Software, Security, and the Public Good

As engineers, our first and most important obligation is to serve the public good. The code that we write, impenetrable to most outside our industry, is finding its way deeper and deeper into people's everyday lives. We simply must create software that safeguards the public's trust, to the best of our abilities, yet for most of us, security is an afterthought. In this session, we'll learn to think like hackers while we learn how to mitigate harm and build applications that are safer and more resilient to attack.

Samantha Quiñones

May 24, 2017

Transcript

  1. Therac-25: What Went Wrong?
     - The software contained an integer overflow bug (CWE-190)
     - When an operator provided input during an overflow condition, the interlock failed
     - This failure could allow the 25 MeV beam to activate without the target and collimator
     - Patients received 100x the intended dose of radiation
     - Patients suffered severe radiation burns and poisoning
     - Three patients died
  2. Therac-25: What Could Have Helped?
     - Code review
     - Review of code reused from earlier models to test assumptions
     - Unit testing
     - Integration testing
     - Hardware interlocks
  3. Mars Climate Orbiter: What Went Wrong?
     - Launched 11 December 1998
     - On 15 September 1999, an orbital insertion maneuver was performed
     - Navigators had reported discrepancies between the reported and measured position
     - Approach would bring the probe to 150-170km altitude, possibly lower, rather than the expected 226km
     - On 23 September 1999, the probe occulted Mars and lost radio contact. Contact was never reestablished.
     - Postmortem found that one piece of ground software produced thrust values in pound-seconds (US Customary) rather than newton-seconds (SI)
  4. Volkswagen: What Went Wrong?
     - Engineers at VW developed code to detect emissions tests and alter engine behavior
     - This code was intentionally hidden and referred to as “acoustic condition”
  5. Heartbleed: What Went Wrong?
     - Improper input validation bug allows out-of-bounds memory access (CWE-135)
     - Exploitation of the heartbeat mechanism allows extracting secure information from vulnerable servers without authorization.
  6. Obligations to the Public
     - To take responsibility for our work.
     - To balance our interests with those of our clients, employers, and users.
     - To ship code we believe to be safe, tested, and built according to specifications.
     - To disclose actual or potential dangers to the user, the public, or the environment.
     - To avoid deception.
     - To consider the abilities of users and conditions of users.
     - To volunteer our skills to good causes and contribute to public education.
  7. Obligations to our Clients & Employers
     - To be honest about our areas of competence.
     - To honor software licenses.
     - To honor the property and secrets of the client or employer.
     - To disclose the likelihood of failure, cost overrun, violation of law, or damage.
     - To identify and disclose issues of social concern.
     - To not work against the interests of the client or employer, unless ethics are being compromised.
  8. Obligations to the Product
     - To balance quality, cost, and schedule while clearly communicating trade-offs.
     - To identify and disclose economic, ethical, cultural, environmental, and legal issues.
     - To employ methods appropriate to the task at hand.
     - To understand the specifications of the product.
     - To test, debug, review, and document all code.
     - To collect, store, and use only data that has been derived by ethical means.
     - To maintain what we build.
  9. Obligations to Our Colleagues
     - To develop a professional environment and culture that encourages acting ethically.
     - To promote public knowledge and education of software engineering.
     - To participate in professional organizations, meetings, conferences, and publications.
     - To communicate one’s obligations to one’s employers and clients.
     - To assist others in their professional development.
     - To give credit to the work of others.
  10. Obligations to Ourselves
      - To develop our technical, management, and interpersonal skills continuously.
      - To advocate for our users in an honest and thoughtful way.
      - To share our knowledge and experience freely.
      - To recognize our prejudices and not give unfair treatment because of them.
  11. Let’s Get Practical
      - Commit the OWASP Top 10 to heart (https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)
      - Embrace the CWE (https://cwe.mitre.org/index.html)
      - Give better code reviews
      - Demand better code reviews
      - Become the local expert on compliance/security/testing/debugging
      - Discover and honor your ethical boundaries
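
The improper input validation from slide 5 is the kind of defect the code reviews in slide 11 are meant to catch. This added example is not code from the talk or from any TLS library. It shows the length check a heartbeat handler needs, assuming the RFC 6520 message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); all function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Constructed samples (not captured traffic); HB_LIE claims 0x4000 bytes. */
static const uint8_t HB_OK[23]  = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_LIE[23] = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};

/* Bytes a handler that trusts the length field would read past the record.
 * Only computes the size; never touches memory outside rec. */
size_t hb_overread_if_trusted(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t avail = rec_len - HB_HEADER;
    return claimed > avail ? claimed - avail : 0;
}

/* Hardened handler: check the claimed length against what actually arrived
 * before copying. Returns the response length, or -1 to discard. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                       /* too short or not a request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HB_HEADER - HB_PADDING)
        return -1;                       /* length field exceeds the record */
    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return -1;                       /* caller's buffer is too small */
    out[0] = HB_RESPONSE;
    memcpy(out + 1, rec + 1, 2 + claimed);             /* length field + payload */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);  /* zeros here; TLS uses random padding */
    return (long)resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("ok=%ld lie=%ld\n", hb_build_response(HB_OK, sizeof HB_OK, out, sizeof out),
           hb_build_response(HB_LIE, sizeof HB_LIE, out, sizeof out));
    return 0;
}
```

The two sample records are identical on the wire except for the length field, which is why the check compares that field against the size of the received record.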