Scribd
Upload
8 views

FSS CH-1

Uploaded by

noveyis180
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
8 views

FSS CH-1

Uploaded by

noveyis180
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 21

JIGJIGA UNIVERSITY

Chapter One
Introduction to Software Security

Kedra Hussen

1
Terminologies
• Plaintext: Intelligible data that has meaning and can be read or acted upon without the
application of decryption. Also known as cleartext.

• Ciphertext: Ciphertext is encrypted text transformed from plaintext using an encryption


algorithm. Ciphertext can't be read until it has been converted into plaintext (decrypted) with
a key.

• Threat: Any action that can damage or compromise an asset

• Vulnerability: An inherent weakness that may enable threat to harm system or networks.

• Risk: Probability that something bad is going to happen to an asset.


• Software?
It is a set of instructions, data or programs used to operate computers and
execute specific tasks.
• Malicious Software
Malicious software also known as malware is a code that can damage our
software so as to steal personal or financial information
• Software Security
 It is the concept of implementing mechanism in the construction of
security to help it remain functional or resistant to attacks or malware.
 It refers to a set of practices that help protect software applications and
digital solutions from attackers.
 It is an idea implemented to protect software against malicious attacks
and other hacker risks so that the software continues to function correctly
under such potential risks.
Types of Software Security
• There are four main types of security:
1. Network Security – the security between devices located on the
same network.
2. End-Point Security – in this situation, security is focused on the
devices used i.e. phones, tablets, computers…
3. Internet Security – this is what is commonly known as Cyber security
and deals with the transit and use of information. Various layers of
encryption and authentication are typically used to stop attacks.
4. Cloud Security – revolves around lowering software security risks
within the cloud.
• Attack
It occurs when someone attempts to exploit a vulnerability. An attack can
either be:
• Passive Attack: attempts to learn or make use of information.

Ex: Eavesdropping
• Active Attacks: attempts to alter or modify system resources.

Ex: Denial of Service (DoS)


Common Software Security Threats

• What is Threat?
It is a potential violation of security.

• Classes of Threats
1. Interruption (Disruption) – prevention of correct operation. Ex: DoS attack

2. Interception (Disclosure) – unauthorized access to information. Ex: Snooping

3. Modification – an unauthorized party not only gains access to but modify an asset. Ex:
Spoofing

4. Fabrication – unauthorized party inserts fake resources/inputs to the system.


• Challenges of Software Security
• Requires Constant Monitoring

• Not integral

• One must consider potential (unexpected) attack

• Ransom ware evolution

• Insider Attacks
Security Goals and Principles
• Security Goals
There are 3 main goals known as CIA.

1. Confidentiality – Designed to prevent sensitive information from unauthorized


access attempts.

2. Integrity – Involves Maintaining the consistency, accuracy and trustworthiness


of data.

3. Availability – means information should be consistently and readily accessible


for authorized parties.
The CIA Triangle
Security Breach
• What is Security Breach
Any event that results in a violation of any of the CIA security intents is
know as security breach.

Some security breaches disrupt system services on purpose. Some are


accidental and may result from hardware or software failures.
• Activities that cause Security Breaches
• Denial of Service (DoS) attacks

• Distributed Denial of Service (DDoS) attacks

• Unacceptable web-browsing behavior

• Wiretapping

• Use of backdoor to access resources

• Accidental data modifications


1. Denial of Service Attack
• A coordinated attempt to deny service by occupying a computer to
perform large amounts of unnecessary tasks
o We protect from DoS using :
• Intrusion Prevention System (IPS)
• Intrusion Detection System (IDS)
o The attack is launched using
• SYN Flood
• Smurfing
2. Distributed Denial of Service Attack

• Overloads computers and prevents legitimate users from gaining access

• DdoS is a cybercrime in which the attacker floods a server with internet traffic
o More difficult to stop than a DoS attack because DDoS originates from
different sources
3. Unacceptable Web Browsing
• Unacceptable use can include:

o Unauthorized users searching files or storage directories

o Users visiting prohibited websites


4. Wiretapping

• Wiretapping is the surreptitious electronic monitoring of telephone, telegraph,


cellular, fax or Internet-based communications.

• Wiretapping is achieved either through the placement of a monitoring device


informally known as a bug on the wire in question or through built-in mechanisms
in other communication technologies.
5. Backdoors
• Hidden access included by developers
• Attackers can use them to gain access
6. Data Modifications
• Purposely or accidentally modified
• Incomplete
• Truncated
• Secure Design Principles
1. Minimize attack surface area
• Every time a programmer adds a feature to their application, they are increasing the risk of a security
vulnerability.

2. Establish secure defaults


• This principle states that the application must be secure by default. That means a new user must take steps
to obtain higher privileges and remove additional security measures (if allowed)

3. The principle of Least privilege


• The Principle of Least Privilege (POLP) states that a user should have the minimum set of privileges
required to perform a specific task.
4. The principle of Defence in depth
• The principle of defense in depth states that multiple security controls that
approach risks in different ways are the best option for securing an
application.

5. Don’t trust services


• Many web applications use third-party services for accessing additional
functionality or obtaining additional data. This principle states that you should
never trust these services from a security perspective.
Thank
Thank You
You ...
...

You might also like