Application and System Development

1
Application and System Development

• CISSP

2
Introduction

• Topic Application and System Development
• General security principles
• The Problem
• The Controls

3
General Security Principles

• Accountability
• Authorization
• Logging
• Separation of duties
• Least privilege
• Risk reduction
• Layered defense

4
The Initial Problem

• Information
• Internet uses data to transfer
• Access to Information in a Database
• Release of information
• Modification of information
• Denial of service
• Discretionary vs Mandatory
• Specific authorization granted and denied
• Authorization based on assigned classification
• Relational vs Object Oriented

5
Relational Database

• Tables
• Relation (Table or set of columns in table)
• With Attributes (Columns)
• Having Permissible values
• Specific Attribute is Key with unique values
• Occurring in Instances (Rows)
• Tuple of a Relation Instance
• Views
• Virtual Relations (tables)
• With selected Attributes
• Linked by Key attributes

6
Relational Database Controls

• Grant/Revoke Privileges by Table, Column, Key set
• Permissions by View combining specific Tables,
  Columns, Key sets
• Conceptually dividing the database into pieces to
  allow sensitive data to be hidden from
  unauthorized users
• Authorizations for specific views having specific
  attributes, and for actions to perform within
  those views
• DAC, by specific grant to user or group by owner
• MAC, by classification level
• Granularity - fineness of control permissible
  in database controls - dependent upon database
  and implementation

7
Relational Database Issues

• Issues
• Verifying access granted - DAC
• Verifying that View limitations function - MAC
• Preventing users from creating a copy (becoming
  owner) and granting access to others

8
Object-Oriented Database

• Subjects
• Objects
• Methods of accessing them
• Controls using Encapsulation, Inheritance,
  Information hiding
• Granularity - fineness of control permissible
  in database controls

9
DAC Object-Oriented Models

• ORION - Explicit authorization for groups of
  users to objects based on role
• Data Hiding (Dr. Elisa Bertino) - Explicit
  authorization for (groups of) users to objects
  using public methods
• Control of Function Evaluations (Rafiul Ahad) -
  Explicit authorization for (groups of) users to
  execute specific methods
• Methods Data Hiding (Joel Richardson) - Explicit
  authorization to execute specific methods
  determined by the owner

10
DAC Object-Oriented Models - 2

• Positive/Negative Authorizations (Dr Eduardo
  Fernandez) - Explicit positive and negative
  authorizations
• View Mechanism (Dr Naftaly Minsky) - Multiple
  interfaces to objects with a list of laws (rules)
  governing access

11
MAC Object-Oriented Models

• SORION (Dr Bhavani Thuraisingham) - Assigns
  security/sensitivity levels to subjects, objects
  and access methods and regulates access via
  properties based on sensitivity levels
• Millen-Lunt Model - Assigns sensitivity levels to
  subjects, objects and access methods and
  regulates access via axioms and three cases
• Data is classified
• Existence of data is classified
• Reason for classifying data is classified
• SODA (Dr Thomas Keefe) - Secure Object-Oriented
  Database
• Presented as a standard example
• Assigns classification levels via inheritance

12
Object-Oriented Issues

• Polyinstantiation
• Producing a more defined version of an object by
  iteratively replacing variables with other
  variables or values
• Information located in more than one location for
  use by more than one user, usually having
  different security levels
• Requires sensitive information to be removed when
  stored at lower levels
• Insuring integrity with multiple updates going on
  is difficult
• Polymorphism
• Different objects responding to a common command
  in different ways

13
Programming/Data Attacks

• Salami attack
• Data diddling
• Fraud
• Logic bomb
• Mistakes
• Boundary errors
• Validation errors
• Time of Check/Time of Use (serialization) errors
• Covert channels

14
Database Controls

• Biggest issue still mistakes, omissions
• Protection by operating system/platform/db
• Physical data base integrity
• Logical data base integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
• Two-phase update (Intent/Commit and Lock)
• Error detection/correction
• Integrity with multiple instances
  (polyinstantiation)

15
Applications Beyond the Database

• Centralized systems
• Biggest issue still mistakes, omissions
• Protection by operating system/platform
• Physical data base integrity
• Logical data base integrity
• Element integrity
• Database and controlled access links
• Layers of vulnerabilities
• Examples and Vulnerabilities

16
Applications Beyond the Database

• Centralized systems
• Distributed systems
• More normal now
• Decentralized - connected or unconnected but
  related platforms running independent copies of
  software with independent copies of data

