CMPT 473 Software Quality Assurance. Security. Nick Sumner

Similar documents
Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

Software Vulnerabilities

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Bypassing Browser Memory Protections in Windows Vista

Modern Binary Exploitation Course Syllabus

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Practical taint analysis for protecting buggy binaries

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Bypassing Memory Protections: The Future of Exploitation

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Web Application Security Considerations

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

Application Design and Development

Static Checking of C Programs for Vulnerabilities. Aaron Brown

Thick Client Application Security

Introduction to computer and network security. Session 2 : Examples of vulnerabilities and attacks pt1

Defending Computer Networks Lecture 3: More On Vulnerabili3es. Stuart Staniford Adjunct Professor of Computer Science

CS 155 Final Exam. CS 155: Spring 2013 June 11, 2013

Exploits: XSS, SQLI, Buffer Overflow

Quiz I Solutions MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Department of Electrical Engineering and Computer Science

Return-oriented programming without returns

Buffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015

External Network & Web Application Assessment. For The XXX Group LLC October 2012

CS 356 Lecture 23 and 24 Software Security. Spring 2013

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Eugene Tsyrklevich. Ozone HIPS: Unbreakable Windows

What is Web Security? Motivation

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Application Intrusion Detection

Source Code Security Analysis Tool Functional Specification Version 1.0

Advanced Endpoint Protection Overview

Application. Application Layer Security. Protocols. Some Essentials. Attacking the Application Layer. SQL Injection

WHITEPAPER. Nessus Exploit Integration

Testing for Security

Columbia University Web Security Standards and Practices. Objective and Scope

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Coverity Scan. Big Data Spotlight

Bridging the Gap - Security and Software Testing. Roberto Suggi Liverani ANZTB Test Conference - March 2011

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

SQL Injection. SQL Injection. CSCI 4971 Secure Software Principles. Rensselaer Polytechnic Institute. Spring

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

In the name of God. 1 Introduction. 2 General Plan

What Every (Software) Engineer Needs To Know About Security. -- and -- Where To Learn It

Design of a secure system. Example: trusted OS. Bell-La Pdula Model. Evaluation: the orange book. Buffer Overflow Attacks

Web Application Vulnerabilities

How To Protect Your Computer From Being Hacked By A Hacker (For A Fee)

Hacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) Twitter: Dave_ReL1K

Auditing a Web Application. Brad Ruppert. SANS Technology Institute GWAS Presentation 1

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Intrusion detection for web applications

Defense in Depth: Protecting Against Zero-Day Attacks

Threat Modeling for Secure Embedded Software

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

Introduction to web security Jakob Korherr. Freitag, 11. Mai 12

D. Best Practices D.1. Assurance The 5 th A

Penetration Testing with Kali Linux

elearning for Secure Application Development

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

BBM 461: SECURE PROGRAMMING INTRODUCTION. Ahmet Burak Can

Check list for web developers

ERNW Newsletter 51 / September 2015

Improving Software Security at the. Source

Passing PCI Compliance How to Address the Application Security Mandates

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

SAFECode Security Development Lifecycle (SDL)

Securing software by enforcing data-flow integrity

Introduction to Information Security

An Introduction to Application Security In ASP.NET Environments. Houston.NET User Group. February 23 rd, 2006

Linux Kernel. Security Report

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Penetration Test Report

(General purpose) Program security. What does it mean for a pgm to be secure? Depends whom you ask. Takes a long time to break its security controls.

Detecting SQL Injection Vulnerabilities in Web Services

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

Perl In Secure Web Development

Web Application Security

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

RIPS - A static source code analyser for vulnerabilities in PHP scripts

Application Security Testing. Generic Test Strategy

CS Computer Security Thirteenth topic: System attacks. defenses

Webapps Vulnerability Report

Hands-on Hacking Unlimited

Practical Identification of SQL Injection Vulnerabilities

How to Rob an Online Bank (and get away with it)

Advanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com

Web application security

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Transcription:

CMPT 473 Software Quality Assurance Security Nick Sumner

Security in General Security Maintaining desired properties in the the presence of adversaries

Security in General Security Maintaining desired properties in the the presence of adversaries So what are the desired properties?

