DOCSLIB.ORG

SECURITY in the SOFTWARE LIFECYCLE Making Software Development Processes— and Software Produced by Them—More Secure DRAFT Version 1.2 - August 2006

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Department of Homeland Security SECURITY IN THE SOFTWARE LIFECYCLE Making Software Development Processes— and Software Produced by Them—More Secure DRAFT Version 1.2 - August 2006 Security in the Software Lifecycle Draft Version 1.2 | August 2006 FOREWARD Dependence on information technology makes software assurance a key element of business continuity, national security, and homeland security. Software vulnerabilities jeopardize intellectual property, consumer trust, business operations and services, and a broad spectrum of critical applications and infrastructure, including everything from process control systems to commercial application products. The integrity of key assets depends upon the reliability and security of the software that enables and controls those assets. However, informed consumers have growing concerns about the scarcity of practitioners with requisite competencies to build secure software. They have concerns with suppliers’ capabilities to build and deliver secure software with requisite levels of integrity and to exercise a minimum level of responsible practice. Because software development offers opportunities to insert malicious code and to unintentionally design and build software with exploitable weaknesses, security-enhanced processes and practices—and the skilled people to perform them—are required to build software that can be trusted not to increase risk exposure. In an era riddled with asymmetric cyber attacks, claims about system reliability, integrity and safety must also include provisions for built-in security of the enabling software. The Department of Homeland Security (DHS) Software Assurance Program is grounded in the National Strategy to Secure Cyberspace which indicates: “DHS will facilitate a national public-private effort to promulgate best practices and methodologies that promote integrity, security, and reliability in software code development, including processes and procedures that diminish the possibilities of erroneous code, malicious code, or trap doors that could be introduced during development.” Software Assurance has become critical because dramatic increases in business and mission risks are now known to be attributable to exploitable software: (1) system interdependence and software dependence has software as the weakest link; (2) software size and complexity obscures intent and precludes exhaustive test; (3) outsourcing and use of unvetted software supply chain increases risk exposure; (4) attack sophistication eases exploitation; and (5) reuse of legacy software interfaced with other applications in new environments introduces other unintended consequences increasing the number of vulnerable targets. The growing extent of the resulting risk exposure is rarely understood. The number of threats specifically targeting software is increasing, and the majority of network- and system-level attacks exploit vulnerabilities in application level software. These all contribute to the increase of risks to software-enabled capabilities and the threat of asymmetric attack. A broad range of stakeholders now need justifiable confidence that the software that enables their core business operations can be trusted to perform (even with attempted exploitation). DHS began the Software Assurance (SwA) Program as a focal point to partner with the private sector, academia, and other government agencies in order to improve software development and acquisition processes. Through public-private partnerships, the Software Assurance Program framework shapes a comprehensive strategy that addresses people, process, technology, and acquisition throughout the software life cycle. Collaborative efforts seek to shift the paradigm away from patch management and to achieve a broader ability to routinely develop and deploy software products known to be trustworthy. These efforts focus on contributing to the production of higher quality, more secure software that contributes to more resilient operations. In their Report to the President entitled Cyber Security: A Crisis of Prioritization (February 2005), the President’s Information Technology Advisory Committee (PITAC) summed up the problem of non- secure software: i Security in the Software Lifecycle Draft Version 1.2 | August 2006 Network connectivity provides “door-to-door” transportation for attackers, but vulnerabilities in the software residing in computers substantially compound the cyber security problem. As the PITAC noted in a 1999 report, the software development methods that have been the norm fail to provide the high- quality, reliable, and secure software that the Information Technology infrastructure requires. Software development is not yet a science or a rigorous discipline, and the development process by and large is not controlled to minimize the vulnerabilities that attackers exploit. Today, as with cancer, vulnerable software can be invaded and modified to cause damage to previously healthy software, and infected software can replicate itself and be carried across networks to cause damage in other systems. Like cancer, these damaging processes may be invisible to the lay person even though experts recognize that their threat is growing. And as in cancer, both preventive actions and research are critical, the former to minimize damage today and the latter to establish a foundation of knowledge and capabilities that will assist the cyber security professionals of tomorrow reduce risk and minimize damage for the long term. Vulnerabilities in software that are introduced by mistake or poor practices are a serious problem today. In the future, the Nation may face an even more challenging problem as adversaries—both foreign and domestic—become increasingly sophisticated in their ability to insert malicious code into critical software. The DHS Software Assurance (SwA) program goals promote the security of software across the development life cycle and are scoped to address: 1. Trustworthiness: No exploitable vulnerabilities exist, either maliciously or unintentionally inserted; 2. Predictable Execution: Justifiable confidence that software, when executed, functions as intended; 3. Conformance: Planned and systematic set of multi-disciplinary activities that ensure software processes and products conform to requirements and applicable standards and procedures. Initiatives such as the DHS “Build Security In” Web site at https://buildsecurityin.us-cert.gov and the Software Assurance Common Body of Knowledge (CBK) will continue to evolve and provide practical guidance and reference material to software developers, architects, and educators on how to improve the quality, reliability, and security of software – and the justification to use it with confidence. This developers’ guide, entitled Security in the Software Life Cycle: Making Software Development Processes—and Software Produced by Them—More Secure, is also being published as part of the DHS Software Assurance program, and is freely downloadable from the DHS BuildSecurityIn portal. The main goal of Security in the Software Life Cycle is to arm developers, project managers, and testers with the information they need to start improving the security of the practices and processes they use to produce software. A growing number of practitioners in the software engineering and security communities have identified tools and practices that they have found in “real world” to improve the likelihood of producing resulting software with fewer faults and other weaknesses that can be exploited as vulnerabilities. In addition, while it is not always their explicit objective, the practices and technologies described in Security in the Software Life Cycle should also help increase software’s overall dependability and quality. Unlike other works published on secure software engineering, secure programming, secure coding, application security, and similar topics, Security in the Software Life Cycle does not set out to recommend ii Security in the Software Lifecycle Draft Version 1.2 | August 2006 a specific approach to the software security problem. Instead, it offers alternative approaches for addressing specific security issues. Where it does resemble such works is in the more detailed discussion of software security principles and practices in Appendix G. However, the scope of the information provided in Appendix G is broader than that found in many other published works with similar content. Also unlike other such works, the other sections of Security in the Software Life Cycle discuss a number of life cycle process models, development methodologies, and supporting tools that have been shown in “real world” software development projects, across government, industry, and academia in the United States (U.S.) and abroad, to reduce the number of exploitable software faults that can be targeted as vulnerabilities to compromise the software, the data it processes, or the computing and networking resources on which the software depends. No single practice, process, or methodology offers a universal “silver bullet” for software security. With this in mind, this document has been compiled as a reference intended to present an overview of software security and inform software practitioners about a number of practices and methodologies which they can evaluate and selectively adopt to help reshape their own development processes to increase the security and dependability of the software produced by those processes, both during its development and its operation. Security in the Software Life Cycle is a part of
Recommended publications
  • Software Rejuvenation Model for Cloud Computing Platform