17
Applications Beyond the Database

• Centralized systems
• Distributed systems
• Decentralized - connected or unconnected but
  related platforms running independent copies of
  software with independent copies of data
• Dispersed - interconnected and related
  platforms running the same software and using the
  same data, one of which (data or software) is
  centralized
• Accommodates change
• Deploys resources
• Improves performance
• Lower risk of system failure due to hardware
  malfunction

18
Applications Beyond the Database

• Centralized systems
• Distributed systems
• Decentralized - connected or unconnected but
  related platforms running independent copies of
  software with independent copies of data
• Dispersed - interconnected and related
  platforms running the same software and using the
  same data, one of which (data or software) is
  centralized
• Interoperable or Cooperative - interconnected
  platforms running independent copies of software
  with independent copies of data
• Combines processing from dissimilar platforms
• Independently execute/test each component

19
Definitions

• Loose coupling
• weak dependencies between modules
• High cohesion
• modules perform discrete functions
• Together, design supporting distributed systems
• Agent
• Client/server local link to other areas of
  system, performs information preparation
  exchange for client or server

20
Potential Vulnerabilities

• Data problems
• Aggregation - building new objects from existing
  objects
• Inference deriving information not explicit
• Object reuse/garbage collection - reclaiming
  information from dynamic storage
• Data contamination

21
Potential Vulnerabilities

• Malicious Code
• Trojan horse - program with hidden and
  undesirable functions
• Virus - malicious, usually destructive, code that
  infects other programs to propagate itself
• Logic bomb - hidden code designed to perform
  undesirable activities upon receiving or
  observing a specific condition
• Letter bomb - email attachment with malicious
  code
• Worm - a program that uses communications methods
  to propagate itself between systems
• Applet - platform-independent download-and-run
  mini-program used in Java programming

22
Other Definitions

• Java
• Sun platform-independent programming language
• Object-oriented, distributed, interpreted
• ActiveX
• Microsoft replacement for Java - stripped OLE,
  designed to run on slow Internet links

23
Potential Vulnerabilities

• Access problems
• Trap door - secret way in
• Back door - unapproved method of accessing the
  system
• Covert channel - Unapproved communications link
  between application and another
• Covert storage channel - Writing to storage
  through one process, and reading by another
  (lower security level)
• Covert timing channel - Processes signal to one
  another by modulating system use
• Physical access to the area

24
Vulnerabilities Summary

• Spoofing/Eavesdropping
• Unable to identify/track access/updates
• Theft of information or hard assets
• Improper access to information
• Improper update of information
• Improper destruction of information
• Lack of or inadequate data validation
• Data overwrites
• Incorrect internal processing
• Direct data access

25
Definitions

• Data mining
• Analyzing databases for trends/anomalies using
  automated tools without knowledge of data
• Knowledge-base system
• System to query a collection of knowledge
  expressed using a formal knowledge representation
  language
• Artificial Neural Network
• Simple processors networked on a uni-directional
  communications channel that operate on local data
  and input from the connection
• able to learn from example and to generalize

26
Definitions

• OLE
• MS Object Linking Embedding
• CORBA
• Common Object Request Broker Architecture (Object
  Management Group)
• Structured Programming
• Using programming rules and procedures and
  pre-programmed modules
• MDAC Microsoft Data Access Components

27
Object-Oriented Concepts

• Abstract Data Type is an abstract view to define
  properties of a set of entities.
• class is an actual representation of an ADT
• (Object) An object is an instance of a class. It
  can be uniquely identified by its name and it
  defines a state which is represented by the
  values of its attributes at a particular time.

28
Controls - Personnel Issues

• Accountability and Risk Reduction
• Background checks of all personnel
• Separation of Duties
• Separate responsibilities for application
  development, approval, implementation, support

29
Application System Development

• Implement a Systems Development Life Cycle
• Quality Assurance program
• Involve QA/QC, Audit, Information Security
• Enforce review and approval of all applications

30
Application System Development

• Systems Development Life Cycle
• Applies to new development AND system maintenance

31
Application System Development

• Systems Development Life Cycle
• Applies to new development AND system maintenance
• Include infosec reviews at each milepost of cycle
• Verify that security requirements have been met
• Perform review of design and code

32
Application System Development

• Project Initiation
• Involve information security in initial
  discussion of project
• Perform Risk Assessment to
• Define sensitivity of information
• Define criticality of system
• Define security risks
• Define level of protection needed
• Ensure regulatory/legal/privacy issues are
  addressed
• Ensure requirements can be met by application

