SOFTWARE SECURITY EDUCATIONWHAT NEXT????

Submitted bySrinath

Viswanathan 006329076

Srinivas Gudisagar

006376734

1

AGENDA

IntroductionSecurity typesCertification’sCoursesConclusion

2

IntroductionWhat is Security Software Education? Software security essentially deals

with what are the security risks and how would one manage them.

• Security space can be cleanly divided into two distinct subfields:

Information Security Application Security

Information security concerns confidentiality, integrity and availability.

3

Information Security

Secure both the information and the information systems.

Classic Threats Disclosure

◦ Snooping, Trojan Horses Deception

◦ Modification, spoofing, repudiation of origin, denial of receipt

Disruption◦ Modification

Usurpation◦ Modification, spoofing, delay, denial of service

4

Application Security

Application security applies security throughout the application’s life cycle.

Protect from attacks from design defects, deployment and maintenance of the application.

Application level security threats. Session Threat: Session Hijacking, Session

replay, Man in the middle attack.Auditing and Logging: Non Repudiation Input Threats: Cross Site scripting, SQL

injection

5

SQL Injection

Username &Password

SELECT passwdFROM USERS

WHERE uname IS ‘$username’

Normal Query

WebBrowser

WebServer Database

010010

1010101

0100101

SQL Injection

SELECT passwdFROM USERS

WHERE uname IS ‘’; DROP TABLE

USERS; -- '

Malicious Query

Eliminates all user accounts

“Username &Password”

WebBrowser

WebServer Database

Cross Site Scripting

/viewbalanceCookie: sessionid=40a4c04de

“Your balance is $25,000”

Alice bank.com/login.html

/authuname=alice&pass=ilovebobCookie: sessionid=40a4c04de

evil.com

Cross Site ScriptingAlice bank.com

/login.html

/authuname=alice&pass=ilovebobCookie: sessionid=40a4c04de

/evil.html<IMG SRC=http://bank.com/paybill?addr=123 evil st & amt=$10000>

/paybill?addr=123 evil st, amt=$10000Cookie: sessionid=40a4c04de

“OK. Payment Sent!”

Why Security Certification? Professional validation of skills• Exposure to industry standards• Best practices• Baseline skills for a specific role• Quality of work & productivity• Differentiation of your organization or group

10

Security CertificationsClassifications:

◦ Benchmark Wide recognition by professionals in all

sectors Advanced level Prerequisite for many senior jobs

◦ Foundation Introductory certifications One to four years of experience

Security CertificationsClassifications:

◦Intermediate 3 to 4 years of networking experience 2 years of IT Security experience

◦Advanced Expert level Minimum of 4 years of IT Security

experience

Security CertificationsBenchmark certifications:• CISSP

ISC2.org Common Body of Knowledge

Access Control Systems and Methodology Applications & Systems Development Business Continuity Planning Cryptography Law, Investigation & EthicsCost $600Average Annual Salary- $115,000

Security CertificationsFoundation level:SANS• GIAC Security Essentials (GSEC)

Basic understanding of the CBK Basic skills to incorporate good

information security practicesGIAC IT Security Audit Essentials

Developing audit checklists Perform limited risk assessment

Cost $450Average Annual Salary- $70,000

GIAC Secure Software Programmer:

Find Programming flaws.

Comes in 3 flavors.

Things provided by this certificate:

a) It teaches some basic security concepts as

well as advanced topics.

b) Learning to write code with security in mind.

Advantages:

Learners can demonstrate mastery of security

knowledge in the programming language.

15

Anti-Hacking Certification:

Thinking in Hackers Perspective.

Teaches different network security testing tools.

Things provided by this certificate:

a) Learning Hacking tools like HTTPPort,

BackStealth.

b) Hacking SSL enabled sites.

Advantages:

a) It Complements CEH, and learners are able to

come out with a complete security education.

b) Learn to defend network from Trojans, virus. 16

EC-Council Certified Security Analyst (ECSA):

Analyze outcome of security tests.

Differentiating with Ethical hacker.

Things provided by this certificate:

a) Methods and tool to test security.

b) Performing network security testing and doing

an

Exhaustive analysis.

Advantages:

a) Boosts your resume, by making you stand out

as a

better security professional.

b) Makes you skillful in using security tools and techniques.

17

Courses:Wireless Security Distinguished based on their range.

General threats Denial Of Service, Eaves

dropping, man in the middle attack,

replaying message, and hacker analyses

patterns.

Defenses are Encryption, applying

algorithms, using timestamp,

authentication, IDS.

Defenses implemented with the base

knowledge of network security.

18

VPN Security

Connect different nodes by a virtual

network.

Methods to keep the communication and

data secure are:

a) Firewall

b) Encryption

c) IPSec

d) Building AAA server.

19

Stanford Advanced Computer Security Certificate Six Courses to be done.

The courses are:

a) Using Cryptography Correctly - Avoid Programming

mistakes

b) Writing secure code – Secure code tools.

c) Security Protocols – Design SSL,WEP, IPSec, Kerberos

correctly.

d) Software Secure Foundation – Secure Programming

techniques.

e) Web Security – Security issues with web 2.0, Face

book lab.

f) Securing Web Application – Secure website design,

SQL injection lab. 1100$ at Stanford, 495$ online.participants from organizations like Yahoo! Inc, Cisco

Systems, Oracle.

20

Conclusion

Software security is every engineer's problem!

Certification and some of the courses that we mentioned is a great way to complement the network security course.

Better Security for Organizations.

21

Reference:

http://www.eccouncil.org/ECSA.htmhttp://www.securityuniversity.net/

classes_Anti-Hacking_Certificate_Mgrs.phphttp://www.giac.org/certifications/software/http://permanent.access.gpo.gov/lps96916/

Draft-SP800-48r1.pdfhttp://www.isc2.org/csslp-certification.aspxhttp://www.cigital.com/ssw/softsec_infosec.p

dfhttp://www.cs.rutgers.edu/~vinodg/teaching/

fall-2007-cs673/index.html

22

THANK YOU

23

?

24