    Software Rejuvenation Model for Cloud Computing Platform

    International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 19 (2017) pp. 8332-8337 © Research India Publications. http://www.ripublication.com Software Rejuvenation Model for Cloud Computing Platform I M Umesh System Analyst, Department of Information Science & Engineering, Rashtreeya Vidyalaya College of Engineering, Mysuru Road, Bengaluru, Karnataka, India. Orcid Id: 0000-0002-7595-5501 Dr. G N Srinivasan Professor, Department of Information Science & Engineering, Rashtreeya Vidyalaya College of Engineering, Mysuru Road, Bengaluru, Karnataka, India. Orcid Id: 0000-0003-1059-5952 Matheus Torquato Professor, Federal Institute of Alagoas (IFAL), Campus Arapiraca - AL, Brazil. Orcid Id: 0000-0003-3211-7951 Abstract leading to resource exhaustion. Aging effects are the result of Cloud computing has emerged as one of the most needed error accumulation that leads to resource exhaustion. This technologies that houses software systems and relevant status of softwares makes the system gradually shift from functional entities resulting in complex, multiuser, healthy state to failure prone state. The system performance multitasking and virtualized environments. However, metrics needs to be monitored in order to find the aging reliability of such high performance computing systems patterns while the system is running. The accurate prediction depends both on hardware and software. Virtualization is the of time of aging needs to be forecasted to initiate the technology that many cloud service providers rely on for necessary actions to counter the aging effects. The software efficient management and coordination of the resource pool. aging consequences can be avoided by using the technique The software systems, during operation accumulate errors or called software rejuvenation. garbage leading to software aging which may lead to system Software rejuvenation is the proactive technique proposed to failure and associated consequences.
  • Secure App and Data Delivery

