SlideShare ist ein Scribd-Unternehmen logo

How To Develop Secure Software

Apps with love
Apps with love

Secure Software Development & Beyond by strong.codes • Software Security ? • Secure Software Development • Man at the End • Software Protection Security Objectives • Financial risks • Reputation risks • Privacy and regulatory risks • SLA • Legal risks Security Design • Security architecture definition • Definition of software attack surface • Threat modeling • Assets • Risks and their likelihood • Definition of countermeasures

Software
1 von 54
Secure Software Development and Beyond Prof. Pascal Junod Apps with love, Bern (Switzerland) December 1st, 2015
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Prof. Pascal Junod • Computer security veteran, MSc ETHZ’00, PhD EPFL’05. • Prof. @ HES-SO / HEIG-VD, co-founder of strong.codes • Research interests: • Industrial cryptography • Software security, software protection • Ethical hacking • http://crypto.junod.info, @cryptopathe
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Agenda
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Agenda • Software Security ? • Secure Software Development • Man at the End • Software Protection
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Security?
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Published Software Vulnerabilities Source:https://web.nvd.nist.gov/view/vuln/statistics
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Trinity of Troubles Complexity ExtensibilityConnectivity
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Complexity millionsofSLOC 0 5.5 11 16.5 22 2001 2003 2009 2010 2012 2015 Linux kernel
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Connectivity • Ubiquitous networking • Service Oriented Architectures, networking of legacy applications
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Extensibility • Plugins, extensions • Loadable OS drivers • Scripting, components, applets, controls • Extensible platforms: J2EE, .NET, etc.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Secure Software Development
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Usual Threat Model Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Development Lifecycle • Process advocated by Lipner & Howard, « S. Lipner and M. Howard, «The trustworthy computing security development lifecycle», Microsoft Corp., 2005. • Available on http://msdn.microsoft.com/en-us/ library/ms995349(classic).aspx
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Requirements • « Security from the grounds up » —> integration of security into the development process • Nomination of a security advisor • Identification of key security objectives • Describe security goals, challenges, and plans
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Objectives • Financial risks • Reputation risks • Privacy and regulatory risks • SLA • Legal risks
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Design • Security architecture definition • Definition of software attack surface • Threat modeling • Assets • Risks and their likelihood • Definition of countermeasures
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threats etc. • Threat: person or object that is dangerous • Vulnerability: weakness, security hole • Attack/exploit: technique used to exploit a vulnerability
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threats • Non-target specifics: viruses, worms, trojans, etc. • Employees • Organized crime, cyber-criminals • Corporation, nations • Natural threats
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Vulnerabilities API abuse // Authentication // Authorization // Availability Code permissions // Code quality // Concurrency Configuration // Cryptography // Encoding // Environmental Error handling // General logic error // Input validation Logging and auditing // Password management // Path // Protocol errors // Range and type errors // Sensitive data protection // Session management // Synchronization and Timing // Unsafe mobile code // Dangerous APIs
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threat Modeling Source:http://www.owasp.org
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threat Modeling Methods • Various methods: • STRIDE • DREAD • TRIKE • CVSS • Generic goals: identify components, data flows, trust boundaries
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Implementation of Security • Application of adapted coding and testing standards • Specialized libraries • Use of static analysis code scanning tools in IDE • Code reviews
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Release • Final security review • Internal / external security audit (white-/black-box « pen-test ») • Answer the question « Is this software ready to go to production from a security standpoint? »
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Servicing • Monitoring • Evaluation of reported vulnerabilities • Release of security advisories and patches • Take response actions (review of development process, legal, etc.)
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Basic Security Principles
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Least Privilege Give each component only minimal rights necessary to carry out its task.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Defense in Depth Use several redundant protection mechanisms.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 User Participation A security procedure is efficient only if all its users adhere to its principles.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Choke Point A security mechanism is effective only if there is absolutely no means to bypass it.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Deny by Default Forbid everything but what is authorized.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Weakest Link The adversary will always attack the weakest link of the security chain.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Fail Securely Always ensure that an exception does not open a security hole.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 No Security by Obscurity Do not rely on the secret of the implementation to keep the system secure.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Simplicity Everything should be made as simple as possible, but not simpler.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 OK, then? • What happens when you have implemented a perfectly secure software? • It gets hacked!
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Usual Threat Model Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Malicious Reverse Engineering Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Digital Rights Managements Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Cloud Computing Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Protection
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Defenses • Obfuscate the code, to slow down a reverse engineer • Tamper-proof the code, to prevent modification • Mark the code, to identify illegal distribution
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Attacks • strings • objdump • gdb • jailbreak exploit • IDA Pro • Hopper • Radare • Patch • PirateBay • P2P networks
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 strong.protect • Jailbreak detection • Virtualization detection • Debugger detection • Control flow flattening • Routine split / merge • Bogus control flow insertion • Junk code insertion • Code tamper-proofing • Code watermarking
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 What is actually strong.protect? • strong.protect is a compiler generating native code • It is based on the LLVM compilation framework • A free evaluation version is available as open- source software (see http://o-llvm.org)
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Supported Language and Platforms
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 How to Use strong.protect • Easy to integrate within modern IDEs, such as Eclipse, Xcode, Visual Studio, etc. • Works in your environment, no need to share code with us. • Usable out-of-the-box, no need for particular modification of software development process, compatible with multiple environments • Protection is fully customizable to your particular application needs • No required modification of the source code, applicable to multiple languages
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Solution Features Comparison Feature  name Open  S ource  Version  C ommercial  Version C ode  substitutions  (-­‐sub) 9 24 Bogus  control  flow  (-­‐bcf) 1 8 C ode  flattening  (-­‐fla) static dynamic Function  merging  (-­‐mer) X Tamper  proofing  (-­‐tp) X C onstant  encryption  (-­‐xse) X Anti-­‐debugging  (-­‐ade) X Basic  block  splitting  (-­‐splitbbl) X Integer  substitution  (-­‐subinit) X Obfucation  profiler X Feature  C omparison
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Code Size Increase for ChatSecure App 0 10 20 30 40 50 60 no* protection "2sub*2 subinit" "2fla" "2mer" "2tp" "2fla*2mer* 2sub*2 subinit" Increase(in(binary(code(size Binary*code*size C ompiler)options %)increase no)protection 0.0% "3sub)3subinit" 8.9% "3fla" 18.4% "3mer" 22.9% "3tp" 22.5% "3fla)3mer)3sub)3subinit" 91.8%
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 How to Use strong.protect
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 strong.codes Team
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 https://strong.codes

