8/10/2019 Domain6_Application & System Development
1/26
CISSP Essentials:
Mastering the Common Body of Knowledge
Class 6, Application and
System Development
Lecturer Shon Harris, CISSP, MCSE
President, Logical Security
CISSP Essentials Library:
www.searchsecurity.com/CISSPessentials
Class 6 Quiz:
www.searchsecurity.com/Class6quiz
Class 6 Spotlight:
www.searchsecurity.com/Class6spotlight
CISSP Essentials:
Mastering the Common Body of Knowledge
Applications and system development objectives
Software flaws
Database concepts and security issues
Software lifecycle development processes
Change control concepts
Object-oriented programming components
Expert systems and artificial intelligence
Why are we not improving at a higher rate?
Some reasons why implementing security into software has been lacking
Software vendors are trying to rush to market with their eyes set on functionality, not security
A majority of security professionals themselves are not software developers
The computing society is used to receiving software with bugs and then applying patches to it
Software vendors have not been held liable for insecure code
Programmers are not taught secure coding practices in school
Carnegie Mellon University estimates that there are 5 to 15 bugs in every 1,000 lines of code.
Windows 2000 has 40-60 million lines of code.
Where to implement security
Security within software development
Security should be planned and managed throughout the lifecycle of a system
It should not be added in as an afterthought or front-end, which is a more time-consuming and expensive approach
Security should not be kicked to the back of the bus just because a deliverable deadline is around the corner
Focus is usually on functionality, not security
Software development models
They all have these basic components:
1. Project initiation
2. Functional design analysis and planning
3. System design specifications
4. Software development
5. Installation/test/implementation
6. Operational/maintenance
7. Disposal
[Figure: Project Development phases in sequence: Project Initiation, Functional Design, System Design, Software Development, Installation/Test, Operational/Maintenance, Disposal]
Agenda
Software development topics
Development tools
Object-oriented programming concepts
Programming security issues
Distributed computing
Malicious code
New paradigm of coding
Software is written as components, instead of large applications on top of a small operating system
Microsoft Word has over 1,000 components
Only one component of a browser is the Java Virtual Machine
Applets run on top of it
Applets actually have plug-ins
Security issues
Complexity of many components being used together
Much harder to test in all scenarios
Tested and secure for one use, but not for a different use
In the old paradigm, different pieces of software communicated with the operating system, so the operating system could implement the security framework
Many components communicate directly to each other today, so the operating system cannot provide protection
Use of dynamic linking
In the old paradigm, the programmer would link the whole program and test it
Dynamic linked libraries (DLLs) and shared libraries work at runtime, and are called from several different sources
Security problems from several different directions
Object-oriented programming
Definition
Non-procedural programming where the emphasis is on data objects and their manipulation instead of processes.
Benefits
Modularity
Autonomous objects, cooperation through exchanges of messages
Deferred commitment
The internal components of an object can be redefined without changing other parts of the system
Reusability
Refining classes through inheritance
Other programs using objects
Naturalness
Object-oriented analysis, design and modeling maps to business needs and solutions
Classes and objects
Classes
Define attributes, characteristics and behaviors of the objects that will be instantiated
Allows for a layer of abstraction
Developer does not need to create each and every object
Objects are created from classes when needed
Provides a type of empty template of variables that will be populated when the object is instantiated
Objects
Instances of a class
They inherit the attributes, characteristics and behaviors from their originating class
Modules of code that will actually carry out some type of functionality
Distributed computing
Data processing taking place on different systems
Common Object Request Brokers
CORBA, ORB
Distributed Communication Standard
COM, DCOM
Enterprise Java Bean
Distributed communication architecture
Common Object Request Broker Architecture (CORBA)
Architecture and specifications for creating, distributing and managing distributed objects in a distributed network environment
Allows for interoperability between applications written by different vendors
Based mainly on standard interfaces
Programming language independent
Over 500 members of the Object Management Group (OMG) participate by using this architecture
Microsoft does not use this architecture; it uses DCOM
COM architecture
Component Object Model (COM)
The object-oriented programming model that defines how objects interact within a single application or between applications
Client software accesses an object through a pointer to an interface
Defines APIs
COM component = a binary file containing code for one or more class factories, COM classes, Registry-entry mechanisms, loading code, etc.
Allows for interoperability and reusability of objects
Programming language independent
Every component has a unique 128-bit number called a Globally Unique Identifier
Mobile code with active content
Active content
Mobile code = transferred from a host to a client (or another host computer) to be executed
Active content = software that is embedded transparently in Web pages that causes some type of action to occur
Java applets, JavaScript, ActiveX controls, macros, executable e-mail attachments
Extends capabilities and functionality but can introduce threats
Trojan horses, backdoors, viruses, malicious code, worms
Java and bytecode
Uses a bytecode verifier. When an applet is downloaded, the verifier checks the code to ensure that it is correctly formatted and does not contain common errors.
Common Gateway Interface
CGI
A server-side interface for initiating software services.
Specification lets Web servers execute other programs and incorporate their output into the text, graphics and audio sent to a Web browser.
CGI is a method of manipulating data passed to a Web site.
Allows for interactive Web sites that process user input
CGI script resides on Web server, not the browser
Security risk: CGI scripts use an array of low-level system commands that can be exploited
The CGI scripts should check for illegal commands before processing
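An added example, not part of the original slides: a Python sketch of the check the CGI slide calls for, contrasting user input pasted into a shell command line with input validated against an allowlist and passed as an argument vector. The host parameter, the nslookup lookup and its path are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption for this example: the script looks up one "host" query parameter.
# Labels are letters, digits and hyphens and never start with a hyphen, so a
# valid value can be neither shell syntax nor a command-line option.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"(?=.{1,253}\Z)" + LABEL + r"(?:\." + LABEL + r")*\Z")

# Constructed sample query strings (not from the slides).
SAMPLES = ["host=example.com", "host=example.com%3Bid", "host=-version"]


def unsafe_command(query_string):
    """Risky pattern: user input concatenated into a shell command line."""
    host = parse_qs(query_string).get("host", [""])[0]
    return "nslookup " + host  # a shell would interpret ';', '|', '`' ...


def safe_argv(query_string):
    """Validate first, then build an argument vector that needs no shell."""
    values = parse_qs(query_string, keep_blank_values=True).get("host", [])
    if len(values) != 1:
        raise ValueError("exactly one host parameter is required")
    host = values[0]
    if not HOSTNAME.match(host):
        raise ValueError("host is not a plain hostname")
    return ["/usr/bin/nslookup", host]  # path is an assumption


def respond(query_string):
    """Build the CGI response; nothing is executed for rejected input."""
    try:
        argv = safe_argv(query_string)
    except ValueError as err:
        return "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n%s\n" % err
    # A deployed script would call subprocess.run(argv, shell=False, timeout=5)
    # here; this example only reports the validated argument vector.
    return "Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n%r\n" % (argv,)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(unsafe_command(sample)), "->", respond(sample).split("\r\n")[0])
```

The allowlist rejects anything that is not a plain hostname before a command is built, and the argument vector means no shell ever parses the value.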
Agenda
Database components
Management system software
Models
Definitions
Security issues
Distributed databases
Data mining
Database model
Model characteristics
Describes relationships between data elements
Used to represent the conceptual organization of data
Formal method of representing information
Database models
Hierarchical
Distributed
Object-oriented
Relational
Agenda
Database security mechanisms and issues
Concurrency problems
Checkpoints
Trusted front-end
Aggregation
Inference
Views
Artificial intelligence
Expert systems
Refers to computer programs that apply substantial knowledge of specific areas of expertise to the problem-solving process
Applications of artificial intelligence techniques to carry out decision-making tasks based on a programmed set of rules and logic within specific subject areas
Systems in which human expertise is conveyed in the form of rules
Allows the system to diagnose situations without a human expert being present
Artificial Neural Networks
Artificial Neural Networks (ANN)
Computers whose architecture is modeled after the brain
They contain neurons called nodes which are connected together in a network to simulate a human brain
Algorithms simulating the function of human neurons may be used for pattern recognition problems
Has the ability to learn from scenarios
Malware
Virus
MeMe virus
Blended attacks
Remote control malware
Worm
Logic bomb
Trojan horse
Timing attacks
Side channel attacks
Malware
Virus
A piece of code that requires a host application to reproduce itself
Virus types
Macro Virus = easy to create because of the simplicity of the macro language
Boot Sector Virus = malicious code inserted into the disk boot sector
Compression Virus = when decompressed, it initializes
Stealth Virus = hides its footprints and the changes it has made
Polymorphic Virus = makes copies and then changes those copies in some way; uses a mutation engine
Multi-Partite Virus = infects both boot sector and file system
Self-garbling Virus = modifies own code to elude detection
Advanced malware
Blended malware
Using more than one way to infect and spread malicious code within networks
Combination of virus, worm and Trojan horse technologies
Remote control programs
Many Trojan horses set up backdoors on systems and applications that can control the victim system remotely
Cult of the Dead Cow's Back Orifice
Symantec's pcAnywhere
NetBus
SubSeven
CISSP Essentials:
Mastering the Common Body of Knowledge
Lecturer Shon Harris, CISSP, MCSE
President, Logical Security
www.LogicalSecurity.com
Coming next: Class 7: Business Continuity
Register at the CISSP Essentials Library:
www.searchsecurity.com/CISSPessentials