Security in General Security Maintaining desired properties in the the presence of adversaries CIA Model classic security properties

Security in General Security Maintaining desired properties in the the presence of adversaries CIA Model classic security properties Confidentiality Information is only disclosed to those authorized to know it

Security in General Security Maintaining desired properties in the the presence of adversaries CIA Model classic security properties Confidentiality Integrity Only modify information in allowed ways by authorized parties

Security in General Security Maintaining desired properties in the the presence of adversaries CIA Model classic security properties Confidentiality Integrity Only modify information in allowed ways by authorized parties Do what is expected

Security in General Security Maintaining desired properties in the the presence of adversaries CIA Model classic security properties Confidentiality Integrity Availability Those authorized for access are not prevented from it

Security in Software Bugs in software can lead to policy violations Information leaks (C)

Security in Software Bugs in software can lead to policy violations Information leaks (C) Data Corruption (I)

Security in Software Bugs in software can lead to policy violations Information leaks (C) Data Corruption (I) Denial of service (A)

Security in Software Bugs in software can lead to policy violations Information leaks (C) Data Corruption (I) Denial of service (A) Remote execution (CIA) arbitrarily bad!

Security in Software Bugs in software can lead to policy violations Bugs make software vulnerable to attack

Security in Software Bugs in software can lead to policy violations Bugs make software vulnerable to attack XSS SQL Injection Buffer overflow Path replacement Integer overflow Race conditions (TOCTOU Time of Check to Time of Use) Unsanitized format strings All create attack vectors for a malicious adversary

Why Is This Special? Poor security comes from unintended behavior. Quality software shouldn't allow such actions anyway. 15

Why Is This Special? Poor security comes from unintended behavior. Quality software shouldn't allow such actions anyway. While our testing techniques so far find some security issues, many slip through! Why? 16

Why Is This Special? Poor security comes from unintended behavior. Quality software shouldn't allow such actions anyway. While our testing techniques so far find some security issues, many slip through! Why? We cannot test everything 17

Why Is This Special? Poor security comes from unintended behavior. Quality software shouldn't allow such actions anyway. While our testing techniques so far find some security issues, many slip through! Why? We cannot test everything Concessions form part of an attack surface Networks, Software, People 18

Why Is This Special? Poor security comes from unintended behavior. Quality software shouldn't allow such actions anyway. While our testing techniques so far find some security issues, many slip through! Why? We cannot test everything Concessions form part of an attack surface Networks, Software, People Need additional policies & testing methods that specifically address security 19

What Could Possible Go Wrong? Many ways to attack different programs MITRE groups the most common into: 20

What Could Possible Go Wrong? Many ways to attack different programs MITRE groups the most common into: Insecure Interaction Data sent between components in an insecure fashion 21

What Could Possible Go Wrong? Many ways to attack different programs MITRE groups the most common into: Insecure Interaction Data sent between components in an insecure fashion Risky Resource Management Bad creation, use, transfer, & destruction of resources 22

What Could Possible Go Wrong? Many ways to attack different programs MITRE groups the most common into: Insecure Interaction Data sent between components in an insecure fashion Risky Resource Management Bad creation, use, transfer, & destruction of resources Porous Defenses Standard security practices that are missing or incorrect [http://cwe.mitre.org/top25/#categories] 23

Memory Safety Unsafe memory accesses are a longstanding vector Memory Safety [http://www.pl-enthusiast.net/2014/07/21/memory-safety/]

Memory Safety Unsafe memory accesses are a longstanding vector Memory Safety [http://www.pl-enthusiast.net/2014/07/21/memory-safety/] Provide common attack patterns [Eternal War in Memory]

