Information Security 12 Software Security Chapter 3 in security in computing Charles p pfleeger, Shari Lawrence pfleeger Pearson edition 復里大软件学院 LiT
1 LiJT Information Security 12 Software Security Chapter 3 in Security in Computing, Charles P. Pfleeger, Shari Lawrence Pfleeger, Pearson Edition
Why Software? Why is software as important to security as crypto, access control and protocols? Virtually all of information security is implemented in software If your software is subject to attack, your security is broken Regardless of strength of crypto access control or protocols Software is a poor foundation for security 復里大软件学院 LiT
2 LiJT Why Software? • Why is software as important to security as crypto, access control and protocols? • Virtually all of information security is implemented in software • If your software is subject to attack, your security is broken – Regardless of strength of crypto, access control or protocols • Software is a poor foundation for security
What does it mean? secure program: means different things to different people is it secure if? takes too long to break through security controls runs for a long time without failure t conforms to specification free from all faults 復里大软件学院 LiT
3 LiJT What does it mean? • “secure” program: means different things to different people • is it secure if ? – takes too long to break through security controls – runs for a long time without failure – it conforms to specification – free from all faults
ete Fixing Faults - Testing · Which is better: finding and fixing 20 faults in a module? finding and fixing 100 faults 復里大软件学院 LiT
4 LiJT Fixing Faults - Testing • which is better: – finding and fixing 20 faults in a module? – finding and fixing 100 faults ' ' ' ?
Fixing Faults · Which is better finding and fixing 20 faults in a module? finding and fixing 100 faults finding 100 could mean you have better testing methods OR code is really bad 100 were just the tip of the iceberg software testing literature finding many errors early probably find many more 5 復里大软件学院 LiT
5 LiJT Fixing Faults • which is better: – finding and fixing 20 faults in a module? – finding and fixing 100 faults ' ' ' ? • finding 100 could mean – you have better testing methods – OR • code is really bad • 100 were just the tip of the iceberg – software testing literature: • finding many errors early → probably find many more