    Secure App and Data Delivery

    White Paper Secure app and data delivery - across devices, networks, and locations How Citrix Virtual Apps dramatically simplifies data protection, access control, and other critical security tasks Citrix | Secure app and data delivery 2 Most discussions of application and Growing IT security challenges desktop virtualization focus on cost Corporate IT groups are continuously challenged to support critical new business initiatives and improve reduction, simplifying IT operations, and end user computing experiences, while facing limited increasing convenience for employees. budgets and mounting pressures to improve information These factors are extremely important, security. Many of these challenges involve making computing resources easier to utilize, regardless of but IT professionals should not overlook physical and geographical boundaries. Employees are the immense impact of workspace demanding the following: virtualization on information security. • Work anywhere, with a consistent experience, from In fact, application and desktop PCs, laptops, tablets and smartphone virtualization have profound advantages • Freedom from rigid IT security controls that restrict for key security functions such as performance and inhibit productivit data protection, access control, user • Access to corporate data and self-provision provisioning and compliance. They can applications on-demand also give administrators extremely Rethink Security granular control over how employees, Clearly these trends are not sustainable with current contractors and business partners use approaches to security and remote access. How can IT and share application data. groups provide easier access to resources, in the face of more sophisticated threats, with multiplying endpoints to defend? And the challenges are not just related to the quantity of end points, but to the increasing diversity.
  • Software Assurance

    Software Assurance

    Information Assurance State-of-the-Art Report Technology Analysis Center (IATAC) SOAR (SOAR) July 31, 2007 Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance Distribution Statement A E X C E E C L I L V E R N E Approved for public release; C S E I N N I IO DoD Data & Analysis Center for Software NF OR MAT distribution is unlimited. Information Assurance Technology Analysis Center (IATAC) Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance State-of-the-Art Report (SOAR) July 31, 2007 IATAC Authors: Karen Mercedes Goertzel Theodore Winograd Holly Lynne McKinley Lyndon Oh Michael Colon DACS Authors: Thomas McGibbon Elaine Fedchak Robert Vienneau Coordinating Editor: Karen Mercedes Goertzel Copy Editors: Margo Goldman Linda Billard Carolyn Quinn Creative Directors: Christina P. McNemar K. Ahnie Jenkins Art Director, Cover, and Book Design: Don Rowe Production: Brad Whitford Illustrations: Dustin Hurt Brad Whitford About the Authors Karen Mercedes Goertzel Information Assurance Technology Analysis Center (IATAC) Karen Mercedes Goertzel is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Ms. Goertzel is currently lead author of a report on the state-of-the-art in software security assurance, and has also led in the creation of state-of-the-art reports for the Department of Defense (DoD) on information assurance and computer network defense technologies and research.
  • Design and Implementation of Generics for the .NET Common Language Runtime

