Secure Programming Lecture 1: Introduction

Pointers for references in slides

Recent high-profile vulnerabilities

Exercise: find articles and read about these examples mentioned in the lecture:

2018: Meltdown and Spectre
2016: Dyn DDoS and Mirai
2015: OPM, TalkTalk
2014: Heartbleed, Shellshock

Try to find out more about the underlying technical issues in each case.

Cost of cyber crime

The 2007 US Government report estimated a cost of $105bn pa to US
The 2011 UK Government report, which suggested a cost of £27bn pa to UK.
It was criticised for being overblown. The 2013 evidence-based review estimated “several billions”.
Since then, widely-publicised bugs like Heartbleed and the TalkTalk breach have brought the issue to the fore and more recent estimates are higher again.

Ransomware

The CryptoLocker ransomware and copies of it infected PCs at the end of 2013. It uses vulnerabilities in Java and PDF plugins.

Stuxnet

Stuxnet (2010) was the first example of cyber physical warfare made public. Designed to thwart Iran’s nuclear enrichment programme, in 2013, it was reported that Stuxnet also infected Russian facilities

German Steel Mill

In 2014, reportedly the second cyber-physical damage from an attack occured in a German steel mill blast furnace. The attack used booby-trapped emails.

Ukranian power cut (not mentioned in slides)

In December 2015, Ukranian power outages were alleged to have been caused by cyber attack using phishing emails. This is another example of cyber attacks having physical impact. See the BBC report.

Massive DDoS attacks on Dyn

In October 2016, the largest known DDoS attack so far occurred on the domain name provider Dyn which used an estimated 10,000 compromised devices and resulted in cyber outages for high-profile sites such as Twitter, CNN, Netflix. Most of the traffic came from Mirai, an IoT botnet whose source code was later released on Github.

Responsibility for insecure software

See the Microsoft licensing terms for their EULAs. Most manufacturers (and open source vendors) have similar (usually worse) terms, of course.
Bad Code: Should Software Makers Pay? in New Republic magazine, October 2013.
David Rice. Geekonomics: The Real Cost of Insecure Software, Addison-Wesley, 2007. Read an interview with the author on SANS.

Recommended reference reading: older books

J. Viega and G. McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, 2001.

One of the first books on the topic of Secure Programming. Still useful to understand some of the principles, although details are not current.

M. Howard and D. LeBlanc. Writing Secure Code. Microsoft Press, second edition, 2003.

Another early book; this one focuses on Windows. Again highly influential and useful for reference, but not up-to-date for current use. More recent titles are available from the Microsoft Press.

Recommended reference reading: newer books

B. Chess and J. West. Secure Programming with Static Analysis. Addison-Wesley, 2007.

This book introduces ideas behind static analysis tools for detecting security flaws. Written by the founders of Fortify, now a part of HP.

M. Dowd, J. McDonald and J. Schuh. The Art of Software Security Assessment. Addison-Wesley 2007.

A lengthy book with detailed guidance on code reviewing for secure programming.

David Basin, Patrick Schaller, Michael Schlapfer. Applied Information Security: A Hands-on Approach. Springer, 2011.

A short practical introduction using Linux VMs to demonstrate some attacks and defences.

Fred Long et al. The CERT Oracle Secure Coding Standard for Java, Addison-Wesley, 2012.

A set of guidelines for Java. Some need to be enforced by design and code reviews; others might be enforced automatically by tools.

CERT also provide a shorter book Java Coding Guidelines: 75 Recommendations … as well as books giving coding standards for C and C++.

Some online resources

OWASP, the web application security project is one of the best places to find out about software security.
The CERT secure coding website provides online versions of the CERT coding standards, which are developed in a Wiki.
SANS, a security training organisation, provides some useful resource including some material on secure programming.

Home : Teaching : Courses : Sp : 2017

Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Tel: +44 131 651 5661, Fax: +44 131 651 1426, E-mail: school-office@inf.ed.ac.uk
Please contact our webadmin with any comments or corrections. Logging and Cookies
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh