Transcript Slide 1
SOFTWARE SECURITY EDUCATION
WHAT NEXT?
Submitted by
Srinath Viswanathan
006329076
Srinivas Gudisagar
006376734
AGENDA
Introduction
Security types
Certifications
Courses
Conclusion
Introduction
What is Software Security Education?
Software security deals with identifying the security risks in software and
deciding how to manage them.
• The security space is commonly divided into two broad subfields:
Information Security
Application Security
Information security concerns confidentiality, integrity and availability
(the CIA triad).
Information Security
Secures both the information and the information systems that store and
process it.
Classic Threats (each class lists the attacks that realise it)
Disclosure: unauthorised access to information
◦ Snooping, Trojan horses
Deception: acceptance of false data
◦ Modification, spoofing, repudiation of origin, denial of receipt
Disruption: interruption or prevention of correct operation
◦ Modification, denial of service
Usurpation: unauthorised control of some part of a system
◦ Modification, spoofing, delay, denial of service
Application Security
Application security applies security throughout the application's life cycle.
It protects against flaws introduced during the design, development,
deployment and maintenance of the application.
Application-level security threats:
Session threats: session hijacking, session replay, man-in-the-middle attack.
Auditing and logging threats: repudiation (a user denies an action because no
trustworthy record of it exists; non-repudiation is the goal of the control).
Input threats: cross-site scripting, SQL injection.
SQL Injection
[Figure: the web browser submits a username and password to the web server,
which builds a query from them and sends it to the database.]
Normal query (the submitted username is spliced into the SQL text):
SELECT passwd FROM USERS WHERE uname = '$username'
[Figure: the same flow with a crafted "username" that closes the string
literal and appends a second statement.]
Malicious query:
SELECT passwd FROM USERS WHERE uname = ''; DROP TABLE USERS; -- '
The trailing -- comments out the closing quote the server appended, so the
DROP TABLE statement runs and eliminates all user accounts.
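The query on the slide, carried through in running code. This is an added example, not code from the slides or from any of the certification bodies they describe. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table contents, the secret-free schema and the use of executescript() to stand in for a driver that accepts stacked statements are all assumptions made for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demo: a users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT PRIMARY KEY, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "ilovebob"), ("bob", "hunter2")])
    conn.commit()
    return conn


def users_table_exists(conn):
    """True while the users table is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def build_vulnerable_query(username):
    """Splices the untrusted username straight into the SQL text, as on the slide."""
    return "SELECT passwd FROM users WHERE uname = '" + username + "'"


def lookup_vulnerable(conn, username):
    """Runs the spliced query. executescript() is used on purpose: unlike
    execute(), it runs every ';'-separated statement it is given, which
    stands in for a database driver that permits stacked queries (an
    assumption made for this demo, not a property of every driver).
    Returns the SQL that was actually sent so the caller can inspect it."""
    query = build_vulnerable_query(username)
    conn.executescript(query)
    return query


def lookup_safe(conn, username):
    """Parameterised query: the driver sends the username as a bound value,
    so quotes and semicolons inside it can never change the statement."""
    row = conn.execute(
        "SELECT passwd FROM users WHERE uname = ?", (username,)
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "'; DROP TABLE users; -- "   # the slide's malicious "username"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))
    print("users table survives:", users_table_exists(db))   # False
    db = make_db()
    print(lookup_safe(db, PAYLOAD))                           # None
    print("users table survives:", users_table_exists(db))   # True
```

Two points worth noticing when running it: sqlite3's plain execute() refuses stacked statements with a ProgrammingError, which is why executescript() is needed to reproduce the slide's DROP TABLE, but that driver quirk is no defence, since a payload such as ' OR '1'='1 needs no second statement at all. Binding the value with ? removes the whole class of problem, because the username is never parsed as SQL.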
Cross Site Request Forgery (CSRF)
[Figure: Alice's normal session with bank.com.]
Alice -> bank.com: GET /login.html
Alice -> bank.com: POST /auth with uname=alice&pass=ilovebob
bank.com -> Alice: Cookie: sessionid=40a4c04de
Alice -> bank.com: GET /viewbalance, Cookie: sessionid=40a4c04de
bank.com -> Alice: "Your balance is $25,000"
[Figure: while still logged in to bank.com, Alice visits evil.com.]
Alice -> evil.com: GET /evil.html
evil.com -> Alice: page containing <IMG SRC="http://bank.com/paybill?addr=123 evil st&amt=$10000">
Alice's browser -> bank.com: GET /paybill?addr=123 evil st&amt=$10000, Cookie: sessionid=40a4c04de
bank.com -> Alice: "OK. Payment Sent!"
Although often grouped with cross site scripting, no attacker script runs
inside bank.com here: the attack works because the browser attaches Alice's
bank.com session cookie to every request for bank.com, whichever page caused it.
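The forged /paybill request from the figure, replayed against a vulnerable and a hardened handler. This is an added example and not code from the slides or from bank.com; the request dictionaries, the session table and the server secret are constructed for the demo, and the token scheme (an HMAC of the session id, embedded in bank.com's own forms) is one common synchroniser-token design rather than anything the slide specifies.

```python
import hashlib
import hmac

# Assumptions for this demo: a server-side secret and a session store
# (constructed; a real deployment loads the secret from configuration and
# keeps sessions in a database or cache).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SESSIONS = {"40a4c04de": "alice"}    # session id -> logged-in user, as on the slide


def csrf_token(session_id):
    """Anti-forgery token bound to the session: HMAC-SHA256(secret, session id).
    bank.com embeds it in its own forms; evil.com can neither compute nor read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def paybill_vulnerable(request):
    """bank.com as drawn on the slide: any request carrying a valid session
    cookie is honoured, no matter which site caused the browser to send it."""
    user = SESSIONS.get(request["cookies"].get("sessionid"))
    if user is None:
        return 401, "not logged in"
    return 200, f"OK. Payment of {request['params']['amt']} to {request['params']['addr']} sent for {user}"


def paybill_hardened(request):
    """Same endpoint with two CSRF checks: state changes must be POSTed, and
    the request must carry the token that only bank.com's own pages know."""
    session_id = request["cookies"].get("sessionid")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "payments must be sent with POST, not fetched like an image"
    supplied = request["params"].get("csrf", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"OK. Payment of {request['params']['amt']} to {request['params']['addr']} sent for {user}"


# Constructed request: what the <IMG SRC=...> on evil.html makes Alice's
# browser send. The browser attaches her bank.com cookie automatically.
FORGED_REQUEST = {
    "method": "GET",
    "params": {"addr": "123 evil st", "amt": "$10000"},
    "cookies": {"sessionid": "40a4c04de"},
}


def legitimate_request(session_id="40a4c04de"):
    """Constructed request from a form served by bank.com itself, which carried the token."""
    return {
        "method": "POST",
        "params": {"addr": "electric co", "amt": "$120", "csrf": csrf_token(session_id)},
        "cookies": {"sessionid": session_id},
    }


if __name__ == "__main__":
    print(paybill_vulnerable(FORGED_REQUEST))      # (200, 'OK. Payment of $10000 to 123 evil st sent for alice')
    print(paybill_hardened(FORGED_REQUEST))        # (405, ...)
    print(paybill_hardened(legitimate_request()))  # (200, ...)
```

The method check alone already stops the image-tag vector, because a browser cannot make an IMG element issue a POST; the token check is what stops a hidden auto-submitting form on evil.com, which can POST but cannot read bank.com's page to learn the token.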
Why Security Certification?
• Professional validation of skills
• Exposure to industry standards
• Best practices
• Baseline skills for a specific role
• Quality of work & productivity
• Differentiation of your organization or group
Security Certifications
Classifications:
◦ Benchmark
Wide recognition by professionals in all sectors
Advanced level
Prerequisite for many senior jobs
◦ Foundation
Introductory certifications
One to four years of experience
◦ Intermediate
3 to 4 years of networking experience
2 years of IT security experience
◦ Advanced
Expert level
Minimum of 4 years of IT security experience
Security Certifications
Benchmark certification: CISSP (ISC2.org)
Common Body of Knowledge (CBK) domains include:
Access Control Systems and Methodology
Applications & Systems Development
Business Continuity Planning
Cryptography
Law, Investigation & Ethics
Cost: $600
Average annual salary: $115,000
Security Certifications
Foundation level: SANS
• GIAC Security Essentials (GSEC)
Basic understanding of the CBK
Basic skills to incorporate good information security practices
• GIAC IT Security Audit Essentials
Developing audit checklists
Performing limited risk assessments
Cost: $450
Average annual salary: $70,000
GIAC Secure Software Programmer:
Finding programming flaws.
Offered in three language-specific versions.
Things provided by this certificate:
a) It covers basic security concepts as well as advanced topics.
b) Learning to write code with security in mind.
Advantages:
Learners can demonstrate mastery of security knowledge in their programming
language.
Anti-Hacking Certification:
Thinking from the hacker's perspective.
Teaches different network security testing tools.
Things provided by this certificate:
a) Learning hacking tools such as HTTPort and BackStealth.
b) Hacking SSL-enabled sites.
Advantages:
a) It complements CEH, so learners come out with a complete security
education.
b) Learning to defend a network from Trojans and viruses.
EC-Council Certified Security Analyst (ECSA):
Analyzing the outcome of security tests.
Differs from the Certified Ethical Hacker: the emphasis is on analysing and
reporting test results rather than only running the attacks.
Things provided by this certificate:
a) Methods and tools to test security.
b) Performing network security testing and doing an exhaustive analysis.
Advantages:
a) Boosts your resume by making you stand out as a better security
professional.
b) Makes you skillful in using security tools and techniques.
Courses:
Wireless Security
Wireless networks are distinguished by their range (personal, local,
metropolitan and wide area).
General threats: denial of service, eavesdropping, man-in-the-middle attacks,
message replay, and attackers analysing traffic patterns.
Defenses: encryption, cryptographic algorithms, timestamps (or nonces) against
replay, authentication, and intrusion detection systems (IDS).
Defenses are implemented with the base knowledge of network security.
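How the timestamp and authentication defences listed above stop message replay, as an added example (not code from the slides or from the referenced NIST guide). Both stations are assumed to already share a key, here a constructed placeholder; the message format, the 30-second freshness window and the nonce cache are design choices for the demo, and the sample payloads are constructed.

```python
import hashlib
import hmac
import os

# Assumption for this demo: both stations already share KEY (from provisioning
# or a key agreement step); the constant below is only a placeholder.
KEY = b"constructed-demo-shared-key"
FRESHNESS_WINDOW = 30   # seconds; also bounds how long nonces must be remembered


def build_message(key, payload, now, nonce=None):
    """Sender side: timestamp|nonce|payload followed by an HMAC-SHA256 tag over
    all three, so none of them can be altered without the key."""
    if nonce is None:
        nonce = os.urandom(8).hex()
    header = f"{int(now)}|{nonce}|{payload}"
    tag = hmac.new(key, header.encode(), hashlib.sha256).hexdigest()
    return header + "|" + tag


class Receiver:
    """Receiver side: verifies the tag, then rejects stale and replayed messages."""

    def __init__(self, key, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = set()   # (timestamp, nonce) pairs already accepted

    def accept(self, message, now):
        """Returns (True, payload) for a fresh authentic message, else (False, reason)."""
        header, sep, tag = message.rpartition("|")
        if not sep:
            return False, "malformed"
        expected = hmac.new(self.key, header.encode(), hashlib.sha256).hexdigest()
        # Authenticity first: without the key an attacker cannot even reach the
        # freshness logic with altered timestamp, nonce or payload fields.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False, "bad MAC"
        try:
            ts_text, nonce, payload = header.split("|", 2)
            ts = int(ts_text)
        except ValueError:
            return False, "malformed"
        # Timestamp check bounds how old a captured message can be replayed.
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        # Forget nonces whose timestamps are now outside the window; those
        # messages would be rejected as stale anyway, so the cache stays small.
        self.seen = {k for k in self.seen if now - k[0] <= self.window}
        # Nonce check catches replays that are still inside the window.
        if (ts, nonce) in self.seen:
            return False, "replay"
        self.seen.add((ts, nonce))
        return True, payload


if __name__ == "__main__":
    receiver = Receiver(KEY)
    msg = build_message(KEY, "open door 7", now=1000)
    print(receiver.accept(msg, now=1001))   # (True, 'open door 7')
    print(receiver.accept(msg, now=1002))   # (False, 'replay')
    print(receiver.accept(msg, now=1200))   # (False, 'stale timestamp')
```

The nonce cache is pruned by message timestamp rather than by arrival time; pruning by arrival time would let a message stamped slightly in the future be accepted, aged out of the cache, and then replayed while its timestamp is still inside the window.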
VPN Security
A VPN connects different nodes over a shared or public network through a
virtual private network, so traffic between them is tunnelled rather than
exposed.
Methods to keep the communication and data secure are:
a) Firewall
b) Encryption
c) IPsec
d) Building an AAA (authentication, authorization and accounting) server.
Stanford Advanced Computer Security Certificate
Six courses must be completed:
a) Using Cryptography Correctly: avoiding programming mistakes.
b) Writing Secure Code: secure-code tools.
c) Security Protocols: designing SSL, WEP, IPsec and Kerberos correctly.
d) Software Security Foundations: secure programming techniques.
e) Web Security: security issues with Web 2.0, Facebook lab.
f) Securing Web Applications: secure website design, SQL injection lab.
$1,100 at Stanford, $495 online.
Participants from organizations such as Yahoo! Inc., Cisco Systems and Oracle.
Conclusion
Software security is every engineer's problem!
Certification and the courses we mentioned are a great way to complement a
network security course.
Better security for organizations.
References:
http://www.eccouncil.org/ECSA.htm
http://www.securityuniversity.net/classes_AntiHacking_Certificate_Mgrs.php
http://www.giac.org/certifications/software/
http://permanent.access.gpo.gov/lps96916/Draft-SP80048r1.pdf
http://www.isc2.org/csslp-certification.aspx
http://www.cigital.com/ssw/softsec_infosec.pdf
http://www.cs.rutgers.edu/~vinodg/teaching/fall-2007cs673/index.html
THANK YOU
?