OFFICIAL (ISC)2 GUIDE TO THE CSSLP®
Mano Paul, CSSLP, CISSP
TECHNISCHE INFORMATIONSBIBLIOTHEK UNIVERSITÄTSBIBLIOTHEK HANNOVER
(ISC)2 SECURITY TRANSCENDS TECHNOLOGY
CRC Press, Taylor & Francis Group, Boca Raton London New York
CRC Press is an imprint of the Taylor & Francis Group, an Informa business
AN AUERBACH BOOK

Official (ISC)2 guide to the CSSLP - GBV · 2011-10-02

Contents

Foreword xvii

About the Author xix

Introduction xxi

1 Secure Software Concepts 1

1.1 Introduction 1

1.2 Objectives 1

1.3 Holistic Security 2

1.4 Implementation Challenges 3

1.4.1 Iron Triangle Constraints 3

1.4.2 Security as an Afterthought 4

1.4.3 Security versus Usability 4

1.5 Quality and Security 5

1.6 Security Profile: What Makes a Software Secure? 6

1.6.1 Core Security Concepts 7

1.6.1.1 Confidentiality 7

1.6.1.2 Integrity 7

1.6.1.3 Availability 8

1.6.2 General Security Concepts 8

1.6.2.1 Authentication 8

1.6.2.2 Authorization 9

1.6.2.3 Auditing/Logging 10

1.6.2.4 Session Management 12

1.6.2.5 Errors and Exception Management 12

1.6.2.6 Configuration Parameters Management 13

1.6.3 Design Security Concepts 13

1.7 Security Concepts in the SDLC 15

1.8 Risk Management 15

1.8.1 Terminology and Definitions 16

1.8.1.1 Asset 16

1.8.1.2 Vulnerability 17

1.8.1.3 Threat 18

1.8.1.4 Threat Source/Agent 18

1.8.1.5 Attack 18

1.8.1.6 Probability 18

1.8.1.7 Impact 19

1.8.1.8 Exposure Factor 19

1.8.1.9 Controls 19

1.8.1.10 Total Risk 20

1.8.1.11 Residual Risk 20

1.8.2 Calculation of Risk 20

1.8.3 Risk Management for Software 21

1.8.4 Handling Risk 22

1.8.5 Risk Management Concepts: Summary 25

1.9 Security Policies: The "What" and "Why" for Security 26

1.9.1 Scope of the Security Policies 26

1.9.2 Prerequisites for Security Policy Development 27

1.9.3 Security Policy Development Process 28

1.10 Security Standards 28

1.10.1 Types of Security Standards 28

1.10.1.1 Coding Standards 30

1.10.1.2 Payment Card Industry Data Security Standards 30

1.10.1.3 NIST Standards 32

1.10.1.4 ISO Standards 36

1.10.1.5 Federal Information Processing Standards (FIPS) 42

1.10.2 Benefits of Security Standards 43

1.11 Best Practices 44

1.11.1 Open Web Application Security Project (OWASP) 44

1.11.1.1 OWASP Development Guide 45

1.11.1.2 OWASP Code Review Guide 46

1.11.1.3 OWASP Testing Guide 46

1.11.1.4 Other OWASP Projects 46

1.12 Information Technology Infrastructure Library (ITIL) 46

1.13 Security Methodologies 47

1.13.1 Socratic Methodology 47

1.13.2 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) 48

1.13.3 STRIDE and DREAD 49

1.13.4 Open Source Security Testing Methodology Manual (OSSTMM) 50

1.13.5 Flaw Hypothesis Method (FHM) 51

1.13.6 Six Sigma (6σ) 51

1.13.7 Capability Maturity Model Integration (CMMI) 52

1.14 Security Frameworks 53

1.14.1 Zachman Framework 53

1.14.2 Control Objectives for Information and Related Technology (COBIT®) 53

1.14.3 Committee of Sponsoring Organizations (COSO) 54

1.14.4 Sherwood Applied Business Security Architecture (SABSA) 54

1.15 Regulations, Privacy, and Compliance 54

1.15.1 Significant Regulations and Acts 55

1.15.1.1 Sarbanes-Oxley (SOX) Act 55

1.15.1.2 BASEL II 56