    Design and Implementation of Generics for the .NET Common Language Runtime

    Design and Implementation of Generics for the .NET Common Language Runtime Andrew Kennedy Don Syme Microsoft Research, Cambridge, U.K. fakeÒÒ¸d×ÝÑeg@ÑicÖÓ×ÓfغcÓÑ Abstract cally through an interface definition language, or IDL) that is nec- essary for language interoperation. The Microsoft .NET Common Language Runtime provides a This paper describes the design and implementation of support shared type system, intermediate language and dynamic execution for parametric polymorphism in the CLR. In its initial release, the environment for the implementation and inter-operation of multiple CLR has no support for polymorphism, an omission shared by the source languages. In this paper we extend it with direct support for JVM. Of course, it is always possible to “compile away” polymor- parametric polymorphism (also known as generics), describing the phism by translation, as has been demonstrated in a number of ex- design through examples written in an extended version of the C# tensions to Java [14, 4, 6, 13, 2, 16] that require no change to the programming language, and explaining aspects of implementation JVM, and in compilers for polymorphic languages that target the by reference to a prototype extension to the runtime. JVM or CLR (MLj [3], Haskell, Eiffel, Mercury). However, such Our design is very expressive, supporting parameterized types, systems inevitably suffer drawbacks of some kind, whether through polymorphic static, instance and virtual methods, “F-bounded” source language restrictions (disallowing primitive type instanti- type parameters, instantiation at pointer and value types, polymor- ations to enable a simple erasure-based translation, as in GJ and phic recursion, and exact run-time types.
  • The CLASP Application Security Process

    The CLASP Application Security Process

    The CLASP Application Security Process Secure Software, Inc. Copyright (c) 2005, Secure Software, Inc. The CLASP Application Security Process The CLASP Application Security Process TABLE OF CONTENTS CHAPTER 1 Introduction 1 CLASP Status 4 An Activity-Centric Approach 4 The CLASP Implementation Guide 5 The Root-Cause Database 6 Supporting Material 7 CHAPTER 2 Implementation Guide 9 The CLASP Activities 11 Institute security awareness program 11 Monitor security metrics 12 Specify operational environment 13 Identify global security policy 14 Identify resources and trust boundaries 15 Identify user roles and resource capabilities 16 Document security-relevant requirements 17 Detail misuse cases 18 Identify attack surface 19 Apply security principles to design 20 Research and assess security posture of technology solutions 21 Annotate class designs with security properties 22 Specify database security configuration 23 Perform security analysis of system requirements and design (threat modeling) 24 Integrate security analysis into source management process 25 Implement interface contracts 26 Implement and elaborate resource policies and security technologies 27 Address reported security issues 28 Perform source-level security review 29 Identify, implement and perform security tests 30 The CLASP Application Security Process i Verify security attributes of resources 31 Perform code signing 32 Build operational security guide 33 Manage security issue disclosure process 34 Developing a Process Engineering Plan 35 Business objectives 35 Process
  • 0.1 Problems

    0.1 Problems

    0.1. PROBLEMS 1 0.1 Problems 1. Among the fundamental challenges in information security are confi- dentiality, integrity, and availability, or CIA. a. Define each of these terms: confidentiality, integrity, availability. b. Give a concrete example where confidentiality is more important than integrity. c. Give a concrete example where integrity is more important than confidentiality. d. Give a concrete example where availability is the overriding con- cern. 2. From a bank's perspective, which is usually more important, the in- tegrity of its customer's data or the confidentiality of the data? From the perspective of the bank's customers, which is more important? 3. Instead of an online bank, suppose that Alice provides an online chess playing service known as Alice's Online Chess (AOC). Players, who pay a monthly fee, log into AOC where they are matched with another player of comparable ability. a. Where (and why) is confidentiality important for AOC and its customers? b. Why is integrity necessary? c. Why is availability an important concern? 4. Instead of an online bank, suppose that Alice provides an online chess playing service known as Alice's Online Chess (AOC). Players, who pay a monthly fee, log into AOC where they are matched with another player of comparable ability. a. Where should cryptography be used in AOC? b. Where should access control used? c. Where would security protocols be used? d. Is software security a concern for AOC? Why or why not? 5. Some authors distinguish between secrecy, privacy, and confidential- ity. In this usage, secrecy is equivalent to our use of the term con- fidentiality, whereas privacy is secrecy applied to personal data, and 2 confidentiality (in this misguided sense) refers to an obligation not to divulge certain information.
  • Cybersecurity in a Digital Era.Pdf