Empfohlen

Charles Lim - Honeynet Indonesia Chapter
Charles Lim - Honeynet Indonesia Chapter Charles Lim - Honeynet Indonesia Chapter
Charles Lim - Honeynet Indonesia Chapter Indonesia Honeynet Chapter
 
Chapter 8 Job Interviews
Chapter 8 Job InterviewsChapter 8 Job Interviews
Chapter 8 Job Interviewssws4618
 
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilOWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilJonathan Marcil
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Minded Security
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранSigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesProtecode
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 

Empfohlen

Charles Lim - Honeynet Indonesia Chapter
Charles Lim - Honeynet Indonesia Chapter Charles Lim - Honeynet Indonesia Chapter
Charles Lim - Honeynet Indonesia Chapter Indonesia Honeynet Chapter
 
Chapter 8 Job Interviews
Chapter 8 Job InterviewsChapter 8 Job Interviews
Chapter 8 Job Interviewssws4618
 
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilOWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilJonathan Marcil
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Minded Security
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранSigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesProtecode
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017Jermund Ottermo
 
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Skycure
 
Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Doryan Mathos
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testingCu Nguyen
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing ApplicationsMark Harrison
 
AISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and whyAISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and whyGergana (Kiryakova) Winzer
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureKaspersky
 
Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004Anton Chuvakin
 
Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...Josef Noll
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmapsecurityxploded
 
Security in open source projects
Security in open source projectsSecurity in open source projects
Security in open source projectsJose Manuel Ortega Candel
 
How to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network SecurityHow to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network SecurityMohammed Almusaddar
 
G data 10 nov 2010
G data 10 nov 2010G data 10 nov 2010
G data 10 nov 2010Agora Group
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationTI Safe
 
TAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentationTAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentationHenry Muccini
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singaporen|u - The Open Security Community
 
CV | Michele Spagnuolo
CV | Michele SpagnuoloCV | Michele Spagnuolo
CV | Michele SpagnuoloMichele Spagnuolo
 
App Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with loveApp Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with loveApps with love
 
Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019Apps with love
 

Weitere ähnliche Inhalte

Ähnlich wie How To Develop Secure Software

The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017Jermund Ottermo
 
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Skycure
 
Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Doryan Mathos
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testingCu Nguyen
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing ApplicationsMark Harrison
 
AISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and whyAISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and whyGergana (Kiryakova) Winzer
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureKaspersky
 
Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004Anton Chuvakin
 
Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...Josef Noll
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmapsecurityxploded
 
How to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network SecurityHow to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network SecurityMohammed Almusaddar
 
G data 10 nov 2010
G data 10 nov 2010G data 10 nov 2010
G data 10 nov 2010Agora Group
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationTI Safe
 
TAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentationTAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentationHenry Muccini
 

Ähnlich wie How To Develop Secure Software (20)

The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
 
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
 
Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Antivirus Comparative junio 2014
Antivirus Comparative junio 2014
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing Applications
 
AISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and whyAISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and why
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products Secure
 
Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004
 
Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
Security in open source projects
Security in open source projectsSecurity in open source projects
Security in open source projects
 
How to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network SecurityHow to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network Security
 
G data 10 nov 2010
G data 10 nov 2010G data 10 nov 2010
G data 10 nov 2010
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop Presentation
 
TAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentationTAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentation
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
 
CV | Michele Spagnuolo
CV | Michele SpagnuoloCV | Michele Spagnuolo
CV | Michele Spagnuolo
 

Mehr von Apps with love

App Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with loveApp Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with loveApps with love
 
Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019Apps with love
 
Vorstellung Apps with love - Full Service Digitalagentur
Vorstellung Apps with love - Full Service DigitalagenturVorstellung Apps with love - Full Service Digitalagentur
Vorstellung Apps with love - Full Service DigitalagenturApps with love
 
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)Apps with love
 
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVE
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVEUX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVE
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVEApps with love
 
Go! Taxi App Konzept und Design by Apps with love
Go! Taxi App Konzept und Design by Apps with loveGo! Taxi App Konzept und Design by Apps with love
Go! Taxi App Konzept und Design by Apps with loveApps with love
 
Apps with love présentation en français
Apps with love présentation en françaisApps with love présentation en français
Apps with love présentation en françaisApps with love
 
Updraft App Delivery für Betatesting und Enterprise Apps
Updraft App Delivery für Betatesting und Enterprise AppsUpdraft App Delivery für Betatesting und Enterprise Apps
Updraft App Delivery für Betatesting und Enterprise AppsApps with love
 
Event Apps - HowTo - by Apps with love
Event Apps - HowTo - by Apps with love Event Apps - HowTo - by Apps with love
Event Apps - HowTo - by Apps with love Apps with love
 
Chat Bots 101 - by Apps with love
Chat Bots 101 - by Apps with loveChat Bots 101 - by Apps with love
Chat Bots 101 - by Apps with loveApps with love
 
Live Communication and Crossmedia Management
Live Communication and Crossmedia Management Live Communication and Crossmedia Management
Live Communication and Crossmedia ManagementApps with love
 
Digitalization and Innovation - Today and Tomorrow
Digitalization and Innovation - Today and TomorrowDigitalization and Innovation - Today and Tomorrow
Digitalization and Innovation - Today and TomorrowApps with love
 
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAY
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAYSELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAY
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAYApps with love
 
From Idea to final Design - World Interaction Day
From Idea to final Design - World Interaction DayFrom Idea to final Design - World Interaction Day
From Idea to final Design - World Interaction DayApps with love
 
Event App Entwicklung Factsheet und Angebot
Event App Entwicklung Factsheet und AngebotEvent App Entwicklung Factsheet und Angebot
Event App Entwicklung Factsheet und AngebotApps with love
 

Mehr von Apps with love (15)

App Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with loveApp Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with love
 
Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019
 
Vorstellung Apps with love - Full Service Digitalagentur
Vorstellung Apps with love - Full Service DigitalagenturVorstellung Apps with love - Full Service Digitalagentur
Vorstellung Apps with love - Full Service Digitalagentur
 
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)
 
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVE
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVEUX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVE
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVE
 
Go! Taxi App Konzept und Design by Apps with love
Go! Taxi App Konzept und Design by Apps with loveGo! Taxi App Konzept und Design by Apps with love
Go! Taxi App Konzept und Design by Apps with love
 
