SOFTWARE SECURITY EDUCATION: WHAT NEXT????
Submitted by
Srinath Viswanathan 006329076
Srinivas Gudisagar 006376734
AGENDA
Introduction
Security types
Certifications
Courses
Conclusion
Introduction
What is Software Security Education? Software security essentially deals with what the security risks are and how one would manage them.
• The security space can be cleanly divided into two distinct subfields: Information Security and Application Security.
Information security concerns confidentiality, integrity and availability.
Information Security
Secure both the information and the information systems.
Classic Threats
Disclosure
◦ Snooping, Trojan horses
Deception
◦ Modification, spoofing, repudiation of origin, denial of receipt
Disruption
◦ Modification
Usurpation
◦ Modification, spoofing, delay, denial of service
Application Security
Application security applies security throughout the application's life cycle.
Protect against attacks arising from design defects and from the deployment and maintenance of the application.
Application-level security threats:
Session threats: session hijacking, session replay, man-in-the-middle attack.
Auditing and logging: non-repudiation.
Input threats: cross-site scripting, SQL injection.
SQL Injection
Normal query (Web Browser -> Web Server -> Database):
The browser submits Username & Password; the web server builds the query
SELECT passwd FROM USERS
WHERE uname IS '$username'
SQL Injection
Malicious query (Web Browser -> Web Server -> Database):
The "Username & Password" field carries SQL, so the web server sends the database
SELECT passwd FROM USERS
WHERE uname IS ''; DROP TABLE
USERS; -- '
Eliminates all user accounts.
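As an added example (not from the slides), the two queries above in Python against SQLite: the string-built query lets the slide's input drop the USERS table, while the bound-parameter version treats the same input as nothing more than a username. The table contents are constructed for the demo, and `=` is used in place of the slide's `IS`.

```python
import sqlite3

# Constructed sample accounts for the demo (not from the slides).
SAMPLE_USERS = [("alice", "ilovebob"), ("bob", "hunter2")]
# The input from the slide: closes the quote, stacks a DROP, comments out the rest.
INJECTED = "'; DROP TABLE USERS; -- "

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, passwd TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", SAMPLE_USERS)
    return conn

def users_table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='USERS'").fetchone()
    return row is not None

def build_query_vulnerable(username):
    # The slide's "normal query": the input is pasted into the SQL text, so an
    # attacker's quote and semicolon become SQL syntax instead of data.
    return "SELECT passwd FROM USERS WHERE uname = '%s'" % username

def lookup_vulnerable(conn, username):
    # executescript runs every statement in the string, like a driver that
    # permits stacked queries; that is what lets the DROP TABLE execute.
    conn.executescript(build_query_vulnerable(username))

def lookup_safe(conn, username):
    # Bound parameter: the value travels separately from the SQL, so the
    # injected text is only ever compared against the uname column.
    row = conn.execute(
        "SELECT passwd FROM USERS WHERE uname = ?", (username,)).fetchone()
    return row[0] if row else None

def demo():
    """Runs both lookups with the slide's input and reports what survived."""
    safe_db = make_db()
    results = {
        "safe_alice": lookup_safe(safe_db, "alice"),
        "safe_injected": lookup_safe(safe_db, INJECTED),
        "safe_table_survives": users_table_exists(safe_db),
    }
    vuln_db = make_db()
    lookup_vulnerable(vuln_db, INJECTED)
    results["vuln_table_survives"] = users_table_exists(vuln_db)
    return results
```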
Cross Site Scripting
Alice -> bank.com/login.html
/auth uname=alice&pass=ilovebob -> Cookie: sessionid=40a4c04de
/viewbalance with Cookie: sessionid=40a4c04de
"Your balance is $25,000"
Cross Site Scripting
Alice -> bank.com/login.html
/auth uname=alice&pass=ilovebob -> Cookie: sessionid=40a4c04de
Alice -> evil.com/evil.html, which contains:
<IMG SRC=http://bank.com/paybill?addr=123 evil st & amt=$10000>
Alice's browser -> bank.com /paybill?addr=123 evil st, amt=$10000 with Cookie: sessionid=40a4c04de
"OK. Payment Sent!"
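Added example, not part of the slides: a simulated bank.com /paybill handler in Python showing why the request forged by evil.com's image tag succeeds in the diagram (the browser attaches Alice's session cookie on its own, a cross-site request forgery) and two checks that stop it, refusing state changes over GET and requiring a per-session anti-forgery token that evil.com cannot read. The session store, token field name and payment amounts are constructed for the demo; the session id is the one on the slide.

```python
import hmac
import secrets

# Constructed session store for the demo: sessionid -> session data.
# The session id is the one on the slide; the token is minted per login.
SESSIONS = {"40a4c04de": {"user": "alice", "csrf": secrets.token_hex(16)}}

def handle_paybill(method, cookies, params):
    """Hypothetical bank.com /paybill endpoint. Returns (status, body)."""
    session = SESSIONS.get(cookies.get("sessionid"))
    if session is None:
        return 401, "Not logged in"
    if method != "POST":
        # An <IMG SRC=...> can only make the browser issue a GET, so a
        # transfer that insists on POST is never triggered by an image tag.
        return 405, "Payments must be POSTed"
    token = params.get("csrf_token", "")
    # Constant-time compare against the session's token. evil.com cannot
    # read bank.com's pages, so it has no way to learn this value.
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "Missing or invalid anti-forgery token"
    return 200, "OK. Payment Sent! %s to %s" % (params["amt"], params["addr"])

def forged_get_from_image_tag():
    # What Alice's browser sends when evil.html's image loads: the bank
    # cookie rides along automatically, but the method is GET and no token.
    return handle_paybill("GET", {"sessionid": "40a4c04de"},
                          {"addr": "123 evil st", "amt": "$10000"})

def forged_post_without_token():
    # Even a cross-site POST carries the cookie but cannot supply the token.
    return handle_paybill("POST", {"sessionid": "40a4c04de"},
                          {"addr": "123 evil st", "amt": "$10000"})

def legitimate_post():
    # Alice's own form submit on bank.com: the page embedded her token.
    token = SESSIONS["40a4c04de"]["csrf"]
    return handle_paybill("POST", {"sessionid": "40a4c04de"},
                          {"addr": "Utility Co", "amt": "$120", "csrf_token": token})

def logged_out_request():
    # No session cookie at all: rejected before any other check.
    return handle_paybill("POST", {}, {"addr": "Utility Co", "amt": "$120"})
```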
Why Security Certification?
• Professional validation of skills
• Exposure to industry standards
• Best practices
• Baseline skills for a specific role
• Quality of work & productivity
• Differentiation of your organization or group
Security Certifications
Classifications:
◦ Benchmark: wide recognition by professionals in all sectors; advanced level; prerequisite for many senior jobs
◦ Foundation: introductory certifications; one to four years of experience
◦ Intermediate: 3 to 4 years of networking experience; 2 years of IT security experience
◦ Advanced: expert level; minimum of 4 years of IT security experience
Security Certifications
Benchmark certifications:
• CISSP (ISC2.org) - Common Body of Knowledge: Access Control Systems and Methodology; Applications & Systems Development; Business Continuity Planning; Cryptography; Law, Investigation & Ethics
Cost: $600. Average annual salary: $115,000
Security Certifications
Foundation level: SANS
• GIAC Security Essentials (GSEC): basic understanding of the CBK; basic skills to incorporate good information security practices
• GIAC IT Security Audit Essentials: developing audit checklists; performing limited risk assessment
Cost: $450. Average annual salary: $70,000
GIAC Secure Software Programmer:
Finds programming flaws.
Comes in 3 flavors.
Things provided by this certificate:
a) It teaches some basic security concepts as well as advanced topics.
b) Learning to write code with security in mind.
Advantages:
Learners can demonstrate mastery of security knowledge in the programming language.
Anti-Hacking Certification:
Thinking from the hacker's perspective.
Teaches different network security testing tools.
Things provided by this certificate:
a) Learning hacking tools like HTTPPort, BackStealth.
b) Hacking SSL-enabled sites.
Advantages:
a) It complements CEH, and learners come out with a complete security education.
b) Learn to defend the network from Trojans and viruses.
EC-Council Certified Security Analyst (ECSA):
Analyzes the outcome of security tests.
Differentiated from the Certified Ethical Hacker.
Things provided by this certificate:
a) Methods and tools to test security.
b) Performing network security testing and doing an exhaustive analysis.
Advantages:
a) Boosts your resume by making you stand out as a better security professional.
b) Makes you skillful in using security tools and techniques.
Courses: Wireless Security
Distinguished based on their range.
General threats: denial of service, eavesdropping, man-in-the-middle attack, replaying messages, and a hacker analysing patterns.
Defenses are encryption, applying algorithms, using timestamps, authentication, IDS.
Defenses are implemented with the base knowledge of network security.
VPN Security
Connect different nodes by a virtual network.
Methods to keep the communication and data secure are:
a) Firewall
b) Encryption
c) IPSec
d) Building an AAA server.
Stanford Advanced Computer Security Certificate
Six courses to be done. The courses are:
a) Using Cryptography Correctly - avoid programming mistakes.
b) Writing Secure Code - secure code tools.
c) Security Protocols - design SSL, WEP, IPSec, Kerberos correctly.
d) Software Secure Foundation - secure programming techniques.
e) Web Security - security issues with Web 2.0; Facebook lab.
f) Securing Web Application - secure website design; SQL injection lab.
$1100 at Stanford, $495 online. Participants from organizations like Yahoo! Inc, Cisco Systems, Oracle.
Conclusion
Software security is every engineer's problem!
Certification and some of the courses that we mentioned are a great way to complement the network security course.
Better security for organizations.
References:
http://www.eccouncil.org/ECSA.htm
http://www.securityuniversity.net/classes_Anti-Hacking_Certificate_Mgrs.php
http://www.giac.org/certifications/software/
http://permanent.access.gpo.gov/lps96916/Draft-SP800-48r1.pdf
http://www.isc2.org/csslp-certification.aspx
http://www.cigital.com/ssw/softsec_infosec.pdf
http://www.cs.rutgers.edu/~vinodg/teaching/fall-2007-cs673/index.html