Terry Daus, terrydaus@yahoo.com
Objectives:
Understand the Software Development Life Cycle (SDLC)
Enforce security controls in the development environment
Assess the effectiveness of software security
Apply security across the landscape of the SDLC
CISSP approach for Software Development:
Software Acquisition Security
Software Development Life Cycle (SDLC)
Security Controls in the Development Environment
Common Software Development Issues
Effectiveness of Software Security
Re-titled as "Security in the Software Development Life Cycle"
Why?
Software is the prevalent interaction component
Mobility enables less direct access to "The System"
Software includes interaction across the entire life cycle of data
Combination of live and archived data
Often accesses hybrid-mesh (private and public) data across networking components that all run side-by-side
[Diagram: "The System" as a layered architecture: hardware and hardware interfaces; hardware abstraction layer (HAL); security kernel and reference monitor; system APIs; hypervisor and software-defined network; common application base with application APIs and network APIs; application groups/suites made up of programs; integrity model and assurance processes spanning the layers]
Goals:
Both aspects (functionality and security) need to be looked at from the start of the project
Security should be integrated in the entire product and be implemented in a layered approach
Data and data processing procedures must be accurate at all times
Proactive, not reactive
Defines the phases of software development
Select the model based on the project
Don't "band-aid" security on top of an insecure solution: the expense of security "add-ons" increases exponentially during the later stages of a project
Comprehensive analysis
Ensure the system will meet end-user needs
Design the system and software
Establish data input, flow, and output requirements
Design security features
Generate source code
Develop test scenarios and test cases
Conduct unit and integration testing
Document for maintenance
An independent group tests to ensure:
It will function within the organization's environment
It meets all the functional and security requirements
Test data should include:
Data at the ends of the acceptable data ranges
Various points in between
Data beyond the expected/allowable data points
Test with:
Known good data
Sanitized data
Never live production data
Certification
Authorization
Obtain security accreditation
Train the new users
Implement the system
Periodic evaluations and audits
Changes must follow the SDLC and be recorded
Capability Maturity Model (CMM): focuses on quality management processes; five maturity levels
ISO/IEC 90003:2004 (mostly focuses on TQM) is appropriate to software that is:
Part of a commercial contract with another organization
A product available for a market sector
Used to support the processes of an organization
Embedded in a hardware product, or
Related to software services
INSTRUCTIONS: Complete the table to compare the CMM and ISO.
                           CMM        ISO
Purpose
Most applicable for ...
Monitor the performance of the system
Ensure continuity of operations
Detect defects or weaknesses
Manage and prevent system problems
Recover from system problems
Implement system changes
Successful change management requires:
Benefits management and realization
Effective communication
Effective education and training
Countering resistance
Monitoring of the implementation
Integrated Product Team (IPT): a management technique that simultaneously integrates all essential acquisition activities through multidisciplinary teams
Develop and test against production-like systems
Deploy with repeatable, reliable processes
Monitor and validate operational quality
Amplify feedback loops
Prototyping
Modified Prototype Model (MPM)
Rapid Application Development (RAD)
Joint Analysis Development (JAD)
Exploratory Model
Computer-Aided Software Engineering (CASE)
Component-Based Development
Reuse Model
Extreme Programming
Combine models
Consider security
INSTRUCTIONS: Working with a partner, please note your assigned methods in the top row of the table.
                             Method 1:    Method 2:    Method 3:
Inappropriate circumstance
Best circumstance
Database management system (DBMS): a suite of application programs that typically manages large, structured sets of persistent data
Stores, maintains, and provides access to data using ad hoc query capabilities
Database components:
The database engine itself
The hardware platform
Application software
Users
Database model: the relationship between the data elements; provides a framework for organizing the data, including:
Transaction persistence
Fault tolerance and recovery
Sharing by multiple users
Security controls
Hierarchical model:
Oldest of the database models
Stores data in a series of records that have field values attached
Collects all the instances of a specific record together as a record type
Uses parent/child relationships through the use of trees
Useful for mapping 1:N relationships
Network model:
Also known as the distributed database model
Represents its data in the form of a network of records and sets that are related to each other
Records are the equivalent of rows in the relational model
Record types are sets of records of the same type
Data is stored in more than one database but relatively hierarchically
Useful for N:N relationships
Relational model:
Based on set theory and predicate logic
Provides a high level of abstraction
Tables or relations
Integrity rules
Data manipulation agents
Attributes
Tuple
Primary keys
Foreign key value
To solve the problems of concurrency and security within a database, the database must provide integrity guarantees (integrity rules, locking and transaction control)
SQL: language in which users may issue commands
The main components of a database using SQL are:
Schemas
Tables
Views
Data Definition Language (DDL)
Data Manipulation Language (DML)
Data Control Language (DCL)
Object-oriented model:
One of the most recent database models
Stores data as objects
INSTRUCTIONS: Match the database model with the correct description.
a. Hierarchical Database Model
b. Network Database Management Model
c. Relational Database Management Model
d. Object-Oriented Database Model
1. _____ Stores data in a series of records that have field values attached. It collects all the instances of a specific record together as a record type.
2. _____ Allows data to be structured in a series of tables that have columns representing the variables and rows that contain specific instances of data.
3. _____ One of the most recent database models.
4. _____ Represents data in the form of a network of records and sets that are related to each other, forming a network of links.
Answers: 1 a, 2 c, 3 d, 4 b
Data access interfaces:
Open Database Connectivity (ODBC)
Java Database Connectivity (JDBC)
eXtensible Markup Language (XML)
Object Linking and Embedding Database (OLE DB)
ActiveX Data Objects (ADO)
Questions:
1. What is a markup language?
2. What is Object Linking and Embedding (OLE)?
3. What is the protocol that allows OLE to work?
4. What is JDBC?
Answers:
1. A markup language is a system of symbols and rules to identify structures (format) in a document
2. Object Linking and Embedding (OLE) is a Microsoft technology that allows an object, such as an Excel spreadsheet, to be embedded in or linked to the inside of another object, such as a Word document
3. The protocol that allows OLE to work is the Component Object Model (COM)
4. JDBC is an API from Sun Microsystems used to connect Java programs to databases
API security issues include:
Authentication of users
Authorization of users
Encryption
Protection of the data from unauthorized entry, accountability, and auditing
Availability of current data
There can be any number of layers; the three-tier approach is most typical:
Presentation layer
Business logic layer
Data layer
ActiveX Data Objects (ADO): Microsoft high-level interface for all kinds of data
ActiveX controls have no configurable restrictions on their access to the underlying system
Newer browsers implement sandboxing and stronger ActiveX controls to help mitigate this weakness
Metadata is useful because it provides:
Valuable information about the unseen relationships between data
The ability to correlate data that was previously considered unrelated
The keys to unlocking critical or highly important data inside the data warehouse
OLAP technologies provide an analyst with the ability to formulate queries and define further queries
As a first line of security to prevent unauthorized users from accessing the system, the DBMS should use:
Identification
Authentication
Authorization
Other forms of access controls
Locks are used for read and write access to specific rows of data in relational systems or objects in object-oriented systems
ACID properties:
Atomicity: all or none
Consistency: changes maintain consistency (the database moves from one valid state to another)
Isolation: pending transactions are invisible to others
Durability: when you say it's done, it stays done
The ACID test: all changes are invisible until done
Database security controls:
View-based access controls
Grant and revoke access controls
Security for object-oriented (OO) databases
Metadata controls
Data contamination controls
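The two database controls above that a developer can actually exercise, view-based access control and transaction atomicity, as an added example (not from the slides). It uses Python's bundled sqlite3: a CHECK constraint is the integrity rule, an authorizer callback enforces that the base table is read only through the approved view, and a failing row in a batch update rolls the whole batch back. The schema, table, view and row contents are this example's own assumptions.

```python
import sqlite3

# Hypothetical schema (assumption, not from the slides): a base table whose salary
# column must never be read directly, and a view exposing only the public columns.
SENSITIVE_TABLE = "staff"
PUBLIC_VIEW = "staff_public"


def build_db() -> sqlite3.Connection:
    """In-memory database with the base table, the restricted view and two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {SENSITIVE_TABLE} (
            id     INTEGER PRIMARY KEY,
            name   TEXT    NOT NULL,
            salary INTEGER NOT NULL CHECK (salary >= 0)   -- integrity rule
        );
        CREATE VIEW {PUBLIC_VIEW} AS SELECT id, name FROM {SENSITIVE_TABLE};
        INSERT INTO {SENSITIVE_TABLE} (name, salary) VALUES ('alice', 120000), ('bob', 95000);
    """)
    return conn


def view_only_authorizer(action, arg1, arg2, dbname, source):
    """SQLite authorizer: the base table may be read only through PUBLIC_VIEW, and never written.

    `source` is the view (or trigger) on whose behalf the access happens, or None for
    top-level SQL; that is what separates 'SELECT name FROM staff' (denied) from
    'SELECT name FROM staff_public' (allowed).
    """
    if action == sqlite3.SQLITE_READ and arg1 == SENSITIVE_TABLE and source != PUBLIC_VIEW:
        return sqlite3.SQLITE_DENY
    if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE) \
            and arg1 == SENSITIVE_TABLE:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def restricted_connection() -> sqlite3.Connection:
    """The connection a reporting user gets: every statement passes through the authorizer."""
    conn = build_db()
    conn.set_authorizer(view_only_authorizer)
    return conn


def run_query(conn, sql):
    """Rows for an allowed statement, or the string 'DENIED' when the authorizer refuses it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        if "prohibited" in str(exc) or "not authorized" in str(exc):
            return "DENIED"
        raise


def apply_raises(conn, changes):
    """Apply a batch of salary changes as ONE transaction (atomicity).

    If any row would violate the CHECK constraint, sqlite3 raises IntegrityError,
    the context manager rolls back, and none of the earlier updates persist.
    """
    try:
        with conn:  # commit on success, rollback on exception
            for name, delta in changes:
                conn.execute(
                    f"UPDATE {SENSITIVE_TABLE} SET salary = salary + ? WHERE name = ?",
                    (delta, name),
                )
        return "COMMITTED"
    except sqlite3.IntegrityError:
        return "ROLLED BACK"


def salaries(conn):
    """Current salaries as a dict, read over an unrestricted (DBA) connection."""
    return dict(conn.execute(f"SELECT name, salary FROM {SENSITIVE_TABLE} ORDER BY name"))


if __name__ == "__main__":
    user = restricted_connection()
    print(run_query(user, f"SELECT id, name FROM {PUBLIC_VIEW}"))    # rows
    print(run_query(user, f"SELECT salary FROM {SENSITIVE_TABLE}"))  # DENIED
    dba = build_db()
    print(apply_raises(dba, [("alice", 5000), ("bob", -200000)]), salaries(dba))
```

In a server DBMS the same policy is expressed with GRANT SELECT ON the view and no grant on the table; the authorizer hook is SQLite's equivalent, and the point is the same: the restricted principal never has a path to the sensitive column, and a partial batch never becomes visible.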
Online transaction processing (OLTP): a data processing system facilitating and managing transaction-oriented applications
The security concerns for OLTP systems are:
Concurrency
Atomicity
A key feature of knowledge management is the application of artificial intelligence techniques to decision support
Data mining: mathematical, statistical, and visualization method of identifying valid and useful patterns in data
Security of knowledge-based systems:
Protecting the knowledge base
Routinely verifying decisions
Changes to the rules must go through a change control process
Additional and different queries to verify the information
Making risk management decisions
Developing a baseline of expected performance from the analytical tool
Most attacks are conducted at the application level
Designed to be widely accessible
Usually heavily advertised
Administrators turn off logging
Not well suited for firewalls and intrusion detection systems
Particular assurance sign-off process for web servers:
Harden the operating system of such servers
Extend web and network vulnerability scans prior to deployment
Passively assess IDS and IPS technology
Use application proxy firewalls
Disable unnecessary documentation and libraries
Remove or appropriately secure administrative interfaces
Only allow access from authorized hosts or networks
Do not hard code the authentication credentials
Use account lockout and extended logging and audit
Ensure the interface is at least as secure as the rest of the application
OWASP resources:
Development Guide
Code Review Guide
Testing Guide
Top Ten Web Application Security Vulnerabilities
OWASP Mobile
The objective of information security is to make sure:
That the system and its resources are available when needed
That the integrity of the processing of the data and the data itself is ensured
That the confidentiality of the data is protected
Open source considerations:
More distributed
Substantial increase in open protocols, interfaces, and source code
Increased sharing requires increased protection
More complex
Linus's law: with sufficiently many eyeballs looking at the code, all bugs become apparent
INSTRUCTIONS: With a partner, discuss your thoughts on whether open source leads to quick identification and repair of issues.
Individuals who find security vulnerabilities will publicly disseminate the information
This environment begins with the standard model of hardware resources, with items such as:
Central processing unit (CPU)
Memory
Input/output (I/O) requests
Storage devices
A programming language is a set of rules telling the computer what operations to perform
Language generations:
First generation (machine)
Second generation (assembly)
Third generation (high-level)
Fourth generation (report generators)
Fifth generation (natural language)
Higher-level languages
Machine language
Directive patterns
Java security architecture:
Verifier
Class loader
Security manager
Java Certification Path API
Java GSS-API
Java Authentication and Authorization Service (JAAS)
Java Cryptography Extension (JCE)
Java Secure Socket Extension (JSSE)
Object-oriented concepts:
Encapsulation
Inheritance
Polymorphism: specific objects, instantiated from a higher class, may vary their behavior depending upon the data they contain
Polyinstantiation
Distributed object-oriented systems allow applications to be divided into components that can exist in different locations
Common Object Request Broker Architecture (CORBA): a set of standards that addresses the need for interoperability between hardware and software
When reviewing implementations, consider:
Supported CORBA security features
CORBA security administration
Access control mechanisms
Tools for capturing and reviewing audit logs
Any technical evaluations
A software library consists of pre-written code, classes, procedures, scripts, and configuration data
Benefits of libraries:
Increased dependability
Reduced process risk
Effective use of specialists
Standards compliance
Accelerated development
Library code runs with the privileges of the program that links it, so libraries must be inventoried and patched like any other component
A standard library in computer programming is the library made available across implementations of a programming language, for example:
The C standard library
The C++ standard library
The Framework Class Library (FCL)
The Java Class Library (JCL)
The Ruby standard library
Integrated development environment (IDE): a program or application that software developers use to create, debug, maintain, or otherwise support other programs and applications
Combines the features of many tools
Maximizes programmer productivity
A runtime system exhibits the behavior of the constructs of a computer language
Social engineering: based on the principle of representing oneself as someone who needs or deserves the information to gain access to the system
INSTRUCTIONS: Review each of the security weaknesses/threats on your own and write a brief, simple explanation after each one
Buffer Overflow
Citizen Programmers
Covert Channel
Malformed Input Attacks
Memory Reuse (Object Reuse)
Executable Content/Mobile Code
Time of Check/Time of Use (TOC/TOU)
Between-the-Lines Attack
Trapdoor/Backdoor
Static source code analysis tools:
Designed to analyze source code to help find security flaws
Used in the software development phase
Scale well
Output is good for developers
Limitations:
Many security vulnerabilities are difficult to find automatically
False positives
Frequently cannot find configuration issues
Difficult to prove an actual vulnerability
Difficulty analyzing code that cannot be compiled
Example tools: Google CodeSearchDiggity, FindBugs, FxCop (Microsoft), PMD, PreFast (Microsoft), RATS (Fortify), OWASP SWAAT Project, Flawfinder, RIPS, Brakeman, Codesake Dawn, VCG, IBM Security AppScan Source Edition, Insight (Klocwork), Parasoft Test, Seeker, Source Patrol (Pentest), Static Source Code Analysis with CodeSecure, Static Code Analysis (Checkmarx), Security Advisor (Coverity), Veracode
Malware:
Can compromise programs and data to the point where they are no longer available
Generally uses the resources of the system it has attacked
Viruses are the largest class of malware
A virus is a program written with functions and intent to copy and disperse itself without the knowledge and cooperation of the owner or user of the computer
Virus types:
File infectors
Boot sector infectors
System infectors
Companion virus
E-mail virus
Multipartite
Macro virus
Script virus
Other malware:
Worms
Hoaxes
Trojans
DDoS zombies
Logic bombs
Spyware and adware
Pranks
Botnets
INSTRUCTIONS: Working with your partner or small group, review your assigned malware type and prepare to share it with the rest of the group.
Please include the following in your introduction:
Definition
Example
Ideas about how to avoid and/or overcome this type of malware
Do not double-click on attachments
Describe the content of attachments
Do not blindly use the most widely used products as a company standard
Disable Windows Script Host, ActiveX, VBScript, and JavaScript
Do not send HTML-formatted e-mail
Use more than one scanner, and scan everything
Antimalware technologies:
Scanners
Heuristic scanners
Activity monitors
Change detection
Reputation monitoring / zero-day / zero-hour
Antimalware policies
Trusted computing base (TCB): the collection of all of the hardware, software, and controls within a computer system that can be trusted to adhere to the security policy
Reference monitor: ensures any subject attempting to access any object has the appropriate rights to do so; protects the object from unauthorized access attempts by bad actors
Security kernel: made up of all of the components of the TCB; responsible for implementing and enforcing the reference monitor
Processor privilege states: protect the processor and the activities that it performs; privilege levels are typically referenced in a ring structure
A buffer overflow:
Is caused by improper bounds checking on input to a program
Must be corrected by the programmer or by directly patching system memory
The lack of parameter checking can lead to buffer overflow attacks
Operating systems should offer some type of buffer management
Compiler and OS mitigations such as stack canaries, DEP and ASLR raise the cost of exploiting an overflow but do not remove the underlying bounds-checking bug
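The bounds checking the slides ask for, and the boundary test data they ask for earlier (ends of the range, points in between, beyond it), as one added example that is not from the slides. The record format (1-byte type, 2-byte big-endian length, payload), the 1024-byte buffer limit and the test cases are this example's own assumptions; the parser refuses any declared length it cannot honour instead of trusting it, which is the check a C receiver copying into a fixed buffer would be missing.

```python
import struct

MAX_PAYLOAD = 1024  # assumption: the size of the receiver's fixed buffer


class MalformedInput(ValueError):
    """Raised for any input the parser cannot safely honour."""


def parse_records(data: bytes):
    """Parse [type:1][len:2 big-endian][payload:len]* records with explicit bounds checks.

    Every length that comes from the wire is compared against both the buffer
    limit and the bytes actually present before it is used as an index.
    """
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise MalformedInput(f"truncated header at offset {pos}")
        rtype, length = struct.unpack_from(">BH", data, pos)
        pos += 3
        if length > MAX_PAYLOAD:
            raise MalformedInput(f"declared length {length} exceeds buffer {MAX_PAYLOAD}")
        if length > len(data) - pos:
            raise MalformedInput(f"declared length {length} exceeds remaining {len(data) - pos}")
        records.append((rtype, data[pos:pos + length]))
        pos += length
    return records


def encode(rtype: int, payload: bytes) -> bytes:
    """Build one well-formed record (struct.pack itself rejects lengths above 65535)."""
    return struct.pack(">BH", rtype, len(payload)) + payload


def boundary_cases():
    """Constructed inputs at the ends of the acceptable range, in between, and beyond it."""
    cases = {}
    for n in (0, 1, MAX_PAYLOAD // 2, MAX_PAYLOAD - 1, MAX_PAYLOAD):
        cases[f"len={n}"] = encode(1, b"A" * n)
    cases[f"len={MAX_PAYLOAD + 1}"] = encode(1, b"A" * (MAX_PAYLOAD + 1))
    cases["len=65535 payload=0"] = struct.pack(">BH", 1, 65535)      # header lies about size
    cases["header cut short"] = b"\x01\x00"
    cases["two records then truncated"] = encode(1, b"x") + encode(2, b"yz") + b"\x03\x00\x05ab"
    return cases


def run_boundary_tests():
    """Return {case name: 'ok:<record count>' or 'rejected:<reason>'} for every case."""
    results = {}
    for name, blob in boundary_cases().items():
        try:
            results[name] = f"ok:{len(parse_records(blob))}"
        except MalformedInput as exc:
            results[name] = f"rejected:{exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_boundary_tests().items():
        print(f"{name:32} {outcome}")
```

Every "beyond the range" case must come back as a rejection with a reason, never as an exception of another type or a silently shortened record; that is the property a regression battery for a parser should assert on each build.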
Process isolation: ensures that multiple processes do not attempt to access the same system resources at the same time
Interrupts allow the operating system to ensure that a process is given enough time to access the CPU when necessary to carry out its required functions
Encapsulating a process means that no other process is able to understand or interact with the internal programming code of the process
Time multiplexing allows the operating system to provide structured access to processes that need to use resources according to a tightly managed schedule
Naming distinctions ensure that each process is assigned a unique identity within the context of the operating system
Virtual memory mapping allows each process to have access to its own memory space as it executes
Enforced through the operating system's use of the memory manager
Memory manager responsibilities:
Provide an abstraction level for programmers
Maximize performance with the limited amount of memory available
Protect the operating system and applications once they are loaded into memory
Relocation
Protection
Sharing
Logical organization
Physical organization
Memory segments allow the operating system to make sure that a process is only able to interact with the defined memory segments
Memory protection practices:
Access kernel components only while in kernel mode
ASLR and process isolation
Data execution prevention (DEP)
Use of ACLs to protect shared memory
Inspection of shared communication channels that could allow two cooperating processes to transfer information in a way that violates the system's security policy (covert channels)
Cryptographic techniques protect the confidentiality and integrity of information, for example storing passwords as salted hashes rather than in the clear, and using overstrike masking within the application interface
If there is not enough granularity of security, users may be able to gain more access permission than needed
Development environment
Quality assurance environment
Application (production) environment
If there are multiple threads of execution occurring at the same time, a TOC/TOU (time of check / time of use) attack is possible
The attack takes advantage of event timing dependencies in a multitasking operating system
To avoid TOC/TOU attacks, the operating system should use software locking; at the application level, perform the check and the use on the same opened object (for example a file descriptor) rather than resolving the name twice
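The race above made reproducible, as an added example that is not from the slides: the vulnerable routine checks a path and then opens the path again, while the hardened one opens once without following symlinks and checks the descriptor it actually holds. A POSIX system is assumed (os.O_NOFOLLOW, symlinks), and the "attacker" callback stands in for a concurrent process so the window is hit deterministically instead of by timing.

```python
import os
import stat
import tempfile


def read_if_regular_unsafe(path, between_check_and_use=lambda: None):
    """Vulnerable pattern: check the name, then look the name up again at time of use."""
    if os.path.islink(path) or not os.path.isfile(path):   # time of check
        return None
    between_check_and_use()                                 # the race window
    with open(path, "rb") as f:                             # time of use: a fresh lookup
        return f.read()


def read_if_regular_safe(path, after_open=lambda: None):
    """Hardened pattern: open once (no symlink following), then check and use the
    descriptor, which stays bound to the inode we opened whatever happens to the path."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:          # ELOOP if it is a symlink, ENOENT if missing, ...
        return None
    try:
        after_open()         # same window, but nothing below re-resolves the name
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return None
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a public file and a secret file; the attacker swaps the
    public path for a symlink to the secret inside the window. Returns
    (what the unsafe reader got, what the safe reader got, safe reader on the symlink)."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def write_public():
            with open(public, "wb") as f:
                f.write(b"public data")

        def attacker_swaps():
            os.remove(public)
            os.symlink(secret, public)

        write_public()
        leaked = read_if_regular_unsafe(public, attacker_swaps)   # reads the secret
        os.remove(public)
        write_public()
        kept = read_if_regular_safe(public, attacker_swaps)       # still the original file
        refused = read_if_regular_safe(public)                    # path is now a symlink
        return leaked, kept, refused


if __name__ == "__main__":
    print(demo())
```

The same idea applies beyond files: any "check permission, then act by name" sequence (database rows, Kubernetes objects, cloud resources) should act on the identity it validated, or validate inside the same lock or transaction.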
Some of the ways attackers can try to use social influence over users include:
Subtle intimidation
Bluster
Pulling rank
Exploiting guilt
Pleading for special treatment
Exploiting a natural desire to be helpful
Appealing to an underling's subversive streak
Backing up operating system and application software ensures productivity in the event of a system crash
Operational copies of software should be available in the event of a system crash
Software forensics: analysis of program code to determine or provide evidence for the intent or authorship of a program
Examples of threats to resources include:
Disclosure of information
Denial-of-service (DoS) attacks
Damaging or modifying data
Annoyance attacks
Sandbox: provides a protective area for program execution
Type-safe language: a method of providing safe execution of programs; ensures that arrays stay in bounds, pointers are always valid, and code cannot violate variable typing
Configuration management (CM):
Goal is to guarantee integrity, availability, and usage of the correct version of all system components
The set of artifacts (configuration items) under the jurisdiction of CM
How artifacts are named
How artifacts enter and leave the controlled set
How an artifact under CM is allowed to change
How different versions of an artifact under CM are made available
How CM tools are used to enable and enforce CM
Protect shared software from unauthorized modification with policies, developmental controls, and life cycle controls
Spend a few minutes studying the measures provided:
Note the ones that will be of particular value in your organization
Note one or more concerns and issues that may not fit under these measures
Application Programming Interfaces (APIs):
Are the connectors for the Internet of Things (IoT), allowing our devices to speak to each other
The "unknown, unseen force"
REST: a means of expressing specific entities in a system by URL path elements; allows interaction with a web-based system via simplified URLs
API security:
Employ the same security mechanisms for your APIs as any web application your organization deploys
Do not create and implement your own security solutions
Unless your API is a free, read-only public API, do not use single key-based authentication
Do not pass unencrypted static keys
Use HMAC
Basic Authentication with TLS
OAuth 1.0a
OAuth2
"RESTful web services should use session-based authentication, either by establishing a session token via a POST or using an API key as a POST body argument or as a cookie. Usernames and passwords, session tokens, and API keys should not appear in the URL, as this can be captured in web server logs and makes them intrinsically valuable...."
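"Use HMAC" and "keys should not appear in the URL" in working form, as an added example that is not from the slides: the client signs the method, path, timestamp and body hash with a shared secret and sends only the key id and signature in headers; the server looks up the secret, rejects timestamps outside a replay window, recomputes the HMAC and compares in constant time. Header names, the canonical string layout, the 300-second window and the sample request are this example's own assumptions.

```python
import hashlib
import hmac

# Assumption: a five-minute clock skew / replay window (not from the slides).
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> str:
    """Everything the signature must cover; the secret itself is never part of it."""
    return "\n".join([method.upper(), path, str(timestamp), hashlib.sha256(body).hexdigest()])


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes,
                 timestamp: int) -> dict:
    """Client side: key id, timestamp and HMAC travel as headers, never in the URL."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(secrets: dict, method: str, path: str, body: bytes,
                   headers: dict, now: int) -> tuple:
    """Server side: look up the secret by key id, bound the timestamp, compare in constant time.

    Returns (accepted, reason). Any tampering with method, path, body or timestamp
    changes the canonical string and therefore the expected MAC.
    """
    secret = secrets.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Constructed exchange: a valid call, the same headers on a tampered body, and a
    replay of the valid call a day later."""
    secrets = {"client-42": b"constructed-shared-secret"}   # server-side key store (assumption)
    now = 1_700_000_000
    body = b'{"amount": 10}'
    headers = sign_request("client-42", secrets["client-42"], "POST", "/v1/transfer", body, now)
    good = verify_request(secrets, "POST", "/v1/transfer", body, headers, now)
    tampered = verify_request(secrets, "POST", "/v1/transfer", b'{"amount": 1000}', headers, now)
    replayed = verify_request(secrets, "POST", "/v1/transfer", body, headers, now + 86_400)
    return good, tampered, replayed


if __name__ == "__main__":
    print(demo())
```

The timestamp window limits, but does not eliminate, replay inside the window; a server that must reject every replay additionally records each (key id, timestamp, signature) it has accepted for the length of the window. TLS is still required so the body and headers are not readable in transit; the HMAC only proves origin and integrity.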
Federal agency mandated to conduct security certification testing
The certification process is followed with authorization
The revised process emphasizes:
Building information security capabilities
Maintaining awareness
Providing essential information to senior leaders
The risk management process changes the traditional focus of C&A as a static, procedural activity to a more dynamic approach:
Encourages the use of automation
Integrates information security
Emphasizes selection, implementation, assessment, and monitoring of security controls
Links risk management processes at the information-system level to risk management processes at the organization level
Establishes responsibility and accountability for security controls
Which characteristic(s) embody the dynamic nature of the RMF compared with a more traditional approach? Why?
Why private organizations may choose certification:
Control framework
Low overhead
Use of standards
Includes all aspects of a system's security
With a partner, discuss why or why not you think it's a good idea for private organizations to pursue certification.
Systems and network device reporting is important to the overall health and security of systems
Logs:
Are records of actions and events that have taken place on a computer system
Provide a clear view of who owns a process, what action was initiated, when it was initiated, where the action occurred, and why the process ran
Are primary record keepers of system and network activity
The enterprise should have auditing policies in place that effectively and efficiently collect information regarding critical events in the form of logs and to manage them appropriately
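The who / what / when / where fields above pulled out of log lines and then used for a simple detection, as an added example that is not from the slides. The log format is a simplified, hypothetical syslog-like layout and the eight lines are constructed, not real data; the detection flags any source address with five or more failed logins inside a five-minute sliding window (both thresholds are assumptions) and notes whether that source later logged in successfully, which is the case worth escalating.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical syslog-like format (not real logs).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host1 sshd[4321]: Failed password for alice from 10.0.0.5 port 51000
2024-05-01T09:00:03Z host1 sshd[4322]: Failed password for alice from 10.0.0.5 port 51001
2024-05-01T09:00:05Z host1 sshd[4323]: Failed password for root from 10.0.0.5 port 51002
2024-05-01T09:00:06Z host1 sshd[4324]: Failed password for admin from 10.0.0.5 port 51003
2024-05-01T09:00:07Z host1 sshd[4325]: Failed password for bob from 10.0.0.5 port 51004
2024-05-01T09:00:09Z host1 sshd[4326]: Accepted password for bob from 10.0.0.5 port 51005
2024-05-01T09:30:00Z host2 sshd[7000]: Failed password for carol from 10.0.0.9 port 40000
2024-05-01T11:30:00Z host2 sshd[7001]: Failed password for carol from 10.0.0.9 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<when>\S+) (?P<where>\S+) (?P<process>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<who>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line: str):
    """One line -> who / what / when / where (host and source address), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "when": datetime.strptime(f["when"], "%Y-%m-%dT%H:%M:%SZ"),
        "where": f["where"],
        "who": f["who"],
        "what": "login_failed" if f["outcome"] == "Failed" else "login_ok",
        "src": f["src"],
        "process": f"{f['process']}[{f['pid']}]",
    }


def parse_log(text: str):
    """All parseable events in a log text, in file order."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed logins inside any sliding window of `window`."""
    failures = defaultdict(list)   # src -> [(when, who), ...]
    successes = defaultdict(list)  # src -> [when, ...]
    for e in events:
        if e["what"] == "login_failed":
            failures[e["src"]].append((e["when"], e["who"]))
        else:
            successes[e["src"]].append(e["when"])
    alerts = {}
    for src, hits in failures.items():
        hits.sort()
        start = 0
        for end, (t, _) in enumerate(hits):
            while t - hits[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {
                    "failures": end - start + 1,
                    "users": sorted({who for _, who in hits[start:end + 1]}),
                    "first": hits[start][0],
                    "last": t,
                    "success_after": any(s > t for s in successes.get(src, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, alert in detect_brute_force(parse_log(SAMPLE_LOG)).items():
        print(src, alert)
```

Carol's two failures hours apart never meet the threshold; the 10.0.0.5 burst does, and the success that follows it is what turns a noisy scan into an incident. The same sliding-window logic works for any event type once the log line has been reduced to (who, what, when, where).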
VMware, Microsoft, Oracle, and Cisco
NIST SP 800-92 Guide to Computer Security Log Management
NIST SP 800-137 ISCM for Federal Information Systems and Organizations
CERT-IN Security Guidance CISG-2008-01
Information integrity
Information accuracy
Character checks
Relationship checks
Transaction limits
Information auditing
Risk: an event that has a probability of occurring and could have either a positive or negative impact to a project should that risk occur
Cause: reduction in assigned personnel to design a project
Risk event: the assigned personnel may not be adequate for the activity
Impact: if that event occurs, there may be an impact on the project cost, schedule, or performance
Risk management is an ongoing process that continues through the life of a project
Includes processes for:
Risk management planning
Identification
Analysis
Monitoring
Control
When a risk is identified, it is:
1. Assessed to ascertain the probability of occurring and the degree of impact to the schedule, scope, cost, and quality
2. Prioritized
The assignment of risk priority is based on:
The probability of occurrence
The number of categories impacted
The degree (high, medium, low) to which they impact the project
Risk register:
Document
Risk statement
Mitigation steps
Contingency plan
Contingency plans implemented prior to the risk occurring are pre-emptive actions intended to reduce the impact
Monitor all risks on a scheduled basis
Integrate analysis and strategy into the SDLC
Use standardized methods
Track and manage weaknesses
Memorialize resultant risk decisions
Implement policies and procedures to limit the vulnerabilities by implementing applicable vendor patches
Ensure a patch management solution is architected and implemented
Patch management steps:
Use a change control process
Read all related documentation
Test
Have a working backup and schedule production downtime
Always have a back-out plan
Forewarn the help desk and key user groups
Target non-critical servers first
Not all findings need to be mitigated; you must be in a position to provide:
The finding
How the risk was determined
The remediation cost details
Hazard and failure analysis techniques:
Ishikawa diagrams
P-diagrams
Preliminary Hazard Analysis (PHA)
Failure Modes and Effects Analysis (FMEA)
Failure Modes, Effects and Criticality Analysis (FMECA)
Hazard Analysis of Critical Control Points (HACCP)
When mitigations are implemented, they must be tested
Development environments are supported with testing teams and quality assurance
Security findings should be addressed the same as any other change request
The developer or system owner does not declare the risk mitigated without the concurrence of independent verification and validation (IV&V)
Code signing: a technique that can be used to:
Ensure code integrity
Determine who developed a piece of code
Determine the purposes for which a developer intended a piece of code to be used
Certificates: digital certificates that will help protect users from downloading compromised files or applications
Components: seal, digital signature, unique identifier
Limits of code signing:
Cannot guarantee that a piece of code is free of security vulnerabilities
Cannot guarantee an app will not load unsafe or altered code during execution
Is not a DRM or copy protection technology
Regression testing:
Whenever developers change or modify their software, even a small tweak can have unexpected consequences
Tests existing software applications to make sure that a change or addition has not broken any existing functionality
Catches bugs that may have been accidentally introduced into a new build or release candidate
Ensures that previously eradicated bugs continue to stay dead
Strategies for success:
Test fixed bugs promptly
Watch for side effects of fixes
Write a regression test for each bug fixed
If two or more tests are similar, get rid of the less effective one
Archive tests that the program consistently passes
Focus on functional issues, not design issues
Make changes to data and find any resulting corruption
Trace the effects of the changes on program memory
INSTRUCTIONS: Work with a partner to identify at least three more strategies for success.
Develop a standard battery of test cases that can be run every time a new version of the program is built
Acceptance testing: a formal test conducted to determine whether a system satisfies its acceptance criteria and to enable the customer to determine whether or not to accept the system
In agile software development, acceptance tests/criteria are usually:
Created by business customers
Expressed in a business domain language
"Software assurance is the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that it functions in the intended manner."
Software acquisition phases: planning, contracting, monitoring and acceptance, follow-on
Planning:
Needs determination
Develop software requirements
Create an acquisition strategy
Develop evaluation criteria and an evaluation plan
Contracting:
Create/issue the solicitation or RFP
Evaluate supplier proposals
Finalize contract negotiation
Monitoring and acceptance:
Establish and consent to the contract work schedule
Implement change control procedures
Review and accept software deliverables
Follow-on:
Sustainment
Disposal or decommissioning
1. What activities take place during the planning phase?
2. What activities take place during the monitoring and acceptance phase?
Ensure a well-documented SwA policy and process is in place in the enterprise
Software supply chain threats:
Unintentional errors
Intentional insertion of malicious code
Theft of vital information
Theft of personal information
Changed product
Inserted agents
Corrupted information
"System and software assurance focuses on the management of risk and assurance of safety, security, and dependability within the context of system and software life cycles"
Supplier assurance questions:
How does the supplier ensure that an infrastructure for safety and security is established and maintained?
How does the supplier ensure safety and security risks are identified and managed?
How does the supplier ensure safety and security requirements are satisfied?
How does the supplier ensure that activities and products are managed to achieve safety and security requirements and objectives?
Summary:
Understand the Software Development Life Cycle (SDLC) and how to apply security to it
Identify which security control(s) are appropriate for the development environment
Assess the effectiveness of software security
Q & A