Sesi 26 How To Secure An Application

This document discusses how to secure an application by addressing top security issues. It covers malware issues from 2017 and 2016, as well as a 2015 buffer overflow vulnerability. It then discusses the top attacks in 2017 and why software security is important since many devices and services rely on software. Failure can result in tangible and intangible losses, reputation damage, and productivity losses. The document identifies connectivity, extensibility, and complexity as common sources of software security problems. It provides statistics on software vulnerabilities and discusses taking a holistic viewpoint on software security.

Uploaded by

Abiyau Neo

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

24 views68 pages

Sesi 26 How To Secure An Application

Uploaded by

Abiyau Neo

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 68

How To Secure an

Application
Topik 26
Issues

•2017
–Malware
•2016
–Rumour: Old CMS Drupal was the cause of Panama Papers
leak
•2015
–CVE-2015-0235: GHOST: glibc gethostbyname buffer overflow
Top Attack 2017
Peta Software Security
Mengapa Software Penting?
•Berbagai perangkat / layanan bergantung pada software
–Perangkat bisnis (ATM, e-commerce)
–Alat komunikasi
–Peralatan medis
–Transportasi modern
–Peralatan elektronik rumah tangga
–…
Konsekuensi Kegagalan
•Kerugian tangible & intangible
•Reputasi rusak & kepercayaan customer hilang
•Berakibat fatal bila operasionalnya terganggu
•Kerugian produktivitas
Statistik Software Vulnerabilities
Sumber Masalah Keamanan Software

•Connectivity
–Software terhubung ke mana-mana
•Extensibility
–Software dapat diubah meskipun sudah dipasang dan digunakan
(deployed)
•Complexity
–Software semakin kompleks
nectivity
–Software terhubung ke mana-mana
•Extensibility
–Software dapat diubah meskipun sudah dipasang dan digunakan (deployed)
Extensibility
•Software dapat diubah meskipun sudah
dipasang dan digunakan (deployed)
•Diubah sambil jalan
•Fitur yang belum ada dapat
dikembangkan sambil jalan
•Autoupdate
•Applet, plug-in, …
•Trend ke depan (JAVA, .NET) makin bisa
dikembangkan
•Malicious extension bisa masuk ke sistem
Complexity Operating Year Lines Of
Software Semakin Kompleks System Codes
Windows 3.1 1990 3 milion
Windows NT 1996 4 milion
–Dihitung dari jumlah baris Windows 95 1997 15 milion
(Lines of Code) Windows NT 4.0 1998 16.5 milion

•Trennya akan makin terus Windows 98 1999 18 milion

Windows NT 2000 20 milion
naik 5.0/2K beta
–Semakin banyak jumlah Debian 2000 55 milion
GNU/Linux 2.2
baris:
Windows 2000 2000 35 milion
•makin meningkat potensi Windows XP 2001 40 milion
lubang keamanan Red Hat 7.1 2007 50 milion
•makin banyak insiden Windows Vista 2007 50 milion
Sudut Pandang Holistik
Layer
Disposal
Terima Kasih
Solving the Problem
Risk Management Framework
Software Security Tools
Software Security Knowledge
Pihak Yang Terlibat Dalam Software
Security
Software Security: When and Where
Kelemahan Umum Dalam SDLC
Start the Security Process
Software Engineering Evolution
Security Software Development Life Cycle
(SSDLC)
Security Framework: SD 3
Security Throughout Project Life Cycle
Security Requirement
Security Requirement

•How to describe
–Using natural language
–Using diagrams
•Assignment
–Create a security requirement for
•internet banking web-based application
•Sistem informasi kepegawaian
Secure Software Design

•Architectural Issues
–Jika disain arsitektur software sudah memiliki lubang
keamanan, maka implementasi tidak mengubah hal
tersebut.
–Analogi: bangunan yang didesain tanpa dinding di bagian
belakang
Design Review
Implementasi Secure Coding

•Menentukan hasil dari implementasi

–Analogi : Dinding yang dibangun dengan batu bata
(beton) akan berbeda dengan tripleks (bedeng)
–Ada beberapa tools yang dapat digunakan untuk menguji
(static analysis tools)
Risk Analysis
Penetration Testing
"Improving the Security of
Your Site by Breaking Into it”
(Dan Farmer/Wietse Venema, 1993)
http://www.fish.com/security/admin-guide-to-cracking.html
Blackbox vs Whitebox

