Summit2008/Sessions/Proposals/Writing Secure Software & Basic Hacking Techniques

From MozillaWiki
Revision as of 00:23, 14 July 2008 by Pvnick

Session Title

Writing Secure Software & Basic Hacking Techniques

Session Leader

Paul Nickerson

Introduction

Firefox is known for having good security, and it's important to keep up that image. Doing so requires techniques for writing secure code. As software hacking evolves, so should the ways we prevent and detect bugs.

General Practices

Some basic practices can set the foundation for either writing secure or insecure software. I'll go over these as well as implementation examples.

Threat Modeling

Threat modeling is the basic process of identifying potential flaws in a program. Using data flow diagrams, it helps make preventing security flaws a visual task that can be a collaborative effort. Using proper and in-depth threat modeling techniques, most high-level design flaws can be avoided altogether.

Example: threatmodel.png

S.T.R.I.D.E.

Stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. This is basically a checklist that can be used for threat modeling. I'll define each and show some examples.
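To show how the data flow diagram from Threat Modeling and the S.T.R.I.D.E. checklist fit together, here is an added example (not part of the original proposal) that walks a small diagram and lists the categories to review for each element, with flows that cross a trust boundary first. The element names, trust zones and the per-element mapping (the common "STRIDE-per-element" convention) are assumptions made for this sketch, not a description of Firefox's architecture.

```python
# Added illustration: STRIDE checklist generated from a data flow diagram.
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Assumption: STRIDE-per-element convention for which categories apply to
# each kind of diagram element (add "R" to a store when it holds logs).
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TID", "flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone the element lives in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str

    @property
    def crosses_boundary(self):
        return self.src.zone != self.dst.zone

def checklist(elements, flows):
    """Return (subject, threat, crosses_boundary) rows, boundary crossings first."""
    rows = []
    for e in elements:
        rows += [(e.name, STRIDE[c], False) for c in APPLICABLE[e.kind]]
    for f in flows:
        label = f"{f.src.name} -> {f.dst.name} ({f.data})"
        rows += [(label, STRIDE[c], f.crosses_boundary) for c in APPLICABLE["flow"]]
    return sorted(rows, key=lambda r: not r[2])  # stable sort keeps diagram order

# Constructed sample diagram (hypothetical names and zones).
page = Element("web page", "external", "untrusted")
content = Element("content script engine", "process", "untrusted")
chrome = Element("browser chrome", "process", "privileged")
profile = Element("profile store", "store", "privileged")
ELEMENTS = [page, content, chrome, profile]
FLOWS = [Flow(page, content, "HTML/JS"),
         Flow(content, chrome, "URL to load"),
         Flow(chrome, profile, "saved settings")]

if __name__ == "__main__":
    for subject, threat, crossing in checklist(ELEMENTS, FLOWS):
        tag = "[boundary] " if crossing else ""
        print(f"{tag}{subject}: {threat}")
```

Each row is a question for the review meeting; the boundary-crossing rows are the ones where untrusted data reaches privileged code.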

Specific Firefox Attacks

Since Firefox has a lot of consistent behavior, some attacks can be consistent in the ways that they're found, e.g. making chrome attempt to access a javascript URL. Programmers can keep these behaviors and their attacks in mind to reduce bugs entering the codebase.