Apps with love présentation en français
Apps with love présentation en françaisApps with love présentation en français
Apps with love présentation en français
 
Updraft App Delivery für Betatesting und Enterprise Apps
Updraft App Delivery für Betatesting und Enterprise AppsUpdraft App Delivery für Betatesting und Enterprise Apps
Updraft App Delivery für Betatesting und Enterprise Apps
 
Event Apps - HowTo - by Apps with love
Event Apps - HowTo - by Apps with love Event Apps - HowTo - by Apps with love
Event Apps - HowTo - by Apps with love
 
Chat Bots 101 - by Apps with love
Chat Bots 101 - by Apps with loveChat Bots 101 - by Apps with love
Chat Bots 101 - by Apps with love
 
Live Communication and Crossmedia Management
Live Communication and Crossmedia Management Live Communication and Crossmedia Management
Live Communication and Crossmedia Management
 
Digitalization and Innovation - Today and Tomorrow
Digitalization and Innovation - Today and TomorrowDigitalization and Innovation - Today and Tomorrow
Digitalization and Innovation - Today and Tomorrow
 
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAY
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAYSELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAY
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAY
 
From Idea to final Design - World Interaction Day
From Idea to final Design - World Interaction DayFrom Idea to final Design - World Interaction Day
From Idea to final Design - World Interaction Day
 
Event App Entwicklung Factsheet und Angebot
Event App Entwicklung Factsheet und AngebotEvent App Entwicklung Factsheet und Angebot
Event App Entwicklung Factsheet und Angebot
 

Kürzlich hochgeladen

The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfayushiqss
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durbanmasabamasaba
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 

Kürzlich hochgeladen (20)