    Cybersecurity in a Digital Era.Pdf

    Digital McKinsey and Global Risk Practice Cybersecurity in a Digital Era June 2020 Introduction Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ- ment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT functions have had to think through how to protect increasingly valuable digital assets, how to assess threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models as companies adopt agile development and cloud computing. We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular: 1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza- tion, but also from application development, infrastructure, product development, customer care, finance, human resources, procurement and risk. A successful cybersecurity strategy supports the business, highlights the actions required from across the enterprise – and perhaps most importantly captures the imagination of the executive in how it can manage risk and also enable business innovation. 2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities to address and more protections you can consider than you will have capacity to implement. Even companies with large and increasing cybersecurity budgets face constraints in how much change the organization can absorb.
  • The Six Dumbest Ideas in Computer Security Marcus J Ranum

    The Six Dumbest Ideas in Computer Security Marcus J Ranum

    The Six Dumbest Ideas in Computer Security Marcus J Ranum http://www.ranum.com/security/computer_security/editorials/dumb/ There's lots of innovation going on in security - we're inundated with a steady stream of new stuff and it all sounds like it works just great. Every couple of months I'm invited to a new computer security conference, or I'm asked to write a foreword for a new computer security book. And, thanks to the fact that it's a topic of public concern and a "safe issue" for politicians, we can expect a flood of computer security-related legislation from lawmakers. So: computer security is definitely still a "hot topic." But why are we spending all this time and money and still having problems? Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying "trying to ignore reality." Frequently those misguided attempts are sincere efforts by well- meaning people or companies who just don't fully understand the situation, but other times it's just a bunch of savvy entrepreneurs with a well-marketed piece of junk they're selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.
  • Cybersecurity Guide: Hackers and Defenders Harness Design and Machine Learning

    Cybersecurity Guide: Hackers and Defenders Harness Design and Machine Learning

    Cybersecurity Guide: HACKERS AND DEFENDERS HARNESS DESIGN AND MACHINE LEARNING CYBERSECURITY GUIDE: HACKERS AND DEFENDERS HARNESS DESIGN AND MACHINE LEARNING TABLE OF CONTENTS 3 INTRODUCTION 4 SECTION 1 THE SITUATION REPORT 9 SECTION 2 THINK LIKE DA VINCI: MORE ART IS NEEDED IN THE SCIENCE OF CYBERSECURITY 16 SECTION 3 THROUGH THE LOOKING GLASS: MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE 21 ENDNOTES PAGE 2 CYBERSECURITY GUIDE: HACKERS AND DEFENDERS HARNESS DESIGN AND MACHINE LEARNING Across the globe, lives and livelihoods are increasingly For information-security professionals, successfully moving online, physical and digital worlds are beginning to defending against the fire hose of now-nonstop online overlap, and digital currencies with no real-world equivalent attacks are both the stuff of nightmares and the reason to can buy real-world goods and services. Artificial intelligence get out of bed in the morning. Who’s winning — the is powering autonomous vehicle decision-making,1 finding attackers or the defenders? new drug candidates2 daily and personalizing lessons3 to help students learn. At the same time, doctors are Given the daily drumbeat of successful intrusions that often performing life-saving surgeries on the other side of the cripple companies’ operations and erase millions of dollars in globe via the internet4 and robot proxies while networked stock value,5 it’s hard to tell. sensors shake up industries from power generation to public transit. Every year, the list of industries being disrupted by To bring the current and future landscape of cybersecurity sensors, smart machines, and microprocessors expand. into focus, HP conferred with leading experts in the field to create this comprehensive, up-to-date guide.
  • The Past, Present, and Future of Software Evolution

