SlideShare ist ein Scribd-Unternehmen logo

How To Develop Secure Software

Apps with love
Apps with love

Secure Software Development & Beyond by strong.codes • Software Security ? • Secure Software Development • Man at the End • Software Protection Security Objectives • Financial risks • Reputation risks • Privacy and regulatory risks • SLA • Legal risks Security Design • Security architecture definition • Definition of software attack surface • Threat modeling • Assets • Risks and their likelihood • Definition of countermeasures

Software
1 von 54
Secure Software Development and Beyond Prof. Pascal Junod Apps with love, Bern (Switzerland) December 1st, 2015
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Prof. Pascal Junod • Computer security veteran, MSc ETHZ’00, PhD EPFL’05. • Prof. @ HES-SO / HEIG-VD, co-founder of strong.codes • Research interests: • Industrial cryptography • Software security, software protection • Ethical hacking • http://crypto.junod.info, @cryptopathe
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Agenda
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Agenda • Software Security ? • Secure Software Development • Man at the End • Software Protection
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Security?
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Published Software Vulnerabilities Source:https://web.nvd.nist.gov/view/vuln/statistics
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Trinity of Troubles Complexity ExtensibilityConnectivity
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Complexity millionsofSLOC 0 5.5 11 16.5 22 2001 2003 2009 2010 2012 2015 Linux kernel
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Connectivity • Ubiquitous networking • Service Oriented Architectures, networking of legacy applications
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Extensibility • Plugins, extensions • Loadable OS drivers • Scripting, components, applets, controls • Extensible platforms: J2EE, .NET, etc.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Secure Software Development
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Usual Threat Model Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Development Lifecycle • Process advocated by Lipner & Howard, « S. Lipner and M. Howard, «The trustworthy computing security development lifecycle», Microsoft Corp., 2005. • Available on http://msdn.microsoft.com/en-us/ library/ms995349(classic).aspx
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Requirements • « Security from the grounds up » —> integration of security into the development process • Nomination of a security advisor • Identification of key security objectives • Describe security goals, challenges, and plans
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Objectives • Financial risks • Reputation risks • Privacy and regulatory risks • SLA • Legal risks
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Design • Security architecture definition • Definition of software attack surface • Threat modeling • Assets • Risks and their likelihood • Definition of countermeasures
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threats etc. • Threat: person or object that is dangerous • Vulnerability: weakness, security hole • Attack/exploit: technique used to exploit a vulnerability
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threats • Non-target specifics: viruses, worms, trojans, etc. • Employees • Organized crime, cyber-criminals • Corporation, nations • Natural threats
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Vulnerabilities API abuse // Authentication // Authorization // Availability Code permissions // Code quality // Concurrency Configuration // Cryptography // Encoding // Environmental Error handling // General logic error // Input validation Logging and auditing // Password management // Path // Protocol errors // Range and type errors // Sensitive data protection // Session management // Synchronization and Timing // Unsafe mobile code // Dangerous APIs
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threat Modeling Source:http://www.owasp.org
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threat Modeling Methods • Various methods: • STRIDE • DREAD • TRIKE • CVSS • Generic goals: identify components, data flows, trust boundaries
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Implementation of Security • Application of adapted coding and testing standards • Specialized libraries • Use of static analysis code scanning tools in IDE • Code reviews
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Release • Final security review • Internal / external security audit (white-/black-box « pen-test ») • Answer the question « Is this software ready to go to production from a security standpoint? »
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Servicing • Monitoring • Evaluation of reported vulnerabilities • Release of security advisories and patches • Take response actions (review of development process, legal, etc.)
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Basic Security Principles
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Least Privilege Give each component only minimal rights necessary to carry out its task.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Defense in Depth Use several redundant protection mechanisms.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 User Participation A security procedure is efficient only if all its users adhere to its principles.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Choke Point A security mechanism is effective only if there is absolutely no means to bypass it.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Deny by Default Forbid everything but what is authorized.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Weakest Link The adversary will always attack the weakest link of the security chain.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Fail Securely Always ensure that an exception does not open a security hole.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 No Security by Obscurity Do not rely on the secret of the implementation to keep the system secure.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Simplicity Everything should be made as simple as possible, but not simpler.
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 OK, then? • What happens when you have implemented a perfectly secure software? • It gets hacked!
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Usual Threat Model Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Malicious Reverse Engineering Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Digital Rights Managements Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Cloud Computing Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Protection
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Defenses • Obfuscate the code, to slow down a reverse engineer • Tamper-proof the code, to prevent modification • Mark the code, to identify illegal distribution
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Attacks • strings • objdump • gdb • jailbreak exploit • IDA Pro • Hopper • Radare • Patch • PirateBay • P2P networks
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 strong.protect • Jailbreak detection • Virtualization detection • Debugger detection • Control flow flattening • Routine split / merge • Bogus control flow insertion • Junk code insertion • Code tamper-proofing • Code watermarking
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 What is actually strong.protect? • strong.protect is a compiler generating native code • It is based on the LLVM compilation framework • A free evaluation version is available as open- source software (see http://o-llvm.org)
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Supported Language and Platforms
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 How to Use strong.protect • Easy to integrate within modern IDEs, such as Eclipse, Xcode, Visual Studio, etc. • Works in your environment, no need to share code with us. • Usable out-of-the-box, no need for particular modification of software development process, compatible with multiple environments • Protection is fully customizable to your particular application needs • No required modification of the source code, applicable to multiple languages
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Solution Features Comparison Feature  name Open  S ource  Version  C ommercial  Version C ode  substitutions  (-­‐sub) 9 24 Bogus  control  flow  (-­‐bcf) 1 8 C ode  flattening  (-­‐fla) static dynamic Function  merging  (-­‐mer) X Tamper  proofing  (-­‐tp) X C onstant  encryption  (-­‐xse) X Anti-­‐debugging  (-­‐ade) X Basic  block  splitting  (-­‐splitbbl) X Integer  substitution  (-­‐subinit) X Obfucation  profiler X Feature  C omparison
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Code Size Increase for ChatSecure App 0 10 20 30 40 50 60 no* protection "2sub*2 subinit" "2fla" "2mer" "2tp" "2fla*2mer* 2sub*2 subinit" Increase(in(binary(code(size Binary*code*size C ompiler)options %)increase no)protection 0.0% "3sub)3subinit" 8.9% "3fla" 18.4% "3mer" 22.9% "3tp" 22.5% "3fla)3mer)3sub)3subinit" 91.8%
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 How to Use strong.protect
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 strong.codes Team
Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 https://strong.codes

