Welcome back. A very comprehensive source of current threats is maintained by the MITRE Corporation, a federally funded research and development center. The webpage of interest is MITRE, excuse me, cve.mitre.org. CVE stands for Common Vulnerabilities and Exposures. If you go there, you'll see this page. The data which you can download is the link in the center top of the page, circled in red. If you click on that link, you'll get the following page from which you can download the entire vulnerability list in different formats.

There's also a search link circled on the next slide. This will show you how to search for vulnerabilities by keywords. For example, you can enter Windows 10 and obtain a list of all the vulnerabilities affecting Windows 10. By following the links associated with the vulnerability, you can learn more about the nature of the threat and the fixes that are available, and how this ranks in seriousness against other threats.

The primary value of the CVE database in the design context is to familiarize you with the threat landscape. You'll see that many of the threats arise from unchecked user input. This may give you an idea of how to make your design more secure. Also, the threat database is time ordered, so you can get an idea of how the threat has increased over time. Here's the result of searching for Adobe Acrobat, and plotting the number of CVEs per year from 2000 to 2016. As you might expect from everything you've read about viruses, there's been a dramatic increase in assaults, not only against Acrobat but also many other common applications. Including yours.

So, what can we do about the threats? It's certainly useful to analyze the threats against a piece of software to see how your software can be exploited. But another approach, especially if you need answers fast, is to look at the Common Weakness Enumeration, CWE. This is also a knowledge database supported by MITRE, so go to cwe.mitre.org to get started. This brings us to this webpage.
The CWE is an organized list of common software errors. Many of these errors are at the implementation level. As always, they're useful to know, but let's look at something that's more along the design level: handling of user inputs. Select "View by Development Concepts". On the next page, select "Web Problems" from the list that's presented. Then select "URL Redirection to Untrusted Site". This brings you to a page with information about that particular weakness. You can explore this page to learn how to identify the weakness and how to resolve it at the architectural or the design level.

So in this lesson, we've introduced you to two powerful sources of information about threats and mitigations. The common vulnerabilities list gives you insight into what the current threat might be. The common weaknesses list can give you ideas on how to avoid pitfalls and mitigate those threats. Thanks for your time. Now, in the next talk, we'll look at why we call these things viruses and what might be an implication of this medical or biological model.
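
Added example, not part of the lecture: the weakness the lecture navigates to, URL redirection to untrusted site, arises when a user-supplied URL is used as a redirect target without being checked. The sketch below puts that unchecked pattern beside an allowlist check; the host `app.example.com`, the function names and the sample values are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the application's own host and its fallback page.
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_TARGET = "/"


def unchecked_redirect_target(next_url):
    """Weak pattern: the user-supplied value becomes the redirect target as-is."""
    return next_url


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS):
    """Return next_url only if it stays on this site or an allowlisted host."""
    if not next_url:
        return DEFAULT_TARGET
    # Browsers treat "\" like "/" and drop control characters, so a value
    # containing either can parse differently here than in the browser.
    if "\\" in next_url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in next_url):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(next_url)
    except ValueError:
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a single-slash absolute path only, because
        # browsers read a leading "//" or "///" as the start of a host name.
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return DEFAULT_TARGET
    # Absolute URL: require https, an allowlisted host and no userinfo part.
    if (parts.scheme == "https" and parts.hostname in allowed_hosts
            and parts.username is None and parts.password is None):
        return next_url
    return DEFAULT_TARGET


# Constructed sample values for a hypothetical "next" parameter.
SAMPLES = ["/account/settings", "https://app.example.com/home",
           "https://other.example/login", "//other.example/",
           "https://app.example.com.other.example/"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: unchecked -> {unchecked_redirect_target(s)!r}, "
              f"checked -> {safe_redirect_target(s)!r}")
```

The check is applied on the server at the point where the redirect is issued, so every code path that redirects goes through the same function.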