SOFTWARE SECURITY EDUCATION
Presentation Transcript

SOFTWARE SECURITY EDUCATION

WHAT NEXT????

Submitted by

Srinath Viswanathan 006329076

Srinivas Gudisagar

006376734


AGENDA

  • Introduction

  • Security types

  • Certifications

  • Courses

  • Conclusion


Introduction

  • What is Security Software Education?

    Software security essentially deals with what the security risks are and how one manages them.

  • The security space can be cleanly divided into two distinct subfields:

    Information Security

    Application Security

  • Information security concerns confidentiality, integrity and availability.


Information Security

  • Secure both the information and the information systems.

    Classic Threats

  • Disclosure

    • Snooping, Trojan Horses

  • Deception

    • Modification, spoofing, repudiation of origin, denial of receipt

  • Disruption

    • Modification

  • Usurpation

    • Modification, spoofing, delay, denial of service


Application Security

  • Application security applies security throughout the application’s life cycle.

  • Protects against attacks arising from design defects and from the deployment and maintenance of the application.

    Application-level security threats:

  • Session threats: session hijacking, session replay, man-in-the-middle attack.

  • Auditing and logging: non-repudiation.

  • Input threats: cross-site scripting, SQL injection.


SQL Injection

[Diagram: the Web Browser submits Username & Password to the Web Server, which sends the query below to the Database]

Normal Query

SELECT passwd FROM USERS WHERE uname = '$username'


SQL Injection

[Diagram: the Web Browser submits a crafted “Username & Password” to the Web Server, which sends the resulting query to the Database]

Malicious Query

SELECT passwd FROM USERS WHERE uname = ''; DROP TABLE USERS; -- '

Eliminates all user accounts
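An added example, not from the slides, that runs the two queries above against a constructed SQLite USERS table: the interpolated query executes the slide's stacked DROP TABLE, while the parameterised form treats the same input as a plain string. executescript() stands in for a database driver that runs stacked statements; sqlite3's execute() alone would refuse them.

```python
import sqlite3

# The username input behind the slide's "Malicious Query".
MALICIOUS_USERNAME = "'; DROP TABLE USERS; -- "


def fresh_db():
    """Constructed sample database: a USERS table like the slide's, one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 'ilovebob')")
    conn.commit()
    return conn


def query_vulnerable(conn, username):
    """The slide's 'Normal Query' assembled by string interpolation.
    executescript() stands in for a driver that runs stacked statements
    (sqlite3's execute() would refuse them). With the malicious username the
    text becomes  SELECT passwd FROM USERS WHERE uname = ''; DROP TABLE USERS; -- '
    and every statement in it runs; executescript() returns no rows."""
    conn.executescript(f"SELECT passwd FROM USERS WHERE uname = '{username}'")


def query_safe(conn, username):
    """Same lookup with a bound parameter: SQL text and value travel separately,
    so whatever the user typed is only ever compared as a string."""
    row = conn.execute("SELECT passwd FROM USERS WHERE uname = ?", (username,)).fetchone()
    return row[0] if row else None


def users_table_exists(conn):
    count = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'USERS'"
    ).fetchone()[0]
    return count == 1


def table_survives(query):
    """Run one of the lookups with the slide's malicious input on a fresh
    database and report whether the USERS table still exists afterwards."""
    conn = fresh_db()
    query(conn, MALICIOUS_USERNAME)
    return users_table_exists(conn)


if __name__ == "__main__":
    print("interpolated query, USERS survives:", table_survives(query_vulnerable))  # False
    print("parameterised query, USERS survives:", table_survives(query_safe))       # True
```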


Cross Site Scripting

[Diagram: Alice's browser talking to bank.com]

  • Alice -> bank.com: /login.html

  • Alice -> bank.com: /auth?uname=alice&pass=ilovebob

  • bank.com -> Alice: Cookie: sessionid=40a4c04de

  • Alice -> bank.com: /viewbalance with Cookie: sessionid=40a4c04de

  • bank.com -> Alice: “Your balance is $25,000”


Cross Site Scripting

[Diagram: Alice's browser talking to bank.com and evil.com]

  • Alice -> bank.com: /login.html, then /auth?uname=alice&pass=ilovebob

  • bank.com -> Alice: Cookie: sessionid=40a4c04de

  • Alice -> evil.com: /evil.html

  • evil.com -> Alice: a page containing <IMG SRC="http://bank.com/paybill?addr=123 evil st&amt=$10000">

  • Alice's browser -> bank.com: /paybill?addr=123 evil st&amt=$10000 with Cookie: sessionid=40a4c04de

  • bank.com -> Alice: “OK. Payment Sent!”
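The two slides above show a request that bank.com honours only because Alice's browser attaches her session cookie to it, the pattern practitioners usually call cross-site request forgery. The added example below, not from the slides, is the server-side check (POST only, same-origin Origin/Referer, per-session anti-forgery token) that rejects the forged /paybill request; the session store and token are constructed.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlparse

BANK_ORIGIN = "https://bank.com"

# Constructed session store; the session id is the one on the slides. A fresh
# anti-forgery token is issued per session and embedded in bank.com's own forms.
SESSIONS = {"40a4c04de": {"user": "alice", "csrf_token": secrets.token_hex(16)}}


def session_from_cookie(headers):
    morsel = SimpleCookie(headers.get("Cookie", "")).get("sessionid")
    return SESSIONS.get(morsel.value) if morsel else None


def authorize_paybill(method, headers, form):
    """Decide whether a /paybill request may proceed; returns (allowed, reason).
    The session cookie alone proves nothing about who started the request,
    because the browser attaches it to requests triggered from evil.com too."""
    session = session_from_cookie(headers)
    if session is None:
        return False, "no valid session"
    if method != "POST":
        return False, "state change via GET (anything an <img> tag can trigger)"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer header"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != BANK_ORIGIN:
        return False, f"cross-site request from {parsed.netloc}"
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False, "missing or wrong anti-forgery token"
    return True, "ok"


# The slide's forged request: Alice's browser renders evil.html, the <img>
# fires a GET at bank.com and her cookie rides along.
FORGED = ("GET",
          {"Cookie": "sessionid=40a4c04de", "Referer": "http://evil.com/evil.html"},
          {"addr": "123 evil st", "amt": "10000"})


def legitimate_request():
    """A payment Alice submits from bank.com's own form, carrying the token."""
    return ("POST",
            {"Cookie": "sessionid=40a4c04de", "Origin": BANK_ORIGIN},
            {"addr": "1 main st", "amt": "50", "csrf_token": SESSIONS["40a4c04de"]["csrf_token"]})


if __name__ == "__main__":
    print(authorize_paybill(*FORGED))                # (False, 'state change via GET ...')
    print(authorize_paybill(*legitimate_request()))  # (True, 'ok')
```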


Why Security Certification?

  • Professional validation of skills

  • Exposure to industry standards

  • Best practices

  • Baseline skills for a specific role

  • Quality of work & productivity

  • Differentiation of your organization or group


Security Certifications

  • Classifications:

    • Benchmark

      • Wide recognition by professionals in all sectors

      • Advanced level

      • Prerequisite for many senior jobs

    • Foundation

      • Introductory certifications

      • One to four years of experience


Security Certifications

  • Classifications:

    • Intermediate

      • 3 to 4 years of networking experience

      • 2 years of IT Security experience

    • Advanced

      • Expert level

      • Minimum of 4 years of IT Security experience


Security Certifications

  • Benchmark certifications:

  • CISSP

    • ISC2.org

    • Common Body of Knowledge

      • Access Control Systems and Methodology

      • Applications & Systems Development

      • Business Continuity Planning

      • Cryptography

      • Law, Investigation & Ethics

        Cost: $600

        Average annual salary: $115,000


Security Certifications

  • Foundation level:

  • SANS

  • GIAC Security Essentials (GSEC)

    • Basic understanding of the CBK

    • Basic skills to incorporate good information security practices

  • GIAC IT Security Audit Essentials

    • Developing audit checklists

    • Perform limited risk assessment

      Cost: $450

      Average annual salary: $70,000


    GIAC Secure Software Programmer:

    • Finds programming flaws.

    • Comes in 3 flavors.

    • Things provided by this certificate:

      a) It teaches some basic security concepts as well as advanced topics.

      b) Learning to write code with security in mind.

      Advantages:

      Learners can demonstrate mastery of security knowledge in the programming language.


    Anti-Hacking Certification:

    • Thinking from the hacker's perspective.

    • Teaches different network security testing tools.

    • Things provided by this certificate:

      a) Learning Hacking tools like HTTPPort, BackStealth.

      b) Hacking SSL-enabled sites.

      Advantages:

      a) It complements CEH, so learners come out with a complete security education.

      b) Learn to defend the network from Trojans and viruses.


    EC-Council Certified Security Analyst (ECSA):

    • Analyzes the outcome of security tests.

    • Differentiation from the Ethical Hacker certification.

    • Things provided by this certificate:

      a) Methods and tools to test security.

      b) Performing network security testing and doing an exhaustive analysis.

    • Advantages:

      a) Boosts your resume by making you stand out as a better security professional.

      b) Makes you skillful in using security tools and techniques.


    Courses: Wireless Security

    • Wireless networks are distinguished by their range.

    • General threats: denial of service, eavesdropping, man-in-the-middle attacks, message replay, and attackers analyzing traffic patterns.

    • Defenses: encryption, applying algorithms, using timestamps, authentication, IDS.

    • Defenses are implemented on the base knowledge of network security.


    VPN Security

    • Connects different nodes through a virtual network.

    • Methods to keep the communication and data secure are:

      a) Firewall

      b) Encryption

      c) IPSec

      d) Building an AAA server.


    Stanford Advanced Computer Security Certificate

    • Six courses to be completed.

    • The courses are:

      a) Using Cryptography Correctly: avoiding programming mistakes.

      b) Writing Secure Code: secure-code tools.

      c) Security Protocols: designing SSL, WEP, IPSec and Kerberos correctly.

      d) Software Security Foundations: secure programming techniques.

      e) Web Security: security issues with Web 2.0, Facebook lab.

      f) Securing Web Applications: secure website design, SQL injection lab.

    • $1100 at Stanford, $495 online.

    • Participants from organizations like Yahoo! Inc, Cisco Systems, Oracle.


    Conclusion

    • Software security is every engineer's problem!

    • Certification and some of the courses we mentioned are a great way to complement the network security course.

    • Better security for organizations.


    References:

    • http://www.eccouncil.org/ECSA.htm

    • http://www.securityuniversity.net/classes_Anti-Hacking_Certificate_Mgrs.php

    • http://www.giac.org/certifications/software/

    • http://permanent.access.gpo.gov/lps96916/Draft-SP800-48r1.pdf

    • http://www.isc2.org/csslp-certification.aspx

    • http://www.cigital.com/ssw/softsec_infosec.pdf

    • http://www.cs.rutgers.edu/~vinodg/teaching/fall-2007-cs673/index.html