Empfohlen

Charles Lim - Honeynet Indonesia Chapter
Charles Lim - Honeynet Indonesia Chapter Charles Lim - Honeynet Indonesia Chapter
Charles Lim - Honeynet Indonesia Chapter
Indonesia Honeynet Chapter
 
Chapter 8 Job Interviews
Chapter 8 Job InterviewsChapter 8 Job Interviews
Chapter 8 Job Interviews
sws4618
 
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilOWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
Jonathan Marcil
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016
Minded Security
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Sigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
Vlad Styran
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security Vulnerabilities
Protecode
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
Christian Martorella
 

Empfohlen

Charles Lim - Honeynet Indonesia Chapter
Charles Lim - Honeynet Indonesia Chapter Charles Lim - Honeynet Indonesia Chapter
Charles Lim - Honeynet Indonesia Chapter
Indonesia Honeynet Chapter
 
Chapter 8 Job Interviews
Chapter 8 Job InterviewsChapter 8 Job Interviews
Chapter 8 Job Interviews
sws4618
 
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan MarcilOWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
OWASP Québec: Threat Modeling Toolkit - Jonathan Marcil
Jonathan Marcil
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Matteo meucci Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016
Minded Security
 
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир СтиранГірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Sigma Software
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
Vlad Styran
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security Vulnerabilities
Protecode
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
Christian Martorella
 
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
Jermund Ottermo
 
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Skycure
 
Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Antivirus Comparative junio 2014
Antivirus Comparative junio 2014
Doryan Mathos
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
Cu Nguyen
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing Applications
Mark Harrison
 
AISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and whyAISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and why
Gergana (Kiryakova) Winzer
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
Marco Morana
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products Secure
Kaspersky
 
Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin
 
Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...
Josef Noll
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
securityxploded
 
Security in open source projects
Security in open source projectsSecurity in open source projects
Security in open source projects
Jose Manuel Ortega Candel
 