The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 

How To Develop Secure Software

  • 1. Secure Software Development and Beyond Prof. Pascal Junod Apps with love, Bern (Switzerland) December 1st, 2015
  • 2. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Prof. Pascal Junod • Computer security veteran, MSc ETHZ’00, PhD EPFL’05. • Prof. @ HES-SO / HEIG-VD, co-founder of strong.codes • Research interests: • Industrial cryptography • Software security, software protection • Ethical hacking • http://crypto.junod.info, @cryptopathe
  • 3. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Agenda
  • 4. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Agenda • Software Security ? • Secure Software Development • Man at the End • Software Protection
  • 5. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Security?
  • 6. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Published Software Vulnerabilities Source:https://web.nvd.nist.gov/view/vuln/statistics
  • 7. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Trinity of Troubles Complexity ExtensibilityConnectivity
  • 8. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Complexity millionsofSLOC 0 5.5 11 16.5 22 2001 2003 2009 2010 2012 2015 Linux kernel
  • 9. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Connectivity • Ubiquitous networking • Service Oriented Architectures, networking of legacy applications
  • 10. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Extensibility • Plugins, extensions • Loadable OS drivers • Scripting, components, applets, controls • Extensible platforms: J2EE, .NET, etc.
  • 11. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Secure Software Development
  • 12. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Usual Threat Model Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 13. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Development Lifecycle • Process advocated by Lipner & Howard, « S. Lipner and M. Howard, «The trustworthy computing security development lifecycle», Microsoft Corp., 2005. • Available on http://msdn.microsoft.com/en-us/ library/ms995349(classic).aspx
  • 14. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Requirements • « Security from the grounds up » —> integration of security into the development process • Nomination of a security advisor • Identification of key security objectives • Describe security goals, challenges, and plans
  • 15. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Objectives • Financial risks • Reputation risks • Privacy and regulatory risks • SLA • Legal risks
  • 16. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Design • Security architecture definition • Definition of software attack surface • Threat modeling • Assets • Risks and their likelihood • Definition of countermeasures
  • 17. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threats etc. • Threat: person or object that is dangerous • Vulnerability: weakness, security hole • Attack/exploit: technique used to exploit a vulnerability
  • 18. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threats • Non-target specifics: viruses, worms, trojans, etc. • Employees • Organized crime, cyber-criminals • Corporation, nations • Natural threats
  • 19. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Vulnerabilities API abuse // Authentication // Authorization // Availability Code permissions // Code quality // Concurrency Configuration // Cryptography // Encoding // Environmental Error handling // General logic error // Input validation Logging and auditing // Password management // Path // Protocol errors // Range and type errors // Sensitive data protection // Session management // Synchronization and Timing // Unsafe mobile code // Dangerous APIs
  • 20. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threat Modeling Source:http://www.owasp.org
  • 21. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threat Modeling Methods • Various methods: • STRIDE • DREAD • TRIKE • CVSS • Generic goals: identify components, data flows, trust boundaries
  • 22. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Implementation of Security • Application of adapted coding and testing standards • Specialized libraries • Use of static analysis code scanning tools in IDE • Code reviews
  • 23. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Release • Final security review • Internal / external security audit (white-/black-box « pen-test ») • Answer the question « Is this software ready to go to production from a security standpoint? »
  • 24. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Servicing • Monitoring • Evaluation of reported vulnerabilities • Release of security advisories and patches • Take response actions (review of development process, legal, etc.)
  • 25. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Basic Security Principles
  • 26. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Least Privilege Give each component only minimal rights necessary to carry out its task.
  • 27. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Defense in Depth Use several redundant protection mechanisms.
  • 28. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 User Participation A security procedure is efficient only if all its users adhere to its principles.
  • 29. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Choke Point A security mechanism is effective only if there is absolutely no means to bypass it.
  • 30. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Deny by Default Forbid everything but what is authorized.
  • 31. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Weakest Link The adversary will always attack the weakest link of the security chain.
  • 32. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Fail Securely Always ensure that an exception does not open a security hole.
  • 33. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 No Security by Obscurity Do not rely on the secret of the implementation to keep the system secure.
  • 34. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Simplicity Everything should be made as simple as possible, but not simpler.
  • 35. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End
  • 36. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 OK, then? • What happens when you have implemented a perfectly secure software? • It gets hacked!
  • 37. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Usual Threat Model Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 38. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 39. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Malicious Reverse Engineering Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 40. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Digital Rights Managements Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 41. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Cloud Computing Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 42. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Protection
  • 43. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 44. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Defenses • Obfuscate the code, to slow down a reverse engineer • Tamper-proof the code, to prevent modification • Mark the code, to identify illegal distribution
  • 45. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Attacks • strings • objdump • gdb • jailbreak exploit • IDA Pro • Hopper • Radare • Patch • PirateBay • P2P networks
  • 46. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 strong.protect • Jailbreak detection • Virtualization detection • Debugger detection • Control flow flattening • Routine split / merge • Bogus control flow insertion • Junk code insertion • Code tamper-proofing • Code watermarking
  • 47. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 What is actually strong.protect? • strong.protect is a compiler generating native code • It is based on the LLVM compilation framework • A free evaluation version is available as open- source software (see http://o-llvm.org)
  • 48. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Supported Language and Platforms
  • 49. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 How to Use strong.protect • Easy to integrate within modern IDEs, such as Eclipse, Xcode, Visual Studio, etc. • Works in your environment, no need to share code with us. • Usable out-of-the-box, no need for particular modification of software development process, compatible with multiple environments • Protection is fully customizable to your particular application needs • No required modification of the source code, applicable to multiple languages
  • 50. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Solution Features Comparison Feature  name Open  S ource  Version  C ommercial  Version C ode  substitutions  (-­‐sub) 9 24 Bogus  control  flow  (-­‐bcf) 1 8 C ode  flattening  (-­‐fla) static dynamic Function  merging  (-­‐mer) X Tamper  proofing  (-­‐tp) X C onstant  encryption  (-­‐xse) X Anti-­‐debugging  (-­‐ade) X Basic  block  splitting  (-­‐splitbbl) X Integer  substitution  (-­‐subinit) X Obfucation  profiler X Feature  C omparison
  • 51. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Code Size Increase for ChatSecure App 0 10 20 30 40 50 60 no* protection "2sub*2 subinit" "2fla" "2mer" "2tp" "2fla*2mer* 2sub*2 subinit" Increase(in(binary(code(size Binary*code*size C ompiler)options %)increase no)protection 0.0% "3sub)3subinit" 8.9% "3fla" 18.4% "3mer" 22.9% "3tp" 22.5% "3fla)3mer)3sub)3subinit" 91.8%
  • 52. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 How to Use strong.protect
  • 53. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 strong.codes Team
  • 54. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 https://strong.codes