Software Development Security - PowerPoint PPT Presentation

Slides: 76
Provided by: ced120

1
Software Development Security
2
Domain Objectives
  • Understand software-based security controls
  • Understand the software development and
    change/maintenance processes
  • Specialized security controls for database and
    Web applications
  • Describe malicious software
  • Controls for detection of malware
  • Define software engineering principles

3
Information Security TRIAD
4
Domain Agenda
  • Programming Concepts
  • Threats and Malware
  • Software Protection
  • Audit and Assurance Mechanisms
  • Database and Data Warehousing Environment
  • Web Application Environment

5
Application vs. Operating System
  • Project Management Controls
  • Complexity of Systems and Projects
  • Controls Built into Software

6
Generations of Programming Languages
  • Generation One - Machine language
  • Generation Two - Assembly language
  • Generation Three - High-level language
  • Generation Four - Very high-level language
  • Generation Five - Natural language

7
Programming Languages
  • COBOL, Fortran
  • C, C++, C#
  • Smalltalk, Java, Eiffel
  • Visual Programming Languages
  • Visual Basic, Visual C++, Delphi
  • BASIC, Logo, JavaScript

8
HTML, XML, and ActiveX
  • HTML
  • XML
  • ActiveX

9
Program Utilities
  • Assembler
  • Compiler
  • Interpreter

10
Programming Concepts
  • System Model
  • Von Neumann Architecture
  • Object-Oriented Programming (OOP)
  • Inheritance
  • Polymorphism
  • Polyinstantiation

11
Programming Concepts
  • Distributed Component Object Model (DCOM)
  • Common Object Request Broker Architecture (CORBA)

12
Domain Agenda
  • Programming Concepts
  • Threats and Malware
  • Software Protection
  • Audit and Assurance Mechanisms
  • Database and Data Warehousing Environment
  • Web Application Environment

13
Threats and Malware
  • Buffer Overflow
  • Denial of Service
  • Time of Check/Time of Use (TOC/TOU)

14
Threats and Malware
  • Malformed Input Attacks
  • SQL Injection
  • Unicode Attack
  • Executable Content/Mobile Code
  • Web Applets
  • Dynamic Email

15
Threats and Malware
  • Object Reuse
  • Garbage Collection
  • Trap Door

16
Threats and Malware
  • Incomplete Parameter Check and Enforcement
  • Covert Channels
  • Inadequate Granularity of Controls
  • Social Engineering
  • Multiple Paths to Information

17
Threats and Malware
  • Malicious Software
  • Modern malware is network aware
  • Compatibility - Platform Dominance
  • Malware Functionality

18
Virus
  • Central characteristic is reproduction
  • Generally requires some action by the user
  • May or may not carry payloads

19
Virus Types
  • Multipartite
  • Macro Virus
  • Script Virus
  • Hoax
  • File Infector
  • Boot Sector Infector
  • System Infector
  • Email Virus

20
Virus Anti-Detection
  • Stealth
  • Tunnelling
  • Polymorphism
  • Antivirus (anti-malware) Disabling

21
Virus Structure
  • Infection / Reproduction
  • Target Search
  • Infection
  • Avoidance
  • Trigger
  • Payload

22
Worm
  • Reproduces
  • Generally use loopholes in systems
  • May not involve user
  • Often attacks server software

23
Trojan Horse
  • Purported to be a positive utility
  • Hidden negative payload
  • Social Engineering

24
Logic Bomb
  • Generally implanted by an insider
  • Waits for condition or time
  • Triggers negative payload

25
Diddlers, Backdoors, and RATs
  • Data Diddler
  • Backdoor, Trapdoor
  • RAT (Remote Access Trojan)

26
Threats and Malware
  • DDoS Zombie
  • Prank
  • Spyware and Adware
  • Phishing
  • Botnets

27
Domain Agenda
  • Programming Concepts
  • Threats and Malware
  • Software Protection
  • Audit and Assurance Mechanisms
  • Database and Data Warehousing Environment
  • Web Application Environment

28
System Life Cycle
  • Project Management-based Methodology
  • Typical Phases of a System Life Cycle

29
System Life Cycle
  • Project Initiation and Planning
    Select/Approve Approach
    Identify Alternatives
    Establish User Requirements
  • Required Security Activities
    Determine Security Requirements
    Conduct Risk Analysis
    Define Security Strategy

30
System Life Cycle
  • Functional Design Definition
    Develop Project Plan
    Identify Functional Requirements
    Set Test Criteria
    Define Strategy
    Develop Functional Baseline
  • Required Security Activities
    Include Security Requirements in RFPs, Contracts
    Include Functional Security Requirements
    Identify Security Areas
    Establish Security Requirements
    Security Tests
    Prepare Risk Analysis and Contingency Plan

31
System Life Cycle
  • Detailed Design Specifications
    Develop Formal Baseline
    Update Testing Goals and Plans
    Prepare Detailed Designs
  • Required Security Activities
    Document Security Baseline
    Establish Security Specifications
    Update Security Test Plans

32
System Life Cycle
  • Develop and Document
    Document System
    Unit Testing Evaluation
    Develop System
  • Required Security Activities
    Develop Security Code
    Security Code Evaluation
    Document Security Code

33
System Life Cycle
  • Acceptance, Testing and Transition to Production
    Steps: Test, Validate, Implement, Document, Certify, Accept
    System Components
    System Performance
    Integrated System
    Project Manuals
    Acceptance Test
    System
  • Required Security Activities
    Security in Integrated System
    Security Components
    Security Code
    Security Controls
    Secure Operations
    Secure System

34
System Life Cycle
  • Decommissioning / Disposal
  • Critical data recovered or destroyed
  • Media sanitized or destroyed
  • Software removal

35
Software Development Methods
  • Waterfall
  • Spiral
  • Clean-room
  • Structured Programming Development

36
Software Development Methods
  • Iterative Development
  • Joint Analysis Development (JAD)
  • Prototyping
  • Modified Prototype Model (MPM)
  • Exploratory Model
  • Rapid Application Development (RAD)

37
Software Development Methods
  • Reuse Model
  • Computer Aided Software Engineering (CASE)
  • Component Based Development
  • Extreme Programming

38
Additional Software Protection Mechanisms
  • Cryptography
  • Access Controls
  • Open source
  • Social Engineering Awareness
  • Backup and Redundancy Controls
  • Malicious Code Control
  • Documentation and Common Program
  • Testing and Evaluation
  • Mobile Code Controls
  • Data Contamination Controls

39
Domain Agenda
  • Programming Concepts
  • Threats and Malware
  • Software Protection
  • Audit and Assurance Mechanisms
  • Database and Data Warehousing Environment
  • Web Application Environment

40
Auditing and Assurance Mechanisms
  • Information Integrity
  • Information Auditing
  • Malware Assurance

41
Change Management Process
  • Formal Request for Change
  • Analyze Request for feasibility, impact, timeline
    (security)
  • Develop Implementation Strategy
  • Approval of Change
  • Develop the Change
  • Implement and test the Change
  • Review Change Effectiveness
  • Report to Management

42
Testing
  • Last chance to avoid a disaster
  • Testing is intended to find the problems
  • Tests should address all normal and unexpected
    entries and conditions
  • Do not compromise privacy with test data

43
Configuration Management
  • Configuration Management
  • Patch Management
  • Patch Management Process

44
Patch Management
  • Potential problem areas
  • Distribution System Failures
  • Patch Failures
  • Inadequate Testing Validation
  • Patch Rollback
  • Load on the network
  • Stability issues and other regression issues

45
Domain Agenda
  • Programming Concepts
  • Threats and Malware
  • Software Protection
  • Audit and Assurance Mechanisms
  • Database and Data Warehousing Environment
  • Web Application Environment

46
Database Environment
  • Database Management Systems
  • Databases - Developed to manage information from
    many sources in one location
  • Eliminates duplication of information
  • Preserves storage space
  • Prevents inconsistency in data by making changes
    in one central location

47
Database Environment
  • Major Elements
  • DBMS should provide
  • Transaction Persistence
  • Fault Tolerance and Recovery
  • Sharing by Multiple Users
  • Security Controls

48
DBMS Models
  • Hierarchical DBMS
  • Stores records in a single table
  • Parent/child relationships
  • Limited to a single tree
  • Difficult to link branches

(Figure: single hierarchical tree with Car at the root; Honda, Toyota and
Mazda one level below; Civic, Accord and CRV below Honda; and 4-door and
2-door one level further down)

49
DBMS Models
  • Network DBMS
  • Represents data as network of records and sets
    that are related to each other, forming a network
    of links
  • Record types - records of the same type
  • Set types - relationship between record types

50
DBMS Models
(Figure: network model with the records Ford, Mazda and BMW linked through
the sets 4 x 4 (X3, X5), Truck (E Series, Freestar) and Regular (Mazda 3,
Mazda 6), plus the option records 5 Speed Transmission, Leather Interior
and Front and Rear Climate Controls shared across the network of links)

51
DBMS Models
  • Relational DBMS
  • Most frequently used DBMS model
  • Data are structured in tables
  • Columns represent the variables (attributes)
  • Rows contain the specific instances (records) of
    data

52
DBMS Models
  • Author Table: the columns are the attributes, the rows are the
    tuples (records), and Author No. is the primary key

    Author No.  Last Name  First Name  State
    123456      Smithson   Mary        CA
    234567      Rogers     Mike        NY
    345678      Tucker     Sally       CT
    456789      Gleason    Sarah       IL

53
DBMS Models
  • Author Table (primary key: Author No.)

    Author No.  Last Name  First Name  State
    123456      Smithson   Mary        CA
    234567      Rogers     Mike        NY
    345678      Tucker     Sally       CT
    456789      Gleason    Sarah       IL

  • Book Table (primary key: Book No.; foreign key: Author No.,
    referencing the Author Table)

    Book No.  Book Title                Book Type  Book Price  Author No.
    PC1234    Learning Database Models  Computer   39.99       123456
    PC4321    Data Modeling Techniques             69.99       234567
    PC6789    Designing a Database      Computer   39.99       345678
    PC9876    Secrets of Databases      Computer   19.99       456789

56
DBMS Models
  • Relational Database Security Issues
  • Ensuring integrity of input data
  • Preventing deadlocking
  • Access controls

57
DBMS Models
  • OODBMS / ORDBMS
  • OODBMS (Object Oriented Database Management
    System)
  • ORDBMS (Object Relational Database Management
    System)

58
Database Interface Languages
  • Open Database Connectivity (ODBC)
  • Java Database Connectivity (JDBC)
  • eXtensible Markup Language (XML)
  • Structured Query Language (SQL)

59
Database Security Issues
  • Query Attacks
  • Bypass Attacks
  • Interception of Data
  • Web Security
  • Data Contamination
  • Inference
  • Aggregation
  • Unauthorized Access
  • Improper Modification of Data
  • Access Availability

60
View-Based Access Controls
  • Constrained views
  • Sensitive data is hidden from unauthorized users
  • Controls located in the front-end application
    (user interface)

61
Data Warehouse
  • Consolidated view of enterprise data
  • Data Mart
  • Designed to support decision making through data
    mining

62
Building Data Warehouse
  • Feed all data into large, high-security database
  • Normalize the data
  • Mine the data for correlations to produce
    metadata
  • Sanitize and export the metadata to its intended
    users

63
Metadata
  • Information about data
  • Provides unseen relationships between data

64
Knowledge Discovery in Databases (KDD)
  • Methods of identifying patterns in data
  • Some KDD methods use artificial intelligence (AI)
    techniques
  • Probabilistic Models
  • Statistical Approach
  • Classification Approach
  • Deviation and Trend Analysis
  • Neural Networks
  • Expert System Approach

65
Knowledge Management Security Controls
  • Protect knowledge database
  • Routinely verify decisions

66
Online Transaction Processing (OLTP)
  • Records transactions as they occur in real-time
  • Security concerns are concurrency and atomicity
  • Lock Controls

67
Lock Controls - The ACID Test
  • Atomicity
  • Consistency
  • Isolation
  • Durability

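The relational model of slides 51 to 53, the constrained view of slide 60 and the atomicity requirement of slides 66 and 67 can all be exercised on one small database. The following is an added example and not code from the slide deck: it builds the deck's Author and Book tables in SQLite, enforces the primary and foreign keys, publishes a view that withholds the State column, binds a user-supplied value as a query parameter rather than splicing it into SQL text, and shows a two-statement transaction that either commits whole or rolls back whole. The table and view names (author, book, price_audit, public_catalogue) and the audit table itself are assumptions made for the example.

```python
"""Relational tables, a constrained view and an atomic transaction with sqlite3.

Added example, not code from the slide deck. Table and view names are assumptions.
"""
import sqlite3

# Constructed sample rows, copied from the deck's Author and Book tables.
AUTHORS = [
    (123456, "Smithson", "Mary", "CA"),
    (234567, "Rogers", "Mike", "NY"),
    (345678, "Tucker", "Sally", "CT"),
    (456789, "Gleason", "Sarah", "IL"),
]
BOOKS = [
    ("PC1234", "Learning Database Models", "Computer", 39.99, 123456),
    ("PC4321", "Data Modeling Techniques", None, 69.99, 234567),  # type not given on the slide
    ("PC6789", "Designing a Database", "Computer", 39.99, 345678),
    ("PC9876", "Secrets of Databases", "Computer", 19.99, 456789),
]


def build_db() -> sqlite3.Connection:
    """Create both tables, an audit table and the constrained view, then load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES unless this is on
    conn.executescript(
        """
        CREATE TABLE author (
            author_no  INTEGER PRIMARY KEY,
            last_name  TEXT NOT NULL,
            first_name TEXT NOT NULL,
            state      TEXT
        );
        CREATE TABLE book (
            book_no    TEXT PRIMARY KEY,
            title      TEXT NOT NULL,
            book_type  TEXT,
            price      REAL NOT NULL,
            author_no  INTEGER NOT NULL REFERENCES author(author_no)
        );
        -- Every price change must leave an audit row; negative prices are rejected here.
        CREATE TABLE price_audit (
            book_no   TEXT NOT NULL REFERENCES book(book_no),
            old_price REAL NOT NULL,
            new_price REAL NOT NULL CHECK (new_price >= 0)
        );
        -- Constrained view: the catalogue without the author's State column.
        CREATE VIEW public_catalogue AS
            SELECT b.book_no, b.title, b.price, a.last_name, a.first_name
            FROM book b JOIN author a ON a.author_no = b.author_no;
        """
    )
    conn.executemany("INSERT INTO author VALUES (?, ?, ?, ?)", AUTHORS)
    conn.executemany("INSERT INTO book VALUES (?, ?, ?, ?, ?)", BOOKS)
    conn.commit()
    return conn


def view_columns(conn: sqlite3.Connection) -> list:
    """Column names visible through the constrained view (no 'state')."""
    cur = conn.execute("SELECT * FROM public_catalogue LIMIT 1")
    return [d[0] for d in cur.description]


def orphan_book_rejected(conn: sqlite3.Connection) -> bool:
    """Referential integrity: a book that points at an unknown author is refused."""
    try:
        conn.execute("INSERT INTO book VALUES (?, ?, ?, ?, ?)",
                     ("PC0000", "Orphan", "Computer", 9.99, 999999))  # no author 999999
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


def books_by_author(conn: sqlite3.Connection, last_name: str) -> list:
    """Parameterised lookup: the value is bound as data, never spliced into SQL text."""
    rows = conn.execute(
        "SELECT title FROM public_catalogue WHERE last_name = ? ORDER BY title",
        (last_name,),
    )
    return [r[0] for r in rows]


def price(conn: sqlite3.Connection, book_no: str) -> float:
    """Current price of one book, read from the base table."""
    return conn.execute("SELECT price FROM book WHERE book_no = ?", (book_no,)).fetchone()[0]


def atomic_price_change(conn: sqlite3.Connection, book_no: str, new_price: float) -> bool:
    """Atomicity: the UPDATE and the audit INSERT commit together or not at all.
    A negative new_price fails the audit CHECK, and the already-applied UPDATE
    is rolled back with it, so the book never shows the bad price."""
    old_price = price(conn, book_no)
    try:
        with conn:  # commits on normal exit, rolls back if an exception escapes
            conn.execute("UPDATE book SET price = ? WHERE book_no = ?", (new_price, book_no))
            conn.execute("INSERT INTO price_audit VALUES (?, ?, ?)",
                         (book_no, old_price, new_price))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = build_db()
    print(view_columns(db))
    print(books_by_author(db, "Smithson"))
    print(atomic_price_change(db, "PC1234", -5.0), price(db, "PC1234"))
```

The view is the slide's "constrained view" control: a user who is only granted the view never sees State, whatever query they write. The foreign key and the audit CHECK are the DBMS-side integrity controls; the transaction wrapper is what turns two statements into one atomic unit, which is the OLTP concern the deck summarises as the ACID test.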
68
Domain Agenda
  • Programming Concepts
  • Threats and Malware
  • Software Protection
  • Audit and Assurance Mechanisms
  • Database and Data Warehousing Environment
  • Web Application Environment

69
Web Site Incidents
  • Vandalism
  • Financial fraud
  • Privileged access
  • Theft of transaction information
  • Theft of intellectual property
  • Denial of Service (DoS)

70
Web Hacks
  • Majority of hacks at the application level
  • Firewalls provide minimal protection
  • Information Gathering
  • Administrative Interfaces
  • Configuration Management
  • Authentication / Access Control

71
Web Hacks
  • Input Validation
  • Parameter Manipulation
  • Session Management

72
Web Application Security Principles
  • Validate all input and output
  • Fail Secure (closed)
  • Fail Safe
  • Make it simple
  • Defense in depth
  • Only as secure as your weakest link
  • Security by obscurity

73
Web Application Security Principles
  • Do not cache secure pages
  • Ensure all encryption meets industry standards
  • Monitor third party code vendors for security
    alerts
  • Handle exceptions properly
  • Do not trust any data from the client
  • Do not trust data from other servers, partners,
    or other parts of the application

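The principles on slides 72 and 73 (validate all input, fail secure, handle exceptions properly, do not trust any data from the client) translate directly into request-handling code. The following is an added example and not code from the slide deck: a minimal handler that checks a client parameter against an allow-list and rejects rather than sanitises, takes the caller's identity only from a server-side session, and fails closed whenever the role is unknown or the permission lookup errors. The Request and Response types, the SESSIONS and PERMISSIONS stores and the handle() function are assumptions made for the example.

```python
"""Fail-closed request handling for a web endpoint.

Added example, not code from the slide deck; all names are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Allow-list for the client-supplied identifier: two capital letters and four digits.
ORDER_ID = re.compile(r"[A-Z]{2}[0-9]{4}")

# Constructed server-side session store. The session id is the only client-sent
# value used to identify the caller; the role is never taken from the request.
SESSIONS = {
    "s-7f3a": {"user": "mary", "role": "reader"},
    "s-c0de": {"user": "sally", "role": "admin"},
    "s-dead": {"user": "old", "role": "superuser"},  # role no longer defined below
}

# Permission matrix: an action is allowed only if it is listed for the role.
PERMISSIONS = {
    "reader": {"view_order"},
    "admin": {"view_order", "delete_order"},
}


@dataclass
class Request:
    session_id: Optional[str]
    params: dict


@dataclass
class Response:
    status: int
    body: str


def validate_order_id(value) -> Optional[str]:
    """Reject anything that is not exactly one allow-listed identifier (no sanitising)."""
    if not isinstance(value, str) or ORDER_ID.fullmatch(value) is None:
        return None
    return value


def is_allowed(role: str, action: str) -> bool:
    """Fail secure: an unknown role or any lookup error means 'deny'."""
    try:
        return action in PERMISSIONS[role]
    except Exception:
        return False


def handle(req: Request, action: str) -> Response:
    """Process one request: authenticate, validate input, authorise, then act."""
    session = SESSIONS.get(req.session_id)  # a params entry like role=admin is ignored
    if session is None:
        return Response(401, "no valid session")
    order_id = validate_order_id(req.params.get("order"))
    if order_id is None:
        return Response(400, "invalid order id")
    if not is_allowed(session["role"], action):
        return Response(403, "forbidden")
    return Response(200, f"{action} {order_id} for {session['user']}")


if __name__ == "__main__":
    print(handle(Request("s-7f3a", {"order": "PC1234"}), "view_order"))
    print(handle(Request("s-7f3a", {"order": "PC1234", "role": "admin"}), "delete_order"))
    print(handle(Request("s-c0de", {"order": "PC1234; DROP TABLE book"}), "view_order"))
```

Two design choices carry the slide's principles: the validator uses fullmatch against an allow-list, so a trailing newline or an injected suffix fails outright instead of being trimmed, and the authorisation check returns False on any exception, so a broken or stale permission table denies access rather than granting it.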
74
Domain Summary
  • Understand software-based security controls
  • Understand the software development and
    change/maintenance processes
  • Specialized security controls for database and
    Web applications
  • Describe malicious software
  • Controls for detection of malware
  • Define software engineering principles

75
Security
Transcends
Technology