Memory Safety Unsafe memory accesses are a longstanding vector Memory Safety [http://www.pl-enthusiast.net/2014/07/21/memory-safety/] Provide common attack patterns [Eternal War in Memory] Dangling or OOB * Read or Write

Memory Safety Unsafe memory accesses are a longstanding vector Memory Safety [http://www.pl-enthusiast.net/2014/07/21/memory-safety/] Provide common attack patterns [Eternal War in Memory] Dangling or OOB * Read or Write Δ Data *

Memory Safety Unsafe memory accesses are a longstanding vector Memory Safety [http://www.pl-enthusiast.net/2014/07/21/memory-safety/] Provide common attack patterns [Eternal War in Memory] Dangling or OOB * Read or Write Δ Data * Δ Code Code Corruption

Memory Safety Unsafe memory accesses are a longstanding vector Memory Safety [http://www.pl-enthusiast.net/2014/07/21/memory-safety/] Provide common attack patterns [Eternal War in Memory] Dangling or OOB * Read or Write Δ Data * Δ Code Δ Code * Use * in call/jmp/ret Code Corruption Control Flow Hijack

Memory Safety Unsafe memory accesses are a longstanding vector Memory Safety [http://www.pl-enthusiast.net/2014/07/21/memory-safety/] Provide common attack patterns [Eternal War in Memory] Dangling or OOB * Read or Write Δ Data * Δ Code Δ Code * Use * in call/jmp/ret Δ Data Use Data Code Corruption Control Flow Hijack Data Only Attack

Memory Safety Unsafe memory accesses are a longstanding vector Memory Safety [http://www.pl-enthusiast.net/2014/07/21/memory-safety/] Provide common attack patterns [Eternal War in Memory] Dangling or OOB * Read or Write Δ Data * Δ Code Δ Code * Δ Data Output Data Use * in call/jmp/ret Use Data Code Corruption Control Flow Hijack Data Only Attack Info Leak

Code Corruption def foo(): # original code def foo(): # malicious code How can we prevent this?

Code Corruption def foo(): # original code def foo(): # malicious code How can we prevent this? What problems does this solution create?

Control Flow Hijacking void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } How many of you recall what a stack frame looks like?

Data Only Attacks 0xFFF Stack void foo(char *input) { unsigned securedata; Previous Frame char buffer[16]; strcpy(buffer, input); } Addresses 0x000

Data Only Attacks 0xFFF Addresses Stack Previous Frame Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } 0x000

Data Only Attacks 0xFFF Addresses Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } Stack frame for foo 0x000

Data Only Attacks 0xFFF Addresses Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } 0x000

Data Only Attacks 0xFFF Addresses Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } What can go wrong? 0x000

Data Only Attacks 0xFFF Addresses Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } input = normal input + insecuredata 0x000

Data Only Attacks 0xFFF Addresses Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } input = normal input + insecuredata buffer overflow attack 0x000

Data Only Attacks 0xFFF Addresses Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } input = normal input + insecuredata The integrity of the secure data is corrupted. 0x000

Control Flow Hijacking 0xFFF Addresses Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } 0x000

Control Flow Hijacking 0xFFF Addresses Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } input = input + payload address + payload (shell code) 0x000

Control Flow Hijacking 0xFFF Addresses 0x000 Stack Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Stack Growth void foo(char *input) { unsigned securedata; char buffer[16]; strcpy(buffer, input); } input = input + payload address + payload (shell code) On return, we'll execute the shell code

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0]

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Previous Frame Return Address Canary Old Frame Ptr securedata buffer[15] buffer[14] buffer[0]

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Previous Frame Return Address Canary Old Frame Ptr securedata buffer[15] buffer[14] buffer[0]

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Previous Frame Return Address Canary Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Abort because canary changed!

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries DEP Data Execution Prevention / W X

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries DEP Data Execution Prevention / W X shell code: Previous Frame Return Address Canary Old Frame Ptr securedata buffer[15] buffer[14] buffer[0]

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries DEP Data Execution Prevention / W X shell code: Previous Frame Return Address Canary Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Abort because W but not X

Control Flow Hijacking How can we prevent this basic approach? Stack Canaries DEP Data Execution Prevention / W X But these are still easily bypassed!