How to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network SecurityHow to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network Security
Mohammed Almusaddar
 
G data 10 nov 2010
G data 10 nov 2010G data 10 nov 2010
G data 10 nov 2010
Agora Group
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop Presentation
TI Safe
 
TAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentationTAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentation
Henry Muccini
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
CV | Michele Spagnuolo
CV | Michele SpagnuoloCV | Michele Spagnuolo
CV | Michele Spagnuolo
Michele Spagnuolo
 
App Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with loveApp Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with love
Apps with love
 
Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019
Apps with love
 

Weitere ähnliche Inhalte

Ähnlich wie How To Develop Secure Software

The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
Jermund Ottermo
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
Cu Nguyen
 
AISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and whyAISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and why
Gergana (Kiryakova) Winzer
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
Marco Morana
 
G data 10 nov 2010
G data 10 nov 2010G data 10 nov 2010
G data 10 nov 2010
Agora Group
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 

Ähnlich wie How To Develop Secure Software (20)

The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017
 
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...
 
Antivirus Comparative junio 2014
Antivirus Comparative junio 2014Antivirus Comparative junio 2014
Antivirus Comparative junio 2014
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing Applications
 
AISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and whyAISA Sydney Presentation - Would PT add value to the SDLC and why
AISA Sydney Presentation - Would PT add value to the SDLC and why
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
From Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products SecureFrom Code to Customer: How to Make Software Products Secure
From Code to Customer: How to Make Software Products Secure
 
Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004Anton Chuvakin on What is NOT Working in Security 2004
Anton Chuvakin on What is NOT Working in Security 2004
 
Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...Semantic technologies for attribute based access: measurable security for the...
Semantic technologies for attribute based access: measurable security for the...
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
Security in open source projects
Security in open source projectsSecurity in open source projects
Security in open source projects
 
How to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network SecurityHow to Use Open Source Tools to Improve Network Security
How to Use Open Source Tools to Improve Network Security
 
G data 10 nov 2010
G data 10 nov 2010G data 10 nov 2010
G data 10 nov 2010
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop Presentation
 
TAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentationTAROT2013 Testing School - Antonia Bertolino presentation
TAROT2013 Testing School - Antonia Bertolino presentation
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
 
CV | Michele Spagnuolo
CV | Michele SpagnuoloCV | Michele Spagnuolo
CV | Michele Spagnuolo
 

Mehr von Apps with love

App Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with loveApp Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with love
Apps with love
 

Mehr von Apps with love (15)

App Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with loveApp Marketing Strategie und Knowhow - Apps with love
App Marketing Strategie und Knowhow - Apps with love
 
Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019Testing bei Apps with love - Swiss testing Day 2019
Testing bei Apps with love - Swiss testing Day 2019
 
Vorstellung Apps with love - Full Service Digitalagentur
Vorstellung Apps with love - Full Service DigitalagenturVorstellung Apps with love - Full Service Digitalagentur
Vorstellung Apps with love - Full Service Digitalagentur
 
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)
APP MARKETING STRATEGIE & APP STORE OPTIMIERUNG (ASO)
 
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVE
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVEUX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVE
UX & USER RESEARCH - WORKSHOP PRÄSENTATION VON APPS WITH LOVE
 
Go! Taxi App Konzept und Design by Apps with love
Go! Taxi App Konzept und Design by Apps with loveGo! Taxi App Konzept und Design by Apps with love
Go! Taxi App Konzept und Design by Apps with love
 
Apps with love présentation en français
Apps with love présentation en françaisApps with love présentation en français
Apps with love présentation en français
 
Updraft App Delivery für Betatesting und Enterprise Apps
Updraft App Delivery für Betatesting und Enterprise AppsUpdraft App Delivery für Betatesting und Enterprise Apps
Updraft App Delivery für Betatesting und Enterprise Apps
 
Event Apps - HowTo - by Apps with love
Event Apps - HowTo - by Apps with love Event Apps - HowTo - by Apps with love
Event Apps - HowTo - by Apps with love
 
Chat Bots 101 - by Apps with love
Chat Bots 101 - by Apps with loveChat Bots 101 - by Apps with love
Chat Bots 101 - by Apps with love
 