1.15.1.3 Gramm-Leach-Bliley Act (GLBA) 56

1.15.1.4 Health Insurance Portability and Accountability Act (HIPAA) 57

1.15.1.5 Data Protection Act 57

1.15.1.6 Computer Misuse Act 57

1.15.1.7 State Security Breach Laws 58

1.15.2 Challenges with Regulations and Privacy Mandates 58

1.15.3 Privacy and Software Development 58

1.16 Security Models 59

1.16.1 BLP Confidentiality Model 60

1.16.2 Biba Integrity Model 61

1.16.3 Clark and Wilson Model (Access Triple Model) 62

1.16.4 Brewer and Nash Model (Chinese Wall Model) 63

1.17 Trusted Computing 65

1.17.1 Ring Protection 65

1.17.2 Trust Boundary (or Security Perimeter) 66

1.17.3 Trusted Computing Base (TCB) 66

1.17.3.1 Process Activation 67

1.17.3.2 Execution Domain Switching 68

1.17.3.3 Memory Protection 68

1.17.3.4 Input/Output Operations 68

1.17.4 Reference Monitor 69

1.17.5 Rootkits 69

1.18 Trusted Platform Module (TPM) 70

1.19 Acquisitions 71

1.20 Summary 72

1.21 Review Questions 73

References 76

2 Secure Software Requirements 79

2.1 Introduction 79

2.2 Objectives 80

2.3 Sources for Security Requirements 81

2.4 Types of Security Requirements 82

2.4.1 Confidentiality Requirements 84

2.4.2 Integrity Requirements 87

2.4.3 Availability Requirements 88

2.4.4 Authentication Requirements 90

2.4.4.1 Anonymous Authentication 91

2.4.4.2 Basic Authentication 91

2.4.4.3 Digest Authentication 92

2.4.4.4 Integrated Authentication 92

2.4.4.5 Client Certificate-Based Authentication 92

2.4.4.6 Forms Authentication 92

2.4.4.7 Token-Based Authentication 93

2.4.4.8 Smart Cards-Based Authentication 94

2.4.4.9 Biometric Authentication 94

2.4.5 Authorization Requirements 96

2.4.5.1 Discretionary Access Control (DAC) 96

2.4.5.2 Nondiscretionary Access Control (NDAC) 97

2.4.5.3 Mandatory Access Control (MAC) 97

2.4.5.4 Role-Based Access Control (RBAC) 98

2.4.5.5 Resource-Based Access Control 101

2.4.6 Auditing/Logging Requirements 102

2.4.7 Session Management Requirements 103

2.4.8 Errors and Exception Management Requirements 104

2.4.9 Configuration Parameters Management Requirements 104

2.4.10 Sequencing and Timing Requirements 104

2.4.10.1 Race Condition Properties 105

2.4.10.2 Race Conditions Protection 105

2.4.11 Archiving Requirements 106

2.4.12 International Requirements 107

2.4.13 Deployment Environment Requirements 109

2.4.14 Procurement Requirements 109

2.4.15 Antipiracy Requirements 110

2.5 Protection Needs Elicitation 110

2.5.1 Brainstorming 111

2.5.2 Surveys (Questionnaires and Interviews) 111

2.5.3 Policy Decomposition 112

2.5.4 Data Classification 114

2.5.5 Use and Misuse Case Modeling 117

2.5.5.1 Use Cases 117

2.5.5.2 Misuse Cases 118

2.5.6 Subject-Object Matrix 119

2.5.7 Templates and Tools 119

2.6 Requirements Traceability Matrix (RTM) 120

2.7 Summary 120

2.8 Review Questions 121

References 125

3 Secure Software Design 127

3.1 Introduction 127

3.2 Objectives 128

3.3 The Need for Secure Design 128

3.4 Flaws versus Bugs 129

3.5 Design Considerations 130

3.5.1 Core Software Security Design Considerations 130

3.5.1.1 Confidentiality Design 130

3.5.2 Integrity Design 138

3.5.2.1 Hashing (Hash Functions) 139

3.5.2.2 Referential Integrity 142