Return to libc Attacks Reuse existing code to bypass W X

Return to libc Attacks Reuse existing code to bypass W X Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Fake Argument Ptr To Function Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] /usr/bin/minesweeper system()

Return to libc Attacks Reuse existing code to bypass W X Previous Frame Return Address Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] Fake Argument Ptr To Function Old Frame Ptr securedata buffer[15] buffer[14] buffer[0] /usr/bin/minesweeper system() Even construct new functions piece by piece!

Return to libc Attacks Reuse existing code to bypass W X Return Oriented Programming Build new functionality from pieces of existing functions

Return to libc Attacks Reuse existing code to bypass W X Return Oriented Programming Build new functionality from pieces of existing functions Ptr To Gadget void a() { } void b() { } void c() { } void d() { } void e() { } void f() { } void g() { } void h() { }

ASLR Address Space Layout Randomization You can't use it if you can't find it! NCurses Stack Heap Stack Heap LibC LibC Program NCurses Program Run 1 Run 2

ASLR Address Space Layout Randomization You can't use it if you can't find it! NCurses Stack Heap LibC Program Stack Heap LibC NCurses Program But even this is easily broken Run 1 Run 2

Control Flow Integrity Restrict indirect control flow to needed targets Jmp */call */ret foo = foo();

Control Flow Integrity Restrict indirect control flow to needed targets Jmp */call */ret foo = if foo not in [] abort() foo(); Ptr To Gadget void a() { } void b() { }

Control Flow Integrity Restrict indirect control flow to needed targets Jmp */call */ret foo = if foo not in [] abort() foo(); Ptr To Gadget void a() { } void b() { } clang -flto -fsanitize=cfi -fsanitize=safe-stack clang -fsanitize=safe-stack

Memory Safety Vulnerabilities come from reading/writing/freeing Out of bounds pointers Dangling pointers 65

Memory Safety Vulnerabilities come from reading/writing/freeing Out of bounds pointers Dangling pointers Why doesn't Java face this issue? 66

Memory Safety Vulnerabilities come from reading/writing/freeing Out of bounds pointers Dangling pointers Why doesn't Java face this issue? Is this intrinsic to languages like C++? Why/Why not? 67

Memory Safety Vulnerabilities come from reading/writing/freeing Out of bounds pointers Dangling pointers Why doesn't Java face this issue? Is this intrinsic to languages like C++? Why/Why not? Are these still a real issue? 68

Memory Safety Vulnerabilities come from reading/writing/freeing Out of bounds pointers Dangling pointers Why doesn't Java face this issue? Is this intrinsic to languages like C++? Why/Why not? Are these still a real issue? http://www.symantec.com/security_response/vulnerability.jsp?bid=70332 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0015 http://seclists.org/oss-sec/2016/q1/645 69

Another Case: SQL Injection SQL a query language for databases Queries like: SELECT grade,id FROM students WHERE name= + username; 70

Another Case: SQL Injection SQL a query language for databases Queries like: SELECT grade,id FROM students WHERE name= + username; ID Name Grade 0 Alice 92 1 Bob 87 2 Mallory 75 71

Another Case: SQL Injection SQL a query language for databases Queries like: SELECT grade,id FROM students WHERE name= + username; ID Name Grade 0 Alice 92 1 Bob 87 2 Mallory 75 Values for name, grade often come from user input. 72

Another Case: SQL Injection SQL a query language for databases Queries like: SELECT grade,id FROM students WHERE name= + username; ID Name Grade 0 Alice 92 1 Bob 87 2 Mallory 75 Values for name, grade often come from user input. Why is this a problem? 73

Another Case: SQL Injection username = 'bob'; DROP TABLE students What happens? 74

