the importance of secure programming

The Importance of Secure Programming

"the cyber threat is one of the most serious economic and national security challenges we face as a nation"

and “America's economic prosperity in the 21st century will depend on cybersecurity.”

President Obama, www.whitehouse.gov

“The next Pearl Harbor we confrontcould very well be a cyber attack

that cripples our grid

our security systems

our financial systems

our governmental systems.”

In 2013: January 31: The New York Times and the

Wall Street Journal revealed their respective websites had been the target of a well-coordinated hacking effort.

Feb 1: Hackers targeted Twitter, gaining “limited” access to around 250,000 user accounts, including “usernames, email addresses, session tokens and encrypted/salted versions of passwords”

Feb 4: “Energy Department Hit In The Most Dangerous Cyber Attack Yet”

Feb 6: “Federal Reserve Hit by Cyber Attack”

“Here a Hack, There a Hack, Everywhere a Cyber Attack”

“Super Bowl Blackout Wasn’t Caused by Cyberattack”

Software vulnerabilities

Vulnerability – weakness in the software Estimated 1 to 7 defects per thousand lines

of code For large system with millions of lines of

code => thousands of vulnerabilities

Big Three

Three programming errors are responsible for 85% of vulnerabilities (SANS)

Buffer overflow - 23% increase

Integer overflow Input validation

http://upload.wikimedia.org/wikipedia/commons/thumb/d/d0/Buffer_overflow_basicexample.svg/502px-Buffer_overflow_basicexample.svg.png

Software Security begins with education

It is our job to teach secure coding

“I think the most critically important part of delivering secure systems is raising awareness through security education.”

Bill Gates, Microsoft

http://images.google.com/imgres?imgurl=http://celebrity-pics.movieeye.com/celebrity_pictures/Bill_Gates_718639.jpg&imgrefurl=http://www.movieeye.com/celebrity_addresses/details/15533/Bill_Gates.html&h=350&w=350&sz=62&hl=en&start=4&sig2=Zlr9YpiIXN8FyVIOuz45jw&um=1&tbnid=9j9mtWtosllIuM:&tbnh=120&tbnw=120&ei=z7L3R8-rO4_aecW_pLcB&prev=/images?q=bill+gates&um=1&hl=en&rlz=1T4GFRC_enUS206US207&sa=N

“The ability to write secure code should be as fundamental to a university computer science undergraduate as basic literacy.”

Matt Bishop, UC Davis

http://nob.cs.ucdavis.edu/bishop/images/Bishop_head.jpg

“The first and foremost strategy for reducing securing related coding flaws is to educate developers how to avoid creating vulnerable code.”

Robert C. Seacord, CERT

http://images.google.com/imgres?imgurl=http://www.informit.com/ShowCover.aspx?isbn=0321335724&type=f&imgrefurl=http://www.informit.com/store/product.aspx?isbn=0321335724&h=212&w=160&sz=20&hl=en&start=16&sig2=3XhgI0kfPeP-_uuI2ZVyiA&um=1&tbnid=aAWzLDRSsRhfYM:&tbnh=106&tbnw=80&ei=gbH3R678L42meqX25YcB&prev=/images?q=robert+seacord&um=1&hl=en&rlz=1T4GFRC_enUS206US207&sa=N

The current state of undergraduate security education…

• Security tracks • Security classes• Reaches only a

subset of students• Courses occur late

in curriculum• After students have

learned fundamental coding and design

Too little, too late

http://images.google.com/imgres?imgurl=http://www.informit.com/ShowCover.aspx?isbn=0321335724&type=f&imgrefurl=http://www.informit.com/store/product.aspx?isbn=0321335724&h=212&w=160&sz=20&hl=en&start=16&sig2=3XhgI0kfPeP-_uuI2ZVyiA&um=1&tbnid=aAWzLDRSsRhfYM:&tbnh=106&tbnw=80&ei=gbH3R678L42meqX25YcB&prev=/images?q=robert+seacord&um=1&hl=en&rlz=1T4GFRC_enUS206US207&sa=N

Early andOften

Create a Security Mindset

Secure coding education in a perfect world …

the importance of secure programming

Documents