3.5.2.3 Resource Locking 143

3.5.2.4 Code Signing 144

3.5.3 Availability Design 144

3.5.4 Authentication Design 145

3.5.5 Authorization Design 145

3.5.6 Auditing/Logging Design 146

3.6 Information Technology Security Principles and Secure Design 147

3.7 Designing Secure Design Principles 148

3.7.1 Least Privilege 149

3.7.2 Separation of Duties 150

3.7.3 Defense in Depth 150

3.7.4 Fail Secure 151

3.7.5 Economy of Mechanisms 152

3.7.6 Complete Mediation 153

3.7.7 Open Design 154

3.7.8 Least Common Mechanisms 156

3.7.9 Psychological Acceptability 156

3.7.10 Leveraging Existing Components 157

3.8 Balancing Secure Design Principles 158

3.9 Other Design Considerations 158

3.9.1 Programming Language 159

3.9.2 Data Type, Format, Range, and Length 160

3.9.3 Database Security 162

3.9.3.1 Polyinstantiation 163

3.9.3.2 Database Encryption 164

3.9.3.3 Normalization 166

3.9.3.4 Triggers and Views 169

3.9.4 Interface 171

3.9.4.1 User Interface 171

3.9.4.2 Security Management Interfaces (SMI) 171

3.9.5 Interconnectivity 172

3.10 Design Processes 173

3.10.1 Attack Surface Evaluation 173

3.10.1.1 Relative Attack Surface Quotient 174

3.10.2 Threat Modeling 176

3.10.2.1 Threat Sources/Agents 177

3.10.2.2 What Is Threat Modeling? 178

3.10.2.3 Benefits 179

3.10.2.4 Challenges 179

3.10.2.5 Prerequisites 179

3.10.2.6 What Can We Threat Model? 180

3.10.2.7 Process 181

3.10.2.8 Comparison of Risk Ranking Methodologies 191

3.10.2.9 Control Identification and Prioritization 191

3.11 Architectures 192

3.11.1 Mainframe Architecture 195

3.11.2 Distributed Computing 196

3.11.3 Service Oriented Architecture 198

3.11.4 Rich Internet Applications 201

3.11.5 Pervasive Computing 202

3.11.6 Software as a Service (SaaS) 204

3.11.7 Integration with Existing Architectures 206

3.12 Technologies 207

3.12.1 Authentication 207

3.12.2 Identity Management 208

3.12.3 Credential Management 211

3.12.4 Password Management 211

3.12.5 Certificate Management 212

3.12.6 Single Sign-On (SSO) 215

3.12.7 Flow Control 216

3.12.7.1 Firewalls and Proxies 217

3.12.7.2 Queuing Infrastructure and Technology 218

3.12.8 Auditing/Logging 218

3.12.8.1 Syslog 219

3.12.8.2 Intrusion Detection System (IDS) 219

3.12.8.3 Intrusion Prevention Systems (IPS) 220

3.12.9 Data Loss Prevention 221

3.12.10 Visualization 222

3.12.11 Digital Rights Management 224

3.13 Secure Design and Architecture Review 226

3.14 Summary 227

3.15 Review Questions 227

References 230

4 Secure Software Implementation/Coding 233

4.1 Introduction 233

4.2 Objectives 234

4.3 Who Is to Be Blamed for Insecure Software? 234

4.4 Fundamental Concepts of Programming 234

4.4.1 Computer Architecture 235

4.4.2 Programming Languages 238

4.4.2.1 Compiled Languages 240

4.4.2.2 Interpreted Languages 241

4.4.2.3 Hybrid Languages 241

4.5 Software Development Methodologies 242

4.5.1 Waterfall Model 242

4.5.2 Iterative Model 243

4.5.3 Spiral Model 244

4.5.4 Agile Development Methodologies 245

4.5.5 Which Model Should We Choose? 247

4.6 Common Software Vulnerabilities and Controls 247

4.6.1 Injection Flaws 248

4.6.1.1 Injection Flaws Controls 259

4.6.2 Cross-Site Scripting (XSS) 261

