The Role of Static Analysis in Secure Software.pdf
The Role of Static Analysis in Secure Software Development
Tin Aung Win
President, (ISC)2 Singapore Chapter
• What is secure software?
• What is static analysis?
• Why static analysis?
• Where does static analysis fit in a SDLC?
• Static analysis tools – Pros and Cons
• Conclusion
Software that satisfies all of the following (non-exhaustive) criteria:
• It functions as intended
• Possesses and performs only needed functionality
• Uses only needed facilities
• Behaves correctly in the presence of malicious attacks
• Built with incident response in mind
• It fails safely
• Not an easy feat: exceptions, race conditions, concurrency, ...
• It is resilient
• It can (probably) defend itself
Why do we need Secure Software?
• Humanity heavily relies on software (unfortunately)
• Insecure software can lead to any or all of the following:
• From loss of personal information to state secrets
• From e‐robbery to destruction of financial operations
• From inconveniences to infrastructure damages
• From business disturbance to ruining the business ecosystem
• From free speech advocates to hacktivism
• From harming individuals to cyber war between nation states
Flame: A glimpse into the future of war
The most sophisticated cyberweapon yet unleashed.
Exploit:JS/Blacole
Description: Blacole, also known as the Blackhole exploit pack, is found on a compromised server and is installed there by an
• Three primary causes: