quartz/content/notes/21-SE-in-IA-2.md
2022-11-14 10:03:32 +13:00

title: 21-SE-in-IA-2
aliases:
tags: comp210, lecture
sr-due: 2023-01-20
sr-interval: 67
sr-ease: 270

security needed in all phases

  • often overlooked in feasibility stages
  • security requirements not defined
  • built without thinking about security
  • tests do not take security into account
  • without security, evolution can become cumbersome

more costly to fix a bug in development than in design

  • the later we fix it the more costly it is

from the start

  • hire right people
  • with hacking mindset
    • so they always think about security
  • invite customers to training and seminars
    • testing could uncover security issues

questions during feasibility

  • what are the implications for users if assets are lost
    • some information is higher risk than other information

during design

  • should be designed in iterative manner
  • threat modelling
    • diagram
    • Data Flow Diagram (DFD)
      • high or low level
      • want to be nimble
      • don't want to go overboard
      • level 1 dfd
  • potential threats
  • STRIDE
    • list
    • can identify parts of the system that are threatened by these things using the DFD
      • e.g
      • threat tree
        • defines the potential decisions that are made by the attacker
      • information to keep track of
      • risk = criticality * likelihood of occurrence
        • should be consistent
        • can also use DREAD
          • list
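
An added example, not from the lecture: one way to carry out the design steps above in code, applying STRIDE to each element of a small DFD and ranking the results with risk = criticality * likelihood. The per-element STRIDE chart follows the common Microsoft SDL convention, which goes beyond what these notes list; the DFD, the 1 to 5 scales and every score are constructed for illustration.

```python
from typing import NamedTuple

# STRIDE-per-element chart (Microsoft SDL convention, an assumption here):
# which threat categories apply to each kind of DFD element.
STRIDE_BY_KIND = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"],
    "data_store": ["Tampering", "Information disclosure", "Denial of service"],
    "data_flow": ["Tampering", "Information disclosure", "Denial of service"],
}

class Element(NamedTuple):
    name: str
    kind: str          # key of STRIDE_BY_KIND
    criticality: int   # 1 (low) .. 5 (high): impact on users if the asset is lost

# Constructed level 1 DFD for a hypothetical web shop.
DFD = [
    Element("customer browser", "external_entity", 2),
    Element("web application", "process", 4),
    Element("browser -> web app request", "data_flow", 3),
    Element("orders database", "data_store", 5),
]

# Constructed likelihood estimates (1..5) per (element, threat). Anything not
# listed gets DEFAULT_LIKELIHOOD, so every threat is scored on the same scale.
DEFAULT_LIKELIHOOD = 1
LIKELIHOOD = {
    ("web application", "Tampering"): 4,
    ("orders database", "Information disclosure"): 3,
    ("browser -> web app request", "Information disclosure"): 2,
    ("customer browser", "Spoofing"): 3,
}

def enumerate_threats(dfd):
    """Return (risk, element name, threat) rows, highest risk first."""
    rows = []
    for el in dfd:
        if el.kind not in STRIDE_BY_KIND:
            raise ValueError(f"unknown DFD element kind: {el.kind!r}")
        for threat in STRIDE_BY_KIND[el.kind]:
            likelihood = LIKELIHOOD.get((el.name, threat), DEFAULT_LIKELIHOOD)
            rows.append((el.criticality * likelihood, el.name, threat))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

if __name__ == "__main__":
    for risk, name, threat in enumerate_threats(DFD):
        print(f"{risk:>2}  {name:<28} {threat}")
```

Scoring every threat on the same two scales is what keeps the ranking consistent; the top rows are the ones to carry into threat trees and design countermeasures.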

example

responding to threats

  • do nothing

  • inform user

  • remove problem

  • fix problem

  • design choices to counter threats

during development

  • techniques vary based on type of software

  • system

  • firmware

  • drive

  • programming software

  • common vulnerabilities

example connection string

  • can provide extraneous parameters to find the right ones

example SQL injection

tips for validation and preventing overruns

during evolution

  • assign security evangelist
  • plan "security days"
  • learn from mistakes
  • minimize attack surface

stack overflow

  • examples

summary