    The Past, Present, and Future of Software Evolution

    The Past, Present, and Future of Software Evolution Michael W. Godfrey Daniel M. German Software Architecture Group (SWAG) Software Engineering Group School of Computer Science Department of Computer Science University of Waterloo, CANADA University of Victoria, CANADA email: [email protected] email: [email protected] Abstract How does our system compare to that of our competitors? How easy would it be to port to MacOS? Are users still Change is an essential characteristic of software devel- angry about the spyware incident? As new features are de- opment, as software systems must respond to evolving re- vised and deployed, as new runtime platforms are envis- quirements, platforms, and other environmental pressures. aged, as new constraints on quality attributes are requested, In this paper, we discuss the concept of software evolu- so must software systems continually be adapted to their tion from several perspectives. We examine how it relates changing environment. to and differs from software maintenance. We discuss in- This paper explores the notion of software evolution. We sights about software evolution arising from Lehman’s laws start by comparing software evolution to the related idea of software evolution and the staged lifecycle model of Ben- of software maintenance and briefly explore the history of nett and Rajlich. We compare software evolution to other both terms. We discuss two well known research results of kinds of evolution, from science and social sciences, and we software evolution: Lehman’s laws of software evolution examine the forces that shape change. Finally, we discuss and the staged lifecycle model of Bennett and Rajlich. We the changing nature of software in general as it relates to also relate software evolution to biological evolution, and evolution, and we propose open challenges and future di- discuss their commonalities and differences.
  • Tricore Architecture Manual for a Detailed Discussion of Instruction Set Encoding and Semantics

    Tricore Architecture Manual for a Detailed Discussion of Instruction Set Encoding and Semantics

    User’s Manual, v2.3, Feb. 2007 TriCore 32-bit Unified Processor Core Embedded Applications Binary Interface (EABI) Microcontrollers Edition 2007-02 Published by Infineon Technologies AG 81726 München, Germany © Infineon Technologies AG 2007. All Rights Reserved. Legal Disclaimer The information given in this document shall in no event be regarded as a guarantee of conditions or characteristics (“Beschaffenheitsgarantie”). With respect to any examples or hints given herein, any typical values stated herein and/or any information regarding the application of the device, Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind, including without limitation warranties of non- infringement of intellectual property rights of any third party. Information For further information on technology, delivery terms and conditions and prices please contact your nearest Infineon Technologies Office (www.infineon.com). Warnings Due to technical requirements components may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies Office. Infineon Technologies Components may only be used in life-support devices or systems with the express written approval of Infineon Technologies, if a failure of such components can reasonably be expected to cause the failure of that life-support device or system, or to affect the safety or effectiveness of that device or system. Life support devices or systems are intended to be implanted in the human body, or to support and/or maintain and sustain and/or protect human life. If they fail, it is reasonable to assume that the health of the user or other persons may be endangered. User’s Manual, v2.3, Feb.
  • Secure by Design, Secure by Default: Requirements and Guidance

    Secure by Design, Secure by Default: Requirements and Guidance

    Biometrics and Surveillance Camera Commissioner Secure by Design, Secure by Default Video Surveillance Products Introduction This guidance is for any organisation manufacturing Video Surveillance Systems (VSS), or manufacturing or assembling components intended to be utilised as part of a VSS. It is intended to layout the Biometrics and Surveillance Camera Commissioners (BSCC) minimum requirements to ensure such systems are designed and manufactured in a manner that assures they are Secure by Design. It also contains certain component requirements that will ensure a configuration that is Secure by Default when the component is shipped, thereby making it more likely that the system will be installed and left in a secure state. This guidance forms part of a wider suite of documentation being developed as part of the SCC Strategy, in support of the SCC Code of Practice. Background and Context The nature of the Internet means that connected devices can be subjected to a cyber attack from anywhere in the world. Widespread attacks on connected products is a current and real threat, and a number of highly publicised attacks have already occurred. The Mirai malware targeted devices such as internet-enabled cameras (IP cameras). Mirai was successful because it exploited the use of common default credentials (such as a username and password being set by the manufacturer as ‘admin’) and poor security configuration of devices. Ultimately, this facilitated attacks on a range of commercial and social media services and included an outage of streaming services such as Netflix. An evolution of Mirai, called Reaper, has also been discovered. Reaper used publicly and easily available exploits that remained unfixed (patched) and highlighted the problem around non patching of known security vulnerabilities, allowing attackers to utilise them to cause harm.