Bad Software
![Page 1: Bad Software](https://reader030.fdocuments.in/reader030/viewer/2022021322/577dab161a28ab223f8be6ac/html5/thumbnails/1.jpg)
8/14/2019 Bad Software
http://slidepdf.com/reader/full/bad-software 1/56
Bad Software
Greg Hoglund
CTO, Cenzic, [email protected]
What is Bad Software?
• Software that exposes confidential data to un-authenticated users
• Software which crashes or grinds to a halt when exposed to faulty inputs
• Software which allows an attacker to inject code and execute it
• Software which executes privileged commands for an attacker
Denver Airport Baggage
• Unmanned carts on a track
• Bad failure recovery/detection
– Piles of fallen bags would not stop the unloaders
• Carts got out of sync
– Full carts continue to get loaded
– Empty carts get unloaded
• Delayed airport opening for 11 months – $1 million dollars a day in cost due to interest bond issues
The last photo taken by the Mars Lander before it plunged to its death.
** This photo was found on the Internet. It has not been independently verified.
NASA Mars Lander
• Failed translation
– English units into metric units
– Major error in spacecraft's path as it approached Mars
• Crashed into the planet
– Shut off descent engines prematurely
• Taxpayer cost: $165 Million
4 Marines Killed
• MV-22 Osprey Helicopter Crash
• Burst hydraulic failure
• Software caused backup system to fail
Do these look alike?
Navy shoots down Civilian Airliner
• In 1988, the USS Vincennes shoots down Airbus 320
• 290 human lives lost
• "cryptic and misleading output displayed by the tracking software"
Microsoft’s $8.5 billion mistake
• I LOVE YOU was only possible because Microsoft Outlook was designed to execute programs that were mailed to it.
Why we have Bad Software
• Networked Software is not designed to withstand a hostile environment
• Development tools do not prevent simple security bugs (e.g., buffer overflows)
• QA Testing methods do not address security
• Customers pay for bad software
Getting Worse
• In order to compete, new services must be delivered
• New technology is not being properly tested for failures
• More connections, devices, and code
More Devices
What happens when buffer overflows and poor access controls lead to mobile code attacks on cellular phones?
Mobile code can affect distributed systems in a matter of hours
More Connections
• New protocols, delivery mediums
• A high degree of connectivity makes it possible for small failures to propagate and lead to massive outages
– Telephone network outages
– Power system grid failures
More Code
• Technology is being 'glued' together
• More feature rich, more drivers and libraries
– In 1983, Microsoft Word was only 27,000 LOC
Code Size (lines of code):
  Solaris 7        400,000
  Netscape         17 million
  Space Station    40 million
  Space Shuttle    10 million
  Boeing 777       7 million
  NT5              35 million
  Windows 95       under 5 million
  Linux            1.5 million
More Exposure
• Massive increase in connectivity
• A vast network of relationships
– Arpanet started with 12 nodes
• Machines that used to work behind closed doors are now exposed
– Computers are now worn on belt-loops
5 Million Backdoors
• 5 – 50 bugs per 1000 lines of code [Voas/McGraw]*
3000 EXEs
1 LOC ~ 10 bytes; ~100K per EXE = 10,000 LOC / EXE
5 bugs / 1000 LOC = 50 bugs / EXE
50 bugs / EXE × 3000 EXEs = 150,000 bugs / host
× 30,000 hosts = 4.5 billion bugs
4.5 billion × 10% = 500 million security bugs
500 million × 10% = 5 million remote security bugs
Software is always in the "bleeding edge" phase
• Windows 2000 shipped with 63,000 known bugs
Software sucks because you buy it
• Yes, YOU the CONSUMER play a part in demanding bad software
• To demand new features in a very short time frame creates a time-to-market problem for reliable software
– Will you wait two years for the features you want?
– Will you pay 10-times as much to get those features?
Deja Vu
• The same software bugs just keep hanging around
– We knew about buffer overflows 15 years ago
• We are slow to adopt ideas
– When will customers hold vendors liable for buffer overflows?
– Is it reasonable to accept buffer overflows in production code?
Other Industries Get Sued
• Software shops gather around to defer bugs, decide which ones to 'patch later', and which ones to ignore
• In other industries, safety flaws that are not corrected result in major class-action suits
How come vendors don't fix this stuff?
• They can afford not to!
• Hardware is expensive to replace – so huge investments are placed into testing hardware prior to release
– Intel F00F bug cost $500 million
• Software bugs can be patched and downloaded from a web-site
– They pass the cost of a bug to the customer
Software is not a Steel Bridge
• The methods used for testing in traditional analog systems do not apply to software
• With a bridge, you extrapolate results
– What happens in between a 1000 kg test and a 10,000 kg test?
– The system is continuous
– State changes are gradual and predictable
Discrete systems
• State changes are not predictable
• Numbers can change between 00001111 and 11110000 in an instant
Let the compiler do the Diagnostics
• If programmers had to book time on the mainframe two weeks in advance, they would invest countless hours checking their work
• Code hackers today just bounce code off the compiler until all the errors go away
– This puts the responsibility of "code review" on the compiler
Form follows Failure
• Sub-synchronous resonance in power systems
– The addition of series AC capacitors in high energy power systems increases electrical stability
– However, due to line inductance, the capacitors create electrical oscillations that affect the mechanical generator
• Mohave Generating Station, Southern Nevada, 1971
– This snapped the drive shaft on a generator twice before it was properly diagnosed
– This phenomenon is now a serious consideration in any power system design
How to Fix Bad Software
• Better compilers and languages
– More formal, more tractable
• Failure analysis and fault-injection
• Hold vendors liable
• Stop buying it
Security Testing
Security testing requires attacking the software.
The software should be tested for the unexpected and the unknown.
Software will never be placed or deployed into a trusted or predictable environment.
The Missing Leg of Software Reliability
[Figure: Reliability resting on three legs: Functional, Performance, and Security]
Traditional QA testing methods have never addressed security. Software systems cannot be reliable unless they are secure.
Security Testing History
• Attack and Pen
• Source Code Review
• Network Scanning
• Fault Injection
• Full Disclosure
Fault Injection
• Source code changes require recompile
• Binary instrumentation requires host agent
• API input testing requires test harness
• Network input testing requires additional network node
Black Box
• Can be automated
• Can easily find ‘low hanging fruit’
• Automated Tools:
– ISICS
– Spike
– Hailstorm™
– PROTOS
MSQL Overflow with Spike
s_binary("12 01 00 34 00 00 00 00 00 00 15 00 06 01 00 1b");
s_binary("00 01 02 00 1c 00 0c 03 00 28 00 04 ff 08 00 02");
//this is probably a length field
s_binary("10 00 00 00");
//make this big
s_string_variable("MSSQLServer");
s_binary("00 24 01 00 00");
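The Spike script above is a block-based template: fixed bytes, a length field, and one variable string that the fuzzer grows. The following added example (not from the slides and not Spike's own code) re-implements that idea in Python for a constructed toy protocol, with a constructed stand-in receiver that has a fixed 64-byte buffer, so the whole fault-injection loop (build template, mutate the variable block, deliver, watch for a crash) runs offline. The `FuzzTemplate`, `toy_receiver`, `hello_template` and `find_failures` names and the protocol layout are all assumptions of the example.

```python
import struct


class FuzzTemplate:
    """Block-based packet template in the spirit of Spike's s_binary /
    s_string_variable calls. Hypothetical re-implementation for illustration,
    not Spike's own API."""

    def __init__(self):
        self.parts = []  # ("bin", bytes) | ("size", name, fmt) | ("var", name, default)

    def s_binary(self, hexstr):
        self.parts.append(("bin", bytes.fromhex(hexstr)))
        return self

    def s_size(self, name, fmt="<I"):
        # Length field covering the named variable block (string plus NUL).
        self.parts.append(("size", name, fmt))
        return self

    def s_string_variable(self, name, default):
        self.parts.append(("var", name, default))
        return self

    def _value(self, name, overrides):
        for part in self.parts:
            if part[0] == "var" and part[1] == name:
                return overrides.get(name, part[2])
        raise KeyError(name)

    def build(self, overrides=None, honest_length=True):
        """Serialize the template. With honest_length=False the size field is
        computed from the default value, so it disagrees with the mutated payload
        (a second fault class: length/payload mismatch)."""
        overrides = overrides or {}
        out = bytearray()
        for part in self.parts:
            if part[0] == "bin":
                out += part[1]
            elif part[0] == "size":
                value = self._value(part[1], overrides if honest_length else {})
                out += struct.pack(part[2], len(value.encode()) + 1)
            else:
                out += self._value(part[1], overrides).encode() + b"\x00"
        return bytes(out)


NAME_BUF = 64  # constructed: size of the receiver's fixed buffer


def toy_receiver(packet):
    """Constructed stand-in for the server side: 4-byte header, u32 little-endian
    length, NUL-terminated name, 2-byte trailer. Raising MemoryError simulates
    the crash a real fixed-size buffer would produce on an oversized name."""
    if len(packet) < 8:
        raise ValueError("short packet")
    (n,) = struct.unpack("<I", packet[4:8])
    name = packet[8:8 + n]
    if n > NAME_BUF:
        raise MemoryError(f"{n} bytes copied into a {NAME_BUF}-byte buffer")
    if len(name) != n or not name.endswith(b"\x00"):
        raise ValueError("length field does not match payload")
    return name[:-1].decode()


def hello_template():
    # Constructed protocol, laid out the way the slide's Spike script is.
    return (FuzzTemplate()
            .s_binary("01 00 00 00")               # fixed header
            .s_size("name")                       # "this is probably a length field"
            .s_string_variable("name", "hello")   # "make this big"
            .s_binary("00 ff"))                   # fixed trailer


def find_failures(template, name, sizes=(1, 16, 63, 64, 255, 1024)):
    """Fault-injection loop: mutate one variable block, deliver each packet to
    the receiver, and record which sizes crash it. Returns the crashing sizes."""
    crashed = []
    for n in sizes:
        packet = template.build({name: "A" * n})
        try:
            toy_receiver(packet)
        except MemoryError:
            crashed.append(n)
    return crashed


if __name__ == "__main__":
    print(hello_template().build().hex(" "))
    print("crashing sizes:", find_failures(hello_template(), "name"))
```

The length field is recomputed from the mutated block by default, which is what lets the oversized string reach the receiver's copy; building with `honest_length=False` keeps the stale length instead, which exercises the receiver's length validation rather than its buffer. Against your own server the receiver call is replaced by a socket send plus a crash monitor (debugger, core dump, or the instrumentation the later slides describe).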
UDP-1434 SQL Overflow
Buffer Attack Injected Into Protocol Statement
0040e890 e87b8cffff call
0040e895 c3         ret
0040e896 8bc0       mov
FAULT -> 0040e898 8b10 mov
0040e89a 33c9       xor
White Box
• IDA-Pro (reverse assemble)
• More expensive and requires an expert
• Very time consuming
IDA reverse of popular app-server's "CanonicalizeURIPath"
A Fusion – Grey Box
• Combines:
– A runtime debugger
• SoftIce
• GDB
– A white box tool
• IDA
– A black box tool
• Hailstorm™
Using Instrumentation
• Using Rational Purify™
• Using API call hooks
• Using Code-coverage (gcov, etc)
– Canonicalization routines
– Filtering routines
– Decision logic
– Parsers
Hailstorm™ crashes MS-SQL 7
Input Path Tracing
• Path tracing
– ltrace
– truss
• Data tracing
– Gdb breakpoints
– Modified ltrace
• Where is user-data getting placed?
– Trusted API calls?
Boron Tagging with GDB
.text:00056140 INTutil_uri_is_evil_internal:
.text:00056140 ldsb [%o0], %o1
.text:00056144 mov 1, %o3
.text:00056148 mov 2, %o4
.text:0005614C cmp %o1, 0
.text:00056150 be,pn %icc, loc_561F4
.text:00056154 mov %o0, %o5
.text:00056158 mov %o2, %o0
.text:0005615C mov 0, %o2
.text:00056160 cmp %o1, 0x2F
.text:00056164
.text:00056164 loc_56164:
.text:00056164 bne,a %icc, loc_561DC
(gdb) x/8s $o0
0x97f030: "/iplanet/servers/TEST_STRING"
0x97f064: "ervers/docs"
0x97f070: "/usr/local/iplanet/docs"
0x97f090: ""
0x97f091: "\227ð\230"
0x97f095: ""
0x97f096: ""
0x97f097: ""
Slide callout: TEST_STRING (the injected tag, visible in the first string at %o0)
Using TRUSS on Solaris
# truss -u *:: -vall -xall -p 2307 2>&1 | grep -v read | grep -v poll
The 2>&1 tag is required since truss does not deliver all of its data on the stdout pipe.
The output of the command will look something like:
/67: <- libns-httpd40:__0FT_util_strftime_convPciTCc() = 50
/67: -> libns-httpd40:__0FT_util_strftime_convPciTCc(0xff2ed342, 0x2, 0x2, 0
/67: <- libns-httpd40:__0FT_util_strftime_convPciTCc() = 0xff2ed345
/67: <- libns-httpd40:INTutil_strftime() = 20
/67: -> libns-httpd40:INTsystem_strdup(0xff2ed330, 0x9, 0x41, 0x50)
/67: -> libns-httpd40:INTpool_strdup(0x9e03a0, 0xff2ed330, 0x0, 0x0)
/67: -> libc:strlen(0xff2ed330, 0x0, 0x0, 0x0)
/67: <- libc:strlen() = 20
/67: <- libns-httpd40:INTpool_strdup() = 0x9f8b10
/67: <- libns-httpd40:INTsystem_strdup() = 0x9f8b10
/67: <- libns-httpd40:time_cache_curr_strftime_logfmt() = 0x9f8b10
/67: -> libc:strcpy(0xf7400710, 0x9f8b10, 0x0, 0x7efefeff)
/67: <- libc:strcpy() = 0xf7400710
/67: -> libc:strlen(0xf7400710, 0x9f8b28, 0xf7400710, 0x0)
/67: <- libc:strlen() = 20
/67: -> libc:strlen(0x9f4f48, 0x34508f, 0x0, 0x7efefeff)
/67: <- libc:strlen() = 25
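The truss output answers the "Input Path Tracing" question on the earlier slide (where is user-data getting placed?) only if you pair each `->` entry with its `<-` return and follow the pointer values from call to call. The added example below (not from the slides) does that over a constructed sample made from the lines shown above: it reconstructs the call nesting per thread, lists calls to libc copy routines that take no destination bound, and traces one buffer address through strdup return values and strcpy destinations. The `parse_truss`, `unbounded_copies` and `trace_pointer` names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the truss -u output shown on the slide (thread /67).
TRUSS_LOG = """\
/67: -> libns-httpd40:INTsystem_strdup(0xff2ed330, 0x9, 0x41, 0x50)
/67: -> libns-httpd40:INTpool_strdup(0x9e03a0, 0xff2ed330, 0x0, 0x0)
/67: -> libc:strlen(0xff2ed330, 0x0, 0x0, 0x0)
/67: <- libc:strlen() = 20
/67: <- libns-httpd40:INTpool_strdup() = 0x9f8b10
/67: <- libns-httpd40:INTsystem_strdup() = 0x9f8b10
/67: -> libc:strcpy(0xf7400710, 0x9f8b10, 0x0, 0x7efefeff)
/67: <- libc:strcpy() = 0xf7400710
/67: -> libc:strlen(0xf7400710, 0x9f8b28, 0xf7400710, 0x0)
/67: <- libc:strlen() = 20
"""

# /<tid>: -> lib:func(args)            entry
# /<tid>: <- lib:func() = retval       return
LINE = re.compile(
    r"^/(?P<tid>\d+):\s+(?P<dir>->|<-)\s+(?P<lib>[\w.+-]+):(?P<func>\w+)"
    r"\((?P<args>[^)]*)\)(?:\s*=\s*(?P<ret>\S+))?"
)

# libc routines with no destination bound: every call is a candidate overflow sink.
UNBOUNDED_COPIES = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}


@dataclass
class Call:
    tid: str
    lib: str
    func: str
    args: List[str]
    depth: int
    ret: Optional[str] = None


def parse_truss(text: str) -> List[Call]:
    """Pair each '->' entry with its '<-' return, per thread, recording call depth."""
    open_calls = {}
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # truncated lines, syscalls and signals that truss interleaves
        stack = open_calls.setdefault(m["tid"], [])
        if m["dir"] == "->":
            args = [a.strip() for a in m["args"].split(",") if a.strip()]
            call = Call(m["tid"], m["lib"], m["func"], args, len(stack))
            stack.append(call)
            calls.append(call)
        else:
            while stack:  # unwind to the matching entry; tolerates dropped lines
                call = stack.pop()
                if call.func == m["func"]:
                    call.ret = m["ret"]
                    break
    return calls


def unbounded_copies(calls):
    """Calls into copy routines that cannot check the destination size."""
    return [c for c in calls if c.func in UNBOUNDED_COPIES]


def trace_pointer(calls, pointer):
    """Where does the data at `pointer` get placed? Follow the address through
    every call that receives it, and pick up new addresses when the data is
    duplicated (strdup return value) or copied (strcpy destination).
    Returns (lib:func, argument index) pairs in call order."""
    tracked = {pointer}
    hits = []
    for c in calls:
        for i, a in enumerate(c.args):
            if a in tracked:
                hits.append((f"{c.lib}:{c.func}", i))
        if c.func in UNBOUNDED_COPIES and len(c.args) > 1 and c.args[1] in tracked:
            tracked.add(c.args[0])
        if c.func.endswith("strdup") and c.ret and any(a in tracked for a in c.args):
            tracked.add(c.ret)
    return hits


if __name__ == "__main__":
    parsed = parse_truss(TRUSS_LOG)
    for c in parsed:
        print("  " * c.depth + f"{c.lib}:{c.func}({', '.join(c.args)}) = {c.ret}")
    print("unbounded copies:", [(c.func, c.args[:2]) for c in unbounded_copies(parsed)])
    print("flow of 0xff2ed330:", trace_pointer(parsed, "0xff2ed330"))
```

Tracing the original input address `0xff2ed330` shows it being duplicated into `0x9f8b10` and then copied by `strcpy` into `0xf7400710`, which is exactly the kind of unbounded copy of attacker-reachable data the instrumentation slides are looking for. Truss prints raw register values, so the extra argument slots (the second `strlen` shows `0xf7400710` twice) are register noise rather than real parameters; the trace reports them and a reviewer discards them.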
Win32 hook on strcpy
If there is code for it…
• What if?
• Assume filters fail
• Assume API call input can be controlled
• Map the capability of every DLL
• Controlled by process permissions and access control
Every DLL that calls SetSecurityDescriptorDACL
User Input
• What can the user directly control in terms
of API calls?
– Authentication calls
– Filesystem
– Database
– Command shell
Remote Capability
• Do any of the native calls operate over the
network?
– Domain specification
– Data source specification
– IP address
– NTFS Path name
Authentication
• Response aggregation
– User/password enumeration when errors differ
• No lockout
– Brute force
• Failed logging
– Alternative requests
• Can you specify a remote domain or target?
– Proxied attacks
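The first three bullets describe one login routine with three defects: its error messages differ between unknown users and wrong passwords, nothing throttles repeated guesses, and failures are not logged. The added example below (not from the slides) puts the leaky routine beside a hardened one that returns a single message for every failure, does the same hashing work for unknown users so timing does not reveal them, locks an account after repeated failures, and records events for the detection pipeline. The user store, the `login_leaky` function, the `Authenticator` class and its thresholds are constructed assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed store uses PBKDF2-HMAC-SHA256; production code wants a
    # memory-hard hash (argon2/scrypt) and a higher cost.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}       # constructed account
_DUMMY = (secrets.token_bytes(16), _hash("dummy", secrets.token_bytes(16)))


def login_leaky(user, password):
    """Vulnerable: distinct failure messages let a caller enumerate valid user
    names, nothing throttles repeated guesses, and nothing is logged."""
    if user not in USERS:
        return "no such user"
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"
    return "ok"


class Authenticator:
    """Hardened: one failure message, equal work for unknown users, per-account
    lockout, and an event log a detection pipeline can consume."""

    MSG = "invalid credentials"
    MAX_FAILURES = 5
    LOCK_SECONDS = 900

    def __init__(self, users, clock=time.monotonic):
        self.users = users
        self.clock = clock          # injectable so the lockout window is testable
        self.state = {}             # user -> [failures, locked_until]
        self.log = []               # (event, user) records

    def login(self, user, password):
        now = self.clock()
        failures, locked_until = self.state.get(user, [0, 0.0])
        salt, stored = self.users.get(user, _DUMMY)   # unknown user: hash anyway
        ok = hmac.compare_digest(_hash(password, salt), stored) and user in self.users
        if now < locked_until:
            self.log.append(("locked_attempt", user))
            return False, self.MSG
        if not ok:
            failures += 1
            self.log.append(("auth_failure", user))
            if failures >= self.MAX_FAILURES:
                locked_until = now + self.LOCK_SECONDS
                self.log.append(("lockout", user))
            self.state[user] = [failures, locked_until]
            return False, self.MSG
        self.state[user] = [0, 0.0]
        self.log.append(("auth_success", user))
        return True, "ok"


def demo():
    """Run the enumeration and brute-force scenario against the hardened version
    with a fake clock; returns the observations a reviewer would check."""
    t = [0.0]
    auth = Authenticator(USERS, clock=lambda: t[0])
    unknown = auth.login("bob", "x")[1]
    wrongpw = auth.login("alice", "x")[1]
    for _ in range(4):                         # five alice failures in total
        auth.login("alice", "x")
    locked = auth.login("alice", "correct horse")   # right password, but locked
    t[0] += Authenticator.LOCK_SECONDS + 1
    recovered = auth.login("alice", "correct horse")
    return {"unknown": unknown, "wrongpw": wrongpw, "locked": locked,
            "recovered": recovered, "events": [e for e, _ in auth.log]}


if __name__ == "__main__":
    print("leaky:", login_leaky("bob", "x"), "/", login_leaky("alice", "x"))
    print("hardened:", demo())
```

The lockout here is per account, which stops online brute force of one password but also hands an attacker a way to lock users out; real deployments pair it with rate limiting per source and a reset path, and the `lockout` and `locked_attempt` events are what monitoring alerts on.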
Architecture Flaws
• Lack of randomness
– Hijacking keys
• No authentication
– Bad configuration or design
• No compartments
– Use the same buffer for crypto and clear
• Race conditions
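"Lack of randomness" is the flaw behind hijacked session keys: if the key generator can be reproduced, the key can be too. The added example below (not from the slides) shows the common weak pattern, a PRNG seeded from the wall clock, beside the hardened one, and a collision count that a reviewer can run over a batch of issued ids. The `weak_session_id`, `strong_session_id`, `collisions` and `issue_batch` names and the login timestamps are constructed for the example.

```python
import random
import secrets


def weak_session_id(clock_seconds):
    """Vulnerable pattern: a PRNG seeded from the wall clock at one-second
    resolution. Every session created within the same second gets the same id,
    and the whole id space collapses to the number of seconds the server could
    have been started in, so the key is reproducible rather than secret."""
    rng = random.Random(int(clock_seconds))
    return rng.getrandbits(128).to_bytes(16, "big").hex()


def strong_session_id():
    """Hardened: 128 bits straight from the OS CSPRNG; there is no seed to share."""
    return secrets.token_hex(16)


def collisions(ids):
    """Number of ids in a batch that repeat an earlier one (only 0 is acceptable)."""
    return len(ids) - len(set(ids))


def issue_batch(clock_samples, weak):
    """Issue one session id per login; clock_samples are constructed login times."""
    return [weak_session_id(t) if weak else strong_session_id() for t in clock_samples]


if __name__ == "__main__":
    logins = [1700000000.1, 1700000000.4, 1700000000.9, 1700000001.2]  # constructed
    print("weak collisions:  ", collisions(issue_batch(logins, weak=True)))
    print("strong collisions:", collisions(issue_batch(logins, weak=False)))
```

Two ids being equal for logins in the same second is the visible symptom; the underlying defect is that `random.Random` is a deterministic generator, so anyone who knows the seed space can regenerate every id it ever produced. The check to add to an acceptance test is simple: issue a batch of ids, assert zero collisions, and inspect the generator for a CSPRNG source.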
Take control of the Problem
• Test before you buy
• Perform independent testing on the software
• Perform internal testing on the software
• Cooperate and create a shared testing lab
• Create acceptance criteria
Make the vendor responsible
• Vote with your dollars
• Force vendors into a comparison against competitive products
• Make the vendor produce a technically credible security audit
• Force vendors to accept liability associated with a security bug
– Make the vendor pay the cost of a bug
It's Ultimately Your Decision
• As the customers of technology, you have the right to demand safety and reliability
• Security knowledge is widespread
• Reliable software is secure
• Security testing is the only way to eliminate the bugs that undermine your systems
Greg Hoglund
Thank You