Secure Software Notes

The document outlines the curriculum for CB3591, focusing on engineering secure software systems across five units. Key topics include the need for software security, secure software design, security risk management, security testing methodologies, and secure project management. It emphasizes the importance of integrating security throughout the software development life cycle and provides detailed insights into various testing techniques and tools for identifying vulnerabilities.

Uploaded by

Mohana Priya

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

42 views4 pages

Secure Software Notes

Uploaded by

Mohana Priya

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

You are on page 1/ 4

CB3591 – ENGINEERING SECURE SOFTWARE SYSTEMS

UNIT I – NEED OF SOFTWARE SECURITY AND LOW-LEVEL

ATTACKS
[Detailed notes for Unit I included previously]

UNIT II – SECURE SOFTWARE DESIGN

[Detailed notes for Unit II included previously]

UNIT III – SECURITY RISK MANAGEMENT

[Detailed notes for Unit III included previously]

UNIT IV – SECURITY TESTING

1. Traditional Software Testing vs. Security Testing
Traditional Software Testing: - Focuses on functional correctness,
performance, usability, and reliability. - Uses test cases derived from
specifications. - Techniques include unit testing, integration testing, system
testing, regression testing.
Security Testing: - Focuses on verifying the confidentiality, integrity, and
availability of software. - Aims to identify vulnerabilities and security
weaknesses. - Involves negative testing, threat modeling, fuzz testing, and
penetration testing.
Comparison: | Aspect | Traditional Testing | Security Testing | |——–|
———————-|——————| | Objective | Functional correctness |
Vulnerability detection | | Inputs | Requirements/specs | Threat models,
attack surfaces | | Techniques | Unit, regression | Fuzzing, pen-testing | |
Tools | JUnit, Selenium | OWASP ZAP, Metasploit |

2. Secure Software Development Life Cycle (SSDLC)

SSDLC integrates security at each phase of the traditional SDLC:
1. Requirements: Define security requirements alongside functional
ones.
2. Design: Use threat modeling and secure architecture principles.
3. Implementation: Follow secure coding guidelines.
4. Testing: Conduct static and dynamic analysis.
5. Deployment: Ensure secure configuration and monitoring.
6. Maintenance: Regular patching and vulnerability management.
Frameworks: - Microsoft SDL - OWASP SAMM - BSIMM (Building Security In
Maturity Model)

3. Risk-Based Security Testing

Definition: Testing focused on areas with the highest security risks.
Process: - Identify risk assets (data, services) - Perform threat modeling -
Prioritize based on likelihood and impact - Design targeted tests for high-risk
areas
Benefits: - Efficient resource allocation - Maximized vulnerability detection
in critical areas

4. Prioritizing Security Testing with Threat Modeling

Threat Modeling: - Structured approach to identify, enumerate, and
prioritize potential threats
Popular Models: - STRIDE (Spoofing, Tampering, Repudiation, Information
Disclosure, Denial of Service, Elevation of Privilege) - DREAD (Damage,
Reproducibility, Exploitability, Affected users, Discoverability) - Attack Trees
Integration: - Incorporate into design reviews - Drive test case generation
for critical threats

5. Penetration Testing
Definition: Simulated cyber attack on a system to identify exploitable
vulnerabilities.
Types: - Black-box: No prior knowledge of system - White-box: Full
knowledge of system architecture - Gray-box: Partial knowledge
Phases: 1. Planning and Scoping 2. Information Gathering
(Enumeration) 3. Vulnerability Analysis 4. Exploitation 5. Post-
Exploitation 6. Reporting
6. Planning and Scoping
 Define rules of engagement (what can and can’t be tested)
 Identify goals (e.g., gain admin access, extract data)
 Agree on timelines and success criteria

7. Enumeration
 Process of extracting detailed system information
 Includes user accounts, network shares, open ports
Tools: - Nmap - Netcat - SNMPwalk

8. Remote Exploitation
 Attacks initiated from remote machines to exploit networked systems
Examples: - Exploiting buffer overflows in network services - Brute force
attacks against login portals
Tools: - Metasploit - Hydra

9. Web Application Exploitation

 Targeting vulnerabilities in web apps (OWASP Top 10)
Common Vulnerabilities: - SQL Injection - Cross Site Scripting (XSS) -
Cross Site Request Forgery (CSRF)
Testing Tools: - OWASP ZAP - Burp Suite - Nikto

10. Exploits and Client-Side Attacks

Client-Side Exploits: - Targeting browser or local software (e.g., Adobe
Flash, PDF Readers) - Delivered via phishing emails, malicious links
Examples: - Drive-by downloads - Malicious JavaScript execution
Defense Techniques: - Browser sandboxing - Disabling unnecessary
plugins

11. Post-Exploitation
Goals: - Escalate privileges - Maintain persistence - Extract sensitive data -
Move laterally within network
Techniques: - Credential harvesting - Creating backdoors - Privilege
escalation

12. Bypassing Firewalls and Avoiding Detection

Evasion Techniques: - Port spoofing and tunneling - Encrypted payloads -
Using stealthy traffic patterns
Detection Avoidance: - Disabling antivirus - Manipulating logs - Using
known trusted processes

