
SOFTWARE SECURITY EDUCATION

WHAT NEXT????

Submitted by

Srinath Viswanathan 006329076

Srinivas Gudisagar

006376734



AGENDA

  • Introduction

  • Security types

  • Certifications

  • Courses

  • Conclusion


Introduction

  • What is Software Security Education?

    Software security essentially deals with what the security risks are and how one manages them.

  • The security space can be cleanly divided into two distinct subfields:

    Information Security

    Application Security

  • Information security concerns confidentiality, integrity and availability.



Information Security

  • Secure both the information and the information systems.

    Classic Threats

  • Disclosure

    • Snooping, Trojan Horses

  • Deception

    • Modification, spoofing, repudiation of origin, denial of receipt

  • Disruption

    • Modification

  • Usurpation

    • Modification, spoofing, delay, denial of service


Application Security

  • Application security applies security throughout the application’s life cycle.

  • It protects against attacks that arise from defects in the design, deployment and maintenance of the application.

    Application-level security threats:

  • Session threats: session hijacking, session replay, man-in-the-middle attack.

  • Auditing and logging: non-repudiation.

  • Input threats: cross-site scripting, SQL injection.


SQL Injection

  [Diagram: Web Browser -> Web Server -> Database. The browser submits a username and password; the web server builds the query below from them and sends it to the database.]

  Normal Query

  SELECT passwd FROM USERS WHERE uname = '$username'


SQL Injection

  [Diagram: Web Browser -> Web Server -> Database. The browser submits an attacker-chosen “Username & Password”; the web server pastes it into the query below.]

  Malicious Query

  SELECT passwd FROM USERS WHERE uname = ''; DROP TABLE USERS; -- '

  Eliminates all user accounts
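As an added example (not from the slides), the slide's query built by string pasting, beside its parameterized form, run against a constructed in-memory SQLite table. The driver is assumed to accept stacked statements; since sqlite3's execute() refuses them, executescript() emulates such a driver, and the SAMPLE_USERS rows are constructed here.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not from the slides).
SAMPLE_USERS = [("alice", "ilovebob"), ("bob", "hunter2")]
# The payload shown on the "Malicious Query" slide, submitted as the username.
MALICIOUS_USERNAME = "'; DROP TABLE USERS; --"


def make_db():
    """Create an in-memory USERS table matching the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, passwd TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def users_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'USERS'"
    ).fetchone()
    return row is not None


def build_unsafe_query(username):
    """The slide's query with $username pasted straight into the SQL text."""
    return "SELECT passwd FROM USERS WHERE uname = '%s'" % username


def lookup_unsafe(conn, username):
    """Run the pasted query as a driver that executes stacked statements would.

    executescript() stands in for connectors that accept several statements
    per call; the SELECT's result is discarded, which no longer matters once
    the second statement has dropped USERS. Returns whether USERS survived.
    """
    conn.executescript(build_unsafe_query(username))
    return users_table_exists(conn)


def lookup_safe(conn, username):
    """Parameterized form: the username is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT passwd FROM USERS WHERE uname = ?", (username,)
    ).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, MALICIOUS_USERNAME))   # None: no such user, table intact
    print(users_table_exists(db))                 # True
    print(lookup_unsafe(db, MALICIOUS_USERNAME))  # False: USERS was dropped
```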


Cross Site Scripting

  [Sequence diagram between Alice's browser and bank.com]

  Alice -> bank.com: /login.html
  Alice -> bank.com: /auth?uname=alice&pass=ilovebob
  bank.com -> Alice: Cookie: sessionid=40a4c04de
  Alice -> bank.com: /viewbalance  Cookie: sessionid=40a4c04de
  bank.com -> Alice: “Your balance is $25,000”


Cross Site Scripting

  [Sequence diagram between Alice's browser, bank.com and evil.com]

  Alice -> bank.com: /login.html
  Alice -> bank.com: /auth?uname=alice&pass=ilovebob
  bank.com -> Alice: Cookie: sessionid=40a4c04de
  Alice -> evil.com: /evil.html
  evil.com -> Alice: <IMG SRC=http://bank.com/paybill?addr=123 evil st & amt=$10000>
  Alice -> bank.com: /paybill?addr=123 evil st, amt=$10000  Cookie: sessionid=40a4c04de
  bank.com -> Alice: “OK. Payment Sent!”
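In the second diagram the page on evil.com makes Alice's browser send a state-changing request to bank.com with her session cookie attached; this pattern is generally classified as cross-site request forgery. The added example below (not from the slides) shows a bank-side check that refuses it: payments must be POSTed and must carry a per-session anti-forgery token that an image request from evil.com cannot supply. The function names and the in-memory SESSIONS store are assumptions.

```python
import hmac
import secrets

# Constructed session store: session id -> user and anti-forgery token.
# The session id is the one shown on the slide; the token is generated per login.
SESSIONS = {
    "40a4c04de": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


def parse_cookie(header):
    """Turn 'a=1; b=2' into a dict (assumes simple, unquoted cookie values)."""
    pairs = (p.strip().partition("=") for p in header.split(";") if p.strip())
    return {k: v for k, _, v in pairs}


def handle_paybill(method, headers, params):
    """Server-side handling of /paybill. Returns (status, message)."""
    sid = parse_cookie(headers.get("Cookie", "")).get("sessionid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    # An <IMG SRC=...> can only ever produce a GET; refuse state changes on GET.
    if method != "POST":
        return 405, "payments must be POSTed"
    # The token is embedded in the form bank.com serves to the logged-in user,
    # not in the cookie, so a page on evil.com cannot read or guess it.
    # compare_digest keeps the comparison constant-time.
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or invalid anti-forgery token"
    return 200, "OK. Payment Sent to %s for %s" % (params["addr"], params["amt"])


def forged_request():
    """The request the slide's <IMG SRC=...> makes Alice's browser send."""
    return handle_paybill(
        "GET",
        {"Cookie": "sessionid=40a4c04de"},
        {"addr": "123 evil st", "amt": "$10000"},
    )


def legitimate_request(amount="$25"):
    """A payment submitted from bank.com's own form, carrying the token."""
    token = SESSIONS["40a4c04de"]["csrf_token"]
    return handle_paybill(
        "POST",
        {"Cookie": "sessionid=40a4c04de"},
        {"addr": "utility co", "amt": amount, "csrf_token": token},
    )
```

Marking the session cookie SameSite=Lax or Strict adds a second, browser-enforced layer, since the browser then omits the cookie from requests that evil.com initiates.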



Why Security Certification?

  • Professional validation of skills

  • Exposure to industry standards

  • Best practices

  • Baseline skills for a specific role

  • Quality of work & productivity

  • Differentiation of your organization or group



Security Certifications

  • Classifications:

    • Benchmark

      • Wide recognition by professionals in all sectors

      • Advanced level

      • Prerequisite for many senior jobs

    • Foundation

      • Introductory certifications

      • One to four years of experience



Security Certifications

  • Classifications:

    • Intermediate

      • 3 to 4 years of networking experience

      • 2 years of IT Security experience

    • Advanced

      • Expert level

      • Minimum of 4 years of IT Security experience



Security Certifications

  • Benchmark certifications:

  • CISSP

    • ISC2.org

    • Common Body of Knowledge

      • Access Control Systems and Methodology

      • Applications & Systems Development

      • Business Continuity Planning

      • Cryptography

      • Law, Investigation & Ethics

        Cost: $600

        Average annual salary: $115,000



Security Certifications

  • Foundation level:

  • SANS

  • GIAC Security Essentials (GSEC)

    • Basic understanding of the CBK

    • Basic skills to incorporate good information security practices

  • GIAC IT Security Audit Essentials

    • Developing audit checklists

    • Perform limited risk assessment

      Cost: $450

      Average annual salary: $70,000


GIAC Secure Software Programmer

  • Finds programming flaws.

  • Comes in 3 flavors.

  • Things provided by this certificate:

    a) It teaches some basic security concepts as well as advanced topics.

    b) Learning to write code with security in mind.

    Advantages:

    Learners can demonstrate mastery of security knowledge in the programming language.


Anti-Hacking Certification

  • Thinking from a hacker's perspective.

  • Teaches different network security testing tools.

  • Things provided by this certificate:

    a) Learning hacking tools like HTTPPort, BackStealth.

    b) Hacking SSL-enabled sites.

    Advantages:

    a) It complements CEH, so learners come away with a complete security education.

    b) Learn to defend the network from Trojans and viruses.


EC-Council Certified Security Analyst (ECSA)

  • Analyzes the outcome of security tests.

  • Differentiated from the Ethical Hacker certification.

  • Things provided by this certificate:

    a) Methods and tools to test security.

    b) Performing network security testing and doing an exhaustive analysis.

  • Advantages:

    a) Boosts your resume by making you stand out as a better security professional.

    b) Makes you skillful in using security tools and techniques.


Courses: Wireless Security

  • Wireless networks are distinguished by their range.

  • General threats: denial of service, eavesdropping, man-in-the-middle attack, message replay, and pattern analysis by an attacker.

  • Defenses: encryption, applying algorithms, using timestamps, authentication, IDS.

  • Defenses are implemented on the base knowledge of network security.


VPN Security

  • Connects different nodes by a virtual network.

  • Methods to keep the communication and data secure are:

    a) Firewall

    b) Encryption

    c) IPSec

    d) Building an AAA server.


Stanford Advanced Computer Security Certificate

  • Six courses to be completed.

  • The courses are:

    a) Using Cryptography Correctly – avoid programming mistakes.

    b) Writing Secure Code – secure code tools.

    c) Security Protocols – design SSL, WEP, IPSec, Kerberos correctly.

    d) Software Secure Foundation – secure programming techniques.

    e) Web Security – security issues with Web 2.0, Facebook lab.

    f) Securing Web Applications – secure website design, SQL injection lab.

  • $1100 at Stanford, $495 online.

  • Participants from organizations such as Yahoo! Inc., Cisco Systems and Oracle.


Conclusion

  • Software security is every engineer's problem!

  • Certification and some of the courses we mentioned are a great way to complement the network security course.

  • Better security for organizations.


Reference:

  • http://www.eccouncil.org/ECSA.htm

  • http://www.securityuniversity.net/classes_Anti-Hacking_Certificate_Mgrs.php

  • http://www.giac.org/certifications/software/

  • http://permanent.access.gpo.gov/lps96916/Draft-SP800-48r1.pdf

  • http://www.isc2.org/csslp-certification.aspx

  • http://www.cigital.com/ssw/softsec_infosec.pdf

  • http://www.cs.rutgers.edu/~vinodg/teaching/fall-2007-cs673/index.html


THANK YOU