What is the late penalty structure for assignments?

• 10% off within 24h
• 25% off 24-48h
• 50% off 48-72h
• 100% off after 72h

9

What special allowance do teams get for lab reports?

Each team is allowed one late submission without penalty for lab reports

10

How does software security differ from correctness?

Correctness means the software does what it should under expected circumstances; security means it does nothing it shouldn't under all circumstances, including deliberately malicious input.

11

What is the key difference between normal users and adversaries?

Normal users stumble on bugs by accident and try to avoid them; adversaries actively search for bugs and deliberately try to exploit them.

12

What are the three factors increasing software security risks?

• Increased complexity
• Increased extensibility
• Increased connectivity

13

What is the CIA triad in security?

• Confidentiality: prevent improper disclosure
• Integrity: prevent improper modification
• Availability: prevent improper denial of access

14

Give an example of confidentiality in a commercial setting

An employee should not know their manager's salary

15

Give an example of integrity in a commercial setting

An employee should not be able to modify their own salary

16

Give an example of availability in a commercial setting

Paychecks should be printed on time as required by law

17

What are the three components needed to achieve security?

• Security Policy: what to protect
• Security Mechanism: how to protect
• Security Assurance: how well protection works

18

What are the three types of security mechanisms?

• Prevention: stop attacks before they happen
• Detection: identify attacks in progress
• Tolerance: continue operating despite attacks

19

Which type of security mechanism is most fundamental?

Prevention, because detection only works after the fact: it depends on the threat of punishment and on audit trails that must themselves be protected from tampering.

20

What are the main security services provided to users?

• Confidentiality
• Authentication
• Integrity
• Non-repudiation
• Access Control
• Monitor and Response

21

What is the security tradeoff triangle?

Security exists in tension with Functionality and Ease of Use with Cost at the center

22

Why is security by obscurity problematic?

It is less and less effective in a world of open standards, widespread computing knowledge, and readily available reverse-engineering tools; assume the attacker knows how the system works.

23

Why is security by legislation insufficient?

• Users make mistakes
• Policies can't cover every scenario
• Human behavior is unpredictable under pressure

24

What is the difference between bugs and flaws in software security?

Bugs are implementation-level vulnerabilities in the code, which tools such as static analyzers can often find; flaws are design-level vulnerabilities in the architecture, which require manual analysis to uncover.

25

What are examples of software security bugs?

• Buffer overflows
• Null pointer dereferences
• Race conditions

26

What are examples of software security flaws?

• Authentication bypasses
• Privilege escalation paths
• Architectural design problems

27

What was the Heartbleed vulnerability?

A missing bounds check in OpenSSL's TLS heartbeat extension (versions 1.0.1 through 1.0.1f, CVE-2014-0160): a peer could claim a payload length larger than the data it actually sent and receive up to 64 KB of the process's memory per request, potentially exposing session data, passwords, and the server's private key.

28

When was Heartbleed discovered and how long had it existed?

Found in March 2014 and publicly disclosed on April 7, 2014 (fixed in OpenSSL 1.0.1g); the bug shipped in OpenSSL 1.0.1 in March 2012, so it had been in released code for about two years.

29

Why did traditional security approaches fail against Heartbleed?

• OS security could not see it: the bug lives in the application's own memory handling, not at the system-call or privilege boundary
• Firewalls could not stop it: heartbeats are legitimate TLS traffic on an allowed port, and a syntactic signature can be evaded by chunking the request across packets
• Antivirus had nothing to scan: no malware was delivered, only a malformed request to code that was already running
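The length-trust bug behind Heartbleed in miniature, as an added example (this is not the OpenSSL code and not course material). A simplified heartbeat record (one type byte, a 2-byte big-endian payload length, then the payload) is laid out in a constructed buffer that stands in for process memory, with made-up secret bytes right after it. The claimed length is kept small so the demonstration stays inside that buffer; the real bug let a peer ask for up to 64 KB per request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record: type (1 byte), payload length (2 bytes), payload. */
#define HB_HDR 3

/* Constructed "process memory": an 8-byte record that claims a 24-byte payload
 * but only carries 5 bytes ("hello"), followed by bytes that stand in for
 * whatever happened to sit next to it on the heap. */
static const unsigned char ARENA[] =
    "\x01\x00\x18" "hello"          /* type 1, claimed length 0x18 = 24, 5 real bytes */
    "SECRET_KEY_MATERIAL";          /* adjacent memory the peer must never see */
static const size_t RECORD_LEN = HB_HDR + 5;   /* bytes that actually arrived */

static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: trusts the peer-supplied length and copies that many bytes from
 * the payload pointer, running past the record. Returns bytes written to out. */
size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: that is the bug */
    uint16_t claimed = be16(rec + 1);
    if ((size_t)claimed + HB_HDR > out_cap) return 0;
    out[0] = 0x02;                               /* heartbeat response */
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed); /* over-read of adjacent memory */
    return HB_HDR + claimed;
}

/* Fixed: the claimed length must fit inside the bytes that actually arrived
 * (the check OpenSSL 1.0.1g added). A bad request is dropped: returns 0. */
size_t heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR) return 0;
    uint16_t claimed = be16(rec + 1);
    if ((size_t)claimed > rec_len - HB_HDR) return 0;   /* length lies: drop it */
    if ((size_t)claimed + HB_HDR > out_cap) return 0;
    out[0] = 0x02; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    return HB_HDR + claimed;
}

/* 1 if the reply payload contains the constructed secret, else 0. */
int reply_leaks_secret(const unsigned char *reply, size_t n) {
    const char *needle = "SECRET_KEY";
    size_t k = strlen(needle);
    for (size_t i = HB_HDR; i + k <= n; i++)
        if (memcmp(reply + i, needle, k) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[128];
    size_t n = heartbeat_reply_vulnerable(ARENA, RECORD_LEN, out, sizeof out);
    printf("vulnerable: %zu-byte reply, leaks secret: %d\n", n, reply_leaks_secret(out, n));
    n = heartbeat_reply_fixed(ARENA, RECORD_LEN, out, sizeof out);
    printf("fixed: %zu-byte reply (0 = request dropped)\n", n);
    return 0;
}
```

The fix is one comparison, which is the point of the "bugs" half of the bug/flaw distinction: the code is wrong at a single line, no OS, firewall or scanner can see that line, and a static analyzer or code review that asks "where does this length come from?" is the mechanism that finds it.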

30

What is the key insight about software security approaches?

Software security addresses the root cause (buggy code) rather than trying to detect or block attacks after the fact

31

What are the six options for addressing software security?

• Do nothing
• Ad-hoc evaluation
• Add security features after the fact
• Identify vulnerabilities
• Test security levels
• Incorporate security throughout SDLC

32

Which approach to software security is recommended?

Incorporate security throughout the Software Development Life Cycle (SDLC)

33

What is the fundamental challenge in security testing?

Correctness testing verifies software does what it should under expected conditions but security testing must verify it doesn't do what it shouldn't under ALL possible conditions

34

What does a programmer focus on in software security?

Properties of the source code, such as correctness, performance, and security

35

What does a system integrator do?

Integrates new and existing software components to create programs or systems that satisfy customer requirements

36

What does a system administrator handle?

Managing and securing systems, including installing and removing software, applying patches, and managing privileges

37

What does a vulnerability analyst do?

Analyzes vulnerabilities in existing and deployed programs

38

What does a security analyst focus on?

Properties of security defects and how to identify them

39

What does an attacker/adversary do?

A malicious actor who deliberately exploits vulnerabilities to achieve objectives that vary with the type of threat

40

What is the first of the ten software security design principles (the IEEE Center for Secure Design's "top ten design flaws" to avoid)?

Earn or give, but never assume, trust: trust must be explicitly established and maintained

41

What should you do regarding trust and client data?

Validate all data from untrusted clients and design systems to handle potential client compromise

42

What should you avoid with trust assumptions?

Never rely on client code for authorization, access control, or policy enforcement; the client can be modified or replaced, so the server must make and enforce those decisions itself

43

What is the second software security design principle?

Use an authentication mechanism that cannot be bypassed or tampered with

44

What are the "big three" authentication factors?

• Something you are (biometrics)
• Something you have (token)
• Something you know (password)

45

What should you avoid in authentication?

• Shared resources like IP addresses and MAC addresses as credentials
• Predictable tokens

46

What is the third software security design principle?

Authorize after authentication - never assume authorization automatically follows authentication

47

What is the difference between authentication and authorization?

Authentication verifies who you are; authorization determines what you may do. Both checks are necessary, and authorization must be checked on each access rather than assumed from a successful login

48

What is the fourth software security design principle?

Strict separation between data and code - never allow untrusted data to be executed as code

49

What are examples of code/data separation violations?

• SQL injection (user data spliced into a query string becomes SQL)
• XSS, cross-site scripting (user data rendered into a page becomes script)
• Command injection through system() and similar shell-invoking calls, and code injection through eval()
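Command injection through system()-style calls beside the argv-based fix, as an added example (not course code). Both versions run a harmless echo; the constructed input `report.txt; echo INJECTED` lets the shell treat the data as a second command, while the fixed version never starts a shell and hands the whole string to echo as one argument. It assumes a POSIX system with /bin/sh and /bin/echo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed attacker-controlled "file name". The "; echo INJECTED" part is
 * the injected control instruction; here it is harmless by construction. */
static const char *UNTRUSTED = "report.txt; echo INJECTED";

/* Read fd to EOF into buf, NUL-terminate, return the byte count. */
static size_t slurp(int fd, char *buf, size_t cap) {
    size_t n = 0; ssize_t r;
    while (n + 1 < cap && (r = read(fd, buf + n, cap - n - 1)) > 0) n += (size_t)r;
    buf[n] = '\0';
    return n;
}

/* Vulnerable: splices untrusted data into a command line. popen() runs it via
 * /bin/sh -c, so the shell parses the data as syntax: two commands, not one. */
size_t run_vulnerable(const char *name, char *out, size_t cap) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", name);   /* "echo report.txt; echo INJECTED" */
    FILE *p = popen(cmd, "r");
    if (!p) { out[0] = '\0'; return 0; }
    size_t n = slurp(fileno(p), out, cap);
    pclose(p);
    return n;
}

/* Fixed: no shell in the path. The untrusted string travels as a single argv
 * element through execv(), so nothing ever interprets it as control. */
size_t run_fixed(const char *name, char *out, size_t cap) {
    int fds[2];
    if (pipe(fds) != 0) { out[0] = '\0'; return 0; }
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); out[0] = '\0'; return 0; }
    if (pid == 0) {                                /* child: stdout -> pipe, exec echo */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = { "echo", (char *)name, NULL };
        execv("/bin/echo", argv);
        _exit(127);
    }
    close(fds[1]);
    size_t n = slurp(fds[0], out, cap);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n;
}

int main(void) {
    char out[256];
    run_vulnerable(UNTRUSTED, out, sizeof out);
    printf("vulnerable output:\n%s", out);         /* two lines: the second is injected */
    run_fixed(UNTRUSTED, out, sizeof out);
    printf("fixed output:\n%s", out);              /* one line, the data echoed verbatim */
    return 0;
}
```

Escaping the data for the shell is the weaker alternative to this: it keeps the interpreter in the loop and has to anticipate every metacharacter, which is a denylist. Removing the interpreter is the structural fix the principle asks for.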

50

What is the fifth software security design principle?

All data are explicitly validated - every piece of input must be validated against expected format and content

51

What is the difference between whitelisting and blacklisting in validation?

Whitelisting (allowlisting) accepts only inputs known to be good and rejects everything else (preferred); blacklisting (denylisting) rejects only inputs known to be bad, so any bad input nobody anticipated gets through (less secure)

52

What are canonical mappings in data validation?

Converting every input to a single canonical representation (decoding and normalizing encodings, case, and so on) and then validating it at one central point, rather than validating the many raw forms separately along multiple point-to-point paths
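Allowlist validation and canonicalize-then-validate together, as an added example for the two cards above (not course code). A file-name component is percent-decoded and case-folded into one canonical form, then checked against an allowlist of permitted characters. The constructed input `%2e%2e%2fetc%2fpasswd` passes a denylist that looks for a literal `../` in the raw bytes, and is rejected once the same bytes are canonicalized first.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Denylist on the raw input: rejects only a literal "../" or "..\". This is
 * the pattern an encoded traversal walks straight past. */
int denylist_ok(const char *s) {
    return strstr(s, "../") == NULL && strstr(s, "..\\") == NULL;
}

/* Allowlist for one canonical file-name component: 1..64 chars drawn from
 * [A-Za-z0-9._-], and neither "." nor "..". Everything else is rejected. */
int allowlist_ok(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Canonicalize: percent-decode exactly once and lower-case. Decoding once is
 * deliberate; decoding "until stable" would make "%252e" equivalent to "."
 * and reopen the double-encoding bypass. Returns 0 on a malformed %xx. */
int canonicalize(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int h = hexval((unsigned char)in[i + 1]);
            int l = (h >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
            if (h < 0 || l < 0) return 0;
            c = h * 16 + l;
            i += 2;
        }
        if (o + 1 >= cap) return 0;
        out[o++] = (char)tolower(c);
    }
    out[o] = '\0';
    return 1;
}

/* The single validation point: canonical form first, allowlist second.
 * A component that cannot be canonicalized is rejected, not passed through. */
int validate_component(const char *raw) {
    char canon[128];
    if (!canonicalize(raw, canon, sizeof canon)) return 0;
    return allowlist_ok(canon);
}

int main(void) {
    const char *inputs[] = { "Report-2024.txt", "%2e%2e%2fetc%2fpasswd", "..", "bad%zz" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-24s denylist(raw)=%d  canonical+allowlist=%d\n", inputs[i],
               denylist_ok(inputs[i]), validate_component(inputs[i]));
    return 0;
}
```

The order matters: validating before decoding is what lets the encoded form through, and having several callers each decode and check in their own way is what the card calls point-to-point validation.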

53

What is the sixth software security design principle?

Use cryptography correctly - cryptography is extremely difficult to implement properly

54

What should you do with cryptographic implementation?

• Use standard algorithms and libraries
• Centralize crypto operations
• Design for crypto agility
• Get expert help

55

What should you never do with cryptography?

• Never implement your own cryptographic algorithms
• Never use weak randomness sources
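Predictable tokens (card 45) and weak randomness (card 55) are the same mistake seen from two sides; this added example (not course code) shows it in C. The weak token seeds rand() with the issue time, so anyone who can guess the timestamp to the second regenerates the token by calling the same function. The strong token reads the OS CSPRNG through /dev/urandom (getrandom(2) or arc4random(3) are equivalent where available) and fails closed rather than falling back to something weaker. It assumes a Unix-like system with /dev/urandom.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_BYTES 16                     /* 128-bit token, 32 hex characters */

static void hex_encode(const unsigned char *in, size_t n, char *out) {
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

/* Weak: rand() seeded with the clock. The token is a deterministic function of
 * issued_at; an attacker who knows roughly when a session was created calls
 * this same function for each candidate second and gets the token. */
void weak_token(time_t issued_at, char out[2 * TOKEN_BYTES + 1]) {
    unsigned char b[TOKEN_BYTES];
    srand((unsigned)issued_at);
    for (size_t i = 0; i < TOKEN_BYTES; i++) b[i] = (unsigned char)(rand() & 0xff);
    hex_encode(b, TOKEN_BYTES, out);
}

/* Strong: bytes from the kernel CSPRNG. Returns 1 on success; on any failure
 * returns 0 with an empty token instead of degrading to rand(). */
int strong_token(char out[2 * TOKEN_BYTES + 1]) {
    unsigned char b[TOKEN_BYTES];
    out[0] = '\0';
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(b, 1, TOKEN_BYTES, f);
    fclose(f);
    if (got != TOKEN_BYTES) return 0;
    hex_encode(b, TOKEN_BYTES, out);
    return 1;
}

int main(void) {
    char issued[2 * TOKEN_BYTES + 1], guessed[2 * TOKEN_BYTES + 1], strong[2 * TOKEN_BYTES + 1];
    time_t when = 1700000000;              /* constructed issue time */
    weak_token(when, issued);
    weak_token(when, guessed);             /* attacker's guess of the same second */
    printf("weak token:   %s\nattacker got: %s (%s)\n", issued, guessed,
           strcmp(issued, guessed) == 0 ? "predicted" : "missed");
    if (strong_token(strong)) printf("strong token: %s\n", strong);
    return 0;
}
```

The weak version does not look wrong at a glance, which is why the card says to use standard libraries and the operating system's randomness rather than reasoning about whether a given PRNG is "random enough" for a credential.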

56

What is the seventh software security design principle?

Identify and protect sensitive data - know what data is sensitive and protect it throughout its lifecycle

57

What should you consider about data sensitivity?

Data sensitivity is often context-dependent and can change over time

58

What is the eighth software security design principle?

Always consider the users - security systems must be usable by real humans in real environments

59

What should you do regarding users and security?

• Make systems secure by default
• Don't make users responsible for critical security decisions

60

What is the ninth software security design principle?

Correctly integrate external components - third-party components inherit their security properties into your system

61

What should you do with external components?

• Security test all components
• Include dependencies in reviews
• Isolate components when possible

62

What should you not assume about external components?

Don't assume they're secure just because they're popular or open source

63

What is the tenth software security design principle?

Be flexible for future changes - security systems must adapt as threats and technology evolve

64

What should you plan for in flexible security design?

• Plan for secret compromise recovery
• Plan for crypto algorithm changes
• Plan for security updates

65

What makes security brittle?

Hardcoding security assumptions that can't be updated or making security so complex that updates won't be applied

66

What was the Foxconn ransomware attack?

A DoppelPaymer ransomware attack on Foxconn's CTBG MX facility in Mexico over the US Thanksgiving weekend in late November 2020: about 1,200 servers were encrypted, roughly 100 GB of files were stolen, 20-30 TB of backups were deleted, and a ransom of 1,804 BTC (about $34 million) was demanded

67

What was the Marriott data breach?

Disclosed on November 30, 2018: attackers had been inside the Starwood guest reservation database since 2014. Marriott initially estimated up to 500 million guest records (later revised to about 383 million), including names, passport numbers, travel details, and encrypted payment card numbers

68

What was the Equifax data breach?

Discovered in late July 2017 and disclosed in September 2017: attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638, patched upstream in March 2017) in a public web application and exfiltrated personal information of about 143 million US consumers (later revised to 147 million), including SSNs, birth dates, addresses, and some driver's license numbers

69

What are the limitations of operating system security?

• Cannot enforce application-specific policies due to semantic gap
• Cannot precisely enforce information-flow policies

70

What are the limitations of firewall filtering?

• Coarse-grained and unsound
• Port 80 assumed benign but can carry malicious traffic
• Previously benign sources can become malicious

71

What are the limitations of IDS patterns?

• Fine-grained but still unsound
• Attack traffic can be modified to bypass syntactic filters
• Too much filtering hurts performance

72

What are the limitations of anti-virus scanners?

• Frequently bypassed by new variants
• Performance overhead limits detection depth
• Ongoing cat-and-mouse game with attackers

73

What is application security?

Security measures applied after the software is built, such as sandboxing, network-centric defenses, and input checking at the boundary

74

Why is adding security after the fact problematic?

Adding more code doesn't make faulty software correct - security must be built into the design

75

What does NOT constitute software security?

• Security software (programs designed to enhance security)
• Application security (added after building)
• Operating system security mechanisms

76

What IS software security?

Engineering software so that it continues to function correctly under malicious attack, by eliminating both implementation bugs and design flaws