Software Security Trends

6 Jan. 2013
Tags: Hig

Literature


Dowd, M., McDonald, J., and Schuh, J. (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. (469,- in Mjøsbok)

Info
Individual topics counting 100% of the grade were selected during the first lecture. We are going to present our topics in weeks 14-19, depending on the topic. The final deadline is the 21st of May (2013). Every student must peer review two other topics in order to give feedback.

Lectures

Paper, presentation and code

S2_SoftSecTrends_Man-in-the-browser_presentation
size 339.0 KiB
sha256: 26eaa4da11...25047dc73c

S2_SoftSecTrends_Man-in-the-browser
size 206.6 KiB
sha256: 41a7b5527b...dad420d67a

S2_SoftSecTrends_Man-in-the-browser_source
size 152.2 KiB
sha256: 492c5f9ed1...6516aed4e9

Other sources
See the OWASP WebGoat and WebScarab projects.

Capture the flag contest during spring

Software Security (Assurance) State of the Art:

Some thoughts... I read most of this paper, and although it was quite boring at times, I found some pages quite interesting:
5.2.2 talks about how "negative" requirements like "the software must not be susceptible to buffer overflows" must be analyzed and converted to actionable requirements like "input validation" and "exception handling".
5.2.3.1 Issues with modeling,
5.2.3.1.1 Microsoft threat modeling,
5.2.3.2.1 Misuse vs abuse cases,
5.3.1 Design principles (as seen in Applied Information Security),
5.5.2.1 White box techniques,
5.5.2.4 Compiler optimizers can introduce new vulnerabilities,
Table 5-14 Software and application security checklists,
7.1.1.1 and 7.1.1.2 Websites and portals to follow,
8.5 Developer liability.