13. Tools for Penetration Testing

Tool Purpose
Nmap Network discovery & port
scanning
Metasploit Exploitation framework
Wireshark Packet analysis
Nikto Web vulnerability scanning
OWASP ZAP Web app penetration testing
Hydra Password brute-forcing
Burp Suite Intercepting proxy for web
attacks
John the Ripper Password cracking

UNIT V – SECURE PROJECT MANAGEMENT

[Placeholder for next update]

Software Security
No ratings yet
Software Security
5 pages
Mastering Web App Security - VAPT Techniques
No ratings yet
Mastering Web App Security - VAPT Techniques
8 pages
Honours IA2 - Exam - Notes
No ratings yet
Honours IA2 - Exam - Notes
9 pages
Esss - Unit 2
No ratings yet
Esss - Unit 2
46 pages
ESSS
No ratings yet
ESSS
3 pages
Ess
No ratings yet
Ess
3 pages
CompTIA Security+ Exam Guide
No ratings yet
CompTIA Security+ Exam Guide
11 pages
ST Unit-5 Full Notes
No ratings yet
ST Unit-5 Full Notes
27 pages
General SIEM Q
No ratings yet
General SIEM Q
12 pages
Application Security
No ratings yet
Application Security
6 pages
Unit 2
No ratings yet
Unit 2
17 pages
Unit 2 Notes
No ratings yet
Unit 2 Notes
18 pages
ML59 Netriders
No ratings yet
ML59 Netriders
41 pages
Cysa+ Cs0-002 Exam Topics Notes: 1.0 Threat and Vulnerability Management
50% (2)
Cysa+ Cs0-002 Exam Topics Notes: 1.0 Threat and Vulnerability Management
14 pages
Unit-2-Notes WAS
No ratings yet
Unit-2-Notes WAS
18 pages
Key Topics in Secure Software Design 2
No ratings yet
Key Topics in Secure Software Design 2
5 pages
Phases of SSDLC in Agile
No ratings yet
Phases of SSDLC in Agile
8 pages
Ess Unit 4
No ratings yet
Ess Unit 4
23 pages
Secure Software Notes
No ratings yet
Secure Software Notes
4 pages
CISSP Domain 6: Security Testing
No ratings yet
CISSP Domain 6: Security Testing
11 pages
Secure Software Notes
No ratings yet
Secure Software Notes
4 pages
TwishaAhuja 16010421129 Exp8
No ratings yet
TwishaAhuja 16010421129 Exp8
9 pages
3 IntroSoftSec
No ratings yet
3 IntroSoftSec
42 pages
CISSP Cheat Sheet
No ratings yet
CISSP Cheat Sheet
2 pages
Lecture3 SSD Israfil
No ratings yet
Lecture3 SSD Israfil
40 pages
CISSP Exam Insights: Simplified Guide
100% (4)
CISSP Exam Insights: Simplified Guide
76 pages
Cissp Domain 6
No ratings yet
Cissp Domain 6
9 pages
Udemy CSSLP Domain 2 Text
No ratings yet
Udemy CSSLP Domain 2 Text
23 pages
Software Application Security Unit Outline
No ratings yet
Software Application Security Unit Outline
3 pages
Certified Application Security Course
No ratings yet
Certified Application Security Course
3 pages
App Security
No ratings yet
App Security
5 pages
Security Testing
No ratings yet
Security Testing
28 pages
Chap 3 Software Security Fundamentals and Best Practices
No ratings yet
Chap 3 Software Security Fundamentals and Best Practices
38 pages
Exam Summary SIO
No ratings yet
Exam Summary SIO
10 pages
Secure Software Notes
No ratings yet
Secure Software Notes
4 pages
Study
No ratings yet
Study
25 pages
CISSP Program Overview
No ratings yet
CISSP Program Overview
18 pages
CSWAE Version2
No ratings yet
CSWAE Version2
9 pages
Engineering Secure Software Systems
No ratings yet
Engineering Secure Software Systems
3 pages
Is - QB
No ratings yet
Is - QB
19 pages
Document 2
No ratings yet
Document 2
5 pages
Reviewer
No ratings yet
Reviewer
3 pages
Software Security Essentials
No ratings yet
Software Security Essentials
19 pages
Fundamentals of Cybersecurity Syllabus
No ratings yet
Fundamentals of Cybersecurity Syllabus
8 pages
CyberSecurity 3days 2025
No ratings yet
CyberSecurity 3days 2025
10 pages
SW Security Course GuideBook - 2017, Semester I
No ratings yet
SW Security Course GuideBook - 2017, Semester I
5 pages
D487 Vocab Review
No ratings yet
D487 Vocab Review
7 pages
Secure Coding Practices - AbdulMalik
No ratings yet
Secure Coding Practices - AbdulMalik
8 pages
8 SDLC - Class
No ratings yet
8 SDLC - Class
15 pages
Security Testing
No ratings yet
Security Testing
6 pages
Is Course File
No ratings yet
Is Course File
