Application Security - Home Page

Software Development Security
Domain Objectives
• Understand software-based security controls
• Understand the software development and change/maintenance processes
• Specialized security controls for database and Web applications
• Describe malicious software
• Controls for detection of malware
• Define software engineering principles
2
Information Security TRIAD
[Figure: triangle of Confidentiality, Integrity and Availability surrounding Information Security]
3
Domain Agenda
• Programming Concepts
• Threats and Malware
• Software Protection
• Audit and Assurance Mechanisms
• Database and Data Warehousing Environment
• Web Application Environment
4
Application vs. Operating System
• Project Management Controls
• Complexity of Systems and Projects
• Controls Built into Software
5
Generations of Programming Languages
• Generation One - Machine language
• Generation Two - Assembly language
• Generation Three - High-level language
• Generation Four - Very high-level language
• Generation Five - Natural language
6
Programming Languages
• COBOL, Fortran
• C, C-Plus, C++
• Smalltalk, Java, Eiffel
• Visual Programming Languages
• Visual Basic, Visual C, Delphi
• BASIC, Logo, JavaScript
7
HTML, XML, and ActiveX
• HTML
• XML
• ActiveX
8
Program Utilities
• Assembler
• Compiler
• Interpreter
9
Programming Concepts
• System Model
• Von Neumann Architecture
• Object-Oriented Programming (OOP)
• Inheritance
• Polymorphism
• Polyinstantiation
10
Programming Concepts
• Distributed Component Object Model (DCOM)
• Common Object Request Broker Architecture (CORBA)
11
Domain Agenda
• Programming Concepts
• Threats and Malware
• Software Protection
• Audit and Assurance Mechanisms
• Database and Data Warehousing Environment
• Web Application Environment
12
Threats and Malware
• Buffer Overflow
• Denial of Service
• Time of Check/Time of Use (TOC/TOU)
13
Threats and Malware
• Malformed Input Attacks
• SQL Injection
• Unicode Attack
• Executable Content/Mobile Code
• Web Applets
• Dynamic Email
14
Threats and Malware
• Object Reuse
• Garbage Collection
• Trap Door
15
Threats and Malware
• Incomplete Parameter Check and Enforcement
• Covert Channels
• Inadequate Granularity of Controls
• Social Engineering
• Multiple Paths to Information
16
Threats and Malware
• Malicious Software
• Modern malware is network aware
• Compatibility - Platform Dominance
• Malware Functionality
17
Virus
• Central characteristic is reproduction
• Generally requires some action by the user
• May or may not carry payloads
18
Virus Types
• File Infector
• Multipartite
• Boot Sector Infector
• Macro Virus
• System Infector
• Script Virus
• Email Virus
• Hoax
19
Virus Anti-Detection
• Stealth
• Tunnelling
• Polymorphism
• Antivirus (anti-malware) Disabling
20
Virus Structure
• Infection / Reproduction
• Target Search
• Infection
• Avoidance
• Trigger
• Payload
21
Worm
• Reproduces
• Generally use loopholes in systems
• May not involve user
• Often attacks server software
22
Trojan Horse
• Purported to be a positive utility
• Hidden negative payload
• Social Engineering
23
Logic Bomb
• Generally implanted by an insider
• Waits for condition or time
• Triggers negative payload
24
Diddlers, Backdoors, and RATs
• Data Diddler
• Backdoor, Trapdoor
• RAT (Remote Access Trojan)
25
Threats and Malware
• DDOS Zombie
• Prank
• Spyware and Adware
• Phishing
• BotNets
26
Domain Agenda
• Programming Concepts
• Threats and Malware
• Software Protection
• Audit and Assurance Mechanisms
• Database and Data Warehousing Environment
• Web Application Environment
27
System Life Cycle
• Project Management-based Methodology
• Typical Phases of a System Life Cycle
28
System Life Cycle
• Project Initiation and Planning
  • Establish User Requirements
  • Identify Alternatives
  • Select/Approve Approach
  Required Security Activities:
  • Determine Security Requirements
  • Conduct Risk Analysis
  • Define Security Strategy
29
System Life Cycle
• Functional Design Definition
  • Develop Project Plan
  • Identify Functional Requirements
  • Develop Functional Baseline
  • Set Test Criteria
  Required Security Activities:
  • Identify Security Areas
  • Establish Security Requirements
  • Prepare Risk Analysis and Contingency Plan
  • Define Security Tests Strategy
  • Include Security Requirements in RFPs, Contracts
  • Include Functional Security Requirements
30
System Life Cycle
• Detailed Design Specifications
  • Prepare Detailed Designs
  • Update Testing Goals & Plans
  • Develop Formal Baseline
  Required Security Activities:
  • Establish Security Specifications
  • Update Security Test Plans
  • Document Security Baseline
31
System Life Cycle
• Develop and Document
  • Develop System
  • Unit Testing & Evaluation
  • Document System
  Required Security Activities:
  • Develop Security Code
  • Security Code Evaluation
  • Document Security Code
32
System Life Cycle
• Acceptance, Testing and Transition to Production
  • System Components
  • Integrated System
  • System Performance Test
  • Project Manuals
  • System Acceptance Test
  Required Security Activities:
  • Validate Security Components
  • Security in Integrated System
  • Implement Security Code
  • Document Security Controls
  • Certify Secure System
  • Accept Secure Operations
33
System Life Cycle
• Decommissioning / Disposal
• Critical data recovered or destroyed
• Media sanitized or destroyed
• Software removal
34
Software Development Methods
• Waterfall
• Spiral
• Clean-room
• Structured Programming Development
35
Software Development Methods
• Iterative Development
• Joint Analysis Development (JAD)
• Prototyping
• Modified Prototype Model (MPM)
• Exploratory Model
• Rapid Application Development (RAD)
36
Software Development Methods
• Reuse Model
• Computer Aided Software Engineering (CASE)
• Component Based Development
• Extreme Programming
37
Additional Software Protection Mechanisms
• Cryptography
• Malicious Code Control
• Access Controls
• Documentation and Common Program Controls
• Open source
• Social Engineering Awareness
• Testing and Evaluation
• Mobile Code Controls
• Backup and Redundancy Controls
• Data Contamination Controls
38
Domain Agenda
• Programming Concepts
• Threats and Malware
• Software Protection
• Audit and Assurance Mechanisms
• Database and Data Warehousing Environment
• Web Application Environment
39
Auditing and Assurance Mechanisms
• Information Integrity
• Information Auditing
• Malware Assurance
40
Change Management Process
41
Testing
• Last chance to avoid a disaster
• Testing is intended to find the problems
• Tests should address all normal and ‘unexpected’ entries and conditions
• Do not compromise privacy with test data
42
Configuration Management
• Configuration Management
• Patch Management
• Patch Management Process
43
Patch Management
• Potential problem areas:
  • Distribution System Failures
  • Patch Failures
  • Inadequate Testing & Validation
  • Patch Rollback
  • Load on the network
  • Stability issues and other regression issues
44
Domain Agenda
• Programming Concepts
• Threats and Malware
• Software Protection
• Audit and Assurance Mechanisms
• Database and Data Warehousing Environment
• Web Application Environment
45
Database Environment
• Database Management Systems
• Databases - Developed to manage information from many sources in one location
• Eliminates duplication of information
• Preserves storage space
• Prevents inconsistency in data by making changes in one central location
46
Database Environment
• Major Elements
• DBMS should provide:
  • Transaction Persistence
  • Fault Tolerance and Recovery
  • Sharing by Multiple Users
  • Security Controls
47
DBMS Models
• Hierarchical DBMS
  • Stores records in a single table
  • Parent/child relationships
  • Limited to a single tree
  • Difficult to link branches
[Figure: tree rooted at Car with children Honda, Toyota and Mazda; Honda's children CRV, Accord and Civic; leaf level 4-door and 2-door]
48
DBMS Models
• Network DBMS
• Represents data as a network of records and sets that are related to each other, forming a network of links
• Record types - records of the same type
• Set types - relationship between record types
49
DBMS Models
[Figure: network model example. Record types: manufacturers (Ford, Mazda, BMW), vehicle classes (Regular, Truck, 4x4), models (Mazda 3, Mazda 6, E Series, Freestar, X3, X5) and options (5 Speed Transmission, Leather Interior, Front and Rear Climate Controls), joined by many-to-many links]
50
DBMS Models
• Relational DBMS
• Most frequently used DBMS model
• Data are structured in tables
• Columns represent the variables (attributes)
• Rows contain the specific instances (records) of data
51
DBMS Models
Author Table (columns are attributes; rows are tuples/records; Author No. is the primary key)

Author No.  Last Name  First Name  State
123456      Smithson   Mary        CA
234567      Rogers     Mike        NY
345678      Tucker     Sally       CT
456789      Gleason    Sarah       IL
52
DBMS Models
Author Table (primary key: Author No.)

Author No.  Last Name  First Name  State
123456      Smithson   Mary        CA
234567      Rogers     Mike        NY
345678      Tucker     Sally       CT
456789      Gleason    Sarah       IL

Book Table (primary key: Book No.; foreign key: Author No., referencing the Author Table)

Book No.  Book Title                Book Type  Book Price  Author No.
PC1234    Learning Database Models  Computer   39.99       123456
PC4321    Data Modeling Techniques             69.99       234567
PC6789    Designing a Database      Computer   39.99       345678
PC9876    Secrets of Databases      Computer   19.99       456789
(Book Type for PC4321 is not shown on the slide)
53
DBMS Models
• Relational Database Security Issues
• Ensuring integrity of input data
• Preventing deadlocking
• Access controls
56
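The following is an added example, not part of the course slides, showing how a relational DBMS enforces the integrity of input data through the primary key / foreign key relationship between the Author and Book tables above. The rows are constructed from the slide's sample tables; the column names, the CHECK constraints and SQLite itself are this example's choices. Note the practitioner caveat in the code: SQLite leaves foreign-key checking off unless each connection turns it on, so "orphan" book rows are silently accepted by default.

```python
import sqlite3

# Sample rows constructed from the slide's Author and Book tables (teaching data, not a real catalogue).
AUTHORS = [
    (123456, "Smithson", "Mary", "CA"),
    (234567, "Rogers", "Mike", "NY"),
    (345678, "Tucker", "Sally", "CT"),
    (456789, "Gleason", "Sarah", "IL"),
]
BOOKS = [
    ("PC1234", "Learning Database Models", "Computer", 39.99, 123456),
    ("PC4321", "Data Modeling Techniques", None, 69.99, 234567),  # Book Type not shown on the slide
    ("PC6789", "Designing a Database", "Computer", 39.99, 345678),
    ("PC9876", "Secrets of Databases", "Computer", 19.99, 456789),
]


def open_catalog(enforce_fk=True):
    """Create both tables in memory and load the sample rows with parameterized inserts."""
    conn = sqlite3.connect(":memory:")
    # Caveat: SQLite ships with foreign-key checking OFF; it must be enabled per connection.
    conn.execute("PRAGMA foreign_keys = ON" if enforce_fk else "PRAGMA foreign_keys = OFF")
    conn.executescript("""
        CREATE TABLE author (
            author_no  INTEGER PRIMARY KEY,
            last_name  TEXT NOT NULL,
            first_name TEXT NOT NULL,
            state      TEXT NOT NULL CHECK (length(state) = 2)
        );
        CREATE TABLE book (
            book_no    TEXT PRIMARY KEY,
            title      TEXT NOT NULL,
            book_type  TEXT,
            price      REAL NOT NULL CHECK (price >= 0),
            author_no  INTEGER NOT NULL REFERENCES author(author_no)
        );
    """)
    conn.executemany("INSERT INTO author VALUES (?, ?, ?, ?)", AUTHORS)
    conn.executemany("INSERT INTO book VALUES (?, ?, ?, ?, ?)", BOOKS)
    conn.commit()
    return conn


def add_book(conn, row):
    """Insert one book row; False when the DBMS rejects it (unknown author, negative price, ...)."""
    try:
        with conn:  # commits on success, rolls back when the statement raises
            conn.execute("INSERT INTO book VALUES (?, ?, ?, ?, ?)", row)
        return True
    except sqlite3.IntegrityError:
        return False


def delete_author(conn, author_no):
    """Delete an author; refused while any book row still references that Author No."""
    try:
        with conn:
            conn.execute("DELETE FROM author WHERE author_no = ?", (author_no,))
        return True
    except sqlite3.IntegrityError:
        return False


def titles_by_author(conn, author_no):
    """Join the two tables on the key relationship, ordered by book number."""
    rows = conn.execute(
        "SELECT b.title FROM book b JOIN author a ON a.author_no = b.author_no "
        "WHERE a.author_no = ? ORDER BY b.book_no", (author_no,))
    return [title for (title,) in rows]


def orphan_books(conn):
    """Book rows whose Author No. matches no author: exactly what FK enforcement prevents."""
    rows = conn.execute(
        "SELECT book_no FROM book WHERE author_no NOT IN (SELECT author_no FROM author)")
    return [book_no for (book_no,) in rows]


if __name__ == "__main__":
    catalog = open_catalog()
    print("orphan insert accepted:", add_book(catalog, ("PC0001", "Orphan", "Computer", 9.99, 999999)))
    print("delete referenced author:", delete_author(catalog, 123456))
    print("orphans with FK on:", orphan_books(catalog))
```

With enforcement on, the orphan insert and the delete of a referenced author both fail at the DBMS, so the application cannot corrupt the relationship even if its own checks are missing; with enforcement off the same insert succeeds and `orphan_books` reports it.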
DBMS Models
• OODBMS & ORDBMS
• OODBMS (Object Oriented Database Management System)
• ORDBMS (Object Relational Database Management System)
57
Database Interface Languages
• Open Database Connectivity (ODBC)
• Java Database Connectivity (JDBC)
• eXtensible Markup Language (XML)
• Structured Query Language (SQL)
58
Database Security Issues
• Inference
• Query Attacks
• Aggregation
• Bypass Attacks
• Unauthorized Access
• Interception of Data
• Improper Modification of Data
• Access Availability
• Web Security
• Data Contamination
59
View-Based Access Controls
• Constrained views
• Sensitive data is hidden from unauthorized users
• Controls located in the front-end application (user interface)
60
Data Warehouse
• Consolidated view of enterprise data
• Data Mart
• Designed to support decision making through data mining
61
Building Data Warehouse
• Feed all data into a large, high-security database
• Normalize the data
• Mine the data for correlations to produce metadata
• Sanitize and export the metadata to its intended users
62
Metadata
• Information about data
• Provides unseen relationships between data
63
Knowledge Discovery in Databases (KDD)
• Methods of identifying patterns in data
• Some KDD methods use artificial intelligence (AI) techniques
• Probabilistic Models
• Statistical Approach
• Classification Approach
• Deviation and Trend Analysis
• Neural Networks
• Expert System Approach
64
Knowledge Management Security Controls
• Protect knowledge database
• Routinely verify decisions
65
Online Transaction Processing (OLTP)
• Records transactions as they occur – in real-time
• Security concerns are concurrency and atomicity
• Lock Controls
66
Lock Controls - The ACID Test
• Atomicity
• Consistency
• Isolation
• Durability
67
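The following is an added example, not from the course, illustrating the OLTP concerns listed above (concurrency, atomicity, lock controls) with SQLite. The shop database, its two tables and the sample row are constructed for this example. A sale is one business transaction made of two writes; the CHECK constraint on stock makes the second write fail when stock would go negative, and the rollback removes the first write too (atomicity). A second session holding the write lock causes a concurrent sale to be refused rather than interleaved (lock control, isolation); `timeout=0` is used so the refusal is immediate instead of waiting.

```python
import os
import sqlite3
import tempfile


def make_shop_db():
    """Constructed sample database on disk (two connections to ':memory:' would not share data)."""
    path = os.path.join(tempfile.mkdtemp(), "oltp.db")
    conn = sqlite3.connect(path, isolation_level=None)  # explicit BEGIN/COMMIT below
    conn.executescript("""
        CREATE TABLE inventory (book_no TEXT PRIMARY KEY,
                                on_hand INTEGER NOT NULL CHECK (on_hand >= 0));
        CREATE TABLE sale (sale_id INTEGER PRIMARY KEY, book_no TEXT NOT NULL, qty INTEGER NOT NULL);
        INSERT INTO inventory VALUES ('PC1234', 2);
    """)
    conn.close()
    return path


def sell(path, book_no, qty):
    """One transaction = two writes. Returns 'ok', 'insufficient' or 'locked'."""
    conn = sqlite3.connect(path, isolation_level=None, timeout=0)  # timeout=0: never wait for a lock
    try:
        conn.execute("BEGIN IMMEDIATE")  # take the write lock up front (lock control)
        conn.execute("INSERT INTO sale (book_no, qty) VALUES (?, ?)", (book_no, qty))
        conn.execute("UPDATE inventory SET on_hand = on_hand - ? WHERE book_no = ?", (qty, book_no))
        conn.execute("COMMIT")
        return "ok"
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")  # atomicity: the sale row inserted above disappears as well
        return "insufficient"
    except sqlite3.OperationalError:
        if conn.in_transaction:
            conn.execute("ROLLBACK")
        return "locked"  # another writer holds the lock; the caller may retry
    finally:
        conn.close()


def on_hand(path, book_no):
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT on_hand FROM inventory WHERE book_no = ?", (book_no,)).fetchone()[0]
    finally:
        conn.close()


def sale_count(path):
    conn = sqlite3.connect(path)
    try:
        return conn.execute("SELECT count(*) FROM sale").fetchone()[0]
    finally:
        conn.close()


def concurrent_writer_demo(path):
    """A second session holds the write lock; a sale attempted meanwhile is refused, then succeeds."""
    holder = sqlite3.connect(path, isolation_level=None)
    holder.execute("BEGIN IMMEDIATE")
    while_locked = sell(path, "PC1234", 1)
    holder.execute("COMMIT")
    holder.close()
    after_release = sell(path, "PC1234", 1)
    return while_locked, after_release


if __name__ == "__main__":
    db = make_shop_db()
    print(sell(db, "PC1234", 1), on_hand(db, "PC1234"), sale_count(db))   # ok 1 1
    print(sell(db, "PC1234", 5), on_hand(db, "PC1234"), sale_count(db))   # insufficient 1 1
    print(concurrent_writer_demo(db), on_hand(db, "PC1234"))              # ('locked', 'ok') 0
```

The point to check in any OLTP design is the second line of output: after the failed sale, the sale table still holds one row, not two. A design that wrote the sale record and decremented stock in two separate autocommitted statements would leave a phantom sale behind.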
Domain Agenda
• Programming Concepts
• Threats and Malware
• Software Protection
• Audit and Assurance Mechanisms
• Database and Data Warehousing Environment
• Web Application Environment
68
Web Site Incidents
• Vandalism
• Financial fraud
• Privileged access
• Theft of transaction information
• Theft of intellectual property
• Denial of Service (DoS)
69
Web Hacks
• Majority of hacks at the application level
• Firewalls provide minimal protection
• Information Gathering
• Administrative Interfaces
• Configuration Management
• Authentication & Access Control
70
Web Hacks
• Input Validation
• Parameter Manipulation
• Session Management
71
Web Application Security Principles
• Validate all input and output
• Fail Secure (closed)
• Fail Safe
• Make it simple
• Defense in depth
• Only as secure as your weakest link
• Security by obscurity
72
Web Application Security Principles
• Do not cache secure pages
• Ensure all encryption meets industry standards
• Monitor third party code vendors for security alerts
• Handle exceptions properly
• Do not trust any data from the client
• Do not trust data from other servers, partners, or other parts of the application
73
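The following is an added example, not from the course, tying together several of the bullets above ("Validate all input", "Fail Secure (closed)", "Handle exceptions properly", "Do not trust any data from the client") with the SQL Injection and Parameter Manipulation items from the threats and Web Hacks slides. The author table and its rows are constructed for this example. The vulnerable lookup splices a request parameter into the statement text; the hardened lookup allowlists the field and binds the value as a parameter, and returns nothing rather than an error when anything unexpected happens.

```python
import re
import sqlite3


def open_author_db():
    """Constructed sample table for this example (not the course's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (author_no INTEGER PRIMARY KEY, last_name TEXT NOT NULL)")
    conn.executemany("INSERT INTO author VALUES (?, ?)",
                     [(123456, "Smithson"), (234567, "Rogers"), (345678, "O'Brien")])
    return conn


def lookup_unsafe(conn, last_name):
    """Vulnerable: the client-supplied value becomes part of the SQL statement text."""
    sql = "SELECT author_no FROM author WHERE last_name = '%s' ORDER BY author_no" % last_name
    try:
        return [no for (no,) in conn.execute(sql)]
    except sqlite3.Error:
        return None  # even a legitimate apostrophe (O'Brien) breaks the statement


def lookup_param(conn, last_name):
    """Parameterized: the bound value is always data, never statement text."""
    rows = conn.execute("SELECT author_no FROM author WHERE last_name = ? ORDER BY author_no",
                        (last_name,))
    return [no for (no,) in rows]


# Allowlist for a surname field: letters, apostrophe, hyphen and space, 1 to 50 characters.
LAST_NAME_RE = re.compile(r"[A-Za-z][A-Za-z' \-]{0,49}")


def lookup_hardened(conn, last_name):
    """Validate first, then bind; any failure yields an empty result (fail closed)."""
    if not isinstance(last_name, str) or LAST_NAME_RE.fullmatch(last_name) is None:
        return []
    try:
        return lookup_param(conn, last_name)
    except sqlite3.Error:
        return []  # an unexpected DB error must not leak a stack trace or partial data


if __name__ == "__main__":
    db = open_author_db()
    probe = "x' OR '1'='1"  # classic teaching probe: passes through unchanged as data when bound
    print("unsafe, real name with apostrophe:", lookup_unsafe(db, "O'Brien"))   # None (query broke)
    print("unsafe, probe:", lookup_unsafe(db, probe))                           # every row
    print("hardened, real name:", lookup_hardened(db, "O'Brien"))              # [345678]
    print("hardened, probe:", lookup_hardened(db, probe))                      # []
```

Two layers are shown on purpose: the allowlist rejects the probe outright, but `lookup_param` alone already returns nothing for it because a bound parameter cannot change the statement. Validation narrows what reaches the database; parameterization is what actually removes the injection class, and neither depends on the client behaving.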
Domain Summary
• Understand software-based security controls
• Understand the software development and change/maintenance processes
• Specialized security controls for database and Web applications
• Describe malicious software
• Controls for detection of malware
• Define software engineering principles
74
“Security Transcends Technology”