Live Communication and Crossmedia Management
Live Communication and Crossmedia Management Live Communication and Crossmedia Management
Live Communication and Crossmedia Management
 
Digitalization and Innovation - Today and Tomorrow
Digitalization and Innovation - Today and TomorrowDigitalization and Innovation - Today and Tomorrow
Digitalization and Innovation - Today and Tomorrow
 
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAY
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAYSELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAY
SELF-ORGANIZATION AND AGILITY - THE WAY WE COLLABORATE TODAY
 
From Idea to final Design - World Interaction Day
From Idea to final Design - World Interaction DayFrom Idea to final Design - World Interaction Day
From Idea to final Design - World Interaction Day
 
Event App Entwicklung Factsheet und Angebot
Event App Entwicklung Factsheet und AngebotEvent App Entwicklung Factsheet und Angebot
Event App Entwicklung Factsheet und Angebot
 

Kürzlich hochgeladen

Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
Natan Silnitsky
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Marc Lester
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
Prakhyath Rai
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Lisi Hocke
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
Andrea Goulet
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
Maxim Salnikov
 

Kürzlich hochgeladen (20)

Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphGraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
^Clinic ^%[+27788225528*Abortion Pills For Sale In harare
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test Automation
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4jGraphSummit Milan - Visione e roadmap del prodotto Neo4j
GraphSummit Milan - Visione e roadmap del prodotto Neo4j
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit MilanWorkshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 