4.6.2.1 XSS Controls 262

4.6.3 Buffer Overflow 264

4.6.3.1 Buffer Overflow Controls 266

4.6.4 Broken Authentication and Session Management 268

4.6.4.1 Broken Authentication and Session Management Controls 269

4.6.5 Insecure Direct Object References 271

4.6.5.1 Insecure Direct Object References Controls 272

4.6.6 Cross-Site Request Forgery (CSRF) 273

4.6.6.1 CSRF Controls 274

4.6.7 Security Misconfiguration 276

4.6.7.1 Security Misconfiguration Controls 277

4.6.8 Failure to Restrict URL Access 277

4.6.8.1 Failure to Restrict URL Access Controls 278

4.6.9 Unvalidated Redirects and Forwards 278

4.6.9.1 Unvalidated Redirects and Forwards Controls 279

4.6.10 Insecure Cryptographic Storage 280

4.6.10.1 Insecure Cryptographic Storage Controls 281

4.6.11 Insufficient Transport Layer Protection 283

4.6.11.1 Insufficient Transport Layer Protection Controls 284

4.6.12 Information Leakage and Improper Error Handling 285

4.6.12.1 Information Leakage and Improper Error Handling Controls 287

4.6.13 File Attacks 289

4.6.13.1 File Attacks Controls 291

4.6.14 Race Condition 293

4.6.14.1 Race Condition Controls 293

4.6.15 Side Channel Attacks 294

4.6.15.1 Side Channel Attacks Controls 295

4.7 Defensive Coding Practices—Concepts and Techniques 296

4.7.1 Attack Surface Evaluation and Reduction 297

4.7.2 Input Validation 297

4.7.2.1 How to Validate? 297

4.7.2.2 Where to Validate? 298

4.7.2.3 What to Validate? 298

4.7.3 Canonicalization 298

4.7.4 Code Access Security 299

4.7.4.1 Security Actions 300

4.7.4.2 Type Safety 300

4.7.4.3 Syntax Security (Declarative and Imperative) 300

4.7.4.4 Secure Class Libraries 301

4.7.5 Container (Declarative) versus Component (Programmatic) Security 301

4.7.6 Cryptographic Agility 302

4.7.7 Memory Management 304

4.7.7.1 Locality of Reference 304

4.7.7.2 Dangling Pointers 304

4.7.7.3 Address Space Layout Randomization (ASLR) 305

4.7.7.4 Data Execution Prevention (DEP)/Executable Space Protection (ESP) 305

4.7.7.5 /GS Flag 306

4.7.7.6 StackGuard 306

4.7.8 Exception Management 306

4.7.9 Anti-Tampering 307

4.7.10 Secure Startup 308

4.7.11 Embedded Systems 308

4.7.12 Interface Coding 310

4.8 Secure Software Processes 310

4.8.1 Versioning 310

4.8.2 Code Analysis 311

4.8.3 Code/Peer Review 311

4.9 Build Environment and Tools Security 315

4.10 Summary 316

4.11 Review Questions 317

References 320

5 Secure Software Testing 323

5.1 Introduction 323

5.2 Objectives 324

5.3 Quality Assurance 324

5.4 Types of Software QA Testing 325

5.4.1 Reliability Testing (Functional Testing) 325

5.4.1.1 Unit Testing 326

5.4.1.2 Integration Testing 327

5.4.1.3 Logic Testing 328

5.4.1.4 Regression Testing 329

5.4.2 Recoverability Testing 330

5.4.2.1 Performance Testing 330

5.4.2.2 Scalability Testing 331

5.4.3 Resiliency Testing (Security Testing) 331

5.4.3.1 Motives, Opportunities, and Means 332

5.4.3.2 Testing of Security Functionality versus

Security Testing 333

5.4.3.3 The Need for Security Testing 333

5.5 Security Testing Methodologies 333

5.5.1 White Box Testing 333

5.5.2 Black Box Testing 335

5.5.3 Fuzzing 335

5.5.4 Scanning 336

5.5.5 Penetration Testing (Pen-Testing) 339