•Tidak ada pengetahuan awal

•Diberi pengetahuan lengkap
mengenai sistem yang akan diuji. mengenai sistem yang akan diuji
•Penguji menentukan dulu lokasi •Mencari lubang keamanan
dan coverage target. dengan menelusuri program :
•Menguji berbasis input dan –Dengan source code
output saja –Identifikasi programming error
–Tanpa source code –Mencari kelemahan (algoritma
dan teknik implementasi)
–Memberikan input yang tidak
lazim
Top Software Security Flaws
Terima Kasih

Unit I
No ratings yet
Unit I
17 pages
Software Security Notes
No ratings yet
Software Security Notes
4 pages
Security in Software Applications: Fall 2020
No ratings yet
Security in Software Applications: Fall 2020
30 pages
w01s1 SecureSDLC1
No ratings yet
w01s1 SecureSDLC1
37 pages
Uplink Throughput Problem
No ratings yet
Uplink Throughput Problem
5 pages
Lecture 3
No ratings yet
Lecture 3
19 pages
3 IntroSoftSec
No ratings yet
3 IntroSoftSec
42 pages
02lect - Software Security
No ratings yet
02lect - Software Security
19 pages
Software Security Engineering A Guide For Project PDF
No ratings yet
Software Security Engineering A Guide For Project PDF
6 pages
Prakt 8 - Openssl Demo Encrypting Decrypting Files Using Both Symmetric and Asymmetric Encryption PDF
No ratings yet
Prakt 8 - Openssl Demo Encrypting Decrypting Files Using Both Symmetric and Asymmetric Encryption PDF
6 pages
Basic Security Control
No ratings yet
Basic Security Control
26 pages
Propagation Model Setting
No ratings yet
Propagation Model Setting
25 pages
Blackhat 2014 Briefings Presentation Exp CC Flaws Adityaks
No ratings yet
Blackhat 2014 Briefings Presentation Exp CC Flaws Adityaks
37 pages
Prakt 9 - DVWA
No ratings yet
Prakt 9 - DVWA
8 pages
RTBB 6 Pengelolaan Orbit Satelit
No ratings yet
RTBB 6 Pengelolaan Orbit Satelit
29 pages
How To Optimize Physical Layer Using Atoll
No ratings yet
How To Optimize Physical Layer Using Atoll
14 pages
Engpar LTE Telkomsel
No ratings yet
Engpar LTE Telkomsel
4 pages
Panduan DT GFR Before
No ratings yet
Panduan DT GFR Before
13 pages
Huawei TELKOMSEL CJ Roll Out 2013
No ratings yet
Huawei TELKOMSEL CJ Roll Out 2013
13 pages
IT Automation: The Definitive Guide to Mastering Infrastructure Automation, Scaling, and Future Trends
From Everand
IT Automation: The Definitive Guide to Mastering Infrastructure Automation, Scaling, and Future Trends
turki alkhwlani
3/5 (1)
Zig Programming: From Zero to Systems Master
From Everand
Zig Programming: From Zero to Systems Master
Niklas Hoffmann
No ratings yet
The CompTIA Network+ & Security+ Certification: 2 in 1 Book- Simplified Study Guide Eighth Edition (Exam N10-008) | The Complete Exam Prep with Practice Tests and Insider Tips & Tricks | Achieve a 98% Pass Rate on Your First Attempt!
From Everand
The CompTIA Network+ & Security+ Certification: 2 in 1 Book- Simplified Study Guide Eighth Edition (Exam N10-008) | The Complete Exam Prep with Practice Tests and Insider Tips & Tricks | Achieve a 98% Pass Rate on Your First Attempt!
Comptia Ace5
5/5 (1)
Linux Essentials for Hackers & Pentesters: Kali Linux Basics for Wireless Hacking, Penetration Testing, VPNs, Proxy Servers and Networking Commands
From Everand
Linux Essentials for Hackers & Pentesters: Kali Linux Basics for Wireless Hacking, Penetration Testing, VPNs, Proxy Servers and Networking Commands
Linux Advocate Team
No ratings yet
Learning Programming and Computer Science: 1, #1
From Everand
Learning Programming and Computer Science: 1, #1
MATHY WISDOM
No ratings yet
DENT Network Operating System in Practice: The Complete Guide for Developers and Engineers
From Everand
DENT Network Operating System in Practice: The Complete Guide for Developers and Engineers
William Smith
No ratings yet
Linux for Beginners: Linux Command Line, Linux Programming and Linux Operating System
From Everand
