《【精编】软件安全基础课件》由会员分享,可在线阅读,更多相关《【精编】软件安全基础课件(49页珍藏版)》请在金锄头文库上搜索。
1、Fortify Software Inc 第1页 Know your code Trust your code 软件安全基础 Develop Security Software 主讲人 王 宏 Fortify Software Inc 第2页 Know your code Trust your code 主 题 基本概念 软件安全的重要性 分析软件安全越来越严重的原因和根源 解决软件安全问题的措施和方法 Fortify Software Inc 第3页 Know your code Trust your code 基本概念 软件安全的定义 在软件受到恶意的攻击下 软件 能够正常运行 功能 性能
2、 软件安全课题 了解产生软件安全的风险并怎样去 管理他们 Building secure software designing software to be secure make sure that software is secure educating software developers architects and users about how to build security in Fortify Software Inc 第4页 Know your code Trust your code 软件安全的重要性 信息安全的期望 信息安全的现状 软件安全漏洞的发展趋势 传统解决信
3、息安全的努力和投资方向 软件安全在信息安全中的重要地位 Fortify Software Inc 第5页 Know your code Trust your code 信息安全的期望 在原理上 我们花更多钱去降低的安全事件和安全利用 以 此来帮助我们 保护我们的业务不会被恶义的家伙破坏 限制责任和义务 满足法规和标准 避免对公司品牌和声誉造成破坏 info sec spending incidents exploits Fortify Software Inc 第6页 Know your code Trust your code 然而在事实上 我们每年都花了数百万的资金在信息安全 上 但是效果
4、并不如意 我们遭遇的安全问题越来越多 info sec spending 17B impact 40B breaches grow dramatically seriously impacting uptime regulatory compliance liability brand and reputation 信息安全的现状 Fortify Software Inc 第7页 Know your code Trust your code 分析机构的最近统计 In 2004 average time from vulnerability announcement to 1st attack
5、5 8 days 99 days 2003 532 increase in CERT incidents reported 2000 2003 43 report an increase in e crimes and intrusions versus previous year On average 48 new vulnerabilities per week were disclosed in 1H04These four factoids are just a sampling of results found by the FBI Carnegie Mellon s SEI CER
6、T Coordination Center an industry body that focuses on alerting corporations of security vulnerabilities and Symantec in its 5th Internet Security Threat Report Jan June 2004 Fortify Software Inc 第8页 Know your code Trust your code 软件安全漏洞的发展趋势 Fortify Software Inc 第9页 Know your code Trust your code C
7、ERT 2006年的报告 Fortify Software Inc 第10页 Know your code Trust your code 我们的钱花在哪儿 去了 为什么我们的安全 工作毫无效果 Why Fortify Software Inc 第11页 Know your code Trust your code 传统信息安全的方法和投资 方向 Fortify Software Inc 第12页 Know your code Trust your code The experts are telling us we have a SOFTWARE problem Over 70 of sec
8、urity vulnerabilities exist at the application layer not the network layer It s not just operating systems or web browsers but all types of applications particularly applications that automate key business processes Gartner Group 2004 软件安全在信息安全中的重要地位 Fortify Software Inc 第13页 Know your code Trust yo
9、ur code 结 论 目前我们信息安全的主要问题是 应用软件安全问题 Fortify Software Inc 第14页 Know your code Trust your code 软件安全越来越严重的原因 为什么软件安全问题日益增长 黑客攻击方式的进化 传统的分层保护方案减轻系统的风险 为什么传统的基于网络的方案不工作 黑客可直接利用软件的弱点达到攻击系统 演示如何通过攻击软件达到窃取商业信息和破坏应用系 统 软件必须保护它们自己 传统学校关于安全技术的教育 软件补丁和软件安全攻击的关系 软件安全的根源问题 Fortify Software Inc 第15页 Know your code
10、 Trust your code 为什么软件安全问题增长 Connectivity 互联性 Extensibility 延展性 Complexity 复杂性 Fortify Software Inc 第16页 Know your code Trust your code 为什么软件安全问题变得 如此困难 Connectivity The Internet is everywhere and most software is on it Complexity Networked distributed mobile code is hard Extensibility Systems evolv
11、e in unexpected ways and are changed on the fly This simple interface is this complex program NET The network is the computer Fortify Software Inc 第17页 Know your code Trust your code 19801985199019952000 黑客攻击方式的进化 Password Guessing Self Replicating Code Password Cracking Exploiting Known Vulnerabili
12、ties Burglaries Hijacking Sessions Networked Management Diagnosis GUI Automated Probes Scans www Attacks Distributed Attack Tools Staged Attack Attack Sophistication Intruder Knowledge LOW HIGH 19801985199019952000 Disabling Audits Back Doors Sweepers Sniffers Packet Spoofing Denial of Service Steal
13、th Advanced Scanning Techniques Cross Site Scripting Fortify Software Inc 第18页 Know your code Trust your code 传统的 加层 保护方案 Hackers Worms Viruses Malicious Insiders Traditional network perimeter defenses Critical Software Automation Of Key Operational Processes Fortify Software Inc 第19页 Know your code
14、 Trust your code 软件的应用因为业务和功能的需要必须 打破传统的保护层 直接与外面的系统交互 Web Facing Applications Legacy App Integration Connectivity w Partners Suppliers Outsourcing Employee Self Service Fortify Software Inc 第20页 Know your code Trust your code 为什么传统的基于网络方案不工作 Key Network Web Restrict Access Firewall Everyone has acc
15、ess Authenticate users Windows Unix auth HTTP has WEAK authentication Monitor for attacks IDS IPS Critical traffic is in SSL Tunnel Track users state User of TCP IP connections HTTP is stateless Block known attacks IPS Self defending networks Web attacks are extremely hard to distinguish from normal
16、 activity Fortify Software Inc 第21页 Know your code Trust your code InternetDMZ Trusted Inside Corporate Inside HTTP S IMAP FTP SSH TELNET POP3 Firewall only allows PORT 80 or 443 SSL traffic from the Internet to the web server Any Web Server 80 Firewall only allows applications on the web server to talk to application server Firewall only allows application server to talk to database server IIS SunOne Apache ASP NET WebSphere Java SQL Oracle DB2 Fortify Software Inc 第22页 Know your code Trust you