5.5.6 White Box Testing versus Black Box Testing 341

5.6 Software Security Testing 344

5.6.1 Testing for Input Validation 344

5.6.2 Injection Flaws Testing 345

5.6.3 Testing for Nonrepudiation 345

5.6.4 Testing for Spoofing 347

5.6.5 Failure Testing 347

5.6.6 Cryptographic Validation Testing 349

5.6.7 Testing for Buffer Overflow Defenses 349

5.6.8 Testing for Privileges Escalations Defenses 350

5.6.9 Anti-Reversing Protection Testing 350

5.7 Other Testing 351

5.7.1 Environment Testing 351

5.7.1.1 Interoperability Testing 351

5.7.1.2 Simulation Testing 352

5.7.1.3 Disaster Recovery (DR) Testing 352

5.7.2 Privacy Testing 353

5.7.3 User Acceptance Testing 353

5.8 Defect Reporting and Tracking 354

5.8.1 Reporting Defects 354

5.8.2 Tracking Defects 358

5.9 Impact Assessment and Corrective Action 359

5.10 Tools for Security Testing 360

5.11 Summary 361

5.12 Review Questions 361

References 364

6 Software Acceptance 367

6.1 Introduction 367

6.2 Objectives 368

6.3 Guidelines for Software Acceptance 368

6.4 Benefits of Accepting Software Formally 370

6.5 Software Acceptance Considerations 370

6.5.1 Considerations When Building Software 371

6.5.1.1 Completion Criteria 371

6.5.1.2 Change Management 372

6.5.1.3 Approval to Deploy/Release 373

6.5.1.4 Risk Acceptance and Exception Policy 373

6.5.1.5 Documentation of Software 375

6.5.2 When Buying Software 377

6.5.2.1 Procurement Methodology 379

6.6 Legal Protection Mechanisms 383

6.6.1 IP Protection 384

6.6.1.1 Patents (Inventions) 384

6.6.1.2 Copyright 385

6.6.1.3 Trademark 385

6.6.1.4 Trade Secret 386

6.6.2 Disclaimers 387

6.6.3 Validity Periods 387

6.6.4 Contracts and Agreements 388

6.6.4.1 Service Level Agreements (SLA) 389

6.6.4.2 Nondisclosure Agreements (NDA) 390

6.6.4.3 Noncompete Agreements 392

6.7 Software Escrow 392

6.8 Verification and Validation (V&V) 394

6.8.1 Reviews 395

6.8.2 Testing 396

6.8.3 Independent (Third Party) Verification and Validation 397

6.8.4 Checklists and Tools 397

6.9 Certification and Accreditation 398

6.10 Summary 398

6.11 Review Questions 399

References 402

7 Software Deployment, Operations, Maintenance, and Disposal 403

7.1 Introduction 403

7.2 Objectives 404

7.3 Installation and Deployment 404

7.3.1 Hardening 405

7.3.2 Enforcement of Security Principles 406

7.3.3 Environment Configuration 406

7.3.4 Bootstrapping and Secure Startup 408

7.4 Operations and Maintenance 409

7.4.1 Monitoring 412

7.4.1.1 Why Monitor? 413

7.4.1.2 What to Monitor? 413

7.4.1.3 Ways to Monitor 414

7.4.1.4 Metrics in Monitoring 416

7.4.1.5 Audits for Monitoring 418

7.4.2 Incident Management 419

7.4.2.1 Events, Alerts, and Incidents 420

7.4.2.2 Types of Incidents 420

7.4.2.3 Incident Response Process 421

7.4.3 Problem Management 429

7.4.3.1 Problem Management Process 429

7.4.4 Patching and Vulnerability Management 431

7.5 Disposal 435

7.5.1 End-of-Life Policies 435

7.5.2 Sunsetting Criteria 436

7.5.3 Sunsetting Processes 436

7.5.4 Information Disposal and Media Sanitization 437

7.6 Summary 440

7.7 Review Questions 441

References 445

Appendix A 447

Appendix B 499

Appendix C 513

Appendix D 517

Appendix E 521

Index 535