Linux for Beginners: Linux Command Line, Linux Programming and Linux Operating System
Steve Will
4.5/5 (3)
100-140 CCST-IT Study guide Cisco Certified Support Technician – IT Support
From Everand
100-140 CCST-IT Study guide Cisco Certified Support Technician – IT Support
Anand Vemula
No ratings yet
Rust for Network Programming and Automation: Learn to Design and Automate Networks, Performance Optimization, and Packet Analysis with low-level Rust
From Everand
Rust for Network Programming and Automation: Learn to Design and Automate Networks, Performance Optimization, and Packet Analysis with low-level Rust
Brian Anderson
No ratings yet
PHP Microservices
From Everand
PHP Microservices
Carlos Pérez Sánchez
3/5 (1)
Fundamentos de Seguridad de la Red
From Everand
Fundamentos de Seguridad de la Red
NUMA EDITORIAL
No ratings yet
Rust for Network Programming and Automation
From Everand
Rust for Network Programming and Automation
Brian Anderson
No ratings yet
Linux Interview Questions: Open Source Operating Systems Interview Questions, Answers, and Explanations
From Everand
Linux Interview Questions: Open Source Operating Systems Interview Questions, Answers, and Explanations
Equity Press
4.5/5 (2)
Study Guide 300-615 Dcit Troubleshooting Cisco Data Centre Infrastructure
From Everand
Study Guide 300-615 Dcit Troubleshooting Cisco Data Centre Infrastructure
Anand Vemula
No ratings yet
Cisco Network Administration Interview Questions: CISCO CCNA Certification Review
From Everand
Cisco Network Administration Interview Questions: CISCO CCNA Certification Review
equitypress
4.5/5 (6)
In Depth Security Vol. III: Proceedings of the DeepSec Conferences
From Everand
In Depth Security Vol. III: Proceedings of the DeepSec Conferences
BoD - Books on Demand
No ratings yet
Study Guide Cisco 300-915 DEVIOT Developing Solutions using Cisco IoT and Edge Platforms Exam
From Everand
Study Guide Cisco 300-915 DEVIOT Developing Solutions using Cisco IoT and Edge Platforms Exam
Anand Vemula
No ratings yet
Rust for Embedded Systems
From Everand
Rust for Embedded Systems
James Oakton
No ratings yet
Hack into your Friends Computer
From Everand
Hack into your Friends Computer
Magelan Cyber Security
No ratings yet
Security+ Boot Camp Study Guide
From Everand
Security+ Boot Camp Study Guide
Chad Russell
5/5 (1)
Linux Essentials for Hackers & Pentesters
From Everand
Linux Essentials for Hackers & Pentesters
Linux Advocate Team
No ratings yet
Windows Operating System Interview Questions and Answers
From Everand
Windows Operating System Interview Questions and Answers
Manish Soni
No ratings yet
Building Telephony Systems with OpenSER
From Everand
Building Telephony Systems with OpenSER
Goncalves Flavio E.
No ratings yet
Configuring IPCop Firewalls: Closing Borders with Open Source
From Everand
Configuring IPCop Firewalls: Closing Borders with Open Source
Barrie Dempster
No ratings yet
Expert Linux Development: Mastering System Calls, Filesystems, and Inter-Process Communication
From Everand
Expert Linux Development: Mastering System Calls, Filesystems, and Inter-Process Communication
Adam Jones
No ratings yet
All My IT Tech Posts
From Everand
All My IT Tech Posts
Stephen Edwards
No ratings yet
Daemon Architecture and Implementation: Definitive Reference for Developers and Engineers
From Everand
Daemon Architecture and Implementation: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Mastering Nikto: A Comprehensive Guide to Web Vulnerability Scanning: Security Books
From Everand
Mastering Nikto: A Comprehensive Guide to Web Vulnerability Scanning: Security Books
Erwin Dirks
No ratings yet
Cloud Infrastructure and Data Center
From Everand
Cloud Infrastructure and Data Center
Duong Tran
No ratings yet
Information Technology HandBook
From Everand
Information Technology HandBook
Duong Tran
3/5 (1)
