Lecture 4, April 8

Reading: [Chr11,OWA13] (These are available in the Resources area of SmartSite; look in the folder “Handouts”)
Due: Homework #1, due April 12, 2013

Discussion question. Microsoft spent February of 2003 teaching its programmers how to check their code for security vulnerabilities and how to introduce common security flaws. Yet many Microsoft programs still have security vulnerabilities. What problems do you think Microsoft encountered, and will encounter, in trying to find and clean up the vulnerabilities in its systems?

Lecture outline.

  1. Greetings and felicitations!
    1. If you have not completed the prerequisites in an earlier term, please fill out the wavier form and send it to me — otherwise the department will drop you from the course!
  2. Some common vulnerabilities
    1. Catalogues: CVE (Common Vulnerabilities and Exposures), CWE (Common Weakness Enumeration)
    2. 2011 MITRE/SANS Top 25 Most Dangerous Software Errors
    3. OWASP Top 10 – 2013 rc1 The Ten Most Critical Web Application Security Risks
  3. MITRE/SANS list
    1. Insecure interactions among components
      1. SQL injection
      2. OS command injection
      3. Cross-site scripting
      4. Unrestricted upload of file with dangerous type
      5. Cross-site request forgery
      6. URL redirect to untrusted site
    2. Risky resource management
      1. Buffer copy without checking size of input
      2. Improper limitation of a pathname to a restricted directory
      3. Download of code without integrity check
      4. Inclusion of functionality from untrusted control sphere
      5. Use of potentially dangerous function
      6. Incorrect calculation of buffer size
      7. Uncontrolled format string
      8. Integer overflow or wraparound
    3. Porous defenses
      1. Missing authentication for critical function
      2. Missing authorization
      3. Use of hard-coded credentials
      4. Missing encryption of sensitive data
      5. Reliance on untrusted inputs in a security decision
      6. Execution with unnecessary privileges
      7. Incorrect authorization
      8. Incorrect permission assignment for critical resource
      9. Use of a broken or risky cryptographic algorithm
      10. Improper restriction of excessive authentication attempts
      11. Use of a one-way hash without a salt
  4. OWASP list
    1. Injection
    2. Broken authentication and session management
    3. Cross-site scripting
    4. Insecure direct object references
    5. Security misconfiguration
    6. Sensitive data exposure
    7. Missing function level access control
    8. Cross-site request forgery
    9. Using known vulnerable components
    10. Unvalidated redirects and forwards
  5. Comparison
    1. Everything on the OWASP list is also on the MITRE/SANS list
    2. Injection is #1 on both lists
    3. The MITRE/SANS list covers vulnerabilities generally; OWASP covers only web vulnerabilities

You can also obtain a PDF version of this. Version of April 9, 2013 at 6:50PM