33
Application System Development

• Project Definition (Design Analysis)
• Functional/system design requirements
• Determine acceptable level of risk
• Level of loss
• Percentage of loss
• Permissible variance
• Identify security requirements and controls
• Determine exposure points in process
• Define controls to mitigate exposure
• Ensure requirements can be met by application

34
Application System Development

• System Design (Design Specification)
• Detailed planning of functional components
• Design program controls
• Design security mechanisms
• Design test plan
• Design verification
• Mathematical verification of model and design
  correspondence

35
Application System Development

• Programming/Training (Software Development)
• Development personnel should be authorized to
  work on system
• Document security
• Training of support personnel and users

36
Application System Development

• Installation, Evaluation and Testing
• Development staff should not conduct
  evaluation/testing
• Certification of security functionality
• Certification of processing integrity
• Desk check, operational test

37
Definitions

• Acceptance
• Verification that performance and security
  requirements have been met
• Accreditation
• Formal acceptance of security adequacy,
  authorization for operation and acceptance of
  existing risk (QC)
• Certification
• Formal testing of security safeguards
• Operational assurance
• Verification that a system is operating according
  to its security requirements
• Assurance
• Degree of confidence that the implemented
  security measures work as intended

38
Application System Development

• Systems Development Life Cycle
• Applies to new development AND system maintenance
• Include infosec reviews at each milepost of cycle
• Project Initiation
• Project Definition (Design Analysis)
• System Design (Design Specification)
• Programming and Training (Software Development)
• Installation, Evaluation and Testing
• Destruction

39
The Real World

• Systems Development Life Cycle
• Organizations understaffed, wear too many hats
• Separation of duties seldom complete
• Infosec seldom involved in initial stages of
  development
• Risks seldom adequately assessed
• Exposure points and controls seldom adequately
  determined
• Code checks are often skimped
• Approvals are often perfunctory
• Development process continues without formal
  approval
• Few limits on access to program code
• Change control for programs only

40
Operational Issues

• Implementation and Operation
• Code issues - Change Control
• Data issues
• Access
• Integrity
• Personnel issues

41
Controls

• Implementation and Operation
• All support personnel should be authorized
• All code should be reviewed prior to
  implementation

42
Controls

• Separation of Duties -
• Development staff should not review, implement
  systems
• Development staff should not support production
  data
• Development staff should not manage security
  function

43
Controls

• Accountability -
• No access should be permitted directly to
  database
• Production data should be managed by users, not
  support staff

44
Controls

• Implementation and Operation
• All support personnel should be authorized
• All code should be reviewed prior to
  implementation
• Development staff should not review, implement
  systems
• Development staff should not support production
  data
• Development staff should not manage security
  function
• Accountability -
• No access should be permitted directly to
  database
• Production data should be managed by users, not
  support staff
• All access to production data should be logged

45
Controls

• Implementation and Operation
• All support personnel should be authorized
• All code should be reviewed prior to
  implementation
• Development staff should not review, implement
  systems
• Development staff should not support production
  data
• Development staff should not manage security
  function
• No access should be permitted directly to
  database
• Production data should be managed by users, not
  support staff
• All access to production data should be logged
• Least Privilege
• Access control
• Access should be given to necessary data fields
  only

46
Controls

• Implementation and Operation
• All support personnel should be authorized
• All code should be reviewed prior to
  implementation
• Development staff should not review, implement
  systems
• Development staff should not support production
  data
• Development staff should not manage security
  function
• No access should be permitted directly to
  database
• Production data should be managed by users, not
  support staff
• All access to production data should be logged
• Access should be given to necessary data fields
  only
• Layered Defense
• Access controls should be used in addition to
  system access

47
The Real World

• Implementation and Operation
• Organizations understaffed, wear too many hats
• Separation of duties seldom complete
• Development staff often support production
  systems
• IT staff often maintain production data
• Access is often granted on basis of least effort

48
An Example Y2K Remediation

• Y2K remediation being done off site
• 3rd party?
• Overseas?
• Background checks?

49
An Example Y2K Remediation

• Y2K remediation being done off site
• Code returned
• Data corrections being performed by IT
  remediation staff

50
Definitions

• Loose coupling
• weak dependencies between modules
• High cohesion
• modules perform discrete functions
• Due Care
• minimum and customary practice of responsible
  protection of assets that reflects a community or
  societal norm
• Due Diligence
• prudent management and execution of due care

51
Final Considerations

• What does the development life cycle and change
  control implementation cover?
• Applications programs?
• Supporting libraries?
• Operating systems?
• Proportionality