Programming and Prototyping with Teensy Microcontrollers: Definitive Reference for Developers and Engineers
From Everand
Programming and Prototyping with Teensy Microcontrollers: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Raspberry Pi :The Ultimate Step by Step Raspberry Pi User Guide (The Updated Version )
From Everand
Raspberry Pi :The Ultimate Step by Step Raspberry Pi User Guide (The Updated Version )
Jason Scotts
4/5 (4)
Penetration Testing Fundamentals-2: Penetration Testing Study Guide To Breaking Into Systems
From Everand
Penetration Testing Fundamentals-2: Penetration Testing Study Guide To Breaking Into Systems
Devi Prasad
No ratings yet
Free Antivirus And Antimalware Software For Ubuntu & Linux Mint
From Everand
Free Antivirus And Antimalware Software For Ubuntu & Linux Mint
Cyber Jannah Studio
No ratings yet
Securing Application Deployment with Obfuscation and Code Signing: How to Create 3 Layers of Protection for .NET Release Build
From Everand
Securing Application Deployment with Obfuscation and Code Signing: How to Create 3 Layers of Protection for .NET Release Build
Slava Gomzin
No ratings yet
Evaluation of Some Intrusion Detection and Vulnerability Assessment Tools
From Everand
Evaluation of Some Intrusion Detection and Vulnerability Assessment Tools
Dr. Hedaya Mahmood Alasooly
No ratings yet
Security Engineering: CISSP, #3
From Everand
Security Engineering: CISSP, #3
Selwyn Classen
No ratings yet
CISA EXAM-Testing Concept-Firewall
From Everand
CISA EXAM-Testing Concept-Firewall
Hemang Doshi
2.5/5 (2)
A Practical Guide Wireshark Forensics
From Everand
A Practical Guide Wireshark Forensics
alasdair gilchrist
5/5 (4)
Design and Implementation with i.MX Processors: Definitive Reference for Developers and Engineers
From Everand
Design and Implementation with i.MX Processors: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Communication and Network Security: CISSP, #4
From Everand
Communication and Network Security: CISSP, #4
Selwyn Classen
No ratings yet
The Windows Command Line Beginner's Guide: Second Edition
From Everand
The Windows Command Line Beginner's Guide: Second Edition
Jonathan Moeller
4/5 (4)
Framework for SCADA Cybersecurity
From Everand
Framework for SCADA Cybersecurity
Richard Clark
5/5 (1)
Certified Ethical Hacker (CEH v12) Exam Preparation
From Everand
Certified Ethical Hacker (CEH v12) Exam Preparation
Georgio Daccache
No ratings yet
Information Technology 2016
From Everand
Information Technology 2016
Duong Tran
No ratings yet
.Net Framework and Programming in ASP.NET
From Everand
.Net Framework and Programming in ASP.NET
Priyanka Agarwal
No ratings yet
CCNA Exam Focus: Study Guide with Practice Tests
From Everand
CCNA Exam Focus: Study Guide with Practice Tests
SUJAN
No ratings yet
Footprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer Networks
From Everand
Footprinting, Reconnaissance, Scanning and Enumeration Techniques of Computer Networks
Dr. Hidaia Mahmood Alassouli
No ratings yet
CCSP - Certified Cloud Security Professional Exam Insights
From Everand
CCSP - Certified Cloud Security Professional Exam Insights
SUJAN
No ratings yet
Microsoft .NET Interview Questions: MS .NET Certification Review
From Everand
Microsoft .NET Interview Questions: MS .NET Certification Review
equitypress
No ratings yet
C# for Beginners: Learn in 24 Hours
From Everand
C# for Beginners: Learn in 24 Hours
Alex Nordeen
No ratings yet
SSL VPN : Understanding, evaluating and planning secure, web-based remote access
From Everand
SSL VPN : Understanding, evaluating and planning secure, web-based remote access
Tim Speed
No ratings yet

Sesi 26 How To Secure An Application

Uploaded by

Sesi 26 How To Secure An Application

Uploaded by

How To Secure an

•Trennya akan makin terus Windows 98 1999 18 milion

•Menentukan hasil dari implementasi

•Tidak ada pengetahuan awal

You might also like