27 pages
Malware Project
No ratings yet
Malware Project
18 pages
Syllabus - Cyber Security
No ratings yet
Syllabus - Cyber Security
6 pages
Example
No ratings yet
Example
9 pages
Bellla, Biba
No ratings yet
Bellla, Biba
12 pages
Unit 4 Soft
No ratings yet
Unit 4 Soft
13 pages
Unit 1 ESSS
No ratings yet
Unit 1 ESSS
34 pages
SDN PPT1
No ratings yet
SDN PPT1
29 pages
NLP AU Ques
No ratings yet
NLP AU Ques
4 pages
CS460/IT632 Natural Language Processing/Language Technology For The Web
No ratings yet
CS460/IT632 Natural Language Processing/Language Technology For The Web
11 pages
Secure Software Notes
No ratings yet
Secure Software Notes
3 pages
FDSA Unit - 2
No ratings yet
FDSA Unit - 2
142 pages
DC Notes 2
No ratings yet
DC Notes 2
15 pages
NLP Unit5 Discourse and Lexical Resources Elaborated
No ratings yet
NLP Unit5 Discourse and Lexical Resources Elaborated
4 pages
File Handling
No ratings yet
File Handling
13 pages
Secure Software Notes
No ratings yet
Secure Software Notes
4 pages
FDS Unit - 5
No ratings yet
FDS Unit - 5
26 pages
FDS Unit - 5
No ratings yet
FDS Unit - 5
10 pages
FDS Unit - 5
No ratings yet
FDS Unit - 5
17 pages
FDS Unit - 5
No ratings yet
FDS Unit - 5
16 pages
FDS Unit - 5
No ratings yet
FDS Unit - 5
13 pages
Background Processing (Global Script) : Sitrain
No ratings yet
Background Processing (Global Script) : Sitrain
9 pages
Trendline Torys
100% (1)
Trendline Torys
10 pages
CBLM Interpret Technical Drawing
100% (1)
CBLM Interpret Technical Drawing
24 pages
Jawaban It Essential Chapter1-6
No ratings yet
Jawaban It Essential Chapter1-6
11 pages
CS 352: Computer Systems Architecture
No ratings yet
CS 352: Computer Systems Architecture
23 pages
IP Camera Setup Guide
No ratings yet
IP Camera Setup Guide
24 pages
Carroll 2002
No ratings yet
Carroll 2002
5 pages
ARM 3-Stage Pipeline Overview
No ratings yet
ARM 3-Stage Pipeline Overview
25 pages
9661 VUHF Ground Radio Family 6137
0% (1)
9661 VUHF Ground Radio Family 6137
2 pages
Optical Encoder
100% (1)
Optical Encoder
5 pages
Web Development for Beginners
No ratings yet
Web Development for Beginners
4 pages
Data Comm and Networking 3 Midterm Quiz 2
No ratings yet
Data Comm and Networking 3 Midterm Quiz 2
2 pages
PCI Express 1x, 4x, 8x, 16x Bus Pinout Diagram @
No ratings yet
PCI Express 1x, 4x, 8x, 16x Bus Pinout Diagram @
1 page
Quick Installation Guide: Super G™ Wireless Access Point
No ratings yet
Quick Installation Guide: Super G™ Wireless Access Point
17 pages
10 - 20R110 - Device Control Module
No ratings yet
10 - 20R110 - Device Control Module
28 pages
Internship Report
No ratings yet
Internship Report
14 pages
Transaction and Master Files
No ratings yet
Transaction and Master Files
5 pages
3.2-Variables in OutSystems
No ratings yet
3.2-Variables in OutSystems
12 pages
Kalman Filter for PMSM Estimation
No ratings yet
Kalman Filter for PMSM Estimation
7 pages
Micro Project Proposal and Report Format - 19-20
No ratings yet
Micro Project Proposal and Report Format - 19-20
3 pages
Isuzu OBD II Diagnostic Interface Pinout
100% (1)
Isuzu OBD II Diagnostic Interface Pinout
6 pages
Industrial Fiber Optic Converters
No ratings yet
Industrial Fiber Optic Converters
4 pages
Safety At175 - en P
No ratings yet
Safety At175 - en P
32 pages
S SMK55
No ratings yet
S SMK55
2 pages
Amazon Login Automation Using Selenium Webdriver
No ratings yet
Amazon Login Automation Using Selenium Webdriver
9 pages
Tech-Savvy Computer Technician CV
No ratings yet
Tech-Savvy Computer Technician CV
3 pages
ELE8311 - Module 1 - Introduction
No ratings yet
ELE8311 - Module 1 - Introduction
5 pages
Case Study Atm
100% (1)
Case Study Atm
16 pages
Keil Setup For STM32F4-Discovery
No ratings yet
Keil Setup For STM32F4-Discovery
3 pages
Slidesgo Mastering PHP An Introduction To Features Data Types Syntax and More 20240907175620IrVi
No ratings yet
Slidesgo Mastering PHP An Introduction To Features Data Types Syntax and More 20240907175620IrVi
14 pages