SQL Injection [http://xkcd.com/327/] [http://bobby-tables.com/] The user may include commands in their input! 75

SQL Injection [http://xkcd.com/327/] [http://bobby-tables.com/] The user may include commands in their input! Need to sanitize the input before use 76

SQL Injection [http://xkcd.com/327/] [http://bobby-tables.com/] The user may include commands in their input! Need to sanitize the input before use How would you prevent this problem? 77

A Subtle Problem in General The problems may be much more subtle: User A can read files X,Y,Z and write to S,T User B can read files X,Y,S and write to Z,T 78

A Subtle Problem in General The problems may be much more subtle: User A can read files X,Y,Z and write to S,T User B can read files X,Y,S and write to Z,T How can we ensure that no information from A is ever written to Z? 79

A Subtle Problem in General The problems may be much more subtle: User A can read files X,Y,Z and write to S,T User B can read files X,Y,S and write to Z,T How can we ensure that no information from A is ever written to Z? Can you envision a scenario that creates this problem? 80

A Subtle Problem in General The problems may be much more subtle: User A can read files X,Y,Z and write to S,T User B can read files X,Y,S and write to Z,T How can we ensure that no information from A is ever written to Z? Care may be required to enforce access control policies 81

A Subtle Problem in General The problems may be much more subtle: User A can read files X,Y,Z and write to S,T User B can read files X,Y,S and write to Z,T How can we ensure that no information from A is ever written to Z? Care may be required to enforce access control policies Discretionary access control owner determines access 82

A Subtle Problem in General The problems may be much more subtle: User A can read files X,Y,Z and write to S,T User B can read files X,Y,S and write to Z,T How can we ensure that no information from A is ever written to Z? Care may be required to enforce access control policies Discretionary access control owner determines access Mandatory access control clearance determines access 83

Assuring Security Make risky operations someone else's job e.g. Google Checkout, PayPal, Amazon, etc. 84

Assuring Security Make risky operations someone else's job e.g. Google Checkout, PayPal, Amazon, etc. Define rigorous security policies What are your CIA security criteria? 85

Assuring Security Make risky operations someone else's job e.g. Google Checkout, PayPal, Amazon, etc. Define rigorous security policies What are your CIA security criteria? Follow secure design & coding policies And include them in your review criteria 86

Assuring Security Make risky operations someone else's job e.g. Google Checkout, PayPal, Amazon, etc. Define rigorous security policies What are your CIA security criteria? Follow secure design & coding policies And include them in your review criteria Apple secure coding policies CERT Top 10 Practices Mitre Mitigation Strategies 87

Assuring Security Make risky operations someone else's job e.g. Google Checkout, PayPal, Amazon, etc. Define rigorous security policies What are your CIA security criteria? Follow secure design & coding policies And include them in your review criteria Formal certification 88

Common Proactive Approaches How are these techniques applied? 89

Common Proactive Approaches How are these techniques applied? Security must be part of design Prepared Statements, Safe Arrays, etc. 90

Common Proactive Approaches How are these techniques applied? Security must be part of design Prepared Statements, Safe Arrays, etc. Regular security audits Retrospective analysis & suggestions 91

Common Proactive Approaches How are these techniques applied? Security must be part of design Prepared Statements, Safe Arrays, etc. Regular security audits Retrospective analysis & suggestions Penetration testing (Pen Testing) Can someone skilled break it? 92

Security Overall Security is now a pressing concern for all software 93

Security Overall Security is now a pressing concern for all software Old software was designed in an era of naiveté and is often vulnerable/broken 94

Security Overall Security is now a pressing concern for all software Old software was designed in an era of naiveté and is often vulnerable/broken New software is built to perform sensitive operations in a multiuser and networked environment. 95

Security Overall Security is now a pressing concern for all software Old software was designed in an era of naiveté and is often vulnerable/broken New software is built to perform sensitive operations in a multiuser and networked environment. Not planning for security concerns from the beginning is a broken approach to development 96

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information