How To Develop Secure Software

  • 1. Secure Software Development and Beyond Prof. Pascal Junod Apps with love, Bern (Switzerland) December 1st, 2015
  • 2. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Prof. Pascal Junod • Computer security veteran, MSc ETHZ’00, PhD EPFL’05. • Prof. @ HES-SO / HEIG-VD, co-founder of strong.codes • Research interests: • Industrial cryptography • Software security, software protection • Ethical hacking • http://crypto.junod.info, @cryptopathe
  • 3. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Agenda
  • 4. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Agenda • Software Security ? • Secure Software Development • Man at the End • Software Protection
  • 5. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Security?
  • 6. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Published Software Vulnerabilities Source:https://web.nvd.nist.gov/view/vuln/statistics
  • 7. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Trinity of Troubles Complexity ExtensibilityConnectivity
  • 8. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Complexity millionsofSLOC 0 5.5 11 16.5 22 2001 2003 2009 2010 2012 2015 Linux kernel
  • 9. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Connectivity • Ubiquitous networking • Service Oriented Architectures, networking of legacy applications
  • 10. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Extensibility • Plugins, extensions • Loadable OS drivers • Scripting, components, applets, controls • Extensible platforms: J2EE, .NET, etc.
  • 11. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Secure Software Development
  • 12. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Usual Threat Model Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 13. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Development Lifecycle • Process advocated by Lipner & Howard, « S. Lipner and M. Howard, «The trustworthy computing security development lifecycle», Microsoft Corp., 2005. • Available on http://msdn.microsoft.com/en-us/ library/ms995349(classic).aspx
  • 14. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Requirements • « Security from the grounds up » —> integration of security into the development process • Nomination of a security advisor • Identification of key security objectives • Describe security goals, challenges, and plans
  • 15. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Objectives • Financial risks • Reputation risks • Privacy and regulatory risks • SLA • Legal risks
  • 16. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Design • Security architecture definition • Definition of software attack surface • Threat modeling • Assets • Risks and their likelihood • Definition of countermeasures
  • 17. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threats etc. • Threat: person or object that is dangerous • Vulnerability: weakness, security hole • Attack/exploit: technique used to exploit a vulnerability
  • 18. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threats • Non-target specifics: viruses, worms, trojans, etc. • Employees • Organized crime, cyber-criminals • Corporation, nations • Natural threats
  • 19. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Vulnerabilities API abuse // Authentication // Authorization // Availability Code permissions // Code quality // Concurrency Configuration // Cryptography // Encoding // Environmental Error handling // General logic error // Input validation Logging and auditing // Password management // Path // Protocol errors // Range and type errors // Sensitive data protection // Session management // Synchronization and Timing // Unsafe mobile code // Dangerous APIs
  • 20. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threat Modeling Source:http://www.owasp.org
  • 21. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Threat Modeling Methods • Various methods: • STRIDE • DREAD • TRIKE • CVSS • Generic goals: identify components, data flows, trust boundaries
  • 22. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Implementation of Security • Application of adapted coding and testing standards • Specialized libraries • Use of static analysis code scanning tools in IDE • Code reviews
  • 23. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Release • Final security review • Internal / external security audit (white-/black-box « pen-test ») • Answer the question « Is this software ready to go to production from a security standpoint? »
  • 24. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Security Servicing • Monitoring • Evaluation of reported vulnerabilities • Release of security advisories and patches • Take response actions (review of development process, legal, etc.)
  • 25. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Basic Security Principles
  • 26. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Least Privilege Give each component only minimal rights necessary to carry out its task.
  • 27. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Defense in Depth Use several redundant protection mechanisms.
  • 28. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 User Participation A security procedure is efficient only if all its users adhere to its principles.
  • 29. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Choke Point A security mechanism is effective only if there is absolutely no means to bypass it.
  • 30. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Deny by Default Forbid everything but what is authorized.
  • 31. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Weakest Link The adversary will always attack the weakest link of the security chain.
  • 32. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Fail Securely Always ensure that an exception does not open a security hole.
  • 33. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 No Security by Obscurity Do not rely on the secret of the implementation to keep the system secure.
  • 34. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Simplicity Everything should be made as simple as possible, but not simpler.
  • 35. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End
  • 36. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 OK, then? • What happens when you have implemented a perfectly secure software? • It gets hacked!
  • 37. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Usual Threat Model Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 38. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 39. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Malicious Reverse Engineering Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 40. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Digital Rights Managements Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 41. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Cloud Computing Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 42. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Software Protection
  • 43. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Man at the End Source:Collberg,Nagra,« SurreptitiousSoftware »,Addison-Wesley,2009
  • 44. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Defenses • Obfuscate the code, to slow down a reverse engineer • Tamper-proof the code, to prevent modification • Mark the code, to identify illegal distribution
  • 45. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Attacks • strings • objdump • gdb • jailbreak exploit • IDA Pro • Hopper • Radare • Patch • PirateBay • P2P networks
  • 46. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 strong.protect • Jailbreak detection • Virtualization detection • Debugger detection • Control flow flattening • Routine split / merge • Bogus control flow insertion • Junk code insertion • Code tamper-proofing • Code watermarking
  • 47. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 What is actually strong.protect? • strong.protect is a compiler generating native code • It is based on the LLVM compilation framework • A free evaluation version is available as open- source software (see http://o-llvm.org)
  • 48. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Supported Language and Platforms
  • 49. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 How to Use strong.protect • Easy to integrate within modern IDEs, such as Eclipse, Xcode, Visual Studio, etc. • Works in your environment, no need to share code with us. • Usable out-of-the-box, no need for particular modification of software development process, compatible with multiple environments • Protection is fully customizable to your particular application needs • No required modification of the source code, applicable to multiple languages
  • 50. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Solution Features Comparison Feature  name Open  S ource  Version  C ommercial  Version C ode  substitutions  (-­‐sub) 9 24 Bogus  control  flow  (-­‐bcf) 1 8 C ode  flattening  (-­‐fla) static dynamic Function  merging  (-­‐mer) X Tamper  proofing  (-­‐tp) X C onstant  encryption  (-­‐xse) X Anti-­‐debugging  (-­‐ade) X Basic  block  splitting  (-­‐splitbbl) X Integer  substitution  (-­‐subinit) X Obfucation  profiler X Feature  C omparison
  • 51. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 Code Size Increase for ChatSecure App 0 10 20 30 40 50 60 no* protection "2sub*2 subinit" "2fla" "2mer" "2tp" "2fla*2mer* 2sub*2 subinit" Increase(in(binary(code(size Binary*code*size C ompiler)options %)increase no)protection 0.0% "3sub)3subinit" 8.9% "3fla" 18.4% "3mer" 22.9% "3tp" 22.5% "3fla)3mer)3sub)3subinit" 91.8%
  • 52. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 How to Use strong.protect
  • 53. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 strong.codes Team
  • 54. Prof. Pascal Junod, « Software Security and Beyond », Apps with love, Bern (Switzerland), December